Help!! Avast detects four different viruses

[Mogge]

Hi,
i have a big problem and i cannot solve it.
As soon as my computer connects tio internet i get 4 warnings from Avast that http://185.555.bla bla bla contains a virus.
I have tryed to erase a lot in my computer with avast,adaware,ewido etc.But the warnings still remains,about every 5 minute.If i close my network connection,then i get a note every 5 minutes from IE that the page cannot open because there is no connection.My OS is win 2000 proffesional.I downloade Hijack this and ran it,but i cannot tell what to delete.I hope someone here can help me.Below i have added the log from hijack this.

Best regards
Morgan

Logfile of HijackThis v1.99.1
Scan saved at 21:50:32, on 2006-04-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\svchost.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\Program\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program\Microsoft IntelliType Pro\type32.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\OLYMPUS\CAMEDIA Master Pro\CM_camera.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\MSN Toolbar Suite\DS\02.05.0001.1119\sv-se\bin\WindowsSearch.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\MSN Toolbar Suite\DS\02.05.0001.1119\sv-se\bin\WindowsSearchIndexer.exe
C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\ML Bilservice\Mina dokument\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Toolbar Suite\TB\02.05.0000.1105\sv-se\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Toolbar Suite\TB\02.05.0000.1105\sv-se\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program\OLYMPUS\CAMEDIA Master Pro\CM_camera.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program\MSN Toolbar Suite\DS\02.05.0001.1119\sv-se\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &MSN Search - res://C:\Program\MSN Toolbar Suite\TB\02.05.0000.1105\sv-se\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O8 - Extra context menu item: Öppna på ny flik i bakgrunden - res://C:\Program\MSN Toolbar Suite\TAB\02.05.0000.1105\sv-se\msntabres.dll/229?fb8f45ce25549fba9c0b53ad4b9f23a
O8 - Extra context menu item: Öppna på ny flik i förgrunden - res://C:\Program\MSN Toolbar Suite\TAB\02.05.0000.1105\sv-se\msntabres.dll/230?fb8f45ce25549fba9c0b53ad4b9f23a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1D0C59-5ECC-4028-87F3-482191D2230F} (AxisRTPSrcFilter) - http://webcam.hotelbibionepalace.it/activex/AMC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136586797959
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB97D784-5E78-47C7-9C99-B058335C8BDC}: NameServer = 85.255.114.106,85.255.112.123
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

[polonus]

Hi Mogge,

There is a clear indication is the log file that you have a trojan infection, see here for info:
http://www.symantec.com/avcenter/venc/data/trojan.flush.f.html
It is in your log here: O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe
You can find your log here:
http://www.hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html
for three days after posting was done (to-day).
Ask FwF to give a second opinion on the 08 msntb.dll there.
And copy SSI from here: http://www.spywaredata.com/spyware/download.php
Install, run and look at the result-analysis in your browser.
They are happy to include your findings to their base.

polonus

[RejZoR]

Jup, O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe also cought my eye.

msntb.dll thingie appears to be related with MSN Toolbar which is indeed installed by user. Certanly try to clean hgqhp.exe. This should help i guess.

[Mogge]

  Thank you very very very much for your help.
I tryed to erase only 04 but 2 minutes after it was there again.Then i erased 08 also and then i uninstalled the complete MSN search toolbar.And now it seems that its working ok.No warnings anymore.Ohh i almost forgot,i also went into REGEDIT and changed the nameserver adress.I found the info about that in the link to Symatec database.

However i couldnt install the SSI it stops the installation after 2 seconds because 1 file is in use by another application.I closed all applications exept AVAST,but it still didnt install.
But i dont think i need it now,since the computer seems ok.

Its really nice when you can get this quick help.What should we do without you great guys.Keep up the good work.

See ya

Best regards
Mogge from Sweden

[polonus]

Hi Mogge,

Nice to hear that we could assist you here in solving your problems. Keep coming to the forum to learn about security, surf safe and secure, is the wish of,

greetings,

polonus

[DavidR]

For the future, if you haven't already got this software (freeware), Ewido is a good trojan detection and removal tool that works well with avast.

Ewido Security Suite for XP and w2k.

[FreewheelinFrank]

The HijackThis! analysis site does indeed identify the MSN toolbar as a nasty. I don't know why.

Mogge, I'm a little concerned that you say the following entry has returned:

O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe

Can you try fixing the entry in safe mode?

http://www.computerhope.com/issues/chsafe.htm#02

Reboot into safe mode immediately again, make sure you can view hidden files:

http://www.computerhope.com/issues/ch000516.htm

Look for and delete the file hgqhp.exe if you can find it.

[Mogge]

The HijackThis! analysis site does indeed identify the MSN toolbar as a nasty. I don't know why.

Mogge, I'm a little concerned that you say the following entry has returned:

O4 - HKLM\..\Run: [hgqhp.exe] C:\WINNT\system32\hgqhp.exe

Can you try fixing the entry in safe mode?

http://www.computerhope.com/issues/chsafe.htm#02

Reboot into safe mode immediately again, make sure you can view hidden files:

http://www.computerhope.com/issues/ch000516.htm

Look for and delete the file hgqhp.exe if you can find it.

HI,
it is gone now.When i deleted the MSN Toolbar 08 and then uninstalled the complete toolbar i could delete the file and now its gone.And the warnings has vanished.I suppose something has happened with the MSN toolbar,some trojan or something else that has infected it.Otherwise i cannot explain why it only worked when the toolbar was uninstalled and 08 deleted.

Best regards
Mogge