Author Topic: Computer infected by Win32:Trojan-gen  (Read 7644 times)


xystential (Guest)
Computer infected by Win32:Trojan-gen
« on: September 28, 2004, 04:21:46 AM »
My computer has recently become infected with Win32:Trojan-gen. Avast! alerted me to it and I have tried Avast!, Trojan-remover, and some of the tips outlined by MicroTend (which in this case didn't apply) to try and rid my computer of this pesky virus. Here's the LogFile from HiJackThis!:

Logfile of HijackThis v1.98.2
Scan saved at 10:05:49 PM, on 9/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Chuck Matthews\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\system32\mspxs32.dll
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\system32\explorer32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [trojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\system32\explorer32.exe
O4 - HKCU\..\Run: [Utop] C:\Documents and Settings\Chuck Matthews\Application Data\s????k.exe
O4 - HKCU\..\Run: [Vcp] C:\WINDOWS\System32\r?ndll32.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\\MAIN.MHT!http://super-gals.com//index//in//index.chm::/ad.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=b262b0ad414acb9189b79ca9611238b08547955a9e1be092ffa689db1636bf5c92ee1f16d8872858710aba174607a0e7f2b4b2a1:a3f5099f60d56ff1d1f59f4600741a6e
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

I know the references to db105.com have to go but what else if anything? Please help me out!!!!
« Last Edit: December 14, 2008, 10:33:59 PM by misak »

whocares (Guest)
Re:Computer infected by Win32:Trojan-gen
« Reply #1 on: September 28, 2004, 08:58:24 AM »
Hi,

here's an analysis of the log:
http://hijackthis.de/logfiles/74d7b78d01716c867781c5ff462a25e0.html

- at first sight, everything that's marked RED or YELLOW there should go.

-> read the link "VirusRemoval" below in my sig and then:
- disable RESTORE
- reboot to safeMode (F8-Boot)
- rescan with hijackthis and fix everything that's marked red or yellow in above link
- reboot normally
- repair or reinstall (avast) virus scanner
- change all your passwords/PINs
- secure your system & browser better
- AD-Aware, SPYBOT, CWSHREDDER & SPHJFIX could also help
(see "VirusRemoval"-link and board-search here for details) ;)
« Last Edit: September 28, 2004, 08:59:09 AM by whocares »

Eddy (Avast Evangelist)
Re:Computer infected by Win32:Trojan-gen
« Reply #2 on: September 28, 2004, 02:25:06 PM »
Quote:
- rescan with hijackthis and fix everything that's marked red or yellow in above link
Not everything will show up again in HJT while in safe mode. The harmful process that should be deleted will not show, and some of the "run" keys will not show.

This is what my analyzer came up with:
--------------------------------------------------------------------------------
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
--------------------------------------------------------------------------------
r1 - hkcu\software\microsoft\internet explorer,searchurl = http://searchmiracle.com/sp.php
r1 - hkcu\software\microsoft\internet explorer\main,default_page_url = http://db105.com:81/cgi-bin/index.cgi?c=0
r1 - hkcu\software\microsoft\internet explorer\main,default_search_url = http://db105.com:81/cgi-bin/index.cgi?c=0
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://my.netzero.net/s/search?r=minisearch
r1 - hklm\software\microsoft\internet explorer\main,search bar = http://db105.com:81/cgi-bin/index.cgi?c=0
r0 - hklm\software\microsoft\internet explorer\main,start page = http://db105.com:81/cgi-bin/index.cgi?c=0
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://db105.com:81/cgi-bin/index.cgi?c=0
r1 - hkcu\software\microsoft\internet explorer\search,customizesearch = http://db105.com:81/cgi-bin/index.cgi?c=0
r1 - hkcu\software\microsoft\internet explorer\searchurl,(default) = http://my.netzero.net/s/search?r=minisearch
r1 - hklm\software\microsoft\internet explorer\searchurl,(default) = http://db105.com:81/cgi-bin/index.cgi?c=0
r0 - hkcu\software\microsoft\internet explorer\main,local page = http://db105.com:81/cgi-bin/index.cgi?c=0
r0 - hklm\software\microsoft\internet explorer\main,local page = http://db105.com:81/cgi-bin/index.cgi?c=0
r3 - urlsearchhook: urlsearchhook class - {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\searchenh1.dll
o2 - bho: bho - {06cad548-14dd-4fa3-9ea9-05f83c18cbd7} - c:\windows\system32\mspxs32.dll
o4 - hklm\..\run: [win32 explorer] c:\windows\system32\explorer32.exe
o4 - hkcu\..\run: [spc_w] "c:\program files\nzsearch\hcm.exe" -w
o4 - hkcu\..\run: [netzero_uoltray] c:\program files\netzero\exec.exe regrun
o4 - hkcu\..\run: [win32 explorer] c:\windows\system32\explorer32.exe
o4 - hkcu\..\run: [utop] c:\documents and settings\chuck matthews\application data\s????k.exe
o4 - hkcu\..\run: [vcp] c:\windows\system32\r?ndll32.exe
o16 - dpf: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\\main.mht!http://super-gals.com//index//in//index.chm::/ad.exe
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=b262b0ad414acb9189b79ca9611238b08547955a9e1be092ffa689db1636bf5c92ee1f16d8872858710aba174607a0e7f2b4b2a1:a3f5099f60d56ff1d1f59f4600741a6e
o16 - dpf: {9eb320ce-be1d-4304-a081-4b4665414bef} - http://www.mt-download.com/mediaticketsinstaller.cab
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} (yaddbook class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {f04a8ae2-a59d-11d2-8792-00c04f8ef29d} (hotmail attachments control) - http://by8fd.bay8.hotmail.msn.com/activex/hmatchmt.ocx
o18 - filter: text/html - {ee7a946e-61fa-4979-87b8-a6c462e6fa62} - c:\windows\httpfilter.dll
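Scripting the kind of triage Eddy's analyzer does over this log format, as an added example that is not the forum's or any HijackThis tool's code: it parses HJT lines and flags the entry classes the thread calls out (IE settings pointed at an unexpected host, Run entries whose filename HJT prints with '?', an unnamed BHO, an ms-its: DPF loader, a text/html filter). The `TRUSTED_IE_HOSTS` set is an assumption about what the owner chose, and `SAMPLE_LOG` is a constructed subset of the posted log plus one benign line.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the thread's HijackThis v1.98 log plus one benign
# start page; not the poster's whole log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\\WINDOWS\\system32\\mspxs32.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [Utop] C:\\Documents and Settings\\User\\Application Data\\s????k.exe
O4 - HKCU\\..\\Run: [Vcp] C:\\WINDOWS\\System32\\r?ndll32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\\\\MAIN.MHT!http://super-gals.com//index//in//index.chm::/ad.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\\WINDOWS\\httpfilter.dll
"""

TRUSTED_IE_HOSTS = {"www.google.com", "www.msn.com"}  # assumed: the owner's own choices
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")  # "<section> - <body>"


def classify(kind, body):
    """Return why this entry deserves review, or None if the rules are silent."""
    if kind in ("R0", "R1") and " = " in body:
        host = urlsplit(body.rsplit(" = ", 1)[1]).hostname or ""
        if host not in TRUSTED_IE_HOSTS:
            return "IE home/search setting points at untrusted host " + host
    elif kind == "O4" and "?" in body.rsplit("] ", 1)[-1]:
        # HJT prints '?' for characters it cannot render: a masked filename.
        return "Run entry launches a file with unprintable characters in its name"
    elif kind == "O2" and body.startswith("BHO: BHO - "):
        return "browser helper object with no descriptive name"
    elif kind == "O16" and body.split(" - ", 1)[-1].lower().startswith("ms-its:"):
        return "DPF entry loads an executable through the ms-its:/CHM handler"
    elif kind == "O18" and body.startswith("Filter: text/html"):
        return "custom text/html MIME filter can rewrite every page IE renders"
    return None


def review_log(text):
    """Parse HijackThis lines; return [(section, reason, line)] for suspect entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        kind, body = m.groups()
        reason = classify(kind, body)
        if reason:
            findings.append((kind, reason, line))
    return findings
```

Running `review_log(SAMPLE_LOG)` returns six findings and leaves the avast! Run entry and the Google start page alone; the lowercase output Eddy pasted would need the comparisons made case-insensitive.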