hs.exe / Sivka burka Virus?

  Jake_027 19:51 18 Dec 2005

A few days ago I was having a problem with a file under C:\Documents and Settings\Jake\Local Settings\Temp\400.... something like that; I keep deleting the file as soon as I log on. It is a file called hs.exe and from what I can find doing a Google search it is a trojan virus [see: click here]. My antivirus will not pick it up and neither will the a2 scanner I was recommended. I have deleted the file every time I log on and all the prefetch values, but it still keeps coming back. I don't know if this has anything to do with it, but I can no longer access C:\Documents and Settings\Jake\Local Settings\History. If I try to, it comes up with "Windows Explorer has encountered a problem and needs to close" as soon as I double-click to go into History, but I can access all other areas of my PC. Any solutions?

  VoG II 20:00 18 Dec 2005

Scan with Ewido click here and let us know if it finds anything.

  Jake_027 20:23 18 Dec 2005

Still no luck, I'm afraid.

  VoG II 20:25 18 Dec 2005

That was remarkably quick for an Ewido scan!

Run HJT click here and post the complete log file on this specialised forum click here

  Jake_027 20:31 18 Dec 2005

Logfile of HijackThis v1.99.1
Scan saved at 20:28:28, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\QUICKH~1\qhwscsvc.exe
D:\QUICKH~1\QHONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QUICKH~1\MailSvr.exe
D:\QUICKH~1\UPSCHD.EXE
D:\QUICKH~1\QHM32.EXE
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\OmniPage SE\opware32.exe
C:\Program Files\WinPortrait\wpctrl.exe
D:\Microsoft Antispyware\gcasServ.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\pupxpman.exe
C:\Program Files\WinPortrait\floater.exe
D:\PowerDVD\PDVDServ.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
D:\iPod Updater\iPod\bin\iPodService.exe
D:\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
D:\QUICKH~1\QHONLINE.EXE
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\Spyware BeGone\SpywareBeGone.exe
D:\Adobe\Reader\reader_sl.exe
D:\AOL 9.0\aoltray.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
c:\program files\common files\aol\1133353862\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\Microsoft Antispyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
D:\AOL 9.0\waol.exe
D:\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

  Jake_027 20:32 18 Dec 2005

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = click here
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {FE7953EE-25ED-40D8-A53F-066C124CE023} - D:\HistorySweep\popkill.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] D:\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] D:\QUICKH~1\UPSCHD.EXE /Check
O4 - HKLM\..\Run: [Quick Heal Messenger] D:\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Omnipage] D:\OmniPage SE\opware32.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Microsoft Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] D:\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Adobe\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Spyware Begone] "D:\Spyware BeGone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -

  VoG II 20:32 18 Dec 2005

Not here please - click here

  Jake_027 20:33 18 Dec 2005

C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - click here
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - click here
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - click here
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - click here
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - click here
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\iPod Updater\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - D:\QUICKH~1\qhwscsvc.exe
O23 - Service: Quick Heal Online Protection - Unknown owner - D:\QUICKH~1\QHONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The HSSvc.exe is from HistorySweep 1.6 on the Dec 05 PC Advisor disc; it's the hs.exe in Temp that I think is the problem.
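The log above is what a triage script would chew through. As an added example (not from the thread or from the HijackThis project), the Python below parses the "Running processes" section and the O-coded entries of a HijackThis log and flags anything executing or auto-starting from a user Temp folder, which is exactly what separates the suspicious hs.exe from the legitimate HSSvc.exe here. The sample input is a constructed excerpt of the log posted in this thread.

```python
import re

# Constructed excerpt of the HijackThis log posted in this thread (lines copied from
# the thread; the real log is much longer). Sample input for the triage below.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
D:\HistorySweep\HSSvc.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
"""

# A Windows path (quoted or bare); the quoted form is tried first so paths with spaces survive.
_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
# Any "\Temp\" component, long form (Local Settings\Temp) or 8.3 form (LOCALS~1\Temp).
_TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
_ENTRY_RE = re.compile(r"(O\d+|R\d+|F\d+|N\d+) - (.*)")

def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True          # process list runs until the next blank line
            continue
        if not line:
            in_procs = False
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def extract_path(body):
    """First drive-letter path in an entry body, or None."""
    m = _PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None

def is_temp_path(path):
    return bool(_TEMP_RE.search(path))

def triage(text):
    """Flag processes and autostart/service entries that point into a Temp folder.
    Note: HijackThis itself, run from its zip in Temp, trips this too, which is why
    findings are reviewed by a human rather than acted on automatically."""
    processes, entries = parse_hjt(text)
    findings = [{"section": "process", "path": p, "reason": "running from a Temp folder"}
                for p in processes if is_temp_path(p)]
    for code, body in entries:
        path = extract_path(body)
        if path and is_temp_path(path):
            findings.append({"section": code, "path": path,
                             "reason": "autostart/service points into a Temp folder"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['path']}: {f['reason']}")
```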

  VoG II 20:34 18 Dec 2005

Please post your log on another forum click here

  VoG II 20:40 18 Dec 2005

Thank you.

  rabadubdub 03:20 19 Dec 2005

There's a program called HSremove.exe, which apparently removes this nasty little guy. Do a search; if you don't find it, contact me (by clicking the envelope icon) and I'll send you a copy. It's an XP-specific thing. Good luck.

Rab
