Installed all the software recommended.
They seem to find all the things I thought were there, and then it looks like they are cleaning, but the malware/trojans keep coming back.
Also, every new IE window comes with a
C:\WIN2K\ShellIconCache:rfroot trojan detected by McAfee.
Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:17:08 AM, on 4/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WIN2K\System32\smss.exe
C:\WIN2K\system32\winlogon.exe
C:\WIN2K\system32\services.exe
C:\WIN2K\system32\lsass.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WIN2K\system32\regsvc.exe
C:\WIN2K\system32\svchost.exe
C:\WIN2K\system32\mspmspsv.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\WIN2K\netss32.exe
C:\WIN2K\system32\rundll32.exe
C:\WIN2K\ipfj32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WIN2K\system32\pctspk.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WIN2K\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Common Files\Compuware\cwaftrcsrv.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN2K\jslvz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN2K\jslvz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compuware Corporation
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E5EA22AB-4F6B-A697-C966-AD102CC207D9} - C:\WIN2K\iepb.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ipfj32.exe] C:\WIN2K\ipfj32.exe
O4 - HKLM\..\Run: [USBPAD] UsbPad.exe Install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WIN2K\system32\netat32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O4 - Global Startup: Test Execution Server.lnk = C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tesrv.exe
O4 - Global Startup: USB KeyPad.lnk = C:\WIN2K\USBPad.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN2K\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WIN2K\System32\Shdocvw.dll
O9 - Extra button: Phone Book - {AA0850BA-2281-4487-BB23-79CD86CD65F1} - http://compuapps1.co...jamorgchart.asp (file missing) (HKCU)
O9 - Extra button: Helpdesk - {E722A195-8277-4207-9DC0-5E9509DC3608} - http://compuweb.comp...lp/contacts.htm (file missing) (HKCU)
O9 - Extra button: Standards - {EEFB7A5F-FE31-4BDD-841C-1C291E928609} - http://compuweb.comp...ers/default.htm (file missing) (HKCU)
O9 - Extra button: Webmail - {F0035C52-A157-4528-A2C7-3155D3D3908B} - https://webmail1.com...hange/logon.asp (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://compuweb.compuware.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://download.35mb...es/dlapplet.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyh.../stream/mmp.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compuwaremc....bex/ieatgpc.cab
O16 - DPF: {FE4E8B9F-758D-4596-A4D4-37187B78A513} (DemoShield DemoNow Class) - http://aweb.nl.compu...ion/demonow.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54343B9-A8E1-412B-B111-0C6148BEA62C}: Domain = compuware.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WIN2K\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WIN2K\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Test Management Server (TmSrvService) - Compuware Corporation - C:\Program Files\Compuware\QADirector\x86-win32\bin\qc_tmsrv.exe
Also, here is my Panda ActiveScan:
Incident Status Location
Adware:Adware/Sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF175GLF175.EXE
Adware:Adware/Sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF9GLF9.EXE
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5847.tmp[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[ProbeLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[Dummy.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5848.tmp[Beyond.class]
Adware:Adware/Sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\targetsaver.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\mibjjd1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54808e3a-456a7782.zip[Beyond.class]
Virus:Trj/Downloader.BWD Disinfected C:\ml00!.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\uninstall6_38.exe
Adware:Adware/EasySearch No disinfected C:\RECYCLER\S-1-5-21-329068152-764733703-1343024091-1004\Dc65.dll
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\addac.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\adddl.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\addia.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\crge.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\d3zc.exe
Adware:Adware/FunWeb No disinfected C:\WIN2K\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Spyware:Spyware/YourSiteBar No disinfected C:\WIN2K\Downloaded Program Files\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WIN2K\Downloaded Program Files\ysbactivex.inf
Adware:Adware/SearchAid No disinfected C:\WIN2K\iepb.dll
Adware:Adware/SearchAid No disinfected C:\WIN2K\ipfj32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WIN2K\javaak32.exe
Adware:Adware/EasySearch No disinfected C:\WIN2K\jslvz.dll
Spyware:Spyware/New.net No disinfected C:\WIN2K\NDNuninstall6_38.exe
Virus:Trj/Downloader.BSU No disinfected C:\WIN2K\netss32.exe
Spyware:Spyware/MarketScore No disinfected C:\WIN2K\system32\rk.exe
Thanks a lot, for any help!
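As an added example (not part of the original post, and not a HijackThis or Panda tool), the script below shows how a helper on a forum like this triages a log such as the one above: it parses HijackThis R/O entries, parses Panda ActiveScan result lines, and flags the patterns visible in the post, namely res:// search-page redirects, a nameless BHO, an O10 Winsock hijack, IE policy restrictions, a service whose file is missing, executables loaded from the Windows directory root, and any HJT entry whose path Panda already reported. The sample input is a constructed subset of the log lines from the post; the Windows directory (`C:\WIN2K`) is taken from the log and passed as a parameter, and the function names are this example's own.

```python
import re

# Constructed sample: a subset of the HijackThis lines from the post above.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WIN2K\jslvz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WIN2K\jslvz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E5EA22AB-4F6B-A697-C966-AD102CC207D9} - C:\WIN2K\iepb.dll
O4 - HKLM\..\Run: [ipfj32.exe] C:\WIN2K\ipfj32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Hijacked Internet access by New.Net
O23 - Service: Workstation NetLogon Service (garbled name) - Unknown owner - C:\WIN2K\netcd32.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: a subset of the Panda ActiveScan lines from the post above.
PANDA_SAMPLE = r"""
Adware:Adware/SearchAid No disinfected C:\WIN2K\iepb.dll
Adware:Adware/SearchAid No disinfected C:\WIN2K\ipfj32.exe
Adware:Adware/EasySearch No disinfected C:\WIN2K\jslvz.dll
Virus:Trj/Downloader.BSU No disinfected C:\WIN2K\netss32.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache5845.tmp[BlackBox.class]
"""

# "R1 - <body>" / "O23 - <body>": section code, then the entry text.
HJT_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# "<detection name> <Disinfected|No disinfected> <path>[<member inside archive>]"
PANDA_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<status>Disinfected|No disinfected)\s+(?P<path>.+?)(?:\[[^\]]*\])?$"
)


def parse_hjt(text):
    """Return a list of (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_panda(text):
    """Map each reported file path (lower-cased, archive member stripped) to (name, status)."""
    hits = {}
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            hits[m.group("path").lower()] = (m.group("name"), m.group("status"))
    return hits


def triage(hjt_entries, panda_hits, windir=r"C:\WIN2K"):
    """Flag HijackThis entries that match the suspicious patterns seen in the post."""
    # An .exe/.dll sitting directly in the Windows directory (not System32) is unusual.
    winroot = re.compile(re.escape(windir) + r"\\[^\\/\s]+\.(?:exe|dll)\b", re.IGNORECASE)
    findings = []
    for section, body in hjt_entries:
        low = body.lower()
        reasons = []
        if section in ("R0", "R1") and "res://" in low:
            reasons.append("browser search/start page redirected to a local res:// resource")
        if section == "R3" and "missing" in low:
            reasons.append("default URLSearchHook removed")
        if section == "O2" and "(no name)" in low:
            reasons.append("BHO registered without a name")
        if section == "O6":
            reasons.append("IE policy restrictions set in the registry")
        if section == "O10":
            reasons.append("Winsock LSP hijack")
        if section == "O23" and "(file missing)" in low:
            reasons.append("service points to a missing file")
        if section in ("O2", "O4", "R0", "R1") and winroot.search(body):
            reasons.append("executable/DLL loaded from the Windows directory root")
        # Cross-reference with the scanner report: same path, already named by Panda.
        for path, (name, status) in panda_hits.items():
            if path in low:
                reasons.append(f"path flagged by Panda as {name} ({status})")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(HJT_SAMPLE), parse_panda(PANDA_SAMPLE)):
        print(f"{f['section']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run on the sample, the script flags eight of the eleven entries and leaves the Acrobat BHO, iTunesHelper and the iPod service alone; the entries that Panda could not disinfect ("No disinfected") are the ones that will reappear after every reboot unless their O4 Run keys and BHO registrations are removed together with the files.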