So far I have run AdAware, Spybot S&D, CW Shredder, Trojan Hunter, and 2 online scanners (Kaspersky and Trend Housecall in safe mode, network connection). I have also run Ewido. Still have a bizarre desktop splash screen that seems to be JAVA controlled.
Below is the Ewido log:
+ Created on: 2:15:20 PM, 6/25/2005
+ Report-Checksum: 5B72A6BD
+ Date of database: 6/25/2005
+ Version of scan engine: v3.0
+ Duration: 50 min
+ Scanned Files: 171807
+ Speed: 56.54 Files/Second
+ Infected files: 87
+ Removed files: 87
+ Files put in quarantine: 87
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
+ Scan result:
C:\WINDOWS\SYSTEM32\lwv.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ms.exe -> TrojanDownloader.Vb.Cw -> Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Erl6A.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Searchx.htm -> Spyware.TwainTech -> Cleaned with backup
C:\WINDOWS\SYSTEM32\YhaJ.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\KfmJ8U3.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Rydo84km.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Bnqw5T.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ATPartners.dll.tcf -> TrojanDownloader.Rameh.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\іеxplore.exe -> Spyware.PurityScan.am -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hookdump.exe -> Trojan.Agent.ep -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Dlv273d8.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\FnpZ1lX.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Ifojyc.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Lppk3f.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\bundles\bs5-vwqouc.exe -> Spyware.BookedSpace.c -> Cleaned with backup
C:\WINDOWS\bundles\32wu54rd.exe.tcf -> TrojanDropper.Small.gt -> Cleaned with backup
C:\WINDOWS\nmvrnx.dat -> TrojanDownloader.Agent.an -> Cleaned with backup
C:\WINDOWS\oqgoid.dat -> TrojanDownloader.Agent.an -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx.tcf -> Spyware.MediaTickets.f -> Cleaned with backup
C:\WINDOWS\stoolbd.dll.tcf -> Spyware.FastLook -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Trojan.Searcher -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll.tcf -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Hijack\backup-20050116-013110-620-Microsoft Windows.RB0 -> TrojanDropper.Inor.cj -> Cleaned with backup
C:\Hijack\backup-20050625-130219-702-Microsoft Windows.RB0 -> TrojanDropper.Inor.cj -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.cy -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Local Settings\Temp\THI752.tmp\preInsMt.exe -> Spyware.BiSpy.q -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Local Settings\Temp\bnnf.exe -> Trojan.Agent.ep -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S140456[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S122915[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@bcentral[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@bannerspace[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@linkexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S119703[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S140456[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@list[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@gostats[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@dcs7sl75d21e5hek6e95sli2p_2u4f[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@bcentral[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@real[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@30848670[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@11274796[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\[email protected][5].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\ntdetect.RB0 -> TrojanDropper.Inor.cj -> Cleaned with backup
D:\Ini system\SYSTEM\H@tKeysH@@k.DLL.tcf -> Not-A-Virus.Tool.Game.HotHook -> Cleaned with backup
::Report End
Below is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:26:55 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\SpywareGuard\sgbhp.exe
C:\ewido\security suite\ewidoctrl.exe
C:\ewido\security suite\ewidoguard.exe
C:\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://lc2.law13.hot.../cgi-bin/login"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Mmilbert\Application Data\Mozilla\Profiles\default\tbrbt0id.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Mmilbert\Application Data\Mozilla\Profiles\default\tbrbt0id.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113054576218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido\security suite\ewidoguard.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
I have not updated the PC to SP2 yet, until I get the system cleaned. Thanks for the assist.
~G~