Things are sort of under control (I think), but I believe I have PS Guard remnants and something that appears to be masquerading as Windows security. There are 3 entries in my Start menu: Set Program Access and Defaults (the one that may be legit), Securty Troubleshooting, and Online Security Center. I'm also getting the flashing exclamation point telling me I have pop-ups, and I'm getting pop-ups for a search2k.net. My homepage is back to Google.
Ran Trend Housecall and it found several instances of JAVA_BYTEVER.A and TROJ_DHIJACH.A but could not remove them.
I know just enough about these kinds of problems to be a danger to myself and my computer.
HijackThis log below. (I've tried to remove the BHO, but it keeps coming back.)
Logfile of HijackThis v1.99.1
Scan saved at 9:46:29 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brad Rudolph\Desktop\HijackThis.exe
O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp93E3.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
ewido log results:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:36:19 PM, 9/18/2005
+ Report-Checksum: DC8C130D
+ Scan result:
[632] C:\WINDOWS\system32\ld8954.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Cookies\brad rudolph@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Cookies\brad [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Cookies\brad [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Local Settings\Temp\Cookies\brad rudolph@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Local Settings\Temp\Cookies\brad [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Local Settings\Temp\Cookies\brad [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Local Settings\Temp\Cookies\brad [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Brad Rudolph\Local Settings\Temp\Cookies\brad [email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\brad [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP524\A0045608.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP524\A0045618.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP524\A0045637.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP524\A0045638.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP524\A0045640.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0045759.dll -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0045780.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0045781.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0045783.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0045799.exe -> Not-A-Virus.Hoax.Renos.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld408E.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld8954.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld8F3E.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldA1CD.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldA1ED.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldA911.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldB443.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldB94D.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldB98C.tmp -> TrojanDownloader.Zlob.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\mscornet.exe -> TrojanDownloader.Zlob.am : Cleaned with backup
::Report End
Thanks in advance for any help, and please let me know what additional information you may need. I did go through all the steps in the "You Must Read This..."; hopefully I did it correctly!