I ran the Ad-aware with the plug-in, and the Ewido scan (the initial HijackThis log was actually post-Ad-aware, VX2 plug-in, Ewido, Trojan hunter, Clean Up, CW Shredder, and Spybot). Here are both logs. Thanks for your help:
Logfile of HijackThis v1.99.1
Scan saved at 3:31:34 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\vudpuyo\jlvlae.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\bwjieei.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\blmogbr.EXE
C:\WINDOWS\System32\gkvj\gqoqnmj.exe
C:\WINDOWS\System32\llwt\exllehp.exe
C:\WINDOWS\System32\jbls\racrf.exe
C:\WINDOWS\System32\emrxjg\ehibrw.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FCEngine\FCEngine.exe
C:\WINDOWS\System32\m?dtc.exe
C:\Program Files\ttrd\arse.exe
C:\DOCUME~1\yreyes\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshuziv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [blmogbr] C:\WINDOWS\blmogbr.EXE
O4 - HKLM\..\Run: [jlvlae] C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O4 - HKLM\..\Run: [gqoqnmj] C:\WINDOWS\System32\gkvj\gqoqnmj.exe
O4 - HKLM\..\Run: [exllehp] C:\WINDOWS\System32\llwt\exllehp.exe
O4 - HKLM\..\Run: [racrf] C:\WINDOWS\System32\jbls\racrf.exe
O4 - HKLM\..\Run: [ehibrw] C:\WINDOWS\System32\emrxjg\ehibrw.exe
O4 - HKLM\..\Run: [fdkkyd] C:\WINDOWS\System32\ghxhcu\fdkkyd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [dwrg] C:\WINDOWS\system32\eywd\dwrg.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [Degeuavj] C:\WINDOWS\System32\m?dtc.exe
O4 - HKCU\..\Run: [Ehwe] C:\Program Files\ttrd\arse.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\Software\..\Telephony: DomainName = Cleanscapedom.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dwrgeywd - Unknown owner - C:\WINDOWS\system32\eywd\dwrg.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: jlvlaevudpuyo - Unknown owner - C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwjieei.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 3:24:40 PM, 9/22/2005
+ Report-Checksum: 1D8CCC50
+ Scan result:
C:\WINDOWS\system32\__delete_on_reboot__aunps2.dll.tcf -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__pkshuziv.dll.tcf -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\yreyes\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\yreyes\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\yreyes\Cookies\yreyes@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100801.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100803.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100805.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100806.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100807.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100810.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100811.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100812.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100813.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100814.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100815.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100816.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100819.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100820.dll -> TrojanDownloader.Small : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100821.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100822.exe -> Backdoor.Lamebot.c : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100823.dll -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100825.exe -> TrojanDownloader.VB.hw : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100826.exe -> Trojan.EliteBar.c : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100827.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100828.dll -> Spyware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100830.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100831.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100832.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100802.exe.tcf -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100804.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100808.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100809.exe.tcf -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100817.exe.tcf -> Spyware.ISearch : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100818.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100824.exe.tcf -> Spyware.ISearch : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100829.dll.tcf -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100854.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100855.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100869.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100870.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100872.exe -> Spyware.MediaMotor : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100880.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100881.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100885.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0093593.exe -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0094582.exe -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0094697.exe -> Trojan.Stervis.h : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0094699.dll -> Trojan.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP591\A0092980.exe -> Spyware.CASClient : Cleaned with backup
::Report End