It was spewing out garbage on port 135, according to my ISP. I've run Sophos, Trend Micro and removed javast.exe, cftmon.exe. HKTL_Hideware.a and HKTL_Pwdump.c were detected as well and presumably fixed.
Eventvwr log was indicating unauthorized visitors on vnc4 (which I use frequently and need). At this stage, when I reboot I consistently get this err msg: "The SMB Locator service failed to start due to the following error: The system cannot find the file specified." Is that because the corrupted javast.exe was nuked?
I'm an inch away from taking the machine down to the bone but thought I'd see what the gurus had to say first.
Two logs included here: 1.99.1 and 1.98.2
Grateful for any suggestion/analysis.
AlexC
Logfile of HijackThis v1.99.1
Scan saved at 3:58:06 PM, on 6/6/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\DIALOGIC\OOC\BIN\NTEVEN~1.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Dialogic\bin\IPMedia.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\DIALOGIC\OOC\BIN\NTNAME~1.EXE
C:\PROGRA~1\Pronexus\VBSalt\NLOGSE~1.EXE
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Vail\Telephony Interface Manager\bin\VailSoap.exe
C:\PROGRA~1\Pronexus\VBSalt\VBVARB~1.EXE
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Vail\Telephony Interface Manager\bin\VailCsta.exe
C:\Program Files\Vail\Telephony Interface Manager\bin\VailTimCall.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\tmp\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcp / ip services] sethcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124141515906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133913138578
O17 - HKLM\System\CCS\Services\Tcpip\..\{325BB0E8-D10E-4AED-A6F5-E026ABFDB0F5}: NameServer = 207.115.64.2,207.115.64.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/salt+html - {407AADC1-FF74-4885-AB6D-67AF452F531A} - C:\Program Files\Microsoft Speech Application SDK 1.1\Client\SaltFilter.dll
O18 - Filter: text/salt+html; charset=utf-8 - {407AADC1-FF74-4885-AB6D-67AF452F531A} - C:\Program Files\Microsoft Speech Application SDK 1.1\Client\SaltFilter.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AnmChannelFactoryServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
O23 - Service: AnmChannelServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
O23 - Service: AnmLoggerServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
O23 - Service: AnmSupplierServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
O23 - Service: CT Bus Broker (CTBusBroker) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
O23 - Service: Dialogic System Service (Dialogic) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
O23 - Service: Dialogic SS7 Service (DlgcS7Srv) - Intel Corporation - C:\PROGRA~1\Dialogic\bin\DlgcS7Srv.exe
O23 - Service: ORBacus Event Service (EventService) - Unknown owner - C:\PROGRA~1\DIALOGIC\OOC\BIN\NTEVEN~1.EXE
O23 - Service: IPLink Media Service (IPMedia) - Intel Corporation - C:\PROGRA~1\Dialogic\bin\IPMedia.exe
O23 - Service: ORBacus Naming Service (NamingService) - Unknown owner - C:\PROGRA~1\DIALOGIC\OOC\BIN\NTNAME~1.EXE
O23 - Service: SMB Locator (NBTHLP) - Unknown owner - C:\WINDOWS\system32\javast.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NLogServer - Pronexus Inc. - C:\PROGRA~1\Pronexus\VBSalt\NLOGSE~1.EXE
O23 - Service: Paraxip Gateway - Unknown owner - C:\Program Files\Paraxip Gateway\bin\paraxip-gateway.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Speechify Voice - US English, Jill, 8kHz (SpfyJill8) - Unknown owner - C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\bin\SpfyJill8.exe" --service --config "C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\config\SWIttsConfig.xml" --config "C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\en-US\jill\jill8.xml" --config "C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\en-US\jill\Ojill8.xml (file missing)
O23 - Service: Speechify Voice - US English, Tom, 8kHz (SpfyTom8) - Unknown owner - C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\bin\SpfyTom8.exe" --service --config "C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\config\SWIttsConfig.xml" --config "C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\en-US\tom\tom8.xml" --config "C:\Program Files\Common Files\SpeechEngines\ScanSoft\Speechify\en-US\tom\Otom8.xml (file missing)
O23 - Service: VailSIPTIMCSTA - Vail Systems, Inc. - C:\Program Files\Vail\Telephony Interface Manager\\bin\VailCsta.exe
O23 - Service: VailSIPTIMSoap - Vail Systems, Inc. - C:\Program Files\Vail\Telephony Interface Manager\\bin\VailSoap.exe
O23 - Service: VailTimCall - Vail Systems, Inc. - C:\Program Files\Vail\Telephony Interface Manager\bin\VailTimCall.exe
O23 - Service: VailTimCallManager - Vail Systems, Inc. - C:\Program Files\Vail\Telephony Interface Manager\bin\VailTimCallManager.exe
O23 - Service: VBVArbiter - Pronexus Inc. - C:\PROGRA~1\Pronexus\VBSalt\VBVARB~1.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
and the 1.98.2 log:
Logfile of HijackThis v1.98.2
Scan saved at 4:06:24 PM, on 6/6/2006
Platform: Unknown Windows (WinNT 5.02.3790 SP1)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\DIALOGIC\OOC\BIN\NTEVEN~1.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Dialogic\bin\IPMedia.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\DIALOGIC\OOC\BIN\NTNAME~1.EXE
C:\PROGRA~1\Pronexus\VBSalt\NLOGSE~1.EXE
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Vail\Telephony Interface Manager\bin\VailSoap.exe
C:\PROGRA~1\Pronexus\VBSalt\VBVARB~1.EXE
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Vail\Telephony Interface Manager\bin\VailCsta.exe
C:\Program Files\Vail\Telephony Interface Manager\bin\VailTimCall.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\tmp\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcp / ip services] sethcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124141515906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133913138578
O17 - HKLM\System\CCS\Services\Tcpip\..\{325BB0E8-D10E-4AED-A6F5-E026ABFDB0F5}: NameServer = 207.115.64.2,207.115.64.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/salt+html - {407AADC1-FF74-4885-AB6D-67AF452F531A} - C:\Program Files\Microsoft Speech Application SDK 1.1\Client\SaltFilter.dll
O18 - Filter: text/salt+html; charset=utf-8 - {407AADC1-FF74-4885-AB6D-67AF452F531A} - C:\Program Files\Microsoft Speech Application SDK 1.1\Client\SaltFilter.dll