Yeah, sorry if I seem consumed by this, I just have more time to be around it on the weekends. Plus, I used to be a programmer and work on computers for a living, so I am REALLY PO'd that I got zapped like this (even if it WAS #2 son's fault while we were in Florida).
Anyway, all through the last list and here are the latest logs - I'll check back before bed. I appreciate your hard work!
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM
ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
AIL DLL 227,104 03-28-05 2:56p ail.dll
NGTOS DLL 227,104 03-28-05 2:56p NGTOS.DLL
UCL DLL 227,104 03-28-05 2:56p UCL.DLL
OSBCTL32 DLL 227,104 03-28-05 2:56p OSBCTL32.DLL
MSVCP70 DLL 487,424 01-05-02 4:40a msvcp70.dll
MSVCR70 DLL 344,064 01-05-02 4:37a msvcr70.dll
7 file(s) 1,740,929 bytes
0 dir(s) 93,552.44 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 3FF9-E9C1
Directory of C:\WINDOWS\SYSTEM
ORG12732 IQT 1,025 08-21-29 5:54p ORG12732.IQT
ATMENUXX GID 10,842 07-29-04 8:03p ATMenuxx.GID
FOLDER HTT 13,122 10-08-99 12:05p folder.htt
DESKTOP INI 266 10-08-99 12:05p desktop.ini
4 file(s) 25,255 bytes
0 dir(s) 93,552.41 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0CB8F13E-CB22-F453-A999-EF2D23CC8C9A}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
org12732.iqt Tue Aug 21 2029 5:54:54p A.SH. 1,025 1.00 K
ail.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ngtos.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
ucl.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
osbctl32.dll Mon Mar 28 2005 2:56:04p ..S.R 227,104 221.78 K
5 items found: 5 files, 0 directories.
Total of file sizes: 909,441 bytes 888.13 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: DefDir=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\winzip32.ini: ExtractTo=C:\WINDOWS\Desktop\QOOLOGIC\
C:\WINDOWS\winzip32.ini: filemenu4=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract10=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"POINTER"="point32.exe"
"CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"HPHmon03"="C:\\WINDOWS\\SYSTEM\\HPHMON03.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"Pop-Up Stopper"=""
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"
"AtiPTA"="Atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
ECHO is off
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\winzip32.ini: DefDir=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\winzip32.ini: ExtractTo=C:\WINDOWS\Desktop\QOOLOGIC\
C:\WINDOWS\winzip32.ini: filemenu4=C:\WINDOWS\Desktop\QOOLOGIC\find_qooligic.zip
C:\WINDOWS\winzip32.ini: extract10=C:\WINDOWS\Desktop\QOOLOGIC
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.522: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
Finished
Logfile of HijackThis v1.99.1
Scan saved at 1:55:15 PM, on 4/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPHIPM09.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Tasktray] C:\PROGRAM FILES\CREATIVE\SBAUDIGY\TASKBAR\CTLTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...311/mcfscan.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab