Thanks for the help! Here's the output file.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Temp\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7
Directory of C:\WINDOWS\System32
12/26/2004 11:15 AM 56 k4620ejoehoc0.dll
12/26/2004 10:11 AM 223,256 m6julg1916.dll
12/25/2004 11:53 PM 224,811 k0nola531d.dll
12/25/2004 11:14 PM 224,811 ag3api.dll
12/25/2004 01:00 AM 223,232 o0rola931d.dll
12/08/2004 03:49 PM 223,896 o4660ejseho60.dll
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 10:04 PM <DIR> Microsoft
03/19/2002 09:27 PM <DIR> dllcache
7 File(s) 1,128,766 bytes
2 Dir(s) 14,836,203,520 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7
Directory of C:\WINDOWS\System32
12/26/2004 11:21 AM 892 vsconfig.xml
12/21/2004 07:30 PM 4,212 zllictbl.dat
08/01/2004 02:02 PM 488 WindowsLogon.manifest
08/01/2004 02:02 PM 488 logonui.exe.manifest
08/01/2004 02:02 PM 749 nwc.cpl.manifest
08/01/2004 02:02 PM 749 cdplayer.exe.manifest
08/01/2004 02:02 PM 749 sapi.cpl.manifest
08/01/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/01/2004 02:02 PM 749 ncpa.cpl.manifest
03/13/2004 01:07 PM 4,212 imlictbl.dat
04/21/2003 04:24 PM 8,704 Thumbs.db
03/19/2002 09:27 PM <DIR> dllcache
11 File(s) 22,741 bytes
1 Dir(s) 14,836,187,136 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7
Directory of C:\WINDOWS\System32
12/26/2004 11:22 AM 223,256 guard.tmp
1 File(s) 223,256 bytes
0 Dir(s) 14,836,170,752 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C is LOCAL DISK
Volume Serial Number is 3678-10D7
Directory of C:\WINDOWS\System32
12/26/2004 11:22 AM 223,256 guard.tmp
05/23/2003 01:15 PM 1,338,880 SET18D.tmp
04/14/2003 09:25 AM 483,840 SET191.tmp
3 File(s) 2,045,976 bytes
0 Dir(s) 14,836,154,368 bytes free
---------------- User Agent ------------
REGEDIT4
; Export of the Internet Settings "Post Platform" key.
; NOTE(review): value names under this key are tokens added to the browser's
; User-Agent string. This log does not identify which software added the bare
; GUID below -- verify its owner before treating it as benign or malicious.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1E03FCAB-9838-463E-9007-1587E2754387}"=""
------------ Keys Under Notify ------------
REGEDIT4
; Export of the Winlogon notification packages. Each subkey names a DLL
; (DllName / DLLName) and maps session events (Logon, Logoff, Startup, ...) to
; function names in that DLL. Because the DLL is loaded by Winlogon, every
; subkey here is an autostart point and should be reviewed.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
; hex(2) is REG_EXPAND_SZ; the bytes decode to "crypt32.dll".
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
; Decodes to "cryptnet.dll".
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
; Decodes to "wlnotify.dll".
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
; Decodes to "sclgntfy.dll".
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
; NOTE(review): ShellScrap is the only subkey in this export whose DllName is an
; absolute path. It points at m6julg1916.dll, one of the random-looking DLLs in
; the System32 listing of this log (223,256 bytes, the same size as guard.tmp;
; the Locate.com entry m6julg~1.dll, apparently its short name, carries the
; System and Read-only attributes). This is consistent with a malicious
; notification package using Winlogon for persistence, and it is the entry in
; this section most worth verifying. Confirm the file's origin before removing
; anything.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m6julg1916.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
; Decodes to "wlnotify.dll".
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM32\
ag3api.dll Sat Dec 25 2004 11:14:14p ..S.R 224,811 219.54 K
vsconfig.xml Sun Dec 26 2004 11:21:58a A..H. 892 0.87 K
zllictbl.dat Tue Dec 21 2004 7:30:48p ...H. 4,212 4.11 K
m6julg~1.dll Sun Dec 26 2004 10:11:40a ..S.R 223,256 218.02 K
o4660e~1.dll Wed Dec 8 2004 3:49:54p ..S.R 223,896 218.65 K
o0rola~1.dll Sat Dec 25 2004 1:00:18a ..S.R 223,232 218.00 K
k0nola~1.dll Sat Dec 25 2004 11:53:14p ..S.R 224,811 219.54 K
k4620e~1.dll Sun Dec 26 2004 11:15:38a ..S.R 56 0.05 K
8 items found: 8 files, 0 directories.
Total of file sizes: 1,125,166 bytes 1.07 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\SYSTEM32\seiuiu.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\xhlmlm.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\iclzlz.dll: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\SYSTEM32\Playboy by Don Diego Screensaver1024.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Screen Saver 4.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo1 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo2 Screen Saver.scr: .aspack
C:\WINDOWS\SYSTEM32\gpwywy.dat: .aspack
C:\WINDOWS\SYSTEM32\qwvovo.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\PerfectFoursome800.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-1.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-2.scr: .aspack
C:\WINDOWS\SYSTEM32\MontecristoSerieV-3.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum Screensaver.scr: .aspack
C:\WINDOWS\SYSTEM32\Montecristo Platinum.scr: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fhkpkp.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
; Export of the machine-wide Run key: each value is a command line started at
; logon for every user. Review each entry for where the executable lives (a full
; path under Program Files, a bare name resolved via the search path, or a temp
; directory) and whether the value name matches the file it starts.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Multi-function Keyboard"="GWHotKey.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"BCWipeTM Startup"="\"C:\\Program Files\\Jetico\\BCWipe\\BCWipeTM.exe\" startup"
"REWARDS NETWORK"="C:\\Program Files\\Rewards Network\\brntray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
; NOTE(review): "aaDisabled" is not a runnable command line; this entry looks
; like it was disabled by overwriting its data -- confirm.
"KazaaBooster"="aaDisabled"
"WheelMouse"="C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"DXDllRegExe"="dxdllreg.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
; NOTE(review): autostart from a user's Local Settings\Temp installer directory
; (8.3 path), inside a folder named 180solutions. An executable that persists
; from a temp directory warrants verification.
"saap"="c:\\docume~1\\atn4mxs\\locals~1\\temp\\is-km362.tmp\\180solutions\\saap.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
; NOTE(review): bare file name with no path; this log does not show where
; SStb.exe resides -- locate the file before judging it.
"SStb.exe"="SStb.exe"
; NOTE(review): the value is named "Narrator" but starts qwvovo.exe, a
; random-looking file in System32 that the Aspack strings section of this log
; also lists. The mismatch between name and target suggests a disguised entry;
; verify before removal.
"Narrator"="C:\\WINDOWS\\system32\\qwvovo.exe"
; hex(2) is REG_EXPAND_SZ; the bytes decode to
; "%systemroot%\system32\dumprep 0 -u".
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"