Here are some logs, if anyone is kind enough to lend a hand:
HJT:
Logfile of HijackThis v1.99.0
Scan saved at 12:33:48 AM, on 12/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vqikiv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Ldee] C:\Documents and Settings\Administrator\Application Data\cttm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
Find-It:
Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\Spyware Removal\Find-It\Find It NT-2K-XP

------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:04 AM               512 NpzW4m.71i
12/31/2004  12:04 AM           253,973 Wab8.exe
12/31/2004  12:04 AM           253,973 Dyf0o5.exe
12/31/2004  12:04 AM           253,973 RvkY0ko.exe
12/31/2004  12:04 AM           253,973 HhmDU5G.exe
12/31/2004  12:04 AM           253,973 MtkN7qy.exe
12/31/2004  12:04 AM           253,973 Jug5W.exe
12/31/2004  12:04 AM           499,733 HacH5X.exe
12/31/2004  12:04 AM           499,733 Qxcn74j.exe
12/31/2004  12:04 AM           499,733 Mzc2.exe
12/30/2004  11:47 PM    <DIR>          dllcache
12/30/2004  05:08 PM           224,966 n2p4lc7q1f.dll
12/30/2004  03:19 PM           224,966 jt8607lse.dll
12/30/2004  03:09 PM           224,966 o8480ihue8480.dll
12/29/2004  04:58 PM           224,966 q6pslg7716.dll
12/29/2004  12:20 PM           222,992 n86qlij518o.dll
12/29/2004  11:18 AM           223,232 mzorc32r.dll
12/29/2004  12:50 AM           223,232 lv8009lme.dll
12/29/2004  12:36 AM           223,372 h04m0ah1ed4.dll
12/29/2004  12:31 AM           223,961 lv2s09f7e.dll
12/22/2004  02:19 PM           389,120 ?hkntfs.exe
09/04/2003  03:20 AM    <DIR>          Microsoft
              20 File(s)      5,429,322 bytes
               2 Dir(s)  85,314,273,280 bytes free

------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:04 AM               512 NpzW4m.71i
12/31/2004  12:04 AM           253,973 Wab8.exe
12/31/2004  12:04 AM           253,973 Dyf0o5.exe
12/31/2004  12:04 AM           253,973 MtkN7qy.exe
12/31/2004  12:04 AM           253,973 HhmDU5G.exe
12/31/2004  12:04 AM           253,973 Jug5W.exe
12/31/2004  12:04 AM           253,973 RvkY0ko.exe
12/31/2004  12:04 AM           499,733 HacH5X.exe
12/31/2004  12:04 AM           499,733 Qxcn74j.exe
12/31/2004  12:04 AM           499,733 Mzc2.exe
12/30/2004  11:47 PM    <DIR>          dllcache
12/22/2004  02:19 PM           389,120 ?hkntfs.exe
09/04/2003  01:57 AM               488 logonui.exe.manifest
09/04/2003  01:57 AM               488 WindowsLogon.manifest
09/04/2003  01:57 AM               749 sapi.cpl.manifest
09/04/2003  01:57 AM               749 ncpa.cpl.manifest
09/04/2003  01:57 AM               749 nwc.cpl.manifest
09/04/2003  01:57 AM               749 wuaucpl.cpl.manifest
09/04/2003  01:57 AM               749 cdplayer.exe.manifest
              18 File(s)      3,417,390 bytes
               1 Dir(s)  85,314,269,184 bytes free

---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:11 AM           224,966 guard.tmp
               1 File(s)        224,966 bytes
               0 Dir(s)  85,314,269,184 bytes free

--------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:11 AM           224,966 guard.tmp
12/29/2004  12:43 AM                 0 ~GLH0014.TMP
03/31/2003  07:00 AM             2,577 CONFIG.TMP
               3 File(s)        227,543 bytes
               0 Dir(s)  85,314,265,088 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2B670ADF-F66B-4E50-A09E-13D39DF8F66D}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o8480ihue8480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\isoaoi.dll: updates.qoologic.com
C:\WINDOWS\system32\liypyl.dll: updates.qoologic.com
C:\WINDOWS\system32\lxzqzl.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\vqikiv.exe: .aspack
C:\WINDOWS\system32\wgavaw.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kfunuk.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"ASUS Probe"="C:\\Program Files\\ASUS Probe\\AsusProb.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Narrator"="C:\\WINDOWS\\System32\\vqikiv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
I do have the Google Toolbar, btw. If anyone needs any other logs (like Spybot, although that doesn't seem to be helpful), I'd be glad to show them.
Thanks!
~Mynnx