Thanks in advance for your help!
HIJACKTHIS LOG
Logfile of HijackThis v1.99.0
Scan saved at 10:11:47 AM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\yriwiw.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\KERB\SideCar.exe
C:\Program Files\Desktop Alert\desktopalert_1768445.exe
C:\KERB\krbcc32s.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\4D\4D_ISURF_6.7\4D WIN Client 6.7.3\4DClient.exe
C:\Documents and Settings\lpetersn\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techtransfer.iastate.edu/
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\System32\wgp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1768445.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideCar.lnk = C:\KERB\SideCar.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\lpetersn\LOCALS~1\Temp\ThereInstallHelper.2.0.2106.0.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iastate.edu
O17 - HKLM\Software\..\Telephony: DomainName = iastate.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1223BB3-88C3-4C97-A4C1-AAD5172BC94C}: NameServer = 129.186.1.200,129.186.140.200,129.186.142.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iastate.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = iastate.edu,ait.iastate.edu,ats.iastate.edu,adp.iastate.edu,vincent.iastate.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iastate.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = iastate.edu,ait.iastate.edu,ats.iastate.edu,adp.iastate.edu,vincent.iastate.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = iastate.edu,ait.iastate.edu,ats.iastate.edu,adp.iastate.edu,vincent.iastate.edu
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: STOPzilla Local Service - Unknown - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
Find It NT-2K-XP OUTPOUT
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\lpetersn\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 98AF-24CF
Directory of C:\WINDOWS\System32
01/12/2005 12:01 PM <DIR> dllcache
12/30/2004 11:03 AM 223,670 guard.tmp
12/30/2004 10:28 AM 223,670 f8j2li1o18.dll
12/30/2004 09:52 AM 223,670 lv2u09f9e.dll
12/30/2004 09:34 AM 223,670 m4ls0e37eh.dll
12/30/2004 09:31 AM 223,548 ktjml7111.dll
12/29/2004 05:29 PM 224,588 lv2o09f3e.dll
11/21/2003 10:06 AM <DIR> Microsoft
6 File(s) 1,342,816 bytes
2 Dir(s) 22,260,121,600 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 98AF-24CF
Directory of C:\WINDOWS\System32
01/12/2005 12:01 PM <DIR> dllcache
11/24/2004 11:31 AM 488 WindowsLogon.manifest
11/24/2004 11:31 AM 488 logonui.exe.manifest
11/24/2004 11:31 AM 749 cdplayer.exe.manifest
11/24/2004 11:31 AM 749 wuaucpl.cpl.manifest
11/24/2004 11:31 AM 749 sapi.cpl.manifest
11/24/2004 11:31 AM 749 ncpa.cpl.manifest
11/24/2004 11:31 AM 749 nwc.cpl.manifest
07/02/2003 01:56 PM <DIR> GroupPolicy
7 File(s) 4,721 bytes
2 Dir(s) 22,260,117,504 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 98AF-24CF
Directory of C:\WINDOWS\System32
12/30/2004 11:03 AM 223,670 guard.tmp
1 File(s) 223,670 bytes
0 Dir(s) 22,260,117,504 bytes free
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 98AF-24CF
Directory of C:\WINDOWS\System32
12/30/2004 11:03 AM 223,670 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 226,247 bytes
0 Dir(s) 22,260,117,504 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03A2F7E7-4B2A-485B-90D2-97DDAF365341}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
cdplay~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
f8j2li~1.dll Thu Dec 30 2004 10:28:56a ..S.R 223,670 218.43 K
guard.tmp Thu Dec 30 2004 11:03:50a ..S.R 223,670 218.43 K
ktjml7~1.dll Thu Dec 30 2004 9:31:46a ..S.R 223,548 218.31 K
logonu~1.man Wed Nov 24 2004 11:31:42a A..HR 488 0.48 K
lv2o09~1.dll Wed Dec 29 2004 5:29:18p ..S.R 224,588 219.32 K
lv2u09~1.dll Thu Dec 30 2004 9:52:06a ..S.R 223,670 218.43 K
m4ls0e~1.dll Thu Dec 30 2004 9:34:12a ..S.R 223,670 218.43 K
ncpacp~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
nwccpl~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
sapicp~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
window~1.man Wed Nov 24 2004 11:31:42a A..HR 488 0.48 K
wuaucp~1.man Wed Nov 24 2004 11:31:34a A..HR 749 0.73 K
13 items found: 13 files, 0 directories.
Total of file sizes: 1,347,537 bytes 1.28 M
-------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\goycyc.dll: updates.qoologic.com
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pwzhzh.exe: updates.qoologic.com
C:\WINDOWS\system32\zboeoe.dll: updates.qoologic.com
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\pav.sig: AsPack
C:\WINDOWS\system32\qbapap.dat: .aspack
C:\WINDOWS\system32\yriwiw.exe: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"NDPS"="C:\\WINDOWS\\System32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"PtLiveUpdate"="C:\\Program Files\\Common Files\\Pumatech Shared\\5.3\\LiveUpdate Client\\PtLUWorker.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"WinGuard Pro"="C:\\WINDOWS\\System32\\wgp.exe"
"Narrator"="C:\\WINDOWS\\System32\\yriwiw.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"sealmon"="C:\\Program Files\\SealedMedia\\sealmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"