
Umonitor dll error



#31
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
How is it running?
  • 0



#32
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Yes, I delete the Ad-Aware files.

It's running so-so. Thank you for asking. If I go to a cell phone manufacturer or carrier site, for example, a pop-up coupon comes up. That's new since we got rid of the original dll error, how weird is that? I can go online once, but then once I log off I can't go on again without restarting the computer (also new quirk since resolving Umonitor error). My biggest problem now, though, is that I can't send e-mail from University of Phoenix, nor sync the classes I teach. I'd blame it on you but I had that problem before deleting the UOP files this morning. ;) I'll take that one up with UOP tech support, though, as I've taken up so, so much of your time already.

I am in such better shape than I was a couple weeks ago. Does it appear from the last log that my system is clean? That dll error or whatever it was left me virtually unable to use the computer. Now I have a few annoyances, but I can live with them.

I'm sure you're lavished with praise all the time, but thank you so much.
:tazz:
  • 0

#33
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Don't apologize. I enjoy doing it. I think your log looks OK. I think I'll have Metallica or admin. or Jonnyrotten read about your problems and see if they can recommend anything. :tazz:
  • 0

#34
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
In HijackThis click Config > Misc Tools > Generate StartUpList

Post the content of the text file that it produces, please.

Regards,

Pieter
  • 0

#35
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Pieter and thank you. Here are the contents. It's weird to me that there is something called Microsoft Works -- haven't had that application in years. Maybe it's a bundling thing with MS Word. Regardless ... thanks again --

StartupList report, 01/06/2005, 2:01:33 PM
StartupList version: 1.52.2
Started from : C:\hijack\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DellTouch = C:\WINDOWS\MMKeybd.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
UpdReg = C:\WINDOWS\Updreg.exe
AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
MMTray = C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
HP SchedIndexer = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
HP AutoIndexer = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
tcactive = C:\Program Files\The Cleaner\tca.exe
tcmonitor = C:\Program Files\The Cleaner\tcm.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Iomega Active Disk = C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=NVDESK32.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate....nloads/outc.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #2: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #3: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #19: C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,988 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#36
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Then reboot and uninstall/re-install the Google Toolbar.

It may have been damaged by the malware. Since it is in your Winsock, that could be interfering with your connection.

Regards,

Pieter
  • 0

#37
mgibson4678

mgibson4678

    New Member

  • Member
  • Pip
  • 5 posts
Hello - I am having the same problem. I have been working for days trying to get rid of the spyware. IT IS VERY FRUSTRATING. Can you help me? Here is my log.


Logfile of HijackThis v1.99.0
Scan saved at 3:12:40 PM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\system32\wvwacv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\NAVAPW32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\unzipped\KillBox\KillBox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\wynonak.POC1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\NAVAPW32.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {1F1DE440-4ECA-11D4-A017-0001031D971F} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://streak.fimc.n...va/cfs31229.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {1227F1FA-F0D0-4FE9-9722-21F65E27A5D0} - http://parissrvr/PAR...n03/Default.cab
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://parissrvr/par...OPM04Client.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {7B8F9A70-2B56-453C-A528-ACC5925B3F7F} - http://parissrvr/PAR...ent/Default.cab
O16 - DPF: {7E2D9D44-BAF0-459A-A0F2-C9E84A23E775} - http://parissrvr/PAR...n03/Default.cab
O16 - DPF: {91FCF3A7-4A78-4130-B7AD-E0F439CB0FF4} - http://parissrvr/PAR...03ClientHF5.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://216.157.26.3/svideo3.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://parissrvr/PAR...INSTaller60.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://parissrvr/par...INSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = POC.local
O17 - HKLM\Software\..\Telephony: DomainName = POC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCF64F4D-68F1-4722-8A4C-EAEA6BD079EB}: Domain = cox-internet.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCF64F4D-68F1-4722-8A4C-EAEA6BD079EB}: NameServer = 10.3.25.212,66.76.2.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = POC.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = POC.local
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
  • 0

#38
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Pieter -- :tazz: I get an error message, "An alarm has gone off on the following monitored item. This means the data within the item has changed. What would you like to do?" The file listed is HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Do I want to examine and edit or ignore and reset the alarm? I'm on a different computer and have just left the error window up for now. Mercy.
  • 0

#39
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
mgibson: Please start your own thread. I just spent 10 minutes looking at your log thinking it belonged to SabresRock and wondered what had happened to her computer. Once you start your thread, we'll help you out. :tazz:
  • 0

#40
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
SR: Other than that alarm going off (it's The Cleaner), how is everything else running? I always allow it to change if it looks harmless.
  • 0



#41
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I don't know how it's running. Once I got that error message I stopped everything to see if I was supposed to edit or ignore. The error window is still up and I am using a different computer -- staring at it in hopes of you telling me what to do. :tazz: So now I will go to the other, choose "ignore," and hope for the best. I think it's fine, though, just the annoyances I mentioned in an earlier post. (I did a double take on mgibson's post, too, as I thought "what in the world have I done now?" ;) Thanks --
  • 0

#42
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Just ignore the alarm or uninstall the cleaner. How has it been running otherwise?
  • 0

#43
Sabres rock

Sabres rock

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Much, much better, thank you. A pop-up now and then but nothing like before. My SpyBlaster even "caught" an attempt yesterday so that seems to be working at last.
  • 0

#44
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Your spyblaster just prevents them from downloading. Do you have something else on there? Try using firefox. I never have had any pop-ups using it. Glad it all worked out and your husband didn't wipe it clean.
  • 0

#45
skeer

skeer

    New Member

  • Member
  • Pip
  • 2 posts
1. from log.txt

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dxprov.dll Wed Jan 5 2005 8:01:38a ..S.R 225,388 220.11 K
C:\WINDOWS\SYSTEM32\fp2203~1.dll Wed Jan 5 2005 8:01:38a ..S.R 225,611 220.32 K
C:\WINDOWS\SYSTEM32\fp8003~1.dll Tue Jan 11 2005 1:51:04p ..S.R 223,537 218.30 K
C:\WINDOWS\SYSTEM32\fplo03~1.dll Tue Jan 4 2005 2:49:34p ..S.R 224,622 219.36 K
C:\WINDOWS\SYSTEM32\irjsl5~1.dll Tue Jan 4 2005 3:02:16p ..S.R 226,004 220.71 K
C:\WINDOWS\SYSTEM32\ktnml7~1.dll Wed Jan 5 2005 9:08:02a ..S.R 222,786 217.56 K
C:\WINDOWS\SYSTEM32\lrnkinfo.dll Wed Jan 5 2005 9:36:56a ..S.R 222,738 217.52 K
C:\WINDOWS\SYSTEM32\o4ns0e~1.dll Tue Jan 11 2005 12:58:08p ..S.R 223,673 218.43 K
C:\WINDOWS\SYSTEM32\skgina.dll Wed Jan 5 2005 9:08:02a ..S.R 225,388 220.11 K
________________________________________________

1,225 items found: 1,225 files (9 H/S), 0 directories.
Total of file sizes: 216,690,438 bytes 206.65 M

Administrator Account = True

--------------------End log---------------------

2. from output.txt

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\hedlundb\Desktop\VX2 Find It\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:48 PM <DIR> dllcache
01/11/2005 01:51 PM 223,537 fp8003lme.dll
01/11/2005 12:58 PM 223,673 o4ns0e57eh.dll
01/05/2005 09:36 AM 222,738 lrnkinfo.dll
01/05/2005 09:08 AM 225,388 skgina.dll
01/05/2005 09:08 AM 222,786 ktnml7511.dll
01/05/2005 08:01 AM 225,388 dxprov.dll
01/05/2005 08:01 AM 225,611 fp2203foe.dll
01/04/2005 03:02 PM 226,004 irjsl5171.dll
01/04/2005 02:49 PM 224,622 fplo0333e.dll
12/12/2004 05:35 PM 554 TBPS.ini
08/11/2004 08:13 AM <DIR> Microsoft
10 File(s) 2,020,301 bytes
2 Dir(s) 31,512,145,920 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:48 PM <DIR> dllcache
01/10/2005 11:32 AM <DIR> vmss
12/29/2004 10:50 AM 4,212 zllictbl.dat
08/22/2004 10:26 AM <DIR> GroupPolicy
08/11/2004 07:56 AM 488 WindowsLogon.manifest
08/11/2004 07:56 AM 488 logonui.exe.manifest
08/11/2004 07:56 AM 749 sapi.cpl.manifest
08/11/2004 07:56 AM 749 ncpa.cpl.manifest
08/11/2004 07:56 AM 749 nwc.cpl.manifest
08/11/2004 07:56 AM 749 wuaucpl.cpl.manifest
08/11/2004 07:56 AM 749 cdplayer.exe.manifest
8 File(s) 8,933 bytes
3 Dir(s) 31,512,141,824 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:32 PM 223,673 guard.tmp
1 File(s) 223,673 bytes
0 Dir(s) 31,512,141,824 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:32 PM 223,673 guard.tmp
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH001a.TMP
07/16/2003 10:19 AM 2,577 CONFIG.TMP
4 File(s) 2,699,210 bytes
0 Dir(s) 31,512,137,728 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D089DB24-DF25-420C-9A3D-BF292F5FAF8B}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4ns0e57eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
dxprov.dll Wed Jan 5 2005 8:01:38a ..S.R 225,388 220.11 K
fp2203~1.dll Wed Jan 5 2005 8:01:38a ..S.R 225,611 220.32 K
fp8003~1.dll Tue Jan 11 2005 1:51:04p ..S.R 223,537 218.30 K
fplo03~1.dll Tue Jan 4 2005 2:49:34p ..S.R 224,622 219.36 K
irjsl5~1.dll Tue Jan 4 2005 3:02:16p ..S.R 226,004 220.71 K
ktnml7~1.dll Wed Jan 5 2005 9:08:02a ..S.R 222,786 217.56 K
lrnkinfo.dll Wed Jan 5 2005 9:36:56a ..S.R 222,738 217.52 K
o4ns0e~1.dll Tue Jan 11 2005 12:58:08p ..S.R 223,673 218.43 K
skgina.dll Wed Jan 5 2005 9:08:02a ..S.R 225,388 220.11 K
tbps.ini Sun Dec 12 2004 5:35:44p ..S.R 554 0.54 K
zllictbl.dat Wed Dec 29 2004 10:50:26a ...H. 4,212 4.11 K

11 items found: 11 files, 0 directories.
Total of file sizes: 2,024,513 bytes 1.93 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\inpeiu.dll: updates.qoologic.com
C:\WINDOWS\system32\lauhlm.exe: updates.qoologic.com
C:\WINDOWS\system32\lquclz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\randreco.exe: .aspack
C:\WINDOWS\system32\vguwvo.exe: .aspack
C:\WINDOWS\system32\wkupwy.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kighkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"ATIModeChange"="Ati2mdxx.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\Integrity Client\\iclient.exe\""
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"Narrator"="C:\\WINDOWS\\System32\\vguwvo.exe"
"PestPatrolCL"="C:\\PROGRA~1\\PESTPA~1\\PestPatrolCL.exe c:\\"
"5sFg3tP"="tweus.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"




3. from vx2.log

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
H323TSP
NavLogon
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{D089DB24-DF25-420C-9A3D-BF292F5FAF8B}


4. No error

5. Yes there is a guard.tmp file.


Thanx for any help you can provide. :tazz:
  • 0





