I have a Trojan. It's called TrojanDownloader.Win32.WinTool.a It's at C:\program files\common files\wintools\wtoolss.exe

All right, thanks to Sentinel, I got rid of the Trojan, however I still have some spyware and weird pop-ups, but ad-aware's found less each time I've run it. Here's my log:

Logfile of HijackThis v1.99.0
Scan saved at 2:52:02 PM, on 12/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Programs\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airamericaradio.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 209.247.51.106 pub106.ezboard.com #2002-07-21 15:46:17
O1 - Hosts: 66.150.2.69 www.dogpile.com #2002-07-21 15:56:11
O1 - Hosts: 64.61.61.200 www.netspace.org #2002-07-22 15:02:07
O1 - Hosts: 198.64.146.110 www.olga.net #2002-07-22 13:48:16
O1 - Hosts: 66.39.8.205 www.slayage.com #2002-07-21 15:55:40
O1 - Hosts: 213.123.214.1 www.tombraiderchronicles.com #2002-07-21 15:56:24
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.2ie.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

OK, I believe we have a solution.

First:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download the attached archive and unzip it to your Desktop. Open the FindIt folder and double click on Find.bat.

Copy the Notepad document that opens (output.txt) and paste it contents in this thread.

Thanks for the help, LoPhat. What attached archive? Here's the DLLCompare log.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\aectres.dll Sun Dec 19 2004 10:54:44p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\bbtsprx2.dll Wed Dec 22 2004 12:42:10p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\fp4s03~1.dll Wed Dec 22 2004 1:16:44p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\fpnm03~1.dll Sat Dec 18 2004 4:34:52p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\fprs03~1.dll Sat Dec 18 2004 1:44:56p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\fqultrep.dll Mon Dec 20 2004 10:33:02a ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\krduzb.dll Mon Dec 20 2004 10:11:38a ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\l82s0i~1.dll Tue Dec 7 2004 4:55:20p ..S.R 223,960 218.71 K
C:\WINDOWS\SYSTEM32\mbrdim.dll Wed Dec 22 2004 1:08:20p ..S.R 223,120 217.89 K
C:\WINDOWS\SYSTEM32\mehtmler.dll Mon Dec 20 2004 10:43:02a ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\mfdrv.dll Wed Dec 22 2004 12:22:36p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\mmrd2x35.dll Wed Dec 22 2004 12:30:50p ..S.R 225,733 220.44 K
C:\WINDOWS\SYSTEM32\mssdk32.dll Sun Jun 6 2004 8:46:36p A.S.. 119 0.11 K
C:\WINDOWS\SYSTEM32\q8nu0i~1.dll Sat Dec 18 2004 9:29:56a ..S.R 224,434 219.17 K
C:\WINDOWS\SYSTEM32\s8880i~1.dll Mon Dec 20 2004 11:48:20p ..S.R 225,733 220.44 K
________________________________________________

1,493 items found: 1,493 files (15 H/S), 0 directories.
Total of file sizes: 281,140,081 bytes 268.11 M

Administrator Account = True

--------------------End log---------------------

Sorry, forgot to attach it -- here it is...

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Amber Andersen\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

12/22/2004 02:08 PM 222,687 guard.tmp
12/22/2004 01:16 PM 225,733 fp4s03h7e.dll
12/22/2004 01:08 PM 223,120 mbrdim.dll
12/22/2004 12:42 PM 225,733 bbtsprx2.dll
12/22/2004 12:30 PM 225,733 MMRD2X35.DLL
12/22/2004 12:22 PM 225,733 mfdrv.dll
12/20/2004 11:48 PM 225,733 s8880ilue8q80.dll
12/20/2004 10:43 AM 225,733 mehtmler.dll
12/20/2004 10:33 AM 225,733 fQultrep.dll
12/20/2004 10:11 AM 225,733 krduzb.dll
12/19/2004 10:54 PM 225,733 aectres.dll
12/18/2004 04:34 PM 225,733 fpnm0351e.dll
12/18/2004 01:44 PM 225,733 fprs0397e.dll
12/18/2004 09:29 AM 224,434 q8nu0i59e8.dll
12/07/2004 04:55 PM 223,960 l82s0if7e82.dll
12/02/2004 08:08 AM <DIR> dllcache
08/09/2004 03:48 PM 9,216 Thumbs.db
06/06/2004 08:46 PM 119 mssdk32.dll
03/09/2003 07:02 PM <DIR> Microsoft
17 File(s) 3,386,599 bytes
2 Dir(s) 292,915,200 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

12/02/2004 08:08 AM <DIR> dllcache
08/09/2004 03:48 PM 9,216 Thumbs.db
06/09/2004 09:49 AM 4,212 zllictbl.dat
04/07/2004 09:13 PM 488 logonui.exe.manifest
04/07/2004 09:13 PM 488 WindowsLogon.manifest
04/07/2004 09:13 PM 749 cdplayer.exe.manifest
04/07/2004 09:13 PM 749 sapi.cpl.manifest
04/07/2004 09:13 PM 749 wuaucpl.cpl.manifest
04/07/2004 09:13 PM 749 ncpa.cpl.manifest
04/07/2004 09:13 PM 749 nwc.cpl.manifest
05/22/2002 11:19 PM 508 ws785863.ocx
09/02/1998 12:35 PM 12,746 folder.htt
11 File(s) 31,403 bytes
1 Dir(s) 292,914,176 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

12/22/2004 02:08 PM 222,687 guard.tmp
1 File(s) 222,687 bytes
0 Dir(s) 292,914,176 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

12/22/2004 02:08 PM 222,687 guard.tmp
1 File(s) 222,687 bytes
0 Dir(s) 292,910,080 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1ACE062C-8F9E-4CD6-97B7-3B84463398B8}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvnu0959e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
aectres.dll Sun Dec 19 2004 10:54:44p ..S.R 225,733 220.44 K
bbtsprx2.dll Wed Dec 22 2004 12:42:10p ..S.R 225,733 220.44 K
fp4s03~1.dll Wed Dec 22 2004 1:16:44p ..S.R 225,733 220.44 K
fpnm03~1.dll Sat Dec 18 2004 4:34:52p ..S.R 225,733 220.44 K
fprs03~1.dll Sat Dec 18 2004 1:44:56p ..S.R 225,733 220.44 K
fqultrep.dll Mon Dec 20 2004 10:33:02a ..S.R 225,733 220.44 K
guard.tmp Wed Dec 22 2004 2:08:50p ..S.R 222,687 217.46 K
krduzb.dll Mon Dec 20 2004 10:11:38a ..S.R 225,733 220.44 K
l82s0i~1.dll Tue Dec 7 2004 4:55:20p ..S.R 223,960 218.71 K
mbrdim.dll Wed Dec 22 2004 1:08:20p ..S.R 223,120 217.89 K
mehtmler.dll Mon Dec 20 2004 10:43:02a ..S.R 225,733 220.44 K
mfdrv.dll Wed Dec 22 2004 12:22:36p ..S.R 225,733 220.44 K
mmrd2x35.dll Wed Dec 22 2004 12:30:50p ..S.R 225,733 220.44 K
q8nu0i~1.dll Sat Dec 18 2004 9:29:56a ..S.R 224,434 219.17 K
s8880i~1.dll Mon Dec 20 2004 11:48:20p ..S.R 225,733 220.44 K

15 items found: 15 files, 0 directories.
Total of file sizes: 3,377,264 bytes 3.22 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"sureshotpopupkiller"="\"C:\\Program Files\\Stop-the-Pop-Up\\stopthepop.exe\" -minimized"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.0\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Print these instructions, then disconnect from the internet until you are finished.

Step 1:
Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Reboot in Safe Mode

Run Killbox.exe and be sure that 'Delete on Reboot' is selected

Select the Folder Icon to the Right of the right of the Address Area and find the following file(s) one at a time:
C:\WINDOWS\SYSTEM32\fp4s03h7e.dll
C:\WINDOWS\SYSTEM32\mbrdim.dll
C:\WINDOWS\SYSTEM32\bbtsprx2.dll
C:\WINDOWS\SYSTEM32\MMRD2X35.DLL
C:\WINDOWS\SYSTEM32\mfdrv.dll
C:\WINDOWS\SYSTEM32\s8880ilue8q80.dll
C:\WINDOWS\SYSTEM32\mehtmler.dll
C:\WINDOWS\SYSTEM32\fQultrep.dll
C:\WINDOWS\SYSTEM32\krduzb.dll
C:\WINDOWS\SYSTEM32\aectres.dll
C:\WINDOWS\SYSTEM32\fpnm0351e.dll
C:\WINDOWS\SYSTEM32\fprs0397e.dll
C:\WINDOWS\SYSTEM32\q8nu0i59e8.dll
C:\WINDOWS\SYSTEM32\l82s0if7e82.dll
C:\Windows\System32\guard.tmp

Note: You can also cut and paste the files listed above if the full path and file name has been specified. Most files are located in C:\Windows\ or C:\Windows\System32\

After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.


Step 2:
Once you have restarted, then...

Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

[code]REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1ACE062C-8F9E-4CD6-97B7-3B84463398B8}"=-


Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Step 3:
We need to use Killbox again to remove one more file...

Run Killbox.exe and be sure that 'Delete on Reboot' is selected

Cut and Paste the follwing file into the address bar in Killbox
C:\Recycler\desktop.ini


Press the delete button on the far right of the address bar

You will get a dialog box asking if you want to reboot
Press 'Yes'
Your computer will reboot and delete the files


Step 4:
Please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HiJackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.
Run HiJackThis again and post a new log in this thread.

I couldn't find guard.tmp. I also couldn't run fixme.reg; it told me it wasn't valid binary script. Other than that, I did everything you said. However, I wasn't sure whether I should stay in safe mode the entire time, so after step 1, I went back to normal. More programs appeared on my desktop overnight.

Logfile of HijackThis v1.99.0
Scan saved at 9:19:09 AM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\ADDEST~1\ADDEST~1.EXE
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\WINDOWS\System32\vqioui.exe
C:\WINDOWS\gvpfqoinlf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Programs\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airamericaradio.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 209.247.51.106 pub106.ezboard.com #2002-07-21 15:46:17
O1 - Hosts: 66.150.2.69 www.dogpile.com #2002-07-21 15:56:11
O1 - Hosts: 64.61.61.200 www.netspace.org #2002-07-22 15:02:07
O1 - Hosts: 198.64.146.110 www.olga.net #2002-07-22 13:48:16
O1 - Hosts: 66.39.8.205 www.slayage.com #2002-07-21 15:55:40
O1 - Hosts: 213.123.214.1 www.tombraiderchronicles.com #2002-07-21 15:56:24
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvxuc32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\gvpfqoinlf.exe] C:\WINDOWS\gvpfqoinlf.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.2ie.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

THere was a typo in my instructions that caused the reg file error; a correct version follows. There are a few things to clean ,then I want to re-check for the VX2 exploit.

First:
Download WinSockFix from here: http://www.softpedia.com/get/Tweak/Network...inSockFix.shtml

Download LSPfix here: »www.cexx.org/lspfix.htm

Launch the Launch LSPFix, and click the "I know what I'm doing" checkbox.
Check all instances of aklsp.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish

Reboot

Check your internet connection and verify that it is working. In rare instances LSPFix may break your connection. If this happens, run WinSockFix to repair it.


Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop



Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvxuc32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\gvpfqoinlf.exe] C:\WINDOWS\gvpfqoinlf.exe

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\VBouncer\ <-- delete entire folder
C:\Program Files\se\ <-- delete entire folder
c:\windows\system32\kalvxuc32.exe
C:\WINDOWS\gvpfqoinlf.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

HiJackThis version 199.0 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis again and post a new log in this thread.


Last:
OK, I believe we have a solution.

First:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download the attached archive and unzip it to your Desktop. Open the FindIt folder and double click on Find.bat.

Copy the Notepad document that opens (output.txt) and paste it contents in this thread.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\gydef.dll Thu Dec 23 2004 1:41:00p ..S.R 223,829 218.58 K
C:\WINDOWS\SYSTEM32\j8n20i~1.dll Thu Dec 23 2004 1:30:04p ..S.R 223,829 218.58 K
C:\WINDOWS\SYSTEM32\jrl025~1.dll Thu Dec 23 2004 1:39:06p ..S.R 222,645 217.43 K
C:\WINDOWS\SYSTEM32\mssdk32.dll Sun Jun 6 2004 8:46:36p A.S.. 119 0.11 K
C:\WINDOWS\SYSTEM32\rbbdyctl.dll Wed Dec 22 2004 11:33:26p ..S.R 222,645 217.43 K
C:\WINDOWS\SYSTEM32\ukeg.dll Wed Dec 22 2004 11:04:22p ..S.R 225,733 220.44 K
________________________________________________

1,489 items found: 1,489 files (6 H/S), 0 directories.
Total of file sizes: 279,541,466 bytes 266.59 M

Administrator Account = True

--------------------End log---------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Amber Andersen\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

12/23/2004 01:40 PM 223,829 gydef.dll
12/23/2004 01:39 PM 222,645 jrl0253mg.dll
12/23/2004 01:30 PM 223,829 j8n20i5oe8.dll
12/22/2004 11:33 PM 222,645 rbbdyctl.dll
12/22/2004 11:04 PM 225,733 ukeg.dll
12/02/2004 08:08 AM <DIR> dllcache
08/09/2004 03:48 PM 9,216 Thumbs.db
06/06/2004 08:46 PM 119 mssdk32.dll
03/09/2003 07:02 PM <DIR> Microsoft
7 File(s) 1,128,016 bytes
2 Dir(s) 78,806,528 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

12/02/2004 08:08 AM <DIR> dllcache
08/09/2004 03:48 PM 9,216 Thumbs.db
06/09/2004 09:49 AM 4,212 zllictbl.dat
04/07/2004 09:13 PM 488 logonui.exe.manifest
04/07/2004 09:13 PM 488 WindowsLogon.manifest
04/07/2004 09:13 PM 749 cdplayer.exe.manifest
04/07/2004 09:13 PM 749 sapi.cpl.manifest
04/07/2004 09:13 PM 749 wuaucpl.cpl.manifest
04/07/2004 09:13 PM 749 ncpa.cpl.manifest
04/07/2004 09:13 PM 749 nwc.cpl.manifest
05/22/2002 11:19 PM 508 ws785863.ocx
09/02/1998 12:35 PM 12,746 folder.htt
11 File(s) 31,403 bytes
1 Dir(s) 78,805,504 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is EC83-DDB0

Directory of C:\WINDOWS\System32

08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
08/03/2004 11:56 PM 1,236,480 OLD20.tmp
06/19/2002 06:39 PM 384 ~GLH0015.TMP
03/13/2001 02:49 PM 2,494 ~GLH000b.TMP
4 File(s) 2,475,838 bytes
0 Dir(s) 78,801,408 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D4EB28EA-0CDA-4956-9348-F41576A338C8}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TaskMon]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j8n20i5oe8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
gydef.dll Thu Dec 23 2004 1:41:00p ..S.R 223,829 218.58 K
j8n20i~1.dll Thu Dec 23 2004 1:30:04p ..S.R 223,829 218.58 K
jrl025~1.dll Thu Dec 23 2004 1:39:06p ..S.R 222,645 217.43 K
rbbdyctl.dll Wed Dec 22 2004 11:33:26p ..S.R 222,645 217.43 K
ukeg.dll Wed Dec 22 2004 11:04:22p ..S.R 225,733 220.44 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,118,681 bytes 1.07 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\isoupo.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\liyzuy.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\lxzmuz.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\installer.exe: .aspack
C:\WINDOWS\SYSTEM32\vqioui.exe: .aspack
C:\WINDOWS\SYSTEM32\wgayua.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kfupgu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"sureshotpopupkiller"="\"C:\\Program Files\\Stop-the-Pop-Up\\stopthepop.exe\" -minimized"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.0\\THGuard.exe\""
"Narrator"="C:\\WINDOWS\\System32\\vqioui.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Logfile of HijackThis v1.99.0
Scan saved at 2:46:56 PM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\vqioui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Programs\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airamericaradio.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 209.247.51.106 pub106.ezboard.com #2002-07-21 15:46:17
O1 - Hosts: 66.150.2.69 www.dogpile.com #2002-07-21 15:56:11
O1 - Hosts: 64.61.61.200 www.netspace.org #2002-07-22 15:02:07
O1 - Hosts: 198.64.146.110 www.olga.net #2002-07-22 13:48:16
O1 - Hosts: 66.39.8.205 www.slayage.com #2002-07-21 15:55:40
O1 - Hosts: 213.123.214.1 www.tombraiderchronicles.com #2002-07-21 15:56:24
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.2ie.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Print these instructions, then disconnect from the internet until you are finished.

Step 1:
This will take a little bit to do so keep track and dont miss any files.

Open Killbox, click the option Replace on Reboot & click the box Use Dummy

You'll see the path to the filename appear in the bottom box.

copy & paste 1 at a time starting.

C:\WINDOWS\SYSTEM32\gydef.dll

into the top box

Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.

This is important, coz if you reboot before you are finished entering all the files, you will have to start over again.

Do the same for this entire list

C:\WINDOWS\SYSTEM32\gydef.dll
C:\WINDOWS\SYSTEM32\jrl0253mg.dll
C:\WINDOWS\SYSTEM32\j8n20i5oe8.dll
C:\WINDOWS\SYSTEM32\rbbdyctl.dll
C:\WINDOWS\SYSTEM32\ukeg.dll
C:\WINDOWS\SYSTEM32\isoupo.dll
C:\WINDOWS\SYSTEM32\liyzuy.dll
C:\WINDOWS\SYSTEM32\lxzmuz.exe
C:\WINDOWS\SYSTEM32\installer.exe
C:\WINDOWS\SYSTEM32\vqioui.exe
C:\WINDOWS\SYSTEM32\wgayua.dat

when these are all done, also add (just in case)

C:\WINDOWS\SYSTEM32\guard.tmp

Ok so a recap of this

1.)Copy a path & file (whole line) from the list here, and paste it to the first line(of killbox)
2.)Check the box 'Use Dummy' & click the Red X (for each File you enter, as it autoclears)
3.)Say "Yes" to first message, and "No" to reboot now(next message)
4.)Repeat for the entire list, and lastly enter C:\WINDOWS\SYSTEM32\guard.tmp as the last file

5.)Reboot, run the DllCompare again and post a new log.

Hopefully that will clear pretty much everything for files, do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:
Once you have restarted, then...

Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop



Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Step 3:
This will take a little bit to do so keep track and dont miss any files.

Open Killbox, click the option Delete on Reboot

You'll see the path to the filename appear in the bottom box.

copy & paste 1 at a time starting.

C:\Recycler\Desktop.ini

into the top box

Click the red X, Say yes to the message box that comes up, then say Yes to the next box asking you to reboot.

Your computer will reboot.

Step 4:
Download WinSOckFix from here:http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Download LSPfix here: »www.cexx.org/lspfix.htm

Launch the Launch LSPFix, and click the "I know what I'm doing" checkbox.
Check all instances of calsp.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish

Reboot

Check your internet connection and verify that it is working. In rare instances LSPFix may break your connection. If this happens, run WinSockFix to repair it.



Step 5:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Close all windows except HijackThis and click Fix checked.

HiJackThis version 199.0 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis again and post a new log in this thread.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\mssdk32.dll Sun Jun 6 2004 8:46:36p A.S.. 119 0.11 K
________________________________________________

1,489 items found: 1,489 files (1 H/S), 0 directories.
Total of file sizes: 278,392,969 bytes 265.50 M

Administrator Account = True

--------------------End log---------------------

I'm getting some error messages when I boot up about one of the dll files I removed. I'm also getting an error about another one not matching or something; it says to insert the windows diskette. Other than that, it's looking pretty good. Thanks for your continued help.

Logfile of HijackThis v1.99.0
Scan saved at 10:08:00 PM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kfupgu.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Programs\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airamericaradio.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 209.247.51.106 pub106.ezboard.com #2002-07-21 15:46:17
O1 - Hosts: 66.150.2.69 www.dogpile.com #2002-07-21 15:56:11
O1 - Hosts: 64.61.61.200 www.netspace.org #2002-07-22 15:02:07
O1 - Hosts: 198.64.146.110 www.olga.net #2002-07-22 13:48:16
O1 - Hosts: 66.39.8.205 www.slayage.com #2002-07-21 15:55:40
O1 - Hosts: 213.123.214.1 www.tombraiderchronicles.com #2002-07-21 15:56:24
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\vqioui.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: kfupgu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.2ie.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Your log is clean.

Can you give me the exact wording on the error messages, including any file names.

THen we can see if they can be eliminated.

well, it seems the errors have disappeared. thanks for all the help!