Views: 9054 | Replies: 70 | Solved
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
"
________________________________________________
1,030 items found: 1,030 files, 0 directories.
Total of file sizes: 179,465,749 bytes 171.15 M
Administrator Account = True
--------------------End log---------------------
When I run Qoologic I get (3) The system cannot find the file specified followed by a Checking system folder.... Please wait , which never seems to finish just as Findit did not finish... Whilst it was running I checked the C:\ drive and opened win.txt and it has
C:\WINNTOLD\system32\lygool.dll
C:\WINNTOLD\system32\iozbbi.dll
C:\WINNTOLD\system32\lzpwwl.ex$ (which I think Trojan remover renamed it .ex$)
C:\WINNTOLD\system32\lzpwwl.exe
These are all followed by updates.qoologic.com
I am going to continue running to see if I can get results from the start.txt and log.txt......
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
When I run Qoologic I get (3) The system cannot find the file specified followed by a Checking system folder.... Please wait , which never seems to finish just as Findit did not finish... Whilst it was running I checked the C:\ drive and opened win.txt and it has:
C:\WINNTOLD\system32\lygool.dll updates.qoologic.com
C:\WINNTOLD\system32\iozbbi.dll updates.qoologic.com
C:\WINNTOLD\system32\lzpwwl.ex$ updates.qoologic.com (which I think Trojan remover renamed it .ex$)
C:\WINNTOLD\system32\lzpwwl.exe updates.qoologic.com
C:\WINNTOLD\system32\viyrre.exe .aspack
C:\WINNTOLD\system32\waqbbw.dat .aspack
C:\WINNTOLD\system32\trjscan.trb .aspack
C:\WINNTOLD\system32\trupd.trb .aspack
C:\WINNTOLD\system32\vyrbv.txt.exe .aspack
C:\WINNTOLD\system32\installer.exe .aspack
I am going to continue running to see if I can get results from the start.txt and log.txt.....
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
Ok, I think I made some more progress, as this time when I ran killbox I killed the viyrrv.exe process first and also deleted entries in hijack and then rebooted. My logs seem to have come back semi-clean this time. Now I don't know if they are going to come back now from browsing the web, but here they are.
Logfile of HijackThis v1.99.0
Scan saved at 5:47:53 PM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
"
________________________________________________
1,030 items found: 1,030 files, 0 directories.
Total of file sizes: 179,435,653 bytes 171.12 M
Administrator Account = True
--------------------End log---------------------
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---
{2BE5D559-30E5-41F7-8335-5D07419E1634}
"Silent Runners.vbs", revision 28, launched at: 17:37
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" [null data]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]
Enabled Scheduled Tasks:
------------------------
"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
I ran housecalls online virus scan and it found these things:
TROJ AGENT.CAC in C:\WINNTOLD\system32\calsp.dll
TROJ NARRATOR.A in C:\WINNTOLD\system32\lzpwwl.exe
It let me delete these two files but we all know that probably doesn't mean much...
I am going to try and kill those two strings with killbox and see what happens.
Do you think it's time for me to run Adaware and Spybot yet?
Btw... I THINK I am really close to slaying this beast as the computer is running MUCH faster and I don't think I am getting any more pop-ups and the icons that used to keep reappearing on the desktop no longer appear. Also I am no longer getting that annoying winlogon.exe needs to restart error and the computer rebooting itself.
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
I went ahead and ran Adaware and it only found two items, which it successfully got rid of (cookies), and then Spybot S&D came back totally CLEAN!!! The HijackThis log is totally clean, and same with dllcompare. The only thing that concerns me now is maybe the VX2 finder:
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---
{2BE5D559-30E5-41F7-8335-5D07419E1634}
I sincerely appreciate all your help thus far, and Daniweb.com is on the top of the list now for me.
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
Here's the most recent silent runner log
"Silent Runners.vbs", revision 28, launched at: 19:44
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" [null data]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]
Enabled Scheduled Tasks:
------------------------
"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Join Date: Feb 2004
Location: Oztralya
Posts: 7,685
Reputation:
Rep Power: 22
Solved Threads: 419
Now that you have finished. Can I have a turn?? I cannot 2nd guess what you are about to do, so, if you want to fix it yourself, you are most welcome. If you need help, you are welcome to that too. It is too difficult (for me at least) to sift through what you have been doing whilst I have been sleeping, then continue on with a fix.
So, you need to decide what to do. I have already twice requested that you do nothing other than what I have asked.
Proud member of ASAP (Alliance of Security analysis Professionals).
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
Originally Posted by crunchie
Now that you have finished. Can I have a turn?? I cannot 2nd guess what you are about to do, so, if you want to fix it yourself, you are most welcome. If you need help, you are welcome to that too. It is too difficult (for me at least) to sift through what you have been doing whilst I have been sleeping, then continue on with a fix.
So, you need to decide what to do. I have already twice requested that you do nothing other than what I have asked.
Crunchie, I understand that I was only supposed to do as instructed but I am under time constraints to get this back to my uncle. I went ahead and searched other threads for similar issues and just followed some instructions from there. I don't think I have done anything bad to make the issue worse as things seem to be clean now and all the logs are coming up clean. Like I said, the Qoologic never finishes so it never generates a log, which was the same issue with find it.
If you are no longer willing to help me because I am trying to help someone out under the time constraints I have, can you at least tell me if you think I'm still infected? I apologize for anything I did.
Join Date: Feb 2004
Location: Oztralya
Posts: 7,685
Reputation:
Rep Power: 22
Solved Threads: 419
Hey, I understand, don't get me wrong. Just look from my side of the fence. You have to realise that not only do I have all the info you have posted to sift through, but I am probably doing a dozen other logs at the same time, here and at other sites. I have a real life too and want to get logs cleaned up as fast as I can too.
I am willing to help, but I cannot 2nd guess what you are doing. I do not want to take the time to write up a set of instructions only to find they are no longer valid because the person it was written for has moved the goal posts.
So, if you are willing to just hold off, I will be able to give you a final clean up procedure.
Just let me know if you have done anything else.