I really need to see that DLL Compare log before we go any further. I am checking with some experts to see if there is a solution. Are you sure it's not working when you click Run Locate.com? It may take a few minutes but you should see "Completed the scan, Click Compare to Continue" in small blue text right in the middle.
C:\DOCUME~1\DANA\Desktop\\locate.com
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the program.
What happens is this comes up with a black screen behind it, and even when I press Ignore it goes away.
After this, there is the Compare part, but there is nothing going on there either.
Ok. First verify that you still have a copy of autoexec.nt in your C:\Windows\Repair folder. If you do not, then don't go any further.
If it is still there go to C:\Windows\System32 and find autoexec.nt and delete it. Now go to C:\Windows\Repair and find the autoexec.nt file that is there. Right click on it and select Copy. Now go to C:\Windows\System32 right click and select Paste.
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\azaq0a~1.dll Sun Apr 28 2002 11:01:18p ..S.R 222,656 217.44 K
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\ditime.dll Sun Dec 12 2004 4:11:38p ..S.R 225,009 219.73 K
C:\WINDOWS\SYSTEM32\e4200e~1.dll Thu Dec 9 2004 2:51:22p ..S.R 223,193 217.96 K
C:\WINDOWS\SYSTEM32\en2ol1~1.dll Tue Jul 2 2002 7:59:14p ..S.R 224,702 219.43 K
C:\WINDOWS\SYSTEM32\en4ol1~1.dll Thu Dec 2 2004 10:41:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\en8ol1~1.dll Thu Dec 2 2004 10:27:30p ..S.R 222,898 217.67 K
C:\WINDOWS\SYSTEM32\ennql1~1.dll Mon Dec 6 2004 1:48:04p ..S.R 226,116 220.82 K
C:\WINDOWS\SYSTEM32\enpol1~1.dll Thu Dec 9 2004 11:00:36a ..S.R 224,540 219.28 K
C:\WINDOWS\SYSTEM32\enpsl1~1.dll Sun Dec 5 2004 9:03:12p ..S.R 223,093 217.86 K
C:\WINDOWS\SYSTEM32\f02mla~1.dll Tue Jul 2 2002 8:29:58p ..S.R 225,201 219.92 K
C:\WINDOWS\SYSTEM32\f0l0la~1.dll Tue Dec 7 2004 4:09:22p ..S.R 226,290 220.98 K
C:\WINDOWS\SYSTEM32\gstkj.dll Thu Nov 18 2004 10:52:54a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\h4n0le~1.dll Mon Apr 29 2002 12:02:30a ..S.R 222,735 217.51 K
C:\WINDOWS\SYSTEM32\hr8805~1.dll Sun Dec 5 2004 6:37:18p ..S.R 222,650 217.43 K
C:\WINDOWS\SYSTEM32\hrn805~1.dll Sun Dec 5 2004 6:46:28p ..S.R 222,635 217.41 K
C:\WINDOWS\SYSTEM32\hrns05~1.dll Sun Dec 5 2004 6:58:40p ..S.R 222,585 217.37 K
C:\WINDOWS\SYSTEM32\hrru05~1.dll Sun Dec 5 2004 9:10:56p ..S.R 222,705 217.48 K
C:\WINDOWS\SYSTEM32\i0nmla~1.dll Sun Dec 5 2004 3:07:38p ..S.R 224,178 218.92 K
C:\WINDOWS\SYSTEM32\i6jqlg~1.dll Sun Dec 12 2004 4:11:38p ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Apr 28 2002 11:01:02p ..S.R 222,710 217.49 K
C:\WINDOWS\SYSTEM32\k4lq0e~1.dll Sun Dec 5 2004 7:04:54p ..S.R 222,475 217.26 K
C:\WINDOWS\SYSTEM32\lv0409~1.dll Sat Dec 4 2004 1:31:06p ..S.R 223,052 217.82 K
C:\WINDOWS\SYSTEM32\lv4m09~1.dll Fri Dec 3 2004 7:44:04p ..S.R 222,899 217.67 K
C:\WINDOWS\SYSTEM32\lvr209~1.dll Mon Dec 6 2004 1:50:30p ..S.R 224,864 219.59 K
C:\WINDOWS\SYSTEM32\o0660a~1.dll Mon Dec 6 2004 10:17:20a ..S.R 223,188 217.96 K
C:\WINDOWS\SYSTEM32\onffilt.dll Fri Dec 3 2004 8:16:08p ..S.R 224,696 219.43 K
C:\WINDOWS\SYSTEM32\pbotowiz.dll Sat Dec 4 2004 1:48:06p ..S.R 222,643 217.42 K
C:\WINDOWS\SYSTEM32\pk8q0a~1.dll Mon Dec 6 2004 1:48:04p ..S.R 224,565 219.30 K
C:\WINDOWS\SYSTEM32\q0860a~1.dll Sun Dec 5 2004 9:17:06p ..S.R 222,548 217.33 K
C:\WINDOWS\SYSTEM32\q0rq0a~1.dll Sun Dec 12 2004 11:26:24a ..S.R 225,009 219.73 K
C:\WINDOWS\SYSTEM32\s0pu0a~1.dll Fri Dec 3 2004 8:08:12p ..S.R 224,300 219.04 K
C:\WINDOWS\SYSTEM32\s0rs0a~1.dll Sun Dec 12 2004 11:19:10a ..S.R 225,209 219.93 K
C:\WINDOWS\SYSTEM32\sllwoa.dll Thu Dec 2 2004 10:41:24p ..S.R 225,272 219.99 K
C:\WINDOWS\SYSTEM32\uwpok.dll Tue Nov 23 2004 2:04:30a A.SH. 56,320 55.00 K
________________________________________________
1,226 items found: 1,226 files (36 H/S), 0 directories.
Total of file sizes: 245,549,899 bytes 234.17 M
User Agent String---
{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}
Logfile of HijackThis v1.98.2
Scan saved at 7:34:36 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Here's the newest HijackThis log, I ran Ad-Aware and Spybot too before doing it.
Logfile of HijackThis v1.98.2
Scan saved at 10:20:33 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Here's the most recent, having run both Ad-Aware and Spybot.
Thanks for the help, I really appreciate it!!!!
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
________________________________________________
1,226 items found: 1,226 files (36 H/S), 0 directories.
Total of file sizes: 245,547,349 bytes 234.17 M
Administrator Account = True
End log
Logfile of HijackThis v1.98.2
Scan saved at 11:06:03 AM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
You posted the find.bat log once already. I thought you were already aware of it. Here's the instruction for that part.
Can you please download the file "Find It.zip" to your desktop from here - http://computercops.biz/zx/Zupe/Fin...%20NT-2K-XP.zip . Unzip the contents to a folder, then open the folder and double-click on Find.bat. It will run for a minute, then produce a log. Please copy and paste that log here.
If you have rebooted since the time when you posted the DLL Compare log and your last hijackthis log I will need to see new logs for those also.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Also, I still keep getting pop-ups... any reason why? Because all I have done is delete the files that I could, I don't know what to do next... please give me detailed instructions as to what to do!! Please, and thank you in advance!!
Since some files were deleted I need to see a DLL Compare log and the find.bat log once again. If you're unsure of the instructions to get these logs please refer to post #8 in this thread.
Just so you know, if I get that information in the next few hours I will post a fix this morning, otherwise you won't see any further instruction from me for about 24 hours.
Logfile of HijackThis v1.98.2
Scan saved at 10:56:40 AM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Xfind Results
Locate.com Results
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
________________________________________________
1,195 items found: 1,195 files (32 H/S), 0 directories.
Total of file sizes: 244,319,918 bytes 233.00 M
Administrator Account = True
End log
Log for VX2.BetterInternet File Finder (msg126)
User Agent String---
{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
________________________________________________
1,194 items found: 1,194 files (32 H/S), 0 directories.
Total of file sizes: 244,095,416 bytes 232.79 M
Administrator Account = True
End log
Logfile of HijackThis v1.98.2
Scan saved at 8:34:59 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Xfind Results
Locate.com Results
C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
e4200e~1.dll Thu Dec 9 2004 2:51:22p ..S.R 223,193 217.96 K
en4ol1~1.dll Thu Dec 2 2004 10:41:24p ..S.R 222,878 217.65 K
en8ol1~1.dll Thu Dec 2 2004 10:27:30p ..S.R 222,898 217.67 K
ennql1~1.dll Mon Dec 6 2004 1:48:04p ..S.R 226,116 220.82 K
enpol1~1.dll Thu Dec 9 2004 11:00:36a ..S.R 224,540 219.28 K
enpsl1~1.dll Sun Dec 5 2004 9:03:12p ..S.R 223,093 217.86 K
f0l0la~1.dll Tue Dec 7 2004 4:09:22p ..S.R 226,290 220.98 K
hr8805~1.dll Sun Dec 5 2004 6:37:18p ..S.R 222,650 217.43 K
hrn805~1.dll Sun Dec 5 2004 6:46:28p ..S.R 222,635 217.41 K
hrns05~1.dll Sun Dec 5 2004 6:58:40p ..S.R 222,585 217.37 K
hrru05~1.dll Sun Dec 5 2004 9:10:56p ..S.R 222,705 217.48 K
i0nmla~1.dll Sun Dec 5 2004 3:07:38p ..S.R 224,178 218.92 K
k4lq0e~1.dll Sun Dec 5 2004 7:04:54p ..S.R 222,475 217.26 K
logonu~1.man Tue Sep 28 2004 8:37:56p A..HR 488 0.48 K
lv0409~1.dll Sat Dec 4 2004 1:31:06p ..S.R 223,052 217.82 K
lv4m09~1.dll Fri Dec 3 2004 7:44:04p ..S.R 222,899 217.67 K
lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
lvr209~1.dll Mon Dec 6 2004 1:50:30p ..S.R 224,864 219.59 K
ncpacp~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
nwccpl~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
o0660a~1.dll Mon Dec 6 2004 10:17:20a ..S.R 223,188 217.96 K
onffilt.dll Fri Dec 3 2004 8:16:08p ..S.R 224,696 219.43 K
pbotowiz.dll Sat Dec 4 2004 1:48:06p ..S.R 222,643 217.42 K
pk8q0a~1.dll Mon Dec 6 2004 1:48:04p ..S.R 224,565 219.30 K
q0860a~1.dll Sun Dec 5 2004 9:17:06p ..S.R 222,548 217.33 K
s0pu0a~1.dll Fri Dec 3 2004 8:08:12p ..S.R 224,300 219.04 K
s0rs0a~1.dll Sun Dec 12 2004 11:19:10a ..S.R 225,209 219.93 K
sapicp~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
sllwoa.dll Thu Dec 2 2004 10:41:24p ..S.R 225,272 219.99 K
window~1.man Tue Sep 28 2004 8:37:56p A..HR 488 0.48 K
wuaucp~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
rvices~1.exe Mon Nov 29 2004 6:03:24a ..SHR 389,120 380.00 K
34 items found: 34 files, 0 directories.
Total of file sizes: 6,210,772 bytes 5.92 M
Next, start Killbox and click on Tools->Delete Temp Files.
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\WINDOWS\SYSTEM32\azaq0al5edq.dll
C:\WINDOWS\SYSTEM32\e4200efmeh2a0.dll
C:\WINDOWS\SYSTEM32\en2ol1f31.dll
C:\WINDOWS\SYSTEM32\en4ol1h31.dll
C:\WINDOWS\SYSTEM32\en8ol1l31.dll
C:\WINDOWS\SYSTEM32\ennql1551.dll
C:\WINDOWS\SYSTEM32\enpol1731.dll
C:\WINDOWS\SYSTEM32\enpsl1771.dll
C:\WINDOWS\SYSTEM32\f02mlaf11d2.dll
C:\WINDOWS\SYSTEM32\f0l0la3m1d.dll
C:\WINDOWS\SYSTEM32\h4n0le5m1h.dll
C:\WINDOWS\SYSTEM32\hr8805lue.dll
C:\WINDOWS\SYSTEM32\hrn8055ue.dll
C:\WINDOWS\SYSTEM32\hrns0557e.dll
C:\WINDOWS\SYSTEM32\hrru0599e.dll
C:\WINDOWS\SYSTEM32\i0nmla511d.dll
C:\WINDOWS\SYSTEM32\k4lq0e35eh.dll
C:\WINDOWS\SYSTEM32\lv0409dqe.dll
C:\WINDOWS\SYSTEM32\lv4m09h1e.dll
C:\WINDOWS\SYSTEM32\lvr2099oe.dll
C:\WINDOWS\SYSTEM32\o0660ajsedo60.dll
C:\WINDOWS\SYSTEM32\onffilt.dll
C:\WINDOWS\SYSTEM32\pbotowiz.dll
C:\WINDOWS\SYSTEM32\pK8q0al5edq.dll
C:\WINDOWS\SYSTEM32\q0860alsedq60.dll
C:\WINDOWS\SYSTEM32\s0pu0a79ed.dll
C:\WINDOWS\SYSTEM32\s0rs0a97ed.dll
C:\WINDOWS\SYSTEM32\sllwoa.dll
C:\WINDOWS\system32\k6lqlg3516.dll
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
When it reboots, please post a new Find.bat log and a new Hijack This log and also a DLL Compare log.
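The helper's workflow in this thread (read a DLLCompare log, map its 8.3 short names such as azaq0a~1.dll to the long names that find.bat's directory listing shows, then check a fresh log after the Killbox pass) can be scripted for triage. The following Python is an added example, not a tool from the thread; the 220–228 KB size band and the "System + Read-only, no Archive" rule are heuristics drawn from this thread's log rather than a general malware signature, and the sample rows are copied from the logs posted above.

```python
"""Triage helpers for DLLCompare-style logs (added example, not from the thread)."""
import os
import re
from dataclasses import dataclass

# One DLLCompare row: path, weekday, month, day, year, h:mm:ss with an a/p suffix,
# a five-position attribute string, byte size with thousands separators, human size.
ROW_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"
    r"\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}[ap]\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s+[\d.]+ [KMG]$"
)
# 8.3 alias stems: up to six characters, a tilde and a number (azaq0a~1).
SHORT_RE = re.compile(r"^(?P<stem>[^~]{1,6})~\d+$")


@dataclass(frozen=True)
class Entry:
    path: str
    attrs: str   # as printed by DLLCompare, e.g. "..S.R" or "A.SH."
    size: int    # bytes

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    # Attribute positions as they appear in this thread's logs:
    # 0 = Archive, 2 = System, 3 = Hidden, 4 = Read-only. Position 1 is never
    # set in the thread's logs, so it is left uninterpreted here (assumption).
    @property
    def archive(self) -> bool:
        return self.attrs[0] == "A"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "S"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "H"

    @property
    def readonly(self) -> bool:
        return self.attrs[4] == "R"


def parse_dllcompare(text: str) -> list[Entry]:
    """Return the file rows of a DLLCompare log; header, rule and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], m["attrs"], int(m["size"].replace(",", ""))))
    return entries


def is_suspect(e: Entry, lo: int = 220_000, hi: int = 228_000) -> bool:
    """Heuristic for the cluster seen in this thread: System + Read-only DLLs without the
    Archive bit, all inside a narrow size band. Files outside the band (the A.SH. entries,
    for instance) are not cleared by this rule; they still need manual review."""
    return (e.name.lower().endswith(".dll") and e.system and e.readonly
            and not e.archive and lo <= e.size <= hi)


def short_name_matches(short: str, long: str) -> bool:
    """True when `short` (an 8.3 alias such as azaq0a~1.dll) could stand for `long`
    (azaq0al5edq.dll). Only the first six characters of the long stem survive in the
    alias, so this is a prefix match: one alias can fit several long names."""
    if short.lower() == long.lower():
        return True
    sstem, sext = os.path.splitext(short)
    lstem, lext = os.path.splitext(long)
    m = SHORT_RE.match(sstem)
    if not m:
        return False
    alias_stem = re.sub(r"[^A-Za-z0-9_]", "", lstem).upper()[:6]
    return m["stem"].upper() == alias_stem and sext[:4].lower() == lext[:4].lower()


def candidate_long_names(short: str, listing: list[str]) -> list[str]:
    """Long names from a directory listing (find.bat output) that `short` could alias."""
    return sorted(n for n in listing if short_name_matches(short, n))


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[str], list[str]]:
    """Names present only in the earlier log (gone) and only in the later one (new)."""
    b = {e.name.lower() for e in before}
    a = {e.name.lower() for e in after}
    return sorted(b - a), sorted(a - b)


# Sample rows copied from the thread's logs (the "before" log) and a constructed
# post-cleanup log in the same format.
BEFORE_LOG = r"""* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\azaq0a~1.dll Sun Apr 28 2002 11:01:18p ..S.R 222,656 217.44 K
C:\WINDOWS\SYSTEM32\gstkj.dll Thu Nov 18 2004 10:52:54a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
________________________________________________
1,226 items found: 1,226 files (36 H/S), 0 directories.
"""
AFTER_LOG = r"""C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
"""
# Long names as find.bat's directory listing shows them (taken from the thread).
DIR_LISTING = ["azaq0al5edq.dll", "lvp0097me.dll", "onffilt.dll", "dgmclien.dll"]

if __name__ == "__main__":
    before, after = parse_dllcompare(BEFORE_LOG), parse_dllcompare(AFTER_LOG)
    for e in before:
        if is_suspect(e):
            print(f"suspect: {e.name:14} {e.attrs} {e.size:>8,} -> {candidate_long_names(e.name, DIR_LISTING)}")
    gone, new = diff_logs(before, after)
    print("gone since last log:", gone)
    print("new since last log: ", new)
```

Running the two logs through diff_logs is the check the helper asks for after every reboot: a name that survives (df32gt.dll here) was not removed, and a new short name (lvp009~1.dll) means the adware re-dropped a file and the delete list has to be regenerated.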
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Apr 28 2002 11:01:02p ..S.R 222,710 217.49 K
C:\WINDOWS\SYSTEM32\lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
________________________________________________
1,166 items found: 1,166 files (4 H/S), 0 directories.
Total of file sizes: 237,830,650 bytes 226.81 M
Administrator Account = True
End log
Logfile of HijackThis v1.98.2
Scan saved at 9:24:41 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/14/2004 10:47 AM 224,581 lvp0097me.dll
12/11/2004 12:18 AM <DIR> Microsoft
12/11/2004 12:06 AM <DIR> dllcache
12/02/2004 11:57 PM 222,878 dgmclien.dll
11/29/2004 06:03 AM 389,120 ??rvices.exe
04/29/2002 12:02 AM 225,260 df32gt.dll
04/28/2002 11:01 PM 222,710 ir00l5dm1.dll
5 File(s) 1,284,549 bytes
2 Dir(s) 36,602,454,016 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/11/2004 12:06 AM <DIR> dllcache
11/29/2004 06:03 AM 389,120 ??rvices.exe
09/28/2004 08:37 PM 488 WindowsLogon.manifest
09/28/2004 08:37 PM 488 logonui.exe.manifest
09/28/2004 08:37 PM 749 sapi.cpl.manifest
09/28/2004 08:37 PM 749 nwc.cpl.manifest
09/28/2004 08:37 PM 749 wuaucpl.cpl.manifest
09/28/2004 08:37 PM 749 cdplayer.exe.manifest
09/28/2004 08:37 PM 749 ncpa.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 36,602,454,016 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
I don't know if the find.bat log is a different one??
Now reboot your computer.
Try to run DLLCompare again.
Start vx2finder, then click on "Click to Find VX2.BetterInternet" and then click "Make Log" and copy and paste the entire contents of the log here.
Also please post a new find.bat log and a new hijackthis log.
Do not use Internet Explorer or reboot your computer until we have completed this fix.
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
RunOnceEx
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}
Logfile of HijackThis v1.98.2
Scan saved at 7:34:36 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Wiley\IHB\ihb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DANA\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
Logfile of HijackThis v1.98.2
Scan saved at 10:20:33 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DANA\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
Thanks for the help, I really appreciate it!!!!
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\azaq0a~1.dll Sun Apr 28 2002 11:01:18p ..S.R 222,656 217.44 K
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\e4200e~1.dll Thu Dec 9 2004 2:51:22p ..S.R 223,193 217.96 K
C:\WINDOWS\SYSTEM32\en2ol1~1.dll Tue Jul 2 2002 7:59:14p ..S.R 224,702 219.43 K
C:\WINDOWS\SYSTEM32\en4ol1~1.dll Thu Dec 2 2004 10:41:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\en8ol1~1.dll Thu Dec 2 2004 10:27:30p ..S.R 222,898 217.67 K
C:\WINDOWS\SYSTEM32\ennql1~1.dll Mon Dec 6 2004 1:48:04p ..S.R 226,116 220.82 K
C:\WINDOWS\SYSTEM32\enpol1~1.dll Thu Dec 9 2004 11:00:36a ..S.R 224,540 219.28 K
C:\WINDOWS\SYSTEM32\enpsl1~1.dll Sun Dec 5 2004 9:03:12p ..S.R 223,093 217.86 K
C:\WINDOWS\SYSTEM32\f02mla~1.dll Tue Jul 2 2002 8:29:58p ..S.R 225,201 219.92 K
C:\WINDOWS\SYSTEM32\f0l0la~1.dll Tue Dec 7 2004 4:09:22p ..S.R 226,290 220.98 K
C:\WINDOWS\SYSTEM32\gstkj.dll Thu Nov 18 2004 10:52:54a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\h4n0le~1.dll Mon Apr 29 2002 12:02:30a ..S.R 222,735 217.51 K
C:\WINDOWS\SYSTEM32\hr8805~1.dll Sun Dec 5 2004 6:37:18p ..S.R 222,650 217.43 K
C:\WINDOWS\SYSTEM32\hrn805~1.dll Sun Dec 5 2004 6:46:28p ..S.R 222,635 217.41 K
C:\WINDOWS\SYSTEM32\hrns05~1.dll Sun Dec 5 2004 6:58:40p ..S.R 222,585 217.37 K
C:\WINDOWS\SYSTEM32\hrru05~1.dll Sun Dec 5 2004 9:10:56p ..S.R 222,705 217.48 K
C:\WINDOWS\SYSTEM32\i0nmla~1.dll Sun Dec 5 2004 3:07:38p ..S.R 224,178 218.92 K
C:\WINDOWS\SYSTEM32\i6jqlg~1.dll Sun Dec 12 2004 4:11:38p ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Apr 28 2002 11:01:02p ..S.R 222,710 217.49 K
C:\WINDOWS\SYSTEM32\k4lq0e~1.dll Sun Dec 5 2004 7:04:54p ..S.R 222,475 217.26 K
C:\WINDOWS\SYSTEM32\k6lqlg~1.dll Mon Dec 13 2004 8:22:04a ..S.R 224,502 219.24 K
C:\WINDOWS\SYSTEM32\lv0409~1.dll Sat Dec 4 2004 1:31:06p ..S.R 223,052 217.82 K
C:\WINDOWS\SYSTEM32\lv4m09~1.dll Fri Dec 3 2004 7:44:04p ..S.R 222,899 217.67 K
C:\WINDOWS\SYSTEM32\lvr209~1.dll Mon Dec 6 2004 1:50:30p ..S.R 224,864 219.59 K
C:\WINDOWS\SYSTEM32\nkdenb32.dll Mon Dec 13 2004 8:22:04a ..S.R 222,966 217.74 K
C:\WINDOWS\SYSTEM32\o0660a~1.dll Mon Dec 6 2004 10:17:20a ..S.R 223,188 217.96 K
C:\WINDOWS\SYSTEM32\onffilt.dll Fri Dec 3 2004 8:16:08p ..S.R 224,696 219.43 K
C:\WINDOWS\SYSTEM32\pbotowiz.dll Sat Dec 4 2004 1:48:06p ..S.R 222,643 217.42 K
C:\WINDOWS\SYSTEM32\pk8q0a~1.dll Mon Dec 6 2004 1:48:04p ..S.R 224,565 219.30 K
C:\WINDOWS\SYSTEM32\q0860a~1.dll Sun Dec 5 2004 9:17:06p ..S.R 222,548 217.33 K
C:\WINDOWS\SYSTEM32\s0pu0a~1.dll Fri Dec 3 2004 8:08:12p ..S.R 224,300 219.04 K
C:\WINDOWS\SYSTEM32\s0rs0a~1.dll Sun Dec 12 2004 11:19:10a ..S.R 225,209 219.93 K
C:\WINDOWS\SYSTEM32\sllwoa.dll Thu Dec 2 2004 10:41:24p ..S.R 225,272 219.99 K
C:\WINDOWS\SYSTEM32\uwpok.dll Tue Nov 23 2004 2:04:30a A.SH. 56,320 55.00 K
________________________________________________
1,226 items found: 1,226 files (36 H/S), 0 directories.
Total of file sizes: 245,547,349 bytes 234.17 M
Administrator Account = True
End log
Logfile of HijackThis v1.98.2
Scan saved at 11:06:03 AM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\DANA\Desktop\VX2Finder(126).exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\DANA\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
IPConfTSP
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}
Can you please download the file "Find It.zip" to your desktop from here - http://computercops.biz/zx/Zupe/Fin...%20NT-2K-XP.zip . Unzip the contents to a folder, then open the folder and double-click on Find.bat. It will run for a minute, then produce a log. Please copy and paste that log here.
If you have rebooted since the time when you posted the DLL Compare log and your last hijackthis log I will need to see new logs for those also.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/12/2004 11:26 AM 224,419 azmparse.dll
12/12/2004 11:26 AM 225,009 q0rq0a95ed.dll
12/12/2004 11:19 AM 225,209 s0rs0a97ed.dll
12/11/2004 09:53 AM 224,419 en26l1fs1.dll
12/11/2004 12:18 AM <DIR> Microsoft
12/11/2004 12:06 AM <DIR> dllcache
12/09/2004 02:51 PM 223,193 e4200efmeh2a0.dll
12/09/2004 11:00 AM 224,540 enpol1731.dll
12/07/2004 04:09 PM 226,290 f0l0la3m1d.dll
12/06/2004 01:50 PM 224,864 lvr2099oe.dll
12/06/2004 01:48 PM 224,565 pK8q0al5edq.dll
12/06/2004 01:48 PM 226,116 ennql1551.dll
12/06/2004 10:17 AM 223,188 o0660ajsedo60.dll
12/05/2004 09:17 PM 222,548 q0860alsedq60.dll
12/05/2004 09:10 PM 222,705 hrru0599e.dll
12/05/2004 09:03 PM 223,093 enpsl1771.dll
12/05/2004 07:04 PM 222,475 k4lq0e35eh.dll
12/05/2004 06:58 PM 222,585 hrns0557e.dll
12/05/2004 06:46 PM 222,635 hrn8055ue.dll
12/05/2004 06:37 PM 222,650 hr8805lue.dll
12/05/2004 03:07 PM 224,178 i0nmla511d.dll
12/05/2004 07:57 AM 11,565 d3tg32.exe
12/04/2004 01:48 PM 222,643 pbotowiz.dll
12/04/2004 01:31 PM 223,052 lv0409dqe.dll
12/03/2004 08:16 PM 224,696 onffilt.dll
12/03/2004 08:08 PM 224,300 s0pu0a79ed.dll
12/03/2004 07:44 PM 222,899 lv4m09h1e.dll
12/02/2004 11:57 PM 222,878 dgmclien.dll
12/02/2004 10:41 PM 225,272 sllwoa.dll
12/02/2004 10:41 PM 222,878 en4ol1h31.dll
12/02/2004 10:27 PM 222,898 en8ol1l31.dll
12/02/2004 02:03 PM 11,573 sdkvj.exe
12/02/2004 10:08 AM 3,347 bekxe.dat
12/02/2004 02:30 AM 29,696 appum.exe
12/01/2004 11:32 PM 3,347 mctiy.log
12/01/2004 04:26 PM 10,829 ievl.exe
12/01/2004 01:33 PM 10,775 winez32.exe
11/30/2004 04:52 PM 10,908 netwv32.exe
11/29/2004 06:03 AM 389,120 ??rvices.exe
11/29/2004 01:38 AM 10,821 winjs32.exe
11/28/2004 02:32 PM 7,305 puzbp.dat
11/27/2004 07:13 PM 11,392 atlar.exe
11/27/2004 06:36 PM 7,305 fefol.dat
11/27/2004 04:55 PM 10,847 atlqy.exe
11/25/2004 04:28 PM 7,305 rmxvl.log
11/23/2004 02:48 PM 29,696 netjr.exe
11/23/2004 02:04 AM 56,320 uwpok.dll
11/21/2004 09:02 AM 11,410 crka.exe
11/21/2004 12:03 AM 7,305 gwike.dat
11/18/2004 11:16 PM 10,890 ipmm.exe
11/18/2004 10:52 AM 56,320 gstkj.dll
11/17/2004 02:19 PM 3,347 qmboa.txt
11/17/2004 01:01 AM 11,213 d3ge32.exe
11/15/2004 06:34 AM 11,170 appip.exe
11/12/2004 10:58 PM 3,347 ivjpj.log
11/12/2004 01:09 PM 29,696 ieha.exe
11/12/2004 09:33 AM 29,696 javace.exe
11/12/2004 08:41 AM 3,347 mjttw.txt
11/09/2004 02:23 PM 7,305 lwtvz.dat
11/05/2004 08:29 AM 3,347 zxsqy.dat
10/28/2004 12:47 AM 7,305 ptlws.txt
07/02/2002 08:29 PM 225,201 f02mlaf11d2.dll
07/02/2002 07:59 PM 224,702 en2ol1f31.dll
06/28/2002 01:32 PM 10,800 addqt32.exe
06/10/2002 06:19 AM 10,958 javaaa.exe
06/07/2002 12:20 PM 11,206 addkn.exe
06/06/2002 11:02 PM 11,373 sdkhk32.exe
06/05/2002 03:54 AM 10,840 crsw.exe
05/15/2002 04:42 PM 3,347 zltnp.log
04/29/2002 12:02 AM 225,260 df32gt.dll
04/29/2002 12:02 AM 222,735 h4n0le5m1h.dll
04/28/2002 11:01 PM 222,656 azaq0al5edq.dll
04/28/2002 11:01 PM 222,710 ir00l5dm1.dll
71 File(s) 8,485,834 bytes
2 Dir(s) 36,630,384,640 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/11/2004 12:06 AM <DIR> dllcache
12/05/2004 07:57 AM 11,565 d3tg32.exe
12/02/2004 02:03 PM 11,573 sdkvj.exe
12/02/2004 10:08 AM 3,347 bekxe.dat
12/02/2004 02:30 AM 29,696 appum.exe
12/01/2004 11:32 PM 3,347 mctiy.log
12/01/2004 04:26 PM 10,829 ievl.exe
12/01/2004 01:33 PM 10,775 winez32.exe
11/30/2004 04:52 PM 10,908 netwv32.exe
11/29/2004 06:03 AM 389,120 ??rvices.exe
11/29/2004 01:38 AM 10,821 winjs32.exe
11/28/2004 02:32 PM 7,305 puzbp.dat
11/27/2004 07:13 PM 11,392 atlar.exe
11/27/2004 06:36 PM 7,305 fefol.dat
11/27/2004 04:55 PM 10,847 atlqy.exe
11/25/2004 04:28 PM 7,305 rmxvl.log
11/23/2004 02:48 PM 29,696 netjr.exe
11/23/2004 02:04 AM 56,320 uwpok.dll
11/21/2004 09:02 AM 11,410 crka.exe
11/21/2004 12:03 AM 7,305 gwike.dat
11/18/2004 11:16 PM 10,890 ipmm.exe
11/18/2004 10:52 AM 56,320 gstkj.dll
11/17/2004 02:19 PM 3,347 qmboa.txt
11/17/2004 01:01 AM 11,213 d3ge32.exe
11/15/2004 06:34 AM 11,170 appip.exe
11/12/2004 10:58 PM 3,347 ivjpj.log
11/12/2004 01:09 PM 29,696 ieha.exe
11/12/2004 09:33 AM 29,696 javace.exe
11/12/2004 08:41 AM 3,347 mjttw.txt
11/09/2004 02:23 PM 7,305 lwtvz.dat
11/05/2004 08:29 AM 3,347 zxsqy.dat
10/28/2004 12:47 AM 7,305 ptlws.txt
09/28/2004 08:37 PM 488 logonui.exe.manifest
09/28/2004 08:37 PM 488 WindowsLogon.manifest
09/28/2004 08:37 PM 749 wuaucpl.cpl.manifest
09/28/2004 08:37 PM 749 nwc.cpl.manifest
09/28/2004 08:37 PM 749 cdplayer.exe.manifest
09/28/2004 08:37 PM 749 sapi.cpl.manifest
09/28/2004 08:37 PM 749 ncpa.cpl.manifest
06/28/2002 01:32 PM 10,800 addqt32.exe
06/10/2002 06:19 AM 10,958 javaaa.exe
06/07/2002 12:20 PM 11,206 addkn.exe
06/06/2002 11:02 PM 11,373 sdkhk32.exe
06/05/2002 03:54 AM 10,840 crsw.exe
05/15/2002 04:42 PM 3,347 zltnp.log
44 File(s) 881,094 bytes
1 Dir(s) 36,630,376,448 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
08/18/2001 04:00 AM 2,577 CONFIG.TMP
2 File(s) 1,239,057 bytes
0 Dir(s) 36,630,376,448 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en26l1fs1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
Xfind Results
Locate.com Results
12/02/2004 02:03 PM 11,573 sdkvj.exe
12/02/2004 10:08 AM 3,347 bekxe.dat
12/02/2004 02:30 AM 29,696 appum.exe
12/01/2004 11:32 PM 3,347 mctiy.log
12/01/2004 04:26 PM 10,829 ievl.exe
12/01/2004 01:33 PM 10,775 winez32.exe
11/30/2004 04:52 PM 10,908 netwv32.exe
11/29/2004 06:03 AM 389,120 ??rvices.exe
11/29/2004 01:38 AM 10,821 winjs32.exe
11/28/2004 02:32 PM 7,305 puzbp.dat
11/27/2004 07:13 PM 11,392 atlar.exe
11/27/2004 06:36 PM 7,305 fefol.dat
11/27/2004 04:55 PM 10,847 atlqy.exe
11/25/2004 04:28 PM 7,305 rmxvl.log
11/23/2004 02:48 PM 29,696 netjr.exe
11/23/2004 02:04 AM 56,320 uwpok.dll
11/21/2004 09:02 AM 11,410 crka.exe
11/21/2004 12:03 AM 7,305 gwike.dat
11/18/2004 11:16 PM 10,890 ipmm.exe
11/18/2004 10:52 AM 56,320 gstkj.dll
11/17/2004 02:19 PM 3,347 qmboa.txt
11/17/2004 01:01 AM 11,213 d3ge32.exe
11/15/2004 06:34 AM 11,170 appip.exe
11/12/2004 10:58 PM 3,347 ivjpj.log
11/12/2004 01:09 PM 29,696 ieha.exe
11/12/2004 09:33 AM 29,696 javace.exe
11/12/2004 08:41 AM 3,347 mjttw.txt
11/09/2004 02:23 PM 7,305 lwtvz.dat
11/05/2004 08:29 AM 3,347 zxsqy.dat
10/28/2004 12:47 AM 7,305 ptlws.txt
06/28/2002 01:32 PM 10,800 addqt32.exe
06/10/2002 06:19 AM 10,958 javaaa.exe
06/07/2002 12:20 PM 11,206 addkn.exe
06/06/2002 11:02 PM 11,373 sdkhk32.exe
06/05/2002 03:54 AM 10,840 crsw.exe
05/15/2002 04:42 PM 3,347 zltnp.log
Those files are all bad.
appum.exe
12/01/2004 04:26 PM 10,829 ievl.exe
12/01/2004 01:33 PM 10,775 winez32.exe
11/30/2004 04:52 PM 10,908 netwv32.exe
11/29/2004 06:03 AM 389,120 ??rvices.exe
12/01/2004 11:32 PM 3,347 mctiy.log
11/27/2004 07:13 PM 11,392 atlar.exe
11/27/2004 06:36 PM 7,305 fefol.dat
11/27/2004 04:55 PM 10,847 atlqy.exe
11/23/2004 02:48 PM 29,696 netjr.exe
11/18/2004 11:16 PM 10,890 ipmm.exe
11/12/2004 01:09 PM 29,696 ieha.exe
11/12/2004 09:33 AM 29,696 javace.exe
06/05/2002 03:54 AM 10,840 crsw.exe
http://www.short-media.com/forum/showpost.php?p=220541&postcount=8
Just so you know, if I get that information in the next few hours I will post a fix this morning, otherwise you won't see any further instruction from me for about 24 hours.
Scan saved at 10:56:40 AM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCGUIDE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\DANA\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\azaq0a~1.dll Sun Apr 28 2002 11:01:18p ..S.R 222,656 217.44 K
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\e4200e~1.dll Thu Dec 9 2004 2:51:22p ..S.R 223,193 217.96 K
C:\WINDOWS\SYSTEM32\en2ol1~1.dll Tue Jul 2 2002 7:59:14p ..S.R 224,702 219.43 K
C:\WINDOWS\SYSTEM32\en4ol1~1.dll Thu Dec 2 2004 10:41:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\en8ol1~1.dll Thu Dec 2 2004 10:27:30p ..S.R 222,898 217.67 K
C:\WINDOWS\SYSTEM32\ennql1~1.dll Mon Dec 6 2004 1:48:04p ..S.R 226,116 220.82 K
C:\WINDOWS\SYSTEM32\enpol1~1.dll Thu Dec 9 2004 11:00:36a ..S.R 224,540 219.28 K
C:\WINDOWS\SYSTEM32\enpsl1~1.dll Sun Dec 5 2004 9:03:12p ..S.R 223,093 217.86 K
C:\WINDOWS\SYSTEM32\f02mla~1.dll Tue Jul 2 2002 8:29:58p ..S.R 225,201 219.92 K
C:\WINDOWS\SYSTEM32\f0l0la~1.dll Tue Dec 7 2004 4:09:22p ..S.R 226,290 220.98 K
C:\WINDOWS\SYSTEM32\h4n0le~1.dll Mon Apr 29 2002 12:02:30a ..S.R 222,735 217.51 K
C:\WINDOWS\SYSTEM32\hr8805~1.dll Sun Dec 5 2004 6:37:18p ..S.R 222,650 217.43 K
C:\WINDOWS\SYSTEM32\hrn805~1.dll Sun Dec 5 2004 6:46:28p ..S.R 222,635 217.41 K
C:\WINDOWS\SYSTEM32\hrns05~1.dll Sun Dec 5 2004 6:58:40p ..S.R 222,585 217.37 K
C:\WINDOWS\SYSTEM32\hrru05~1.dll Sun Dec 5 2004 9:10:56p ..S.R 222,705 217.48 K
C:\WINDOWS\SYSTEM32\i0nmla~1.dll Sun Dec 5 2004 3:07:38p ..S.R 224,178 218.92 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Apr 28 2002 11:01:02p ..S.R 222,710 217.49 K
C:\WINDOWS\SYSTEM32\k4lq0e~1.dll Sun Dec 5 2004 7:04:54p ..S.R 222,475 217.26 K
C:\WINDOWS\SYSTEM32\lv0409~1.dll Sat Dec 4 2004 1:31:06p ..S.R 223,052 217.82 K
C:\WINDOWS\SYSTEM32\lv4m09~1.dll Fri Dec 3 2004 7:44:04p ..S.R 222,899 217.67 K
C:\WINDOWS\SYSTEM32\lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
C:\WINDOWS\SYSTEM32\lvr209~1.dll Mon Dec 6 2004 1:50:30p ..S.R 224,864 219.59 K
C:\WINDOWS\SYSTEM32\o0660a~1.dll Mon Dec 6 2004 10:17:20a ..S.R 223,188 217.96 K
C:\WINDOWS\SYSTEM32\onffilt.dll Fri Dec 3 2004 8:16:08p ..S.R 224,696 219.43 K
C:\WINDOWS\SYSTEM32\pbotowiz.dll Sat Dec 4 2004 1:48:06p ..S.R 222,643 217.42 K
C:\WINDOWS\SYSTEM32\pk8q0a~1.dll Mon Dec 6 2004 1:48:04p ..S.R 224,565 219.30 K
C:\WINDOWS\SYSTEM32\q0860a~1.dll Sun Dec 5 2004 9:17:06p ..S.R 222,548 217.33 K
C:\WINDOWS\SYSTEM32\s0pu0a~1.dll Fri Dec 3 2004 8:08:12p ..S.R 224,300 219.04 K
C:\WINDOWS\SYSTEM32\s0rs0a~1.dll Sun Dec 12 2004 11:19:10a ..S.R 225,209 219.93 K
C:\WINDOWS\SYSTEM32\sllwoa.dll Thu Dec 2 2004 10:41:24p ..S.R 225,272 219.99 K
________________________________________________
1,195 items found: 1,195 files (32 H/S), 0 directories.
Total of file sizes: 244,319,918 bytes 233.00 M
Administrator Account = True
End log
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
Setup
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\azaq0a~1.dll Sun Apr 28 2002 11:01:18p ..S.R 222,656 217.44 K
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\e4200e~1.dll Thu Dec 9 2004 2:51:22p ..S.R 223,193 217.96 K
C:\WINDOWS\SYSTEM32\en2ol1~1.dll Tue Jul 2 2002 7:59:14p ..S.R 224,702 219.43 K
C:\WINDOWS\SYSTEM32\en4ol1~1.dll Thu Dec 2 2004 10:41:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\en8ol1~1.dll Thu Dec 2 2004 10:27:30p ..S.R 222,898 217.67 K
C:\WINDOWS\SYSTEM32\ennql1~1.dll Mon Dec 6 2004 1:48:04p ..S.R 226,116 220.82 K
C:\WINDOWS\SYSTEM32\enpol1~1.dll Thu Dec 9 2004 11:00:36a ..S.R 224,540 219.28 K
C:\WINDOWS\SYSTEM32\enpsl1~1.dll Sun Dec 5 2004 9:03:12p ..S.R 223,093 217.86 K
C:\WINDOWS\SYSTEM32\f02mla~1.dll Tue Jul 2 2002 8:29:58p ..S.R 225,201 219.92 K
C:\WINDOWS\SYSTEM32\f0l0la~1.dll Tue Dec 7 2004 4:09:22p ..S.R 226,290 220.98 K
C:\WINDOWS\SYSTEM32\h4n0le~1.dll Mon Apr 29 2002 12:02:30a ..S.R 222,735 217.51 K
C:\WINDOWS\SYSTEM32\hr8805~1.dll Sun Dec 5 2004 6:37:18p ..S.R 222,650 217.43 K
C:\WINDOWS\SYSTEM32\hrn805~1.dll Sun Dec 5 2004 6:46:28p ..S.R 222,635 217.41 K
C:\WINDOWS\SYSTEM32\hrns05~1.dll Sun Dec 5 2004 6:58:40p ..S.R 222,585 217.37 K
C:\WINDOWS\SYSTEM32\hrru05~1.dll Sun Dec 5 2004 9:10:56p ..S.R 222,705 217.48 K
C:\WINDOWS\SYSTEM32\i0nmla~1.dll Sun Dec 5 2004 3:07:38p ..S.R 224,178 218.92 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Apr 28 2002 11:01:02p ..S.R 222,710 217.49 K
C:\WINDOWS\SYSTEM32\k4lq0e~1.dll Sun Dec 5 2004 7:04:54p ..S.R 222,475 217.26 K
C:\WINDOWS\SYSTEM32\lv0409~1.dll Sat Dec 4 2004 1:31:06p ..S.R 223,052 217.82 K
C:\WINDOWS\SYSTEM32\lv4m09~1.dll Fri Dec 3 2004 7:44:04p ..S.R 222,899 217.67 K
C:\WINDOWS\SYSTEM32\lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
C:\WINDOWS\SYSTEM32\lvr209~1.dll Mon Dec 6 2004 1:50:30p ..S.R 224,864 219.59 K
C:\WINDOWS\SYSTEM32\o0660a~1.dll Mon Dec 6 2004 10:17:20a ..S.R 223,188 217.96 K
C:\WINDOWS\SYSTEM32\onffilt.dll Fri Dec 3 2004 8:16:08p ..S.R 224,696 219.43 K
C:\WINDOWS\SYSTEM32\pbotowiz.dll Sat Dec 4 2004 1:48:06p ..S.R 222,643 217.42 K
C:\WINDOWS\SYSTEM32\pk8q0a~1.dll Mon Dec 6 2004 1:48:04p ..S.R 224,565 219.30 K
C:\WINDOWS\SYSTEM32\q0860a~1.dll Sun Dec 5 2004 9:17:06p ..S.R 222,548 217.33 K
C:\WINDOWS\SYSTEM32\s0pu0a~1.dll Fri Dec 3 2004 8:08:12p ..S.R 224,300 219.04 K
C:\WINDOWS\SYSTEM32\s0rs0a~1.dll Sun Dec 12 2004 11:19:10a ..S.R 225,209 219.93 K
C:\WINDOWS\SYSTEM32\sllwoa.dll Thu Dec 2 2004 10:41:24p ..S.R 225,272 219.99 K
________________________________________________
1,194 items found: 1,194 files (32 H/S), 0 directories.
Total of file sizes: 244,095,416 bytes 232.79 M
Administrator Account = True
End log
Logfile of HijackThis v1.98.2
Scan saved at 8:34:59 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCGUIDE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\DANA\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/14/2004 10:47 AM 224,581 lvp0097me.dll
12/12/2004 11:19 AM 225,209 s0rs0a97ed.dll
12/11/2004 12:18 AM <DIR> Microsoft
12/11/2004 12:06 AM <DIR> dllcache
12/09/2004 02:51 PM 223,193 e4200efmeh2a0.dll
12/09/2004 11:00 AM 224,540 enpol1731.dll
12/07/2004 04:09 PM 226,290 f0l0la3m1d.dll
12/06/2004 01:50 PM 224,864 lvr2099oe.dll
12/06/2004 01:48 PM 224,565 pK8q0al5edq.dll
12/06/2004 01:48 PM 226,116 ennql1551.dll
12/06/2004 10:17 AM 223,188 o0660ajsedo60.dll
12/05/2004 09:17 PM 222,548 q0860alsedq60.dll
12/05/2004 09:10 PM 222,705 hrru0599e.dll
12/05/2004 09:03 PM 223,093 enpsl1771.dll
12/05/2004 07:04 PM 222,475 k4lq0e35eh.dll
12/05/2004 06:58 PM 222,585 hrns0557e.dll
12/05/2004 06:46 PM 222,635 hrn8055ue.dll
12/05/2004 06:37 PM 222,650 hr8805lue.dll
12/05/2004 03:07 PM 224,178 i0nmla511d.dll
12/04/2004 01:48 PM 222,643 pbotowiz.dll
12/04/2004 01:31 PM 223,052 lv0409dqe.dll
12/03/2004 08:16 PM 224,696 onffilt.dll
12/03/2004 08:08 PM 224,300 s0pu0a79ed.dll
12/03/2004 07:44 PM 222,899 lv4m09h1e.dll
12/02/2004 11:57 PM 222,878 dgmclien.dll
12/02/2004 10:41 PM 225,272 sllwoa.dll
12/02/2004 10:41 PM 222,878 en4ol1h31.dll
12/02/2004 10:27 PM 222,898 en8ol1l31.dll
11/29/2004 06:03 AM 389,120 ??rvices.exe
07/02/2002 08:29 PM 225,201 f02mlaf11d2.dll
07/02/2002 07:59 PM 224,702 en2ol1f31.dll
04/29/2002 12:02 AM 225,260 df32gt.dll
04/29/2002 12:02 AM 222,735 h4n0le5m1h.dll
04/28/2002 11:01 PM 222,656 azaq0al5edq.dll
04/28/2002 11:01 PM 222,710 ir00l5dm1.dll
33 File(s) 7,549,315 bytes
2 Dir(s) 36,573,900,800 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/11/2004 12:06 AM <DIR> dllcache
11/29/2004 06:03 AM 389,120 ??rvices.exe
09/28/2004 08:37 PM 488 WindowsLogon.manifest
09/28/2004 08:37 PM 488 logonui.exe.manifest
09/28/2004 08:37 PM 749 sapi.cpl.manifest
09/28/2004 08:37 PM 749 nwc.cpl.manifest
09/28/2004 08:37 PM 749 wuaucpl.cpl.manifest
09/28/2004 08:37 PM 749 cdplayer.exe.manifest
09/28/2004 08:37 PM 749 ncpa.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 36,573,896,704 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
08/18/2001 04:00 AM 2,577 CONFIG.TMP
2 File(s) 1,239,057 bytes
0 Dir(s) 36,573,892,608 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k6lqlg3516.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
Xfind Results
Locate.com Results
C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
e4200e~1.dll Thu Dec 9 2004 2:51:22p ..S.R 223,193 217.96 K
en4ol1~1.dll Thu Dec 2 2004 10:41:24p ..S.R 222,878 217.65 K
en8ol1~1.dll Thu Dec 2 2004 10:27:30p ..S.R 222,898 217.67 K
ennql1~1.dll Mon Dec 6 2004 1:48:04p ..S.R 226,116 220.82 K
enpol1~1.dll Thu Dec 9 2004 11:00:36a ..S.R 224,540 219.28 K
enpsl1~1.dll Sun Dec 5 2004 9:03:12p ..S.R 223,093 217.86 K
f0l0la~1.dll Tue Dec 7 2004 4:09:22p ..S.R 226,290 220.98 K
hr8805~1.dll Sun Dec 5 2004 6:37:18p ..S.R 222,650 217.43 K
hrn805~1.dll Sun Dec 5 2004 6:46:28p ..S.R 222,635 217.41 K
hrns05~1.dll Sun Dec 5 2004 6:58:40p ..S.R 222,585 217.37 K
hrru05~1.dll Sun Dec 5 2004 9:10:56p ..S.R 222,705 217.48 K
i0nmla~1.dll Sun Dec 5 2004 3:07:38p ..S.R 224,178 218.92 K
k4lq0e~1.dll Sun Dec 5 2004 7:04:54p ..S.R 222,475 217.26 K
logonu~1.man Tue Sep 28 2004 8:37:56p A..HR 488 0.48 K
lv0409~1.dll Sat Dec 4 2004 1:31:06p ..S.R 223,052 217.82 K
lv4m09~1.dll Fri Dec 3 2004 7:44:04p ..S.R 222,899 217.67 K
lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
lvr209~1.dll Mon Dec 6 2004 1:50:30p ..S.R 224,864 219.59 K
ncpacp~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
nwccpl~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
o0660a~1.dll Mon Dec 6 2004 10:17:20a ..S.R 223,188 217.96 K
onffilt.dll Fri Dec 3 2004 8:16:08p ..S.R 224,696 219.43 K
pbotowiz.dll Sat Dec 4 2004 1:48:06p ..S.R 222,643 217.42 K
pk8q0a~1.dll Mon Dec 6 2004 1:48:04p ..S.R 224,565 219.30 K
q0860a~1.dll Sun Dec 5 2004 9:17:06p ..S.R 222,548 217.33 K
s0pu0a~1.dll Fri Dec 3 2004 8:08:12p ..S.R 224,300 219.04 K
s0rs0a~1.dll Sun Dec 12 2004 11:19:10a ..S.R 225,209 219.93 K
sapicp~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
sllwoa.dll Thu Dec 2 2004 10:41:24p ..S.R 225,272 219.99 K
window~1.man Tue Sep 28 2004 8:37:56p A..HR 488 0.48 K
wuaucp~1.man Tue Sep 28 2004 8:37:50p A..HR 749 0.73 K
rvices~1.exe Mon Nov 29 2004 6:03:24a ..SHR 389,120 380.00 K
34 items found: 34 files, 0 directories.
Total of file sizes: 6,210,772 bytes 5.92 M
Download Killbox:
http://www.bleepingcomputer.com/files/killbox.php
Disconnect from the internet.
Next, start Killbox and click on Tools->Delete Temp Files.
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\WINDOWS\SYSTEM32\azaq0al5edq.dll
C:\WINDOWS\SYSTEM32\e4200efmeh2a0.dll
C:\WINDOWS\SYSTEM32\en2ol1f31.dll
C:\WINDOWS\SYSTEM32\en4ol1h31.dll
C:\WINDOWS\SYSTEM32\en8ol1l31.dll
C:\WINDOWS\SYSTEM32\ennql1551.dll
C:\WINDOWS\SYSTEM32\enpol1731.dll
C:\WINDOWS\SYSTEM32\enpsl1771.dll
C:\WINDOWS\SYSTEM32\f02mlaf11d2.dll
C:\WINDOWS\SYSTEM32\f0l0la3m1d.dll
C:\WINDOWS\SYSTEM32\h4n0le5m1h.dll
C:\WINDOWS\SYSTEM32\hr8805lue.dll
C:\WINDOWS\SYSTEM32\hrn8055ue.dll
C:\WINDOWS\SYSTEM32\hrns0557e.dll
C:\WINDOWS\SYSTEM32\hrru0599e.dll
C:\WINDOWS\SYSTEM32\i0nmla511d.dll
C:\WINDOWS\SYSTEM32\k4lq0e35eh.dll
C:\WINDOWS\SYSTEM32\lv0409dqe.dll
C:\WINDOWS\SYSTEM32\lv4m09h1e.dll
C:\WINDOWS\SYSTEM32\lvr2099oe.dll
C:\WINDOWS\SYSTEM32\o0660ajsedo60.dll
C:\WINDOWS\SYSTEM32\onffilt.dll
C:\WINDOWS\SYSTEM32\pbotowiz.dll
C:\WINDOWS\SYSTEM32\pK8q0al5edq.dll
C:\WINDOWS\SYSTEM32\q0860alsedq60.dll
C:\WINDOWS\SYSTEM32\s0pu0a79ed.dll
C:\WINDOWS\SYSTEM32\s0rs0a97ed.dll
C:\WINDOWS\SYSTEM32\sllwoa.dll
C:\WINDOWS\system32\k6lqlg3516.dll
For the files that it either couldn't find or couldn't delete, run Killbox again, but this time put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
When it reboots, please post a new Find.bat log and a new Hijack This log and also a DLL Compare log.
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\df32gt.dll Mon Apr 29 2002 12:02:30a ..S.R 225,260 219.98 K
C:\WINDOWS\SYSTEM32\dgmclien.dll Thu Dec 2 2004 11:57:24p ..S.R 222,878 217.65 K
C:\WINDOWS\SYSTEM32\ir00l5~1.dll Sun Apr 28 2002 11:01:02p ..S.R 222,710 217.49 K
C:\WINDOWS\SYSTEM32\lvp009~1.dll Tue Dec 14 2004 10:47:50a ..S.R 224,581 219.32 K
________________________________________________
1,166 items found: 1,166 files (4 H/S), 0 directories.
Total of file sizes: 237,830,650 bytes 226.81 M
Administrator Account = True
End log
Logfile of HijackThis v1.98.2
Scan saved at 9:24:41 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DANA\Desktop\DllCompare.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DANA\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/14/2004 10:47 AM 224,581 lvp0097me.dll
12/11/2004 12:18 AM <DIR> Microsoft
12/11/2004 12:06 AM <DIR> dllcache
12/02/2004 11:57 PM 222,878 dgmclien.dll
11/29/2004 06:03 AM 389,120 ??rvices.exe
04/29/2002 12:02 AM 225,260 df32gt.dll
04/28/2002 11:01 PM 222,710 ir00l5dm1.dll
5 File(s) 1,284,549 bytes
2 Dir(s) 36,602,454,016 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
12/11/2004 12:06 AM <DIR> dllcache
11/29/2004 06:03 AM 389,120 ??rvices.exe
09/28/2004 08:37 PM 488 WindowsLogon.manifest
09/28/2004 08:37 PM 488 logonui.exe.manifest
09/28/2004 08:37 PM 749 sapi.cpl.manifest
09/28/2004 08:37 PM 749 nwc.cpl.manifest
09/28/2004 08:37 PM 749 wuaucpl.cpl.manifest
09/28/2004 08:37 PM 749 cdplayer.exe.manifest
09/28/2004 08:37 PM 749 ncpa.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 36,602,454,016 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is BC92-9E6E
Directory of C:\WINDOWS\System32
08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
08/18/2001 04:00 AM 2,577 CONFIG.TMP
2 File(s) 1,239,057 bytes
0 Dir(s) 36,602,449,920 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EF19C14C-7AAB-4D42-94DF-9528E34AC1E6}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k6lqlg3516.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
I don't know if the Find.bat log is a different one?