Wilders Security Forums  


Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
 
 
  #1  
May 17th, 2004, 02:47 PM
IanMac
Infrequent Poster
Join Date: May 2004
Posts: 13
Bit of help please

Hey there, I've had this problem for a while and although I can make it go away for up to 10 minutes at a time, it keeps on returning:

My homepage is reset to about:blank but actually shows a site that gives some search page. I also get one of these popups (despite my popup blocker) when I try to visit certain sites (such as this one, I eventually got here via a Google search) and also every time I open IE:

http://vn.msie.cc/popup3.php?pin=1
http://th.msie.cc/index.php?aid=20038

Today I decided to try and get rid of it:
I installed all the latest Windows updates
I ran Spybot (with the newest update)
I ran Ad-Aware (with the newest update and on all the deep-scan options etc. I saw on another thread on here a while back)
I ran HijackThis and 'fixed' the normal files that I fix every time I run it (the .dll files that are followed by (obfuscated) and the corresponding BHO file) - and that, as usual, fixed the problem for about 5 minutes, and then it came back again.

Here's a HijackThis log, and any help would be much appreciated:

Logfile of HijackThis v1.97.7
Scan saved at 19:44:12, on 17/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\Downloaded and Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {ADB37E82-CC5D-4390-A67A-CAB4C5D55A4D} - C:\WINDOWS\System32\hlckcdb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Pro Cam
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\"
O4 - Startup: fix.bat.lnk = C:\fix.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-b3.freeserve.com/Java/cfs31245.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...090.3527430556
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab


normally I'd fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {ADB37E82-CC5D-4390-A67A-CAB4C5D55A4D} - C:\WINDOWS\System32\hlckcdb.dll
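
Added example (not part of the original post, and not HijackThis's own logic): the selection the poster describes, R entries whose res:// URL points into a DLL that is also registered as a BHO, written as a small log correlator. The function name `correlate` is this example's own, and the sample is a subset of lines copied from the log above.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {ADB37E82-CC5D-4390-A67A-CAB4C5D55A4D} - C:\WINDOWS\System32\hlckcdb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
"""

# R0-R3: Internet Explorer start/search page values ("key = value").
R_LINE = re.compile(r"^(R[0-3]) - (?P<key>.+?) = (?P<value>.*)$")
# O2: Browser Helper Objects ("name - {CLSID} - path").
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# res:// URLs embed the path of the module that serves the page.
RES_URL = re.compile(r"res://(?P<module>.+?\.(?:dll|ocx|exe))/", re.IGNORECASE)


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def correlate(log_text):
    """Return one finding per module that is both the target of a res://
    search/start page value (R0-R3) and loaded into IE as a BHO (O2)."""
    r_refs = {}  # module path -> R lines that point into it
    bhos = {}    # module path -> (CLSID, O2 line)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            res = RES_URL.search(m.group("value"))
            if res:
                r_refs.setdefault(norm(res.group("module")), []).append(line)
            continue
        m = BHO_LINE.match(line)
        if m:
            bhos[norm(m.group("path"))] = (m.group("clsid"), line)

    findings = []
    for module, lines in r_refs.items():
        if module in bhos:
            clsid, bho_line = bhos[module]
            findings.append({
                "module": module,
                "bho_clsid": clsid,
                # HijackThis appends this marker to values it had to decode.
                "obfuscated": any(l.endswith("(obfuscated)") for l in lines),
                "entries": lines + [bho_line],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding["module"], finding["bho_clsid"])
        for entry in finding["entries"]:
            print("   ", entry)
```

On the sample it returns one finding holding the same seven lines listed under "normally I'd fix"; the Adobe BHO and the Google toolbar res:// entry are left alone because neither appears on both sides of the correlation.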
  #2  
May 18th, 2004, 07:31 AM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Re: Bit of help please

Hi IanMac,

Follow the instructions here:
http://www.wilderssecurity.com/showp...40&postcount=4
to find and delete the responsible file.

Then update Windows and IE to prevent it from reoccurring.

Then scan with CWShredder and AdAware to clean out the remains.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
  #3  
May 18th, 2004, 08:55 AM
IanMac
Infrequent Poster
Join Date: May 2004
Posts: 13
Re: Bit of help please

thanks very much
I'll get on it now
  #4  
May 18th, 2004, 08:56 AM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Re: Bit of help please

OK. Keep us posted on your progress.

Regards,

Pieter
  #5  
May 18th, 2004, 09:02 AM
IanMac
Infrequent Poster
Join Date: May 2004
Posts: 13
Re: Bit of help please

Quote:
1.Run start.bat and press option 1. 'output.txt' will be created in the folder


--===**'FIND-ALL' VERSION 3, 5/11**===--

18/05/2004
13:58

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (C8F1:45CE) - FS:NTFS clusters:4k
Total: 40 015 953 920 [37G] - Free: 16 176 594 944 [15G]


Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOG.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOG.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADB37E82-CC5D-4390-A67A-CAB4C5D55A4D}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{3E5C2EC7-9F2E-42B0-804C-4F8318090DF9}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{3E5C2EC7-9F2E-42B0-804C-4F8318090DF9}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




----

Logfile of HijackThis v1.97.7
Scan saved at 14:01:00, on 18/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Downloaded and Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {ADB37E82-CC5D-4390-A67A-CAB4C5D55A4D} - C:\WINDOWS\System32\hlckcdb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Pro Cam
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: fix.bat.lnk = C:\fix.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-b3.freeserve.com/Java/cfs31245.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...090.3527430556
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab

---

unfortunately I'm now stuck as I have no idea if it found the hidden dll or not...
  #6  
May 18th, 2004, 09:06 AM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Re: Bit of help please

Yes. It did:

Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\LOG.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOG.DLL +++ File read error

So C:\WINDOWS\System32\LOG.DLL is the one you want to get rid of.

Regards,

Pieter
  #7  
May 18th, 2004, 09:17 AM
IanMac
Infrequent Poster
Join Date: May 2004
Posts: 13
Re: Bit of help please

Righto,
ran the fix, it appeared to work (it seemed happy with itself anyway) and then it rebooted my computer and came up with the following logs.txt file.
I'm now running Ad-Aware (which has found more things than usual) which I'll follow with CWShredder, but when I opened IE to come here, the hijacked homepage was still there - do I need to clean the files in HijackThis one final time or has the fix failed?

Windows XP Detected
Running from C:\
Scanning for bad files in system32 1st pass
File was not found on first Pass.

Scanning for bad files in system32 2nd pass
A file could not be found.

Here is a directory listing to post.

18/08/2001 13:00 68,096 inetpp.dll
18/08/2001 13:00 14,336 inetppui.dll
18/08/2001 13:00 47,616 inetres.dll
18/08/2001 13:00 89,600 cscdll.dll
18/08/2001 13:00 450,560 infosoft.dll
18/08/2001 13:00 144,896 initpki.dll
18/08/2001 13:00 4,096 wuauserv.dll
18/08/2001 13:00 104,448 input.dll
18/08/2001 13:00 69,632 inseng.dll
18/08/2001 13:00 30,720 iologmsg.dll
18/08/2001 13:00 77,312 iphlpapi.dll
18/08/2001 13:00 154,112 ipmontr.dll
18/08/2001 13:00 51,200 cryptsvc.dll
18/08/2001 13:00 318,976 ippromon.dll
18/08/2001 13:00 3,584 iprop.dll
18/08/2001 13:00 4,096 iprtprio.dll
18/08/2001 13:00 169,984 iprtrmgr.dll
18/08/2001 13:00 332,800 ipsecsnp.dll
18/08/2001 13:00 152,576 ipsecsvc.dll
18/08/2001 13:00 364,032 ipsmsnap.dll
18/08/2001 13:00 121,344 ipv6mon.dll
18/08/2001 13:00 83,968 ipxmontr.dll
18/08/2001 13:00 69,120 ipxpromn.dll
18/08/2001 13:00 21,504 ipxrip.dll
18/08/2001 13:00 39,936 ipxrtmgr.dll
18/08/2001 13:00 66,560 ipxsap.dll
18/08/2001 13:00 20,992 ipxwan.dll
18/08/2001 13:00 199,168 ir32_32.dll
18/08/2001 13:00 120,320 ir41_qc.dll
18/08/2001 13:00 338,432 ir41_qcx.dll
18/08/2001 13:00 755,200 ir50_32.dll
18/08/2001 13:00 200,192 ir50_qc.dll
18/08/2001 13:00 183,808 ir50_qcx.dll
18/08/2001 13:00 13,312 irclass.dll
18/08/2001 13:00 77,824 isign32.dll
18/08/2001 13:00 28,672 isrdbg32.dll
18/08/2001 13:00 53,248 cryptnet.dll
18/08/2001 13:00 48,640 cryptext.dll
18/08/2001 13:00 29,184 cryptdll.dll
18/08/2001 13:00 70,144 cryptdlg.dll
18/08/2001 13:00 49,152 ixsso.dll
18/08/2001 13:00 95,744 wuaueng.dll
18/08/2001 13:00 149,019 crtdll.dll
18/08/2001 13:00 161,792 credui.dll
18/08/2001 13:00 14,877 corpol.dll
18/08/2001 13:00 66,560 console.dll
18/08/2001 13:00 362,496 jet500.dll
18/08/2001 13:00 44,544 jgaw400.dll
18/08/2001 13:00 144,896 jgdw400.dll
18/08/2001 13:00 35,840 jgmd400.dll
18/08/2001 13:00 42,496 jgpl400.dll
18/08/2001 13:00 45,568 jgsd400.dll
18/08/2001 13:00 65,536 jgsh400.dll
18/08/2001 13:00 345,600 confmsp.dll
18/08/2001 13:00 47,952 jobexec.dll
18/08/2001 13:00 16,896 wtsapi32.dll
18/08/2001 13:00 147,456 comsnap.dll
18/08/2001 13:00 12,288 jsproxy.dll
18/08/2001 13:00 46,080 wstdecod.dll
18/08/2001 13:00 6,656 KBDAL.DLL
18/08/2001 13:00 5,632 kbdaze.dll
18/08/2001 13:00 5,632 kbdazel.dll
18/08/2001 13:00 6,144 kbdbe.dll
18/08/2001 13:00 6,144 kbdbene.dll
18/08/2001 13:00 5,632 kbdblr.dll
18/08/2001 13:00 6,144 kbdbr.dll
18/08/2001 13:00 5,632 kbdbu.dll
18/08/2001 13:00 6,144 kbdca.dll
18/08/2001 13:00 7,680 kbdcan.dll
18/08/2001 13:00 6,656 kbdcr.dll
18/08/2001 13:00 7,168 kbdcz.dll
18/08/2001 13:00 6,656 kbdcz1.dll
18/08/2001 13:00 6,656 kbdcz2.dll
18/08/2001 13:00 6,144 kbdda.dll
18/08/2001 13:00 5,120 kbddv.dll
18/08/2001 13:00 6,144 kbdes.dll
18/08/2001 13:00 6,144 kbdest.dll
18/08/2001 13:00 6,144 kbdfc.dll
18/08/2001 13:00 6,144 kbdfi.dll
18/08/2001 13:00 6,144 kbdfo.dll
18/08/2001 13:00 6,144 kbdfr.dll
18/08/2001 13:00 5,632 kbdgae.dll
18/08/2001 13:00 6,144 kbdgkl.dll
18/08/2001 13:00 6,144 kbdgr.dll
18/08/2001 13:00 6,144 kbdgr1.dll
18/08/2001 13:00 5,632 kbdhe.dll
18/08/2001 13:00 5,632 kbdhe220.dll
18/08/2001 13:00 5,632 kbdhe319.dll
18/08/2001 13:00 6,144 kbdhela2.dll
18/08/2001 13:00 6,656 kbdhela3.dll
18/08/2001 13:00 8,192 kbdhept.dll
18/08/2001 13:00 6,656 kbdhu.dll
18/08/2001 13:00 5,632 kbdhu1.dll
18/08/2001 13:00 6,144 kbdic.dll
18/08/2001 13:00 5,632 kbdir.dll
18/08/2001 13:00 5,632 kbdit.dll
18/08/2001 13:00 5,632 kbdit142.dll
18/08/2001 13:00 5,632 kbdkaz.dll
18/08/2001 13:00 5,632 kbdkyr.dll
18/08/2001 13:00 6,656 kbdla.dll
18/08/2001 13:00 5,632 kbdlt.dll
18/08/2001 13:00 5,632 kbdlt1.dll
18/08/2001 13:00 6,144 kbdlv.dll
18/08/2001 13:00 6,144 kbdlv1.dll
18/08/2001 13:00 6,144 kbdmac.dll
18/08/2001 13:00 5,632 kbdmon.dll
18/08/2001 13:00 6,144 kbdne.dll
18/08/2001 13:00 7,168 kbdnec.dll
18/08/2001 13:00 6,144 kbdno.dll
18/08/2001 13:00 6,656 kbdpl.dll
18/08/2001 13:00 5,632 kbdpl1.dll
  #8  
Old May 18th, 2004, 09:17 AM
IanMac IanMac is offline
Infrequent Poster
 
Join Date: May 2004
Posts: 13
Default Re: Bit of help please

and here's the rest of the log - wouldn't let me post it in one:

  #9  
Old May 18th, 2004, 09:18 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Default Re: Bit of help please

Post a new HijackThis log when you are done.
If anything is left it will be easy to clean out.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
  #10  
Old May 18th, 2004, 09:21 AM
IanMac IanMac is offline
Infrequent Poster
 
Join Date: May 2004
Posts: 13
Default Re: Bit of help please

aye aye sir, shall do, Ad-aware is taking its time though, only scanned 100,000 files so far, hehe
  #11  
Old May 18th, 2004, 09:33 AM
IanMac IanMac is offline
Infrequent Poster
 
Join Date: May 2004
Posts: 13
Default Re: Bit of help please

here's the log, pretty sure I can see what to kill, but I'll just let you take a look in case =)

Logfile of HijackThis v1.97.7
Scan saved at 14:33:03, on 18/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Desktop\Downloaded and Zips\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlckcdb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {73539971-77D7-4D85-8551-0B286FF7053A} - C:\WINDOWS\System32\hlckcdb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Pro Cam
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Startup: fix.bat.lnk = C:\fix.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-b3.freeserve.com/Java/cfs31245.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...090.3527430556
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
  #12  
Old May 18th, 2004, 09:40 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Default Re: Bit of help please

OK. You probably guessed you should Fix every entry that contains:
C:\WINDOWS\System32\hlckcdb.dll

Which is correct, but you are not ready yet. (Windows Update)
And I would advise you to uninstall P2P Networking in Add/Remove Software.

Regards,

Pieter
  #13  
Old May 18th, 2004, 09:48 AM
IanMac IanMac is offline
Infrequent Poster
 
Join Date: May 2004
Posts: 13
Default Re: Bit of help please

Windows updates installed
hlckcdb.dll entries fixed
problem is hopefully gone

Pieter you're a legend (=
Thank you
  #14  
Old May 18th, 2004, 11:09 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Default Re: Bit of help please

My pleasure IanMac,

Get yourself some protection:
http://www.wilderssecurity.com/showthread.php?t=27971

Regards,

Pieter
  #15  
Old May 20th, 2004, 11:30 AM
IanMac IanMac is offline
Infrequent Poster
 
Join Date: May 2004
Posts: 13
Default Re: Bit of help please

Well I've installed every single thing in the thread you mentioned Pieter, along with every critical update and service pack from the windows update thingy

however, the problem has returned and when I run the dllfix program it keeps telling me that it found log.dll - and then my computer restarts and I run cwshredder and hijack this (fixing all the entries with xxx.dll) and yet I'm still infected again 5mins later, and the log.dll file is still found.

any suggestions?

here's a HJT log if that helps (it's interesting to note that now, every single time I get infected it's with nciba.dll - as opposed to a new .dll name every time, as I used to get):

Logfile of HijackThis v1.97.7
Scan saved at 16:29:00, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Downloaded and Zips\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E73360E-0DE8-4310-87D2-FCCA6FEE02FA} - C:\WINDOWS\System32\nciba.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Pro Cam
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: fix.bat.lnk = C:\fix.bat
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-b3.freeserve.com/Java/cfs31245.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab27571.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...090.3527430556
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab

---

here's the logs.txt from dllfix:

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
20/05/2004
15:25

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully

Deleting temp value

The operation completed successfully

Running from C:\Documents and Settings\Owner\Desktop\dllfix
Processing File Manually
C:\WINDOWS\system32\log.dll
Md5 Check of C:\WINDOWS\system32\log.dll

File was found but md5 didnt match
MD5 was: D41D8CD98F00B204E9800998ECF8427E
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\log.dll>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\Documents and Settings\Owner\Desktop\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

----

and here's the output.txt:

--===**'FIND-ALL' VERSION 3, 5/11**===--

20/05/2004
15:30

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (C8F1:45CE) - FS:NTFS clusters:4k
Total: 40 015 953 920 [37G] - Free: 14 022 541 312 [13G]


Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\SYSTEM32\LOG.DLL +++ File read error
\\?\C:\WINDOWS\System32\LOG.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E73360E-0DE8-4310-87D2-FCCA6FEE02FA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{5D2B242B-39B2-4620-9BD0-B4737C9010AA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{5D2B242B-39B2-4620-9BD0-B4737C9010AA}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




=)
__________________
I love Pieter Arntz
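As an added example (not part of the original posts, and not code from HijackThis or dllfix), this Python sketch applies the rule given in the replies above, "Fix every entry that contains" the hijacker DLL, and also checks the MD5 that dllfix reported for log.dll. The function names and sample constants are this example's own; the sample lines are copied from the 20/05/2004 logs in this post.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: lines copied from the 20/05/2004 HijackThis log in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nciba.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E73360E-0DE8-4310-87D2-FCCA6FEE02FA} - C:\WINDOWS\System32\nciba.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
"""

# Constructed sample: two lines copied from the dllfix logs.txt in this thread.
SAMPLE_DLLFIX = """File was found but md5 didnt match
MD5 was: D41D8CD98F00B204E9800998ECF8427E
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - .*$")                     # one HijackThis entry
RES_DLL_RE = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)  # DLL behind a res:// page
MD5_RE = re.compile(r"\bMD5 was:\s*([0-9A-Fa-f]{32})\b")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()                      # digest of zero bytes


def entries_to_review(hjt_log):
    """Map each DLL that serves an IE search/start page through res://
    to every log entry that names it (R entries and the matching BHO)."""
    entries = [ln.strip() for ln in hjt_log.splitlines() if ENTRY_RE.match(ln.strip())]

    # Seeds come only from R0/R1 (IE start/search settings). O8 context-menu
    # items also use res:// legitimately, so they never seed the search.
    seeds = set()
    for entry in entries:
        if entry.startswith(("R0 ", "R1 ")):
            seeds.update(dll.lower() for dll in RES_DLL_RE.findall(entry))

    hits = defaultdict(list)
    for entry in entries:
        lowered = entry.lower()
        for dll in seeds:
            if dll in lowered:
                hits[dll].append(entry)
    return dict(hits)


def unread_file_digests(tool_log):
    """Return reported MD5 values equal to the MD5 of empty input. Such a
    digest describes zero bytes of data, not the contents of the file."""
    return [d for d in MD5_RE.findall(tool_log) if d.lower() == EMPTY_MD5]


if __name__ == "__main__":
    for dll, entries in entries_to_review(SAMPLE_HJT).items():
        print(f"{dll}: {len(entries)} entries to review")
        for entry in entries:
            print("   ", entry)
    for digest in unread_file_digests(SAMPLE_DLLFIX):
        print("MD5 of empty input reported:", digest)
```

The digest dllfix printed for log.dll is the MD5 of empty input, which fits the "File read error" lines in output.txt: the hash was taken over no data and cannot identify the file.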
  #16  
Old May 22nd, 2004, 09:13 AM
IanMac IanMac is offline
Infrequent Poster
 
Join Date: May 2004
Posts: 13
Default Re: Bit of help please

anything guys?
  #17  
Old May 23rd, 2004, 08:27 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Default Re: Bit of help please

Hi IanMac,

If log.dll is now visible in explorer, you should be able to get rid of the entire thing by using AdAware (latest build and reffile of course) as described here: http://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter
  #18  
Old May 24th, 2004, 10:30 AM
Pieter_Arntz Pieter_Arntz is offline
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,718
Default Re: Bit of help please

Delete C:\WINDOWS\system32\log.dll from the Recovery Console

How to install and use the Recovery Console in Windows XP

Then boot normally and use AdAware as described here:
http://www.wilderssecurity.com/showthread.php?t=15913
to clean out the rest.

Regards,

Pieter
 
