Also needing about:blank hijack help hjkthis LOG provided (New)

PUG
Senior Member with 101 posts.
Join Date: Dec 2002
Location: New Zealand
18-Jul-2004, 10:11 PM #16
HLPNIEF.DLL Not found
Ran as said and it restarted.

HLPNIEF.DLL was not in said System32 folder
did a search and nothing found with that name...??

mmmmmmmmm
Flrman1
Distinguished Member with 46,429 posts.
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
18-Jul-2004, 10:18 PM #17
Did you run Fix.bat first?
PUG
18-Jul-2004, 10:23 PM #18
Sure did!
Shall I do it again?
Flrman1
18-Jul-2004, 10:29 PM #19
Did it give you the countdown and then restart like it is supposed to?
PUG
18-Jul-2004, 10:34 PM #20
Yes, it came up with a squarish grey box with a few words and a White X in a Red circle with the countdown saying restarting in 10 secs I believe.
Flrman1
18-Jul-2004, 10:41 PM #21
Click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

Now see if you can find the file.
Flrman1
18-Jul-2004, 10:42 PM #22
Don't do a search for the file. Physically navigate to the System32 folder and look for the file.
PUG
18-Jul-2004, 10:54 PM #23
Sorry I'm taking so long, just looked at email send/receive and it's at 5 mins. Really sorry to waste your time.

I have not needed to check uncheck as my settings are what you said (YAY). I have show hidden files....
PUG
18-Jul-2004, 10:56 PM #24
Is it worth replaying the FIX and having it restart again???
Flrman1
18-Jul-2004, 10:56 PM #25
Quote:
Originally Posted by flrman1
Don't do a search for the file. Physically navigate to the System32 folder and look for the file.
Did you do this?
PUG
18-Jul-2004, 11:00 PM #26
Yes, I did navigate to the folder, then did a C: drive search....
Flrman1
18-Jul-2004, 11:01 PM #27
Try running Fix.bat again then.

I'm going to bed. I'll check back in the morning before I go to work.
PUG
18-Jul-2004, 11:16 PM #28
Thank you. I did see your timezone indicates the night of Sun, please take your time; obviously I'm still able to do everything 99.999999 percent unaffected here.

I re-ran FIX and it restarted, but again navigating to C:\WINNT\system32 was fruitless for the HLPNIEF.DLL. Your time is very much appreciated. Have a good week!
Flrman1
19-Jul-2004, 07:49 AM #29
I will have to do some thinking on this one and deal with it when I get home this evening. I'm not sure what to do at this point.
PUG
19-Jul-2004, 07:04 PM #30
Thank you, here is the new log.



»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s)
6.0.2800.1106 SP1
The type of the file system is NTFS.
C: is not dirty.

Tue 20 Jul 04 10:58:29
10:58am up 0 days, 0:08

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/16)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINNT\System32\HLPNIEF.DLL +++ File read error
\\?\C:\WINNT\System32\HLPNIEF.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
HLPNIEF.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINNT\SYSTEM32\
hlpnief.dll Tue 8 Jun 2004 13:56:16 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\HLPNIEF.DLL

»»»»»(*5*)»»»»»
**File C:\WINNT\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... HLPNIEF.DLL .....57344 08.06.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINNT\SYSTEM32\HLPNIEF.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINNT\SYSTEM32\
hlpnief.dll Tue 8 Jun 2004 13:56:16 A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINNT\SYSTEM32\HLPNIEF.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group SAR-4QGSHPLS3D7\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.


»»»»»»Backups created...»»»»»»
10:59am up 0 days, 0:09
Tue 20 Jul 04 10:59:27

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-19-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-19-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Mon 19 Jul 2004 13:36:22 .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: ` 8 @
000011D0: vk < \ AppInit_DLLsa n C : \ W I N N T \ s
00001210:y s t e m 3 2 \ h l p n i e f . d l l vk h "
00001250eviceNotSelectedTimeout 1 5 ` vk '
00001290: o GDIProcessHandleQuota n vk i Spooler
000012D0: y e s g \ vk , swapdisk vk 0
00001310: R TransmissionRetryTimeout 9 0 ` vk '
00001350: g USERProcessHandleQuotaO 7W| C

---------- WIN.TXT
AppInit_DLLsa
--------------
--------------
$011E8: AppInit_DLLsa
$01250: DeviceNotSelectedTimeout
$01298: GDIProcessHandleQuota
$01318: TransmissionRetryTimeout
$01358: USERProcessHandleQuotaO
--------------
--------------
C:\WINNT\system32\hlpnief.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 60 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINNT\system32\hlpnief.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 68 00 6c 00 70 00 6e 00 69 00 65 00 | 2.\.h.l.p.n.i.e.
0030 66 00 2e 00 64 00 6c 00 6c 00 00 00 | f...d.l.l...
