Still get the RUNDLL error at startup. Ran those three programs, and here's the new scan results:
Find ItWarning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4E6-3EB5
Directory of C:\WINDOWS\System32
12/14/2004 09:38 PM 222,954 p2r4lc9q1f.dll
12/14/2004 11:37 AM 225,546 k6440ghqe64e0.dll
10/11/2004 08:07 PM <DIR> dllcache
08/04/2004 08:10 PM <DIR> Microsoft
2 File(s) 448,500 bytes
2 Dir(s) 44,846,403,584 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4E6-3EB5
Directory of C:\WINDOWS\System32
10/11/2004 08:07 PM <DIR> dllcache
02/22/2004 10:56 PM 488 WindowsLogon.manifest
02/22/2004 10:56 PM 488 logonui.exe.manifest
02/22/2004 10:56 PM 749 wuaucpl.cpl.manifest
02/22/2004 10:56 PM 749 sapi.cpl.manifest
02/22/2004 10:56 PM 749 cdplayer.exe.manifest
02/22/2004 10:56 PM 749 nwc.cpl.manifest
02/22/2004 10:56 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 44,846,403,584 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is D4E6-3EB5
Directory of C:\WINDOWS\System32
12/14/2004 09:40 PM 225,546 guard.tmp
1 File(s) 225,546 bytes
0 Dir(s) 44,846,403,584 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is D4E6-3EB5
Directory of C:\WINDOWS\System32
12/14/2004 09:40 PM 225,546 guard.tmp
08/11/2004 12:45 AM 86,016 SET95.tmp
06/16/2003 11:05 AM 720,896 OLD23.tmp
08/23/2001 04:00 AM 2,577 CONFIG.TMP
4 File(s) 1,035,035 bytes
0 Dir(s) 44,846,403,584 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3675F06B-33EE-4F4E-A9C0-5FD3AA94647A}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k6440ghqe64e0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WPAEvents]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\aosmsext.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"="126"
"ID"="{8EDB5D38-39D2-4266-B0D2-1E713A7F237C}"
"IDex"="DS3"
---------------- Xfind Results -----------------
C:\WINDOWS\System32\K6440G~1.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
k6440g~1.dll Tue Dec 14 2004 11:37:54a ..S.R 225,546 220.26 K
p2r4lc~1.dll Tue Dec 14 2004 9:38:36p ..S.R 222,954 217.73 K
2 items found: 2 files, 0 directories.
Total of file sizes: 448,500 bytes 437.99 K
DLL Compare* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\k6440g~1.dll Tue Dec 14 2004 11:37:54a ..S.R 225,546 220.26 K
C:\WINDOWS\SYSTEM32\p2r4lc~1.dll Tue Dec 14 2004 9:38:36p ..S.R 222,954 217.73 K
________________________________________________
1,334 items found: 1,334 files (2 H/S), 0 directories.
Total of file sizes: 280,568,962 bytes 267.57 M
Administrator Account = True
--------------------End log---------------------
Hijack ThisLogfile of HijackThis v1.98.2
Scan saved at 9:44:36 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Leslie\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.metacrawl...orms/search.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.metacrawler.com/info.metac/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.metacrawler.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.metacrawl...orms/search.htmR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.metacrawler.com/info.metac/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.metacrawler.com/R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.metacrawl...orms/search.htmR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.metacrawl...orms/search.htmR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.metacrawl....metac.toolbar/R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.metacrawl....metac.toolbar/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Metacrawler - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\insptbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -
http://ipgweb.cce.hp...ads/sysinfo.cabO16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) -
http://www.ipswitch....tp_le/setup.exeO16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} -
http://www.kungfuche...ivex/web665.cabO16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -
http://www.webshots....SDownloader.ocxO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
http://ipgweb.cce.hp...oads/msxml4.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn...pDownloader.cabO16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.c...utocomplete.cabO16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
http://www.live365.c...ers/play365.cabO16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.app.../ITDetector.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.game...aploader_v5.cabO16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
http://by22fd.bay22....ex/HMAtchmt.ocx