

Frustrated......need help please!
Started by goodtimes, Dec 05 2004 08:28 PM
#16
Posted 10 December 2004 - 01:11 AM


#17
Posted 10 December 2004 - 01:21 AM

New log.
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
AppPaths
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
{9CE94E41-B526-45CD-9423-56A34C64B556}
#18
Posted 16 December 2004 - 01:30 AM

- Download finditnt2000xp.zip.
- Unzip the contents of finditnt2000xp.zip to a convenient location.
- Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
- A command prompt will open and it will search your computer for malicious files.
- Once it has finished a Notepad window will pop up with output.txt.
- Copy the entire contents of output.txt into your next post.
#19
Posted 16 December 2004 - 01:37 AM

This is the log from find.bat.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
12/15/2004 12:26 PM 224,579 cnwmdm.dll
12/15/2004 12:24 PM 223,892 l64q0gh5e64.dll
12/15/2004 12:24 PM <DIR> DLLCACHE
12/15/2004 12:21 PM 224,579 jt8607lse.dll
12/15/2004 02:01 AM 224,797 g2jolc131f.dll
12/13/2004 01:40 AM 223,019 jtr4079qe.dll
12/12/2004 03:53 AM 226,237 mv4sl9h71.dll
12/11/2004 03:48 AM 225,363 k662lgjo16oc.dll
12/10/2004 04:44 PM 225,363 hr0s05d7e.dll
12/10/2004 03:45 AM 225,332 k4260efseh260.dll
11/17/2004 03:46 AM 56 204A5D8557.sys
11/17/2004 03:46 AM 1,682 KGyGaAvL.sys
02/03/2004 03:24 AM 71 SYSDRVREB.SYS
02/02/2002 09:22 PM <DIR> Microsoft
12 File(s) 2,024,970 bytes
2 Dir(s) 51,015,372,800 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
12/15/2004 12:24 PM <DIR> DLLCACHE
11/17/2004 03:46 AM 56 204A5D8557.sys
11/17/2004 03:46 AM 1,682 KGyGaAvL.sys
02/03/2004 03:24 AM 71 SYSDRVREB.SYS
05/19/2003 11:03 PM 94 tbd_G1ssg.ini
01/06/2003 01:57 AM 555 ws875731.ocx
5 File(s) 2,458 bytes
1 Dir(s) 51,015,372,800 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
08/11/2004 12:45 AM 5,550,080 setb7.tmp
04/06/2004 03:44 PM 0 _r_a_p_.tmp
08/21/2003 10:51 PM 0 VDM11.tmp
08/21/2003 10:51 PM 0 VDM10.tmp
01/20/2003 06:08 PM 0 VDM15.tmp
01/20/2003 06:08 PM 0 VDM14.tmp
01/09/2003 01:04 AM 0 VDM2B4.tmp
01/09/2003 01:04 AM 0 VDM2B3.tmp
08/18/2001 08:00 AM 2,577 CONFIG.TMP
9 File(s) 5,552,657 bytes
0 Dir(s) 51,015,372,800 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CE94E41-B526-45CD-9423-56A34C64B556}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt8607lse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
---------------- Xfind Results -----------------
C:\WINDOWS\System32\CNWMDM.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
204a5d~1.sys Wed Nov 17 2004 3:46:16a ..SHR 56 0.05 K
cnwmdm.dll Wed Dec 15 2004 12:26:40p ..S.R 224,579 219.31 K
g2jolc~1.dll Wed Dec 15 2004 2:01:46a ..S.R 224,797 219.53 K
hr0s05~1.dll Fri Dec 10 2004 4:44:56p ..S.R 225,363 220.08 K
jt8607~1.dll Wed Dec 15 2004 12:21:58p ..S.R 224,579 219.31 K
jtr407~1.dll Mon Dec 13 2004 1:40:30a ..S.R 223,019 217.79 K
k4260e~1.dll Fri Dec 10 2004 3:45:44a ..S.R 225,332 220.05 K
k662lg~1.dll Sat Dec 11 2004 3:48:42a ..S.R 225,363 220.08 K
kgygaavl.sys Wed Nov 17 2004 3:46:16a A.SH. 1,682 1.64 K
l64q0g~1.dll Wed Dec 15 2004 12:25:00p ..S.R 223,892 218.64 K
mv4sl9~1.dll Sun Dec 12 2004 3:53:54a ..S.R 226,237 220.93 K
11 items found: 11 files, 0 directories.
Total of file sizes: 2,024,899 bytes 1.93 M
#20
Posted 16 December 2004 - 07:47 AM

1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box:
   C:\WINDOWS\System32\cnwmdm.dll
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Repeat steps 4-8 above for these files:
   - C:\WINDOWS\System32\l64q0gh5e64.dll
   - C:\WINDOWS\System32\jt8607lse.dll
   - C:\WINDOWS\System32\g2jolc131f.dll
   - C:\WINDOWS\System32\jtr4079qe.dll
   - C:\WINDOWS\System32\mv4sl9h71.dll
   - C:\WINDOWS\System32\k662lgjo16oc.dll
   - C:\WINDOWS\System32\hr0s05d7e.dll
   - C:\WINDOWS\System32\k4260efseh260.dll
10. Click "Replace on Reboot" and check the "Use Dummy" box.
11. Paste this file into the top "Full Path of File to Delete" box:
    C:\WINDOWS\System32\Guard.tmp
12. Click the "Delete File" button which looks like a stop sign.
13. Click "Yes" at the Replace on Reboot prompt.
14. Click "Yes" at the Pending Operations prompt to restart your computer.
15. Double-click on find.bat and post the new output.txt.
#21
Posted 16 December 2004 - 11:41 AM

Searching for a solution to our problem, we came across this post.
In safe mode on XP Pro we were getting pop-up ads.
In safe mode on XP Pro, AdAware reported that lv0m09d1e.dll was spyware that was in memory.
Once we removed the dll everything seemed ok.
That dll might be part of your problem.
#22
Posted 16 December 2004 - 03:29 PM

My new find.bat file.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
12/16/2004 04:24 PM 224,579 nersar.dll
12/16/2004 04:24 PM 224,782 fp0203doe.dll
12/16/2004 02:40 AM 224,579 n26qlcj51fo.dll
12/15/2004 12:24 PM <DIR> DLLCACHE
11/17/2004 03:46 AM 56 204A5D8557.sys
11/17/2004 03:46 AM 1,682 KGyGaAvL.sys
02/03/2004 03:24 AM 71 SYSDRVREB.SYS
02/02/2002 09:22 PM <DIR> Microsoft
6 File(s) 675,749 bytes
2 Dir(s) 51,010,859,008 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
12/15/2004 12:24 PM <DIR> DLLCACHE
11/17/2004 03:46 AM 56 204A5D8557.sys
11/17/2004 03:46 AM 1,682 KGyGaAvL.sys
02/03/2004 03:24 AM 71 SYSDRVREB.SYS
05/19/2003 11:03 PM 94 tbd_G1ssg.ini
01/06/2003 01:57 AM 555 ws875731.ocx
5 File(s) 2,458 bytes
1 Dir(s) 51,010,859,008 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is F052-3FD2
Directory of C:\WINDOWS\System32
08/11/2004 12:45 AM 5,550,080 setb7.tmp
04/06/2004 03:44 PM 0 _r_a_p_.tmp
08/21/2003 10:51 PM 0 VDM11.tmp
08/21/2003 10:51 PM 0 VDM10.tmp
01/20/2003 06:08 PM 0 VDM15.tmp
01/20/2003 06:08 PM 0 VDM14.tmp
01/09/2003 01:04 AM 0 VDM2B4.tmp
01/09/2003 01:04 AM 0 VDM2B3.tmp
08/18/2001 08:00 AM 2,577 CONFIG.TMP
9 File(s) 5,552,657 bytes
0 Dir(s) 51,010,859,008 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CE94E41-B526-45CD-9423-56A34C64B556}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinFiles]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n26qlcj51fo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
---------------- Xfind Results -----------------
C:\WINDOWS\System32\FP0203~1.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
204a5d~1.sys Wed Nov 17 2004 3:46:16a ..SHR 56 0.05 K
fp0203~1.dll Thu Dec 16 2004 4:24:10p ..S.R 224,782 219.51 K
kgygaavl.sys Wed Nov 17 2004 3:46:16a A.SH. 1,682 1.64 K
n26qlc~1.dll Thu Dec 16 2004 2:40:28a ..S.R 224,579 219.31 K
nersar.dll Thu Dec 16 2004 4:24:10p ..S.R 224,579 219.31 K
5 items found: 5 files, 0 directories.
Total of file sizes: 675,678 bytes 659.84 K
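The two find.bat exports above show why the helper keys on structure rather than file names: the post #19 export carried a Notify subkey IPConfTSP pointing at jt8607lse.dll, and after that file was removed the post #22 export carries a new subkey WinFiles pointing at n26qlcj51fo.dll. The following is an added example, not code from the thread or from the find.bat or VX2 tools: a parser for the REGEDIT4 "Keys Under Notify" section that flags Winlogon\Notify subkeys outside the stock set (the nine names the VX2 finder printed in post #17, used here as an allow-list by assumption) or whose DllName is an absolute path instead of a bare system DLL name. The function names and the trimmed export excerpts are this example's own constructions.

```python
"""Flag suspicious Winlogon\\Notify entries in a REGEDIT4 export (added example)."""
import re

# Stock XP Notify subkeys, taken from the VX2 finder output earlier in the thread.
# Treating this list as the allow-list is this example's own assumption.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

NOTIFY_PREFIX = "\\Winlogon\\Notify\\"          # subkey name follows this
KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # "Name"=value

def decode_reg_value(raw):
    """Decode one REGEDIT4 value: "string", dword:hex, or hex(2):byte,list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")   # regedit doubles backslashes
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    m = re.match(r"hex\(\d+\):(.*)$", raw)
    if m:  # REG_EXPAND_SZ exported as comma-separated bytes, NUL-terminated
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("ascii", "replace")
    return raw

def parse_notify_section(text):
    """Return {subkey: {value_name_lower: decoded_value}} for Notify\\* keys."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            path = km.group(1)
            idx = path.lower().find(NOTIFY_PREFIX.lower())
            # The bare ...\Winlogon\Notify key has no subkey part; skip it.
            current = path[idx + len(NOTIFY_PREFIX):] if idx >= 0 else None
            if current:
                keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1).lower()] = decode_reg_value(vm.group(2))
    return keys

def flag_suspicious(keys):
    """Return [(subkey, dllname, reason)] for entries that look like a hijack."""
    hits = []
    for name, values in keys.items():
        dll = values.get("dllname", "")
        reasons = []
        if name.lower() not in DEFAULT_NOTIFY:
            reasons.append("non-default subkey")
        if "\\" in dll or ":" in dll:   # stock entries are bare DLL names
            reasons.append("DllName is an absolute path")
        if reasons:
            hits.append((name, dll, "; ".join(reasons)))
    return hits

def hijacked_dlls(text):
    """Base names of the DLLs behind every flagged entry in one export."""
    hits = flag_suspicious(parse_notify_section(text))
    return sorted(h[1].rsplit("\\", 1)[-1] for h in hits)

# Constructed, trimmed excerpts of the two find.bat exports posted in the thread.
EXPORT_DEC16_AM = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="C:\\WINDOWS\\system32\\jt8607lse.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"""

EXPORT_DEC16_PM = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinFiles]
"DllName"="C:\\WINDOWS\\system32\\n26qlcj51fo.dll"
"""

if __name__ == "__main__":
    for label, export in (("post #19", EXPORT_DEC16_AM), ("post #22", EXPORT_DEC16_PM)):
        for name, dll, why in flag_suspicious(parse_notify_section(export)):
            print(f"{label}: Notify\\{name} -> {dll} ({why})")
```

Feed it the full "Keys Under Notify" block from any find.bat output.txt; the stock entries decode to bare names such as crypt32.dll and wlnotify.dll and are left alone.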