Yesterday I forgot to tell you that I'm receiving e-mails from somebody I don't know. The [bleep] keeps changing his address; there is no message, no attachment and no subject... Maybe that's the reason why I keep getting that f... problem again and again. Do you think so?
This is a new Find It log, if you can help me again:
________________________________________
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Anti-virus-malware\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is Premier
Volume Serial Number is 08BB-7D10
Directory of C:\WINDOWS\System32
12/01/2005 03:00 <DIR> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
12/03/2003 12:13 7,168 Thumbs.db
15/10/2002 22:18 <DIR> Microsoft
2 File(s) 7,224 bytes
2 Dir(s) 9,577,050,112 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Premier
Volume Serial Number is 08BB-7D10
Directory of C:\WINDOWS\System32
12/01/2005 03:00 <DIR> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
04/07/2004 18:57 508 ws045380.ocx
12/03/2003 12:13 7,168 Thumbs.db
25/05/2002 14:24 8,628 Ridger.GID
22/01/2002 18:10 10,833 Cnbjhlp.GID
22/12/2001 14:46 488 WindowsLogon.manifest
22/12/2001 14:46 488 logonui.exe.manifest
22/12/2001 14:45 749 nwc.cpl.manifest
22/12/2001 14:45 749 ncpa.cpl.manifest
22/12/2001 14:45 749 sapi.cpl.manifest
22/12/2001 14:45 749 cdplayer.exe.manifest
22/12/2001 14:45 749 wuaucpl.cpl.manifest
12 File(s) 31,914 bytes
1 Dir(s) 9,577,046,016 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is Premier
Volume Serial Number is 08BB-7D10
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C is Premier
Volume Serial Number is 08BB-7D10
Directory of C:\WINDOWS\System32
14/03/2004 14:00 59 E_S86.tmp
06/02/2002 14:24 59 E_SA7.tmp
28/08/2001 04:00 3,072 CONFIG.TMP
3 File(s) 3,190 bytes
0 Dir(s) 9,577,041,920 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM32\
f2af79~1.sys Mon 6 Dec 2004 15:00:52 ..SHR 56 0,05 K
1 item found: 1 file, 0 directories.
Total of file sizes: 56 bytes 0,05 K
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
___________________________________
Thanks a lot
Regards.
Bobo
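Added example (editor's code, not part of Bobo's post and not part of the Find It tool): a small Python parser for the REGEDIT4 sections of a log like the one above. It folds the trailing-backslash continuation lines, decodes the `hex(2)` (REG_EXPAND_SZ) values that the log leaves as comma-separated bytes (so `63,72,79,70,74,33,32,2e,64,6c,6c,00` reads as `crypt32.dll` and the `UserFaultCheck` Run value reads as `%systemroot%\system32\dumprep 0 -u`), unescapes the quoted strings, and lists each Winlogon\Notify package with the DLL that winlogon.exe will load for it and the events it hooks. The embedded SAMPLE is a verbatim subset of the log above; the STOCK_NOTIFY set of packages that ship with Windows XP is the editor's own list and an assumption, as is the choice to decode `hex(2)` as single-byte ANSI text (a REGEDIT4 export is ANSI; a Unicode .reg file would carry UTF-16LE).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a verbatim subset of the REGEDIT4 text in the Find It log above
# (two Winlogon\Notify packages and two HKLM Run values).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
'''

NOTIFY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
RUN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Notify packages that ship with Windows XP: the editor's list, an assumption for this example.
STOCK_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def _decode_hex2(payload: str) -> str:
    # hex(2) is REG_EXPAND_SZ; in an ANSI REGEDIT4 export it is NUL-terminated single-byte text
    raw = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    return raw.rstrip(b'\x00').decode('latin-1')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse REGEDIT4 text into {key path: {value name: decoded data}}."""
    text = re.sub(r'\\\r?\n\s*', '', text)      # fold trailing-backslash continuation lines
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('dword:'):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('hex(2):'):
            keys[current][name] = _decode_hex2(data[7:])
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data              # other binary types are left as written
    return keys


def notify_packages(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, List[str]]]:
    """(package, dll, hooked events) for every Winlogon\\Notify subkey that names a DLL."""
    out = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY.lower() + '\\'):
            continue
        # the log spells the value both DllName and DLLName, so match case-insensitively
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        if dll is None:
            continue
        events = sorted(k for k, v in values.items()
                        if isinstance(v, str) and k.lower() != 'dllname')
        out.append((path.rsplit('\\', 1)[1], str(dll), events))
    return out


def nonstock_packages(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Notify packages that are not in the stock XP list and so deserve a closer look."""
    return [name for name, _, _ in notify_packages(keys) if name.lower() not in STOCK_NOTIFY]


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE)
    for name, dll, events in notify_packages(parsed):
        print(f'{name:14} -> {dll}  hooks: {", ".join(events)}')
    print('non-stock:', nonstock_packages(parsed))
    print('UserFaultCheck =', parsed[RUN]['UserFaultCheck'])
```

Every DLL registered under Winlogon\Notify is loaded into winlogon.exe at logon, which is why Find It dumps that key: it is a well-known persistence location. On the sample the only package outside the stock list is NavLogon, which this log records as C:\WINDOWS\System32\NavLogon.dll (a third-party entry); the decoded hex(2) values let you see the DLL names that the raw log hides.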