Lost PC

This topic is locked

#1 skeer (New Member, 2 posts)
Please tell me how to get my computer back. I have lost days to this pest and all sorts of unnatural things are happening. If I read the instructions correctly I am including the necessary log files below. Please tell me this is an easy fix.

1. From log.txt

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dxprov.dll Wed Jan 5 2005 8:01:38a ..S.R 225,388 220.11 K
C:\WINDOWS\SYSTEM32\fp2203~1.dll Wed Jan 5 2005 8:01:38a ..S.R 225,611 220.32 K
C:\WINDOWS\SYSTEM32\fp8003~1.dll Tue Jan 11 2005 1:51:04p ..S.R 223,537 218.30 K
C:\WINDOWS\SYSTEM32\fplo03~1.dll Tue Jan 4 2005 2:49:34p ..S.R 224,622 219.36 K
C:\WINDOWS\SYSTEM32\irjsl5~1.dll Tue Jan 4 2005 3:02:16p ..S.R 226,004 220.71 K
C:\WINDOWS\SYSTEM32\ktnml7~1.dll Wed Jan 5 2005 9:08:02a ..S.R 222,786 217.56 K
C:\WINDOWS\SYSTEM32\lrnkinfo.dll Wed Jan 5 2005 9:36:56a ..S.R 222,738 217.52 K
C:\WINDOWS\SYSTEM32\o4ns0e~1.dll Tue Jan 11 2005 12:58:08p ..S.R 223,673 218.43 K
C:\WINDOWS\SYSTEM32\skgina.dll Wed Jan 5 2005 9:08:02a ..S.R 225,388 220.11 K
________________________________________________

1,225 items found: 1,225 files (9 H/S), 0 directories.
Total of file sizes: 216,690,438 bytes 206.65 M

Administrator Account = True

--------------------End log---------------------

2. from output.txt

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\hedlundb\Desktop\VX2 Find It\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:48 PM <DIR> dllcache
01/11/2005 01:51 PM 223,537 fp8003lme.dll
01/11/2005 12:58 PM 223,673 o4ns0e57eh.dll
01/05/2005 09:36 AM 222,738 lrnkinfo.dll
01/05/2005 09:08 AM 225,388 skgina.dll
01/05/2005 09:08 AM 222,786 ktnml7511.dll
01/05/2005 08:01 AM 225,388 dxprov.dll
01/05/2005 08:01 AM 225,611 fp2203foe.dll
01/04/2005 03:02 PM 226,004 irjsl5171.dll
01/04/2005 02:49 PM 224,622 fplo0333e.dll
12/12/2004 05:35 PM 554 TBPS.ini
08/11/2004 08:13 AM <DIR> Microsoft
10 File(s) 2,020,301 bytes
2 Dir(s) 31,512,145,920 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:48 PM <DIR> dllcache
01/10/2005 11:32 AM <DIR> vmss
12/29/2004 10:50 AM 4,212 zllictbl.dat
08/22/2004 10:26 AM <DIR> GroupPolicy
08/11/2004 07:56 AM 488 WindowsLogon.manifest
08/11/2004 07:56 AM 488 logonui.exe.manifest
08/11/2004 07:56 AM 749 sapi.cpl.manifest
08/11/2004 07:56 AM 749 ncpa.cpl.manifest
08/11/2004 07:56 AM 749 nwc.cpl.manifest
08/11/2004 07:56 AM 749 wuaucpl.cpl.manifest
08/11/2004 07:56 AM 749 cdplayer.exe.manifest
8 File(s) 8,933 bytes
3 Dir(s) 31,512,141,824 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:32 PM 223,673 guard.tmp
1 File(s) 223,673 bytes
0 Dir(s) 31,512,141,824 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is DC9E-B97A

Directory of C:\WINDOWS\System32

01/11/2005 02:32 PM 223,673 guard.tmp
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH001a.TMP
07/16/2003 10:19 AM 2,577 CONFIG.TMP
4 File(s) 2,699,210 bytes
0 Dir(s) 31,512,137,728 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D089DB24-DF25-420C-9A3D-BF292F5FAF8B}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4ns0e57eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
dxprov.dll Wed Jan 5 2005 8:01:38a ..S.R 225,388 220.11 K
fp2203~1.dll Wed Jan 5 2005 8:01:38a ..S.R 225,611 220.32 K
fp8003~1.dll Tue Jan 11 2005 1:51:04p ..S.R 223,537 218.30 K
fplo03~1.dll Tue Jan 4 2005 2:49:34p ..S.R 224,622 219.36 K
irjsl5~1.dll Tue Jan 4 2005 3:02:16p ..S.R 226,004 220.71 K
ktnml7~1.dll Wed Jan 5 2005 9:08:02a ..S.R 222,786 217.56 K
lrnkinfo.dll Wed Jan 5 2005 9:36:56a ..S.R 222,738 217.52 K
o4ns0e~1.dll Tue Jan 11 2005 12:58:08p ..S.R 223,673 218.43 K
skgina.dll Wed Jan 5 2005 9:08:02a ..S.R 225,388 220.11 K
tbps.ini Sun Dec 12 2004 5:35:44p ..S.R 554 0.54 K
zllictbl.dat Wed Dec 29 2004 10:50:26a ...H. 4,212 4.11 K

11 items found: 11 files, 0 directories.
Total of file sizes: 2,024,513 bytes 1.93 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\inpeiu.dll: updates.qoologic.com
C:\WINDOWS\system32\lauhlm.exe: updates.qoologic.com
C:\WINDOWS\system32\lquclz.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\randreco.exe: .aspack
C:\WINDOWS\system32\vguwvo.exe: .aspack
C:\WINDOWS\system32\wkupwy.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kighkp.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"ATIModeChange"="Ati2mdxx.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\Integrity Client\\iclient.exe\""
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"Narrator"="C:\\WINDOWS\\System32\\vguwvo.exe"
"PestPatrolCL"="C:\\PROGRA~1\\PESTPA~1\\PestPatrolCL.exe c:\\"
"5sFg3tP"="tweus.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"

3. from vx2.log

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
H323TSP
NavLogon
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{D089DB24-DF25-420C-9A3D-BF292F5FAF8B}


4. I did not get an error message

5. Yes there is a guard.tmp file


Where do I start? ;)

Closed: duplicate post.

http://www.geekstogo...=45

Edited by coachwife6, 11 January 2005 - 04:44 PM.

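The "Keys Under Notify" section above is the part of these logs that a responder would check first: every subkey of Winlogon\Notify names a DLL that winlogon.exe loads at logon, so a stray entry there (the H323TSP key pointing at C:\WINDOWS\system32\o4ns0e57eh.dll) is a persistence foothold. The following script is an added example and is not part of the original post or of the Find It / VX2 tools; it parses a REGEDIT4 export of that key and flags entries whose DllName is not one of the Windows-shipped notification packages seen in the post (crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll) or that use a full path where the stock entries use a bare name. The baseline set and the trimmed sample export are constructed for the example; NavLogon.dll (Norton) is flagged only as "not in baseline" and would be cleared on review.

```python
import re

# Constructed sample: a trimmed copy of the REGEDIT4 "Keys Under Notify" export
# from the post (two stock entries, one third-party, one suspicious).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4ns0e57eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
'''

# Assumed baseline: the Windows-shipped Notify DLLs that appear in the post.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")


def decode_reg_value(raw):
    """Decode a .reg value body: "quoted string" or hex(2):aa,bb,... (REG_EXPAND_SZ).
    REGEDIT4 exports are ANSI, so the hex bytes are single-byte characters."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        # .reg files escape backslashes and quotes with a backslash
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return None


def parse_notify_entries(text):
    """Return {subkey_name: {value_name_lower: raw_value}} for Winlogon\\Notify subkeys."""
    # Join hex continuation lines (a trailing ",\" continues the value on the next line)
    text = re.sub(r",\\\r?\n\s*", ",", text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            name = key.group(1)
            if name.lower().startswith(NOTIFY_PREFIX.lower()):
                current = name[len(NOTIFY_PREFIX):]
                entries[current] = {}
            else:
                current = None
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is not None and value:
            entries[current][value.group(1).lower()] = value.group(2)
    return entries


def review_notify_entries(text, baseline=KNOWN_NOTIFY_DLLS):
    """Return [(subkey, dll_value, [reasons])] for entries that need a look."""
    findings = []
    for subkey, values in parse_notify_entries(text).items():
        dll = decode_reg_value(values.get("dllname", ""))
        if dll is None:
            findings.append((subkey, None, ["no DllName value"]))
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in baseline:
            reasons.append("DLL not in Windows baseline")
        if "\\" in dll:
            reasons.append("full path instead of bare DLL name")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in review_notify_entries(SAMPLE_EXPORT):
        print(f"{subkey}: {dll} -> {'; '.join(reasons)}")
```

Run against the full export in the post, the only entries reported are H323TSP (random-named DLL, full path) and NavLogon (known Norton component, full path); everything else resolves to a baseline DLL by bare name. The same parser works on a fresh `reg export` of the key, which is the quick way to re-check a machine after cleanup.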