Look2Me is on my computer, HELP!



#16 infaddict (Visiting Staff, 734 posts)
Hey there SlappyMuttMutt :)

Thanks for posting back with the info. As you say, the infection remains :woot:. Sadly SpySweeper is one of the only tools that would help us remove this automatically, but we can't use it in your case.

Do not despair though, because we can still tackle the infection the old-fashioned way :tazz:. To give you an idea of the direction I'm taking and to help you understand my intended course, here's the new plan:
  • Run a FindIt tool which examines your computer for bad files and bad reg keys
  • I analyse the FindIt tool to pick out the truly bad files and reg keys
  • Killbox the bad files by replacing them with dummy files (this works better with L2M rather than a standard kill)
  • Make sure all the files have definitely gone by re-running the FindIt tool
  • Clean registry entries - I will provide a script to do this
  • Clean up left overs (e.g. problems with Recycle Bin, Debug policies)
  • Breathe a sigh of relief :woot:
Once again, we CAN fix this and I encourage you to stick with me on this :) Please do the first step in the plan:
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Thanks.

P.S. Don't try to remove anything or fix anything after this, because doing so will cause the infection to mutate again, rendering the FindIt log useless.

Edited by infaddict, 31 October 2005 - 11:43 AM.

#17 SlappyMuttMutt (Topic Starter, 22 posts)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/31/2005 05:10 PM 233,741 guard.tmp
10/31/2005 10:02 AM 236,565 dn8q01l5e.dll
10/31/2005 10:01 AM 233,741 jt8u07l9e.dll
10/23/2005 12:20 PM <DIR> dllcache
04/27/2005 07:53 PM <DIR> Microsoft
3 File(s) 704,047 bytes
2 Dir(s) 32,488,402,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/23/2005 12:20 PM <DIR> dllcache
04/27/2005 01:30 PM 488 logonui.exe.manifest
04/27/2005 01:30 PM 488 WindowsLogon.manifest
04/27/2005 01:30 PM 749 nwc.cpl.manifest
04/27/2005 01:30 PM 749 sapi.cpl.manifest
04/27/2005 01:30 PM 749 wuaucpl.cpl.manifest
04/27/2005 01:30 PM 749 cdplayer.exe.manifest
04/27/2005 01:30 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 32,488,402,944 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/31/2005 05:10 PM 233,741 guard.tmp
1 File(s) 233,741 bytes
0 Dir(s) 32,488,398,848 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/31/2005 05:10 PM 233,741 guard.tmp
08/18/2001 08:00 AM 2,577 CONFIG.TMP
2 File(s) 236,318 bytes
0 Dir(s) 32,488,398,848 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{CD1508FE-CFE5-7B34-E05C-8458C06FE03C}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\windows\\system32\\jt8u07l9e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\Custom\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
dn8q01~1.dll Mon Oct 31 2005 10:02:52a ..S.R 236,565 231.02 K
guard.tmp Mon Oct 31 2005 5:10:52p A.S.R 233,741 228.26 K
jt8u07~1.dll Mon Oct 31 2005 10:01:50a ..S.R 233,741 228.26 K

3 items found: 3 files, 0 directories.
Total of file sizes: 704,047 bytes 687.54 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_27.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\ntdll(2).dll: .aspack
C:\WINDOWS\system32\ntdll(3).dll: .aspack
C:\WINDOWS\system32\ntdll(4).dll: .aspack
C:\WINDOWS\system32\ntdll(5).dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\windows\\system32\\NvCpl.dll,NvStartup"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"nwiz"="nwiz.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#18 infaddict (Visiting Staff, 734 posts)
Hey SlappyMuttMutt :)

Thanks for the reply - the log has shown up exactly what we need to continue with the fix.

Before we continue though, I notice you still don't have a firewall installed. I can't stress enough how important it is to use a proper firewall rather than the built-in Windows firewall. Personally, I use the free version of ZoneAlarm, but there are other free firewalls that come recommended. Please check these out:

Ok, on with the fix...

Please run the Killbox and then:
  • Click "Replace on Reboot"
  • Check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\dn8q01l5e.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\jt8u07l9e.dll
  • Click "Replace on Reboot"
  • Check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
Now, double-click on find.bat and post the new output.txt

Thanks :tazz:

#19 SlappyMuttMutt (Topic Starter, 22 posts)
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/31/2005 09:18 PM 235,127 guard.tmp
10/31/2005 09:17 PM 235,369 i2420choef4c0.dll
10/31/2005 09:15 PM 233,741 MZC71ENU.DLL
10/31/2005 09:15 PM 235,127 n68olgl316q.dll
10/31/2005 09:11 PM 234,483 bppanui.dll
10/23/2005 12:20 PM <DIR> dllcache
04/27/2005 07:53 PM <DIR> Microsoft
5 File(s) 1,173,847 bytes
2 Dir(s) 39,562,829,824 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/23/2005 12:20 PM <DIR> dllcache
04/27/2005 01:30 PM 488 logonui.exe.manifest
04/27/2005 01:30 PM 488 WindowsLogon.manifest
04/27/2005 01:30 PM 749 nwc.cpl.manifest
04/27/2005 01:30 PM 749 sapi.cpl.manifest
04/27/2005 01:30 PM 749 wuaucpl.cpl.manifest
04/27/2005 01:30 PM 749 cdplayer.exe.manifest
04/27/2005 01:30 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 39,562,829,824 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/31/2005 09:18 PM 235,127 guard.tmp
1 File(s) 235,127 bytes
0 Dir(s) 39,562,825,728 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/31/2005 09:18 PM 235,127 guard.tmp
08/18/2001 08:00 AM 2,577 CONFIG.TMP
2 File(s) 237,704 bytes
0 Dir(s) 39,562,825,728 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{CD1508FE-CFE5-7B34-E05C-8458C06FE03C}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\windows\\system32\\n68olgl316q.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\windows\\system32\\dn8q01l5e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\Custom\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
bppanui.dll Mon Oct 31 2005 9:11:28p ..S.R 234,483 228.98 K
guard.tmp Mon Oct 31 2005 9:18:16p A.S.R 235,127 229.61 K
i2420c~1.dll Mon Oct 31 2005 9:17:16p ..S.R 235,369 229.85 K
mzc71enu.dll Mon Oct 31 2005 9:15:10p ..S.R 233,741 228.26 K
n68olg~1.dll Mon Oct 31 2005 9:15:08p ..S.R 235,127 229.61 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,173,847 bytes 1.12 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_27.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\ntdll(2).dll: .aspack
C:\WINDOWS\system32\ntdll(3).dll: .aspack
C:\WINDOWS\system32\ntdll(4).dll: .aspack
C:\WINDOWS\system32\ntdll(5).dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\windows\\system32\\NvCpl.dll,NvStartup"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"nwiz"="nwiz.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



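
The analysis infaddict describes in post #16 (picking the truly bad files and registry keys out of the FindIt log) and the comparison with the re-run log in post #19 can both be done mechanically. The script below is an added example written for this page; it is not part of FindIt, Killbox, or anything the thread's participants posted. It parses the "System Files in System32 Directory" and "Keys Under Notify" sections of two FindIt logs (excerpts of the logs from posts #17 and #19 are embedded as they appear above), flags Winlogon\Notify packages whose DllName is an absolute path into system32 (that heuristic is the example's own assumption; every built-in package in the logs registers a bare DLL name), and compares the two file listings so that a newly named file whose size was already seen in the earlier log stands out as the same payload re-dropped under a fresh random name, which is the "mutation" the P.S. in post #16 warns about.

```python
import re

# Excerpts of the FindIt logs posted in #17 (before Killbox) and #19 (after it),
# cut down to the two sections this script reads; the lines are as in the thread.
LOG_BEFORE = r"""
------- System Files in System32 Directory -------
10/31/2005 05:10 PM 233,741 guard.tmp
10/31/2005 10:02 AM 236,565 dn8q01l5e.dll
10/31/2005 10:01 AM 233,741 jt8u07l9e.dll
------------- Keys Under Notify -------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServicesOnce]
"DllName"="C:\\windows\\system32\\jt8u07l9e.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"DllName"="C:\\Custom\\WINDOW~1\\fastload.dll"
"""
LOG_AFTER = r"""
------- System Files in System32 Directory -------
10/31/2005 09:18 PM 235,127 guard.tmp
10/31/2005 09:17 PM 235,369 i2420choef4c0.dll
10/31/2005 09:15 PM 233,741 MZC71ENU.DLL
10/31/2005 09:15 PM 235,127 n68olgl316q.dll
10/31/2005 09:11 PM 234,483 bppanui.dll
------------- Keys Under Notify -------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"DllName"="C:\\windows\\system32\\n68olgl316q.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"DllName"="C:\\windows\\system32\\dn8q01l5e.dll"
"""

SECTION_RE = re.compile(r"^-+ (.+?) -+$")  # "------- Title -------"
DIR_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d [AP]M ([\d,]+) (\S+)$")  # file rows only
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\(.+)\]$")
VALUE_RE = re.compile(r'^"(\w+)"=(.*)$')

def split_sections(text):
    """Group the log's lines under their dashed section headers."""
    sections, current = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = sections.setdefault(m.group(1), [])
        else:
            current.append(line)
    return sections

def parse_system_files(lines):
    """Lower-cased file name -> size in bytes; <DIR> rows do not match DIR_RE."""
    rows = (DIR_RE.match(ln) for ln in lines)
    return {m.group(2).lower(): int(m.group(1).replace(",", "")) for m in rows if m}

def decode_reg_value(raw):
    """REGEDIT4 value -> str (hex(2) is a NUL-terminated byte list; quoted strings double backslashes)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(","))
        return data.split(b"\x00")[0].decode("latin-1")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")
    return raw

def parse_notify(lines):
    """Winlogon\\Notify subkey name -> {value name: decoded value}."""
    entries, key = {}, None
    for line in lines:
        if km := KEY_RE.match(line):
            key = km.group(1)
            entries[key] = {}
        elif key is not None and (vm := VALUE_RE.match(line)):
            entries[key][vm.group(1)] = decode_reg_value(vm.group(2))
    return entries

def suspicious_notify(entries, system_files):
    """Flag Notify packages whose DllName is an absolute path into system32 (this example's
    own heuristic: the built-in packages register a bare name). Each hit notes whether
    FindIt's system-file listing still contains that file."""
    hits = []
    for key, values in entries.items():
        dll = values.get("DllName", values.get("DLLName", ""))
        if ":" in dll and "\\system32\\" in dll.lower():
            hits.append((key, dll, dll.rsplit("\\", 1)[-1].lower() in system_files))
    return hits

def diff_file_sets(before, after):
    """Added files whose size was already seen earlier are the payload re-dropped under a new name."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    resized = sorted(n for n in before.keys() & after.keys() if before[n] != after[n])
    reappeared = [n for n in added if after[n] in set(before.values())]
    return {"removed": removed, "added": added, "resized": resized,
            "same_size_as_before": reappeared}

def analyse(before_text, after_text):
    """Run both checks and the before/after comparison on two FindIt logs."""
    b, a = split_sections(before_text), split_sections(after_text)
    fb = parse_system_files(b["System Files in System32 Directory"])
    fa = parse_system_files(a["System Files in System32 Directory"])
    return {"notify_before": suspicious_notify(parse_notify(b["Keys Under Notify"]), fb),
            "notify_after": suspicious_notify(parse_notify(a["Keys Under Notify"]), fa),
            "files": diff_file_sets(fb, fa)}

if __name__ == "__main__":
    for section, finding in analyse(LOG_BEFORE, LOG_AFTER).items():
        print(section, finding)
```

On the two excerpts it reports RunServicesOnce pointing at jt8u07l9e.dll in the first log, and DateTime and Shell Extensions in the second (the latter still pointing at dn8q01l5e.dll, which the #19 listing no longer shows), plus MZC71ENU.DLL as a 233,741-byte newcomer with exactly the size of the files that were just removed. The WB entry is not flagged because its path is outside system32; the file-listing flag on each hit is what tells an analyst whether the registry entry is the only remnant or whether the DLL is still in place, which is the difference between a registry clean-up and another Killbox round.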

#20 infaddict (Visiting Staff, 734 posts)
Hey Slappy :)

Before we proceed, I'd like you to try something for me:

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Reboot your computer into normal windows.

Please re-run the find.bat and post the new output.txt in your next reply.

:tazz:

#21 SlappyMuttMutt (Topic Starter, 22 posts)
I've tried Shredder before, didn't work then, does not work now. Why do I have the feeling that we are just gonna keep trying with every single scanner on the net haha... Oh well. Here is my log, maybe I did the killbox thing wrong, which ones should I kill now?



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

11/01/2005 05:07 PM 234,179 mvd32.dll
11/01/2005 05:07 PM 234,618 lvl4093qe.dll
11/01/2005 05:05 PM 234,179 q268lcju1fo8.dll
11/01/2005 01:30 PM 236,861 uypnpmgr(3).dll
11/01/2005 12:48 AM 235,127 oze32.dll
10/31/2005 09:11 PM 234,483 bppanui.dll
10/23/2005 12:20 PM <DIR> dllcache
04/27/2005 07:53 PM <DIR> Microsoft
6 File(s) 1,409,447 bytes
2 Dir(s) 38,411,374,592 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

10/23/2005 12:20 PM <DIR> dllcache
04/27/2005 01:30 PM 488 logonui.exe.manifest
04/27/2005 01:30 PM 488 WindowsLogon.manifest
04/27/2005 01:30 PM 749 nwc.cpl.manifest
04/27/2005 01:30 PM 749 sapi.cpl.manifest
04/27/2005 01:30 PM 749 wuaucpl.cpl.manifest
04/27/2005 01:30 PM 749 cdplayer.exe.manifest
04/27/2005 01:30 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 38,411,374,592 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32


------ Temp Files in System32 Directory ------

Volume in drive C is Programs and files
Volume Serial Number is DC1C-18F4

Directory of C:\windows\System32

08/18/2001 08:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 38,411,370,496 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{CD1508FE-CFE5-7B34-E05C-8458C06FE03C}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\windows\\system32\\q268lcju1fo8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\Custom\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
bppanui.dll Mon Oct 31 2005 9:11:28p ..S.R 234,483 228.98 K
lvl409~1.dll Tue Nov 1 2005 5:07:42p ..S.R 234,618 229.12 K
mvd32.dll Tue Nov 1 2005 5:07:42p ..S.R 234,179 228.69 K
oze32.dll Tue Nov 1 2005 12:48:46a ..S.R 235,127 229.61 K
q268lc~1.dll Tue Nov 1 2005 5:05:50p ..S.R 234,179 228.69 K
uypnpm~1.dll Tue Nov 1 2005 1:30:52p ..S.R 236,861 231.31 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,409,447 bytes 1.34 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_27.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\ntdll(2).dll: .aspack
C:\WINDOWS\system32\ntdll(3).dll: .aspack
C:\WINDOWS\system32\ntdll(4).dll: .aspack
C:\WINDOWS\system32\ntdll(5).dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\windows\\system32\\NvCpl.dll,NvStartup"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"nwiz"="nwiz.exe /install"
"Launch PC Probe II"="\"C:\\Program Files\\ASUS\\PC Probe II\\Probe2.exe\" 1"
"OutpostFeedBack"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"
"Outpost Firewall"="C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe /waitservice"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#22 SlappyMuttMutt (Topic Starter, 22 posts)
Hum. I think I might have fixed it myself. I will let you know if I didn't. Thanks for your help, I learned much.

#23 infaddict (Visiting Staff, 734 posts)
Ok, let me know how you are getting on :)

If you have fixed it then great!! If not then I have a cunning plan we can try which involves using a boot disk and deleting the infected files from DOS. I have tested this on my own machine and in theory it should work.

Please post back if you need my help :tazz:

#24 SlappyMuttMutt (Topic Starter, 22 posts)
Oh wow, how would you get in DOS? That is all I want to know.

#25 infaddict (Visiting Staff, 734 posts)
User PM'd me to say problem is resolved.

Glad we could help you :tazz:
