Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Posting findit log

Started by ph0enix2005 , Jan 24 2005 02:35 PM

  • Please log in to reply

#1
ph0enix2005
Posted 24 January 2005 - 02:35 PM

ph0enix2005

    New Member

  • Member
  • Pip
  • 7 posts 
Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.



Find.bat is running from: C:\jacks\Find It NT-2K-XP



------- System Files in System32 Directory -------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/21/2005 08:38 AM <DIR> dllcache

03/30/2003 10:28 PM <DIR> Microsoft

0 File(s) 0 bytes

2 Dir(s) 3,587,588,096 bytes free



------- Hidden Files in System32 Directory -------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/21/2005 08:38 AM <DIR> dllcache

01/19/2005 09:19 AM 488 logonui.exe.manifest

01/19/2005 09:19 AM 488 WindowsLogon.manifest

01/19/2005 09:19 AM 749 wuaucpl.cpl.manifest

01/19/2005 09:19 AM 749 sapi.cpl.manifest

01/19/2005 09:19 AM 749 cdplayer.exe.manifest

01/19/2005 09:19 AM 749 nwc.cpl.manifest

01/19/2005 09:19 AM 749 ncpa.cpl.manifest

7 File(s) 4,721 bytes

1 Dir(s) 3,587,588,096 bytes free



------------ Files Named "Guard" ---------------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/20/2005 02:24 PM 5 guard.tmp

1 File(s) 5 bytes

0 Dir(s) 3,587,584,000 bytes free



------ Temp Files in System32 Directory ------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/20/2005 02:24 PM 5 guard.tmp

08/18/2001 07:00 AM 2,577 CONFIG.TMP

2 File(s) 2,582 bytes

0 Dir(s) 3,587,584,000 bytes free



------------------ User Agent ----------------



REGEDIT4



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{73BF820A-BF7F-4E56-9222-005FB4BE1431}"=""





------------- Keys Under Notify -------------



REGEDIT4



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

"Logoff"="NavLogoffEvent"

"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"

"StartShell"="NavStartShellEvent"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001





------------- Locate.com Results -------------



C:\WINDOWS\SYSTEM32\

cdplay~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

logonu~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K

ncpacp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

nwccpl~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

sapicp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

window~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K

wuaucp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K



7 items found: 7 files, 0 directories.

Total of file sizes: 4,721 bytes 4.61 K



-------- Strings.exe Qoologic Results --------



C:\WINDOWS\system32\eznssb.dll: updates.qoologic.com

C:\WINDOWS\system32\hpaxxw.exe: updates.qoologic.com



--------- Strings.exe Aspack Results ---------



C:\WINDOWS\system32\ntdll.dll: .aspack



-------------- HKLM Run Key ----------------



REGEDIT4



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""

"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

  • 0

Advertisements

#2
ph0enix2005
Posted 25 January 2005 - 10:21 AM

ph0enix2005

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I'd appreciate some help with this. JohnnyRotten mentioned that I still have a small trace of VX2. Which entry is that?

Thanks!
  • 0

#3
admin
Posted 25 January 2005 - 11:27 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP