Posting findit log
Started by ph0enix2005, Jan 24 2005 02:35 PM
#1
Posted 24 January 2005 - 02:35 PM
Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\jacks\Find It NT-2K-XP

------- System Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 4C4A-A266
 Directory of C:\WINDOWS\System32
01/21/2005 08:38 AM <DIR> dllcache
03/30/2003 10:28 PM <DIR> Microsoft
 0 File(s) 0 bytes
 2 Dir(s) 3,587,588,096 bytes free

------- Hidden Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 4C4A-A266
 Directory of C:\WINDOWS\System32
01/21/2005 08:38 AM <DIR> dllcache
01/19/2005 09:19 AM 488 logonui.exe.manifest
01/19/2005 09:19 AM 488 WindowsLogon.manifest
01/19/2005 09:19 AM 749 wuaucpl.cpl.manifest
01/19/2005 09:19 AM 749 sapi.cpl.manifest
01/19/2005 09:19 AM 749 cdplayer.exe.manifest
01/19/2005 09:19 AM 749 nwc.cpl.manifest
01/19/2005 09:19 AM 749 ncpa.cpl.manifest
 7 File(s) 4,721 bytes
 1 Dir(s) 3,587,588,096 bytes free

------------ Files Named "Guard" ---------------
 Volume in drive C has no label.
 Volume Serial Number is 4C4A-A266
 Directory of C:\WINDOWS\System32
01/20/2005 02:24 PM 5 guard.tmp
 1 File(s) 5 bytes
 0 Dir(s) 3,587,584,000 bytes free

------ Temp Files in System32 Directory ------
 Volume in drive C has no label.
 Volume Serial Number is 4C4A-A266
 Directory of C:\WINDOWS\System32
01/20/2005 02:24 PM 5 guard.tmp
08/18/2001 07:00 AM 2,577 CONFIG.TMP
 2 File(s) 2,582 bytes
 0 Dir(s) 3,587,584,000 bytes free

------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{73BF820A-BF7F-4E56-9222-005FB4BE1431}"=""

------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
cdplay~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
logonu~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K
ncpacp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
nwccpl~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
sapicp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
window~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K
wuaucp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

-------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\eznssb.dll: updates.qoologic.com
C:\WINDOWS\system32\hpaxxw.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
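The part of a find log that answers "which entry is the trace?" is the "Keys Under Notify" export: every subkey under Winlogon\Notify names a DLL that winlogon.exe loads at logon, so it is a persistence point worth auditing on its own. The script below is an added example, not part of the original post or of the Find It / L2mfix tools. It parses a REGEDIT4 export of that key (string, dword and hex(2) values, including wrapped hex lines) and reports subkeys that are not one of the stock Windows XP notification packages, with extra signals for a DllName given as an absolute path (stock entries use a bare file name) and for a file name that mixes letters and digits. The STOCK_SUBKEYS set and the two heuristics are assumptions of the example, and the embedded NOTIFY_EXPORT is an excerpt constructed from the log posted above. As the log's own warning says, a hit only means "look at this"; a vendor entry such as NavLogon is expected to show up and has to be ruled out by hand.

```python
import re

# Excerpt of the "Keys Under Notify" section of the posted find log (constructed
# from the log above; these entries exercise every value type the parser handles).
NOTIFY_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
'''

NOTIFY_PATH = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumption: the Notify subkeys a clean Windows XP install carries. Anything
# else is reported; vendor packages (e.g. NavLogon) must then be verified by hand.
STOCK_SUBKEYS = {'crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon'}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text):
    """Join REGEDIT4 continuation lines (hex data wrapped with a trailing backslash)."""
    buf = ''
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith('\\') and not stripped.startswith('"'):
            buf += stripped[:-1]
            continue
        if stripped.endswith('\\') and '=hex' in stripped:
            buf += stripped[:-1]
            continue
        yield buf + stripped
        buf = ''


def _decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg string values escape backslash and double quote with a backslash.
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex(2):') or raw.startswith('hex:'):
        # REG_EXPAND_SZ / REG_BINARY as comma-separated bytes; strings are NUL-terminated.
        data = bytes(int(b, 16) for b in raw.split(':', 1)[1].split(',') if b)
        return data.rstrip(b'\x00').decode('latin-1')
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a REGEDIT4-format export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def _dllname(values):
    # The log itself shows both "DllName" and "DLLName"; the registry is case-insensitive.
    for name, value in values.items():
        if name.lower() == 'dllname':
            return value
    return None


def audit_notify(keys):
    """Report Notify subkeys that are not stock, with the corroborating signals seen."""
    findings = []
    prefix = NOTIFY_PATH.lower() + '\\'
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key.rsplit('\\', 1)[1]
        dll = _dllname(values)
        if dll is None or subkey in STOCK_SUBKEYS:
            continue
        reasons = ['subkey is not a stock XP notification package']
        if '\\' in dll:
            reasons.append('DllName is an absolute path (stock entries use a bare file name)')
        stem = dll.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if re.search(r'\d', stem) and re.search(r'[A-Za-z]', stem):
            reasons.append('file name mixes letters and digits')
        findings.append((subkey, dll, reasons))
    return findings


if __name__ == '__main__':
    for subkey, dll, reasons in audit_notify(parse_reg_export(NOTIFY_EXPORT)):
        print(f'{subkey}: {dll}')
        for reason in reasons:
            print(f'    - {reason}')
```

Run against the excerpt it prints two entries: Extensions (all three signals) and NavLogon (not stock, absolute path). The first is the kind of entry the thread is asking about; the second is the Norton AntiVirus logon hook and illustrates why the script reports rather than deletes. To audit a live XP box instead of a pasted log, feed it the output of `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` (that file is REGEDIT4-compatible apart from the header line, which the parser skips as an unmatched line).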
#2
Posted 25 January 2005 - 10:21 AM
I'd appreciate some help with this. JohnnyRotten mentioned that I still have a small trace of VX2. Which entry is that?
Thanks!
#3
Posted 25 January 2005 - 11:27 AM
Download L2mfix from one of these two locations:
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer; it may appear that nothing is happening, but after a minute or two Notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!