
Posting findit log



#1 ph0enix2005 (New Member, 7 posts)
Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.



Find.bat is running from: C:\jacks\Find It NT-2K-XP



------- System Files in System32 Directory -------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/21/2005 08:38 AM <DIR> dllcache

03/30/2003 10:28 PM <DIR> Microsoft

0 File(s) 0 bytes

2 Dir(s) 3,587,588,096 bytes free



------- Hidden Files in System32 Directory -------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/21/2005 08:38 AM <DIR> dllcache

01/19/2005 09:19 AM 488 logonui.exe.manifest

01/19/2005 09:19 AM 488 WindowsLogon.manifest

01/19/2005 09:19 AM 749 wuaucpl.cpl.manifest

01/19/2005 09:19 AM 749 sapi.cpl.manifest

01/19/2005 09:19 AM 749 cdplayer.exe.manifest

01/19/2005 09:19 AM 749 nwc.cpl.manifest

01/19/2005 09:19 AM 749 ncpa.cpl.manifest

7 File(s) 4,721 bytes

1 Dir(s) 3,587,588,096 bytes free



------------ Files Named "Guard" ---------------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/20/2005 02:24 PM 5 guard.tmp

1 File(s) 5 bytes

0 Dir(s) 3,587,584,000 bytes free



------ Temp Files in System32 Directory ------



Volume in drive C has no label.

Volume Serial Number is 4C4A-A266



Directory of C:\WINDOWS\System32



01/20/2005 02:24 PM 5 guard.tmp

08/18/2001 07:00 AM 2,577 CONFIG.TMP

2 File(s) 2,582 bytes

0 Dir(s) 3,587,584,000 bytes free



------------------ User Agent ----------------



REGEDIT4



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{73BF820A-BF7F-4E56-9222-005FB4BE1431}"=""





------------- Keys Under Notify -------------



REGEDIT4



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

"Logoff"="NavLogoffEvent"

"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"

"StartShell"="NavStartShellEvent"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001





------------- Locate.com Results -------------



C:\WINDOWS\SYSTEM32\

cdplay~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

logonu~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K

ncpacp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

nwccpl~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

sapicp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

window~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K

wuaucp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K



7 items found: 7 files, 0 directories.

Total of file sizes: 4,721 bytes 4.61 K



-------- Strings.exe Qoologic Results --------



C:\WINDOWS\system32\eznssb.dll: updates.qoologic.com

C:\WINDOWS\system32\hpaxxw.exe: updates.qoologic.com



--------- Strings.exe Aspack Results ---------



C:\WINDOWS\system32\ntdll.dll: .aspack



-------------- HKLM Run Key ----------------



REGEDIT4



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""

"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

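As an added example (not part of this post and not a component of the FindIt tool), here is a small Python script that reads a REGEDIT4 export like the "Keys Under Notify" section of the log above, decodes the hex(2)-encoded DllName values, and lists the Winlogon\Notify subkeys whose DLL is not one of the stock Windows notification DLLs. The embedded export excerpt is constructed from the log; the allowlist (assumed for Windows XP) and all function names are this example's own assumptions.

```python
import re

# Constructed excerpt in REGEDIT4 format, copied from the Notify section of the
# log above (only a few subkeys are reproduced; the real export has more).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"""

# Assumption: DLLs that the stock Windows XP Winlogon\Notify subkeys point at.
# Anything else is queued for review (third-party products land here too).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}


def decode_reg_string(raw):
    """Turn a REGEDIT4 value (quoted string or hex(2) byte list) into text."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # Quoted REG_SZ: unescape doubled backslashes and escaped quotes.
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw, re.I)
    if m:
        # hex(2) = REG_EXPAND_SZ stored as comma-separated ANSI bytes, NUL-terminated.
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("latin-1").rstrip("\x00")
    return raw


def parse_notify_entries(export_text):
    """Return one dict per Winlogon\\Notify subkey that defines a DllName value."""
    entries = []
    current = None   # Notify subkey name of the section being read, if any
    pending = ""     # accumulates a value continued over lines with a trailing '\'
    for raw_line in export_text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find("\\winlogon\\notify\\")
            current = key[idx + len("\\winlogon\\notify\\"):] if idx != -1 else None
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().strip('"').lower() == "dllname":
            dll = decode_reg_string(value)
            entries.append({"subkey": current, "dll": dll,
                            "basename": dll.rsplit("\\", 1)[-1].lower()})
    return entries


def review_notify_entries(export_text, stock=STOCK_NOTIFY_DLLS):
    """Annotate each Notify entry with whether its DLL is a stock Windows one."""
    findings = []
    for entry in parse_notify_entries(export_text):
        entry["stock"] = entry["basename"] in stock
        entry["absolute_path"] = "\\" in entry["dll"]
        findings.append(entry)
    return findings


def entries_to_review(export_text):
    """Subkey names whose DLL is not on the stock list, in export order."""
    return [e["subkey"] for e in review_notify_entries(export_text) if not e["stock"]]


if __name__ == "__main__":
    for e in review_notify_entries(SAMPLE_EXPORT):
        flag = "stock" if e["stock"] else "REVIEW"
        print(f"{flag:6} {e['subkey']:14} -> {e['dll']}")
```

On the excerpt this queues Extensions (irp0l57m1.dll) and NavLogon (NavLogon.dll) for review and passes crypt32chain and ScCertProp. The output is a review list, not a verdict: a legitimate third-party product's notification DLL such as Norton's NavLogon.dll appears in it alongside anything unexpected, so each flagged DLL still has to be checked (publisher, signature, install date) before anything is removed.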



#2 ph0enix2005 (Topic Starter, New Member, 7 posts)
I'd appreciate some help with this. JohnnyRotten mentioned that I still have a small trace of VX2. Which entry is that?

Thanks!

#3 admin (Founder Geek, Administrator, 24,501 posts)
Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!





