

Messages - thirstee

1
Tech Clinic / cws.bootconf
« on: December 13, 2004, 08:50:55 AM »
OK, notes first. The two files in the same timeframe and the 218k size are: IGIresize.dll and Guard.tmp. I also noticed these files that didn't look good: idleui.dll (41k) and 2ndsrch.dll (68). They were the same day, just smaller.
Also, when I did the KillBox, on the two that wouldn't delete initially, I got an error as follows from KillBox: "Pending file rename operation registry data has been removed by external process"

I did not find the file ?hkdsk.exe; I only saw chkdsk.exe in that directory.

Here are the updated logs:

HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 7:55:40 AM, on 12/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

Find.bat log

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
               3 File(s)        396,770 bytes
               1 Dir(s)  173,053,349,888 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
09/26/2004  08:00p      <DIR>          GroupPolicy
09/26/2004  07:56p              21,692 folder.htt
09/26/2004  07:56p                 271 desktop.ini
               5 File(s)        418,733 bytes
               2 Dir(s)  173,053,349,888 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/13/2004  07:24a             223,706 guard.tmp
               1 File(s)        223,706 bytes
               0 Dir(s)  173,053,349,888 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/13/2004  07:24a             223,706 guard.tmp
12/07/1999  06:00a               2,577 CONFIG.TMP
               2 File(s)        226,283 bytes
               0 Dir(s)  173,053,349,888 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OfficeUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\n8p40i7qe8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------

C:\WINNT\SYSTEM32\
   ced9f6~1.sys   Tue Nov 23 2004   6:38:46p  ..SHR             56     0.05 K
   desktop.ini    Sun Sep 26 2004   7:56:32p  ...H.            271     0.26 K
   folder.htt     Sun Sep 26 2004   7:56:32p  ...H.         21,692    21.18 K
   kgygaavl.sys   Tue Nov 23 2004   6:43:46p  A.SH.         11,690    11.41 K
   hkdsk~1.exe    Fri Nov 12 2004   7:52:22a  ..SHR        385,024   376.00 K

5 items found:  5 files, 0 directories.
   Total of file sizes:  418,733 bytes    408.92 K

DLLCompare log

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,150 items found:  1,150 files, 0 directories.
Total of file sizes:  251,902,817 bytes    240.23 M

Administrator Account =  True

--------------------End log---------------------


Thanks again for all your help!

2
Tech Clinic / cws.bootconf
« on: December 13, 2004, 12:33:46 AM »
OK, Update:
Recycle Bin option 3 worked. Had "No Such File exists" on the first two attempts.

As I opened this page, I got a spotresults searcher page open at the same time. Here are the logs:
HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 11:41:14 PM, on 12/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\winnt\system32\winupdt.exe
C:\winnt\system32\RUNDLL32.exe
C:\winnt\system32\winupdt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stcloader] C:\winnt\system32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\winnt\system32\winupdtl.exe
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe

DLLCompare log

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\bt549.dll      Sun Dec 12 2004  11:37:04p  ..S.R        223,706   218.46 K
C:\WINNT\SYSTEM32\lvj609~1.dll   Sun Dec 12 2004  11:30:40p  ..S.R        223,706   218.46 K
C:\WINNT\SYSTEM32\n8p40i~1.dll   Sun Dec 12 2004  11:37:04p  ..S.R        224,184   218.93 K
________________________________________________

1,153 items found:  1,153 files (3 H/S), 0 directories.
Total of file sizes:  252,574,413 bytes    240.87 M

Administrator Account =  True

--------------------End log---------------------


Find.bat Log

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/12/2004  11:37p             223,706 bt549.dll
12/12/2004  11:37p             224,184 n8p40i7qe8.dll
12/12/2004  11:30p             223,706 lvj6091se.dll
12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
               6 File(s)      1,068,366 bytes
               1 Dir(s)  173,197,762,560 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
09/26/2004  08:00p      <DIR>          GroupPolicy
09/26/2004  07:56p              21,692 folder.htt
09/26/2004  07:56p                 271 desktop.ini
               5 File(s)        418,733 bytes
               2 Dir(s)  173,197,762,560 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/07/1999  06:00a               2,577 CONFIG.TMP
               1 File(s)          2,577 bytes
               0 Dir(s)  173,197,762,560 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\lvj6091se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


 ---------------- Xfind Results -----------------

C:\winnt\System32\BT549.DLL +++ File read error

 -------------- Locate.com Results ---------------

C:\WINNT\SYSTEM32\
   bt549.dll      Sun Dec 12 2004  11:37:04p  ..S.R        223,706   218.46 K
   ced9f6~1.sys   Tue Nov 23 2004   6:38:46p  ..SHR             56     0.05 K
   desktop.ini    Sun Sep 26 2004   7:56:32p  ...H.            271     0.26 K
   folder.htt     Sun Sep 26 2004   7:56:32p  ...H.         21,692    21.18 K
   kgygaavl.sys   Tue Nov 23 2004   6:43:46p  A.SH.         11,690    11.41 K
   lvj609~1.dll   Sun Dec 12 2004  11:30:40p  ..S.R        223,706   218.46 K
   n8p40i~1.dll   Sun Dec 12 2004  11:37:04p  ..S.R        224,184   218.93 K
   hkdsk~1.exe    Fri Nov 12 2004   7:52:22a  ..SHR        385,024   376.00 K

8 items found:  8 files, 0 directories.
   Total of file sizes:  1,090,329 bytes      1.04 M

3
Tech Clinic / cws.bootconf
« on: December 12, 2004, 09:35:01 PM »
Findit

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/12/2004  04:27p             222,914 n82u0if9e82.dll
12/12/2004  04:10p             226,259 nv0029dmg.dll
12/12/2004  04:08p             222,914 gpj4l31q1.dll
12/12/2004  03:59p             222,750 k480lelm1hqa.dll
12/12/2004  03:00p             224,359 lv6809jue.dll
12/12/2004  10:00a             224,359 wpvdmoe.dll
12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
               9 File(s)      1,740,325 bytes
               1 Dir(s)  175,603,798,016 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
09/26/2004  08:00p      <DIR>          GroupPolicy
09/26/2004  07:56p              21,692 folder.htt
09/26/2004  07:56p                 271 desktop.ini
               5 File(s)        418,733 bytes
               2 Dir(s)  175,603,793,920 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/07/1999  06:00a               2,577 CONFIG.TMP
               1 File(s)          2,577 bytes
               0 Dir(s)  175,603,793,920 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\gpj4l31q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


 ---------------- Xfind Results -----------------

C:\winnt\System32\GPJ4L3~1.DLL +++ File read error

 -------------- Locate.com Results ---------------

C:\WINNT\SYSTEM32\
   ced9f6~1.sys   Tue Nov 23 2004   6:38:46p  ..SHR             56     0.05 K
   desktop.ini    Sun Sep 26 2004   7:56:32p  ...H.            271     0.26 K
   folder.htt     Sun Sep 26 2004   7:56:32p  ...H.         21,692    21.18 K
   gpj4l3~1.dll   Sun Dec 12 2004   4:08:10p  ..S.R        222,914   217.69 K
   k480le~1.dll   Sun Dec 12 2004   3:59:46p  ..S.R        222,750   217.53 K
   kgygaavl.sys   Tue Nov 23 2004   6:43:46p  A.SH.         11,690    11.41 K
   lv6809~1.dll   Sun Dec 12 2004   3:00:48p  ..S.R        224,359   219.10 K
   n82u0i~1.dll   Sun Dec 12 2004   4:27:18p  ..S.R        222,914   217.69 K
   nv0029~1.dll   Sun Dec 12 2004   4:10:10p  ..S.R        226,259   220.95 K
   wpvdmoe.dll    Sun Dec 12 2004  10:00:42a  ..S.R        224,359   219.10 K
   hkdsk~1.exe    Fri Nov 12 2004   7:52:22a  ..SHR        385,024   376.00 K

11 items found:  11 files, 0 directories.
   Total of file sizes:  1,762,288 bytes      1.68 M

Filefind

Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\WINNT\System32

06/19/2003  11:05a              13,584 chkdsk.exe
11/12/2004  07:52a             385,024 ?hkdsk.exe
               2 File(s)        398,608 bytes

 Directory of C:\Documents and Settings\Lanny\Desktop

DLLCompare

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\gpj4l3~1.dll   Sun Dec 12 2004   4:08:10p  ..S.R        222,914   217.69 K
C:\WINNT\SYSTEM32\k480le~1.dll   Sun Dec 12 2004   3:59:46p  ..S.R        222,750   217.53 K
C:\WINNT\SYSTEM32\lv6809~1.dll   Sun Dec 12 2004   3:00:48p  ..S.R        224,359   219.10 K
C:\WINNT\SYSTEM32\n82u0i~1.dll   Sun Dec 12 2004   4:27:18p  ..S.R        222,914   217.69 K
C:\WINNT\SYSTEM32\nv0029~1.dll   Sun Dec 12 2004   4:10:10p  ..S.R        226,259   220.95 K
C:\WINNT\SYSTEM32\wpvdmoe.dll    Sun Dec 12 2004  10:00:42a  ..S.R        224,359   219.10 K
________________________________________________

1,154 items found:  1,154 files (6 H/S), 0 directories.
Total of file sizes:  253,135,268 bytes    241.41 M

Administrator Account =  True

--------------------End log---------------------


HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 8:44:02 PM, on 12/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\winnt\system32\cmd.exe
C:\winnt\system32\notepad.exe
C:\downloads\DllCompare.exe
C:\winnt\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe

Anything else? I'm sorry we're starting over, but this darn thing is driving me nuts.
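The three Find.bat logs above show the same pattern each time: a Winlogon\Notify package with a harmless-looking name (OfficeUpdate, Telephony, Reinstall) whose DllName is a full path to a freshly dropped, randomly named DLL in system32, registering generic WinLogon/WinLogoff/WinShutdown handlers, while the Locate.com listing shows several System+ReadOnly files of identical size (bt549.dll, lvj6091se.dll and guard.tmp are all 223,706 bytes). The script below is an added example for this thread; it is not part of thirstee's posts and not one of the tools (Find.bat, DLLCompare, HijackThis, VX2 Finder) whose output is pasted here. It parses the REGEDIT4 "Keys Under Notify" export and the Locate.com section of a Find.bat log and flags both signals. The baseline package list, the "digits mixed into letters" check and the sample text are assumptions constructed from the logs in this thread, not an authoritative allow-list.

```python
"""Triage helper for the Winlogon\\Notify persistence seen in this thread.
Added example, not one of the tools whose logs are posted above. Parses the
REGEDIT4 export of HKLM\\...\\Winlogon\\Notify and a Locate.com listing and
flags (1) notify packages that look planted and (2) System+ReadOnly files in
system32 that share an exact byte size. Sample text is constructed from the
entries posted in the thread."""
import re
from collections import defaultdict

# Assumption: the six packages present in every export in the thread; a
# heuristic baseline for Windows 2000, not an authoritative allow-list.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn", "wzcnotif"}
# The planted packages in the thread all register these three generic exports.
GENERIC_HANDLERS = {"winlogon", "winlogoff", "winshutdown"}

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Locate.com line: name  Ddd Mmm dd yyyy  hh:mm:ssp  attrs  bytes  K/M
LOCATE_RE = re.compile(
    r"^(\S+)\s+\w{3} \w{3}\s+\d{1,2} \d{4}\s+\d{1,2}:\d{2}:\d{2}[ap]"
    r"\s+([A-Z.]{5})\s+([\d,]+)\s+[\d.]+ [KM]$")

SAMPLE_NOTIFY = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"DllName"="C:\\winnt\\system32\\lvj6091se.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
'''

SAMPLE_LOCATE = '''C:\\WINNT\\SYSTEM32\\
   bt549.dll      Sun Dec 12 2004  11:37:04p  ..S.R        223,706   218.46 K
   ced9f6~1.sys   Tue Nov 23 2004   6:38:46p  ..SHR             56     0.05 K
   desktop.ini    Sun Sep 26 2004   7:56:32p  ...H.            271     0.26 K
   lvj609~1.dll   Sun Dec 12 2004  11:30:40p  ..S.R        223,706   218.46 K
   n8p40i~1.dll   Sun Dec 12 2004  11:37:04p  ..S.R        224,184   218.93 K
'''


def decode_value(raw):
    """REGEDIT4 value -> str. Quoted strings carry backslash escapes; hex(2) is a
    REG_EXPAND_SZ exported as comma-separated ANSI bytes ending in a NUL."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):") or raw.startswith("hex:"):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw  # dword:... and anything else stay as written


def parse_notify(text):
    """Return {package: {value_name_lower: decoded}} for each Notify\\<package> key."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            packages[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            packages[current][m.group(1).lower()] = decode_value(m.group(2))
    return packages


def suspicious_packages(packages):
    """Return {package: (dll, [reasons])} for packages that trip any heuristic."""
    findings = {}
    for name, values in packages.items():
        dll = values.get("dllname", "")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        handlers = {v.lower() for k, v in values.items()
                    if k in ("logon", "logoff", "shutdown")}
        reasons = []
        if name.lower() not in BASELINE:
            reasons.append("package name not in the Windows 2000 baseline")
        if "\\" in dll:
            reasons.append("DllName is an absolute path; built-in packages use a bare name")
        if re.search(r"[a-z]\d+[a-z]", stem):
            reasons.append("DLL name has digits mixed into letters: " + stem)
        if handlers and handlers <= GENERIC_HANDLERS:
            reasons.append("only generic WinLogon/WinLogoff/WinShutdown handlers")
        if reasons:
            findings[name] = (dll, reasons)
    return findings


def size_clusters(listing):
    """Group System+ReadOnly files by exact byte size and return clusters of two
    or more; differently named files of identical size are worth a look."""
    by_size = defaultdict(list)
    for line in listing.splitlines():
        m = LOCATE_RE.match(line.strip())
        if m and "S" in m.group(2) and "R" in m.group(2):
            by_size[int(m.group(3).replace(",", ""))].append(m.group(1))
    return {size: names for size, names in by_size.items() if len(names) > 1}


if __name__ == "__main__":
    for pkg, (dll, reasons) in suspicious_packages(parse_notify(SAMPLE_NOTIFY)).items():
        print("Notify\\%s -> %s\n    %s" % (pkg, dll, "\n    ".join(reasons)))
    for size, names in size_clusters(SAMPLE_LOCATE).items():
        print("%d bytes: %s" % (size, ", ".join(names)))
```

To use it on a real log, paste the "Keys Under Notify" section into parse_notify and the "Locate.com Results" section into size_clusters. Decoding the hex(2) values matters: the built-in packages in these logs store DllName as REG_EXPAND_SZ bytes, so a naive string search for ".dll" would miss them and make the planted, plain-string entries look like the only packages present.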

4
Tech Clinic / cws.bootconf
« on: December 12, 2004, 09:25:59 PM »
That was me above! :)

5
Tech Clinic / cws.bootconf
« on: December 12, 2004, 08:32:33 AM »
VX2 Log

Log for VX2.BetterInternet File Finder (ALL)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn
URL
wzcnotif


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{0D47A9A6-8109-4488-B37A-840F2EA290B4}

Fresh Find.bat Log

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
               3 File(s)        396,770 bytes
               1 Dir(s)  175,703,322,624 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
09/26/2004  08:00p      <DIR>          GroupPolicy
09/26/2004  07:56p              21,692 folder.htt
09/26/2004  07:56p                 271 desktop.ini
               5 File(s)        418,733 bytes
               2 Dir(s)  175,703,322,624 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:16p             224,359 guard.tmp
               1 File(s)        224,359 bytes
               0 Dir(s)  175,703,322,624 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:16p             224,359 guard.tmp
12/07/1999  06:00a               2,577 CONFIG.TMP
               2 File(s)        226,936 bytes
               0 Dir(s)  175,703,322,624 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\kt2ml7f11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


 ---------------- Xfind Results -----------------

C:\winnt\System32\KT2ML7~1.DLL +++ File read error

 -------------- Locate.com Results ---------------

C:\WINNT\SYSTEM32\
   ced9f6~1.sys   Tue Nov 23 2004   6:38:46p  ..SHR             56     0.05 K
   desktop.ini    Sun Sep 26 2004   7:56:32p  ...H.            271     0.26 K
   folder.htt     Sun Sep 26 2004   7:56:32p  ...H.         21,692    21.18 K
   kgygaavl.sys   Tue Nov 23 2004   6:43:46p  A.SH.         11,690    11.41 K
   hkdsk~1.exe    Fri Nov 12 2004   7:52:22a  ..SHR        385,024   376.00 K

5 items found:  5 files, 0 directories.
   Total of file sizes:  418,733 bytes    408.92 K

Fresh dllcompare log

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

2,534 items found:  2,534 files, 0 directories.
Total of file sizes:  478,892,931 bytes    456.71 M

Administrator Account =  True

--------------------End log---------------------


Recycle Bin Test

Does NOT end up in recycle bin

6
Tech Clinic / cws.bootconf
« on: December 12, 2004, 12:16:46 AM »
New Find.bat Results

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
               3 File(s)        396,770 bytes
               1 Dir(s)  175,631,810,560 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:21p      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
09/26/2004  08:00p      <DIR>          GroupPolicy
09/26/2004  07:56p              21,692 folder.htt
09/26/2004  07:56p                 271 desktop.ini
               5 File(s)        418,733 bytes
               2 Dir(s)  175,631,806,464 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:16p             224,359 guard.tmp
               1 File(s)        224,359 bytes
               0 Dir(s)  175,631,806,464 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/11/2004  05:16p             224,359 guard.tmp
12/07/1999  06:00a               2,577 CONFIG.TMP
               2 File(s)        226,936 bytes
               0 Dir(s)  175,631,806,464 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\kt2ml7f11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


 ---------------- Xfind Results -----------------

C:\winnt\System32\KT2ML7~1.DLL +++ File read error

 -------------- Locate.com Results ---------------

C:\WINNT\SYSTEM32\
   ced9f6~1.sys   Tue Nov 23 2004   6:38:46p  ..SHR             56     0.05 K
   desktop.ini    Sun Sep 26 2004   7:56:32p  ...H.            271     0.26 K
   folder.htt     Sun Sep 26 2004   7:56:32p  ...H.         21,692    21.18 K
   kgygaavl.sys   Tue Nov 23 2004   6:43:46p  A.SH.         11,690    11.41 K
   hkdsk~1.exe    Fri Nov 12 2004   7:52:22a  ..SHR        385,024   376.00 K

5 items found:  5 files, 0 directories.
   Total of file sizes:  418,733 bytes    408.92 K


New dllcompare info

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,150 items found:  1,150 files, 0 directories.
Total of file sizes:  252,240,749 bytes    240.55 M

Administrator Account =  True

--------------------End log---------------------

New Hijackthis Log

Logfile of HijackThis v1.98.2
Scan saved at 11:24:09 PM, on 12/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Turbo Torrent\ttorrent.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe

And that's all there was for HijackThis!

Any and all help is appreciated!

7
Tech Clinic / cws.bootconf
« on: December 10, 2004, 07:49:01 PM »
OK, I've been reading the logs here and would like some help. This stupid cws.bootconf won't go away, and when I maximize my IE it stops 1" from the top. Other apps use full screen, but not IE. Well, here's the stuff people asked for in other posts!

Log from find.bat

Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/02/2004  06:58a      <DIR>          dllcache
11/23/2004  06:43p              11,690 KGyGaAvL.sys
11/23/2004  06:38p                  56 CED9F6D0F6.sys
11/12/2004  07:52a             385,024 ?hkdsk.exe
09/26/2004  08:00p      <DIR>          GroupPolicy
09/26/2004  07:56p              21,692 folder.htt
09/26/2004  07:56p                 271 desktop.ini
               5 File(s)        418,733 bytes
               2 Dir(s)  175,704,399,872 bytes free
 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

 Volume in drive C is Primary
 Volume Serial Number is 5DA6-51E0

 Directory of C:\winnt\System32

12/07/1999  06:00a               2,577 CONFIG.TMP
               1 File(s)          2,577 bytes
               0 Dir(s)  175,704,395,776 bytes free
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\n48o0el3ehq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000



Log from VX2 Finder


Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
Internet Settings
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---
{0D47A9A6-8109-4488-B37A-840F2EA290B4}
 

Log from dllcompare

*    DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\aksetupc.dll   Fri Dec 10 2004   6:27:24p  ..S.R        223,616   218.38 K
C:\WINNT\SYSTEM32\gp0ml3~1.dll   Fri Dec 10 2004   6:25:12p  ..S.R        223,232   218.00 K
C:\WINNT\SYSTEM32\n48o0e~1.dll   Fri Dec 10 2004   7:46:10a  ..S.R        223,616   218.38 K
________________________________________________

1,152 items found:  1,152 files (3 H/S), 0 directories.
Total of file sizes:  252,809,143 bytes    241.09 M

Administrator Account =  True

--------------------End log---------------------

Log from Hijack this

Logfile of HijackThis v1.98.2
Scan saved at 6:57:46 PM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\winnt\system32\NOTEPAD.EXE
C:\downloads\hijackthis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe

Any help would be appreciated!
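
The two artifacts that change between the logs in this thread are the Winlogon Notify subkey (first "Internet Settings" loading n48o0el3ehq.dll, later "URL" loading kt2ml7f11.dll, after the first DLL was removed) and the O1 hosts-file lines that point search domains at 69.20.16.183. The script below is an added example, not code from the thread or from any of the tools mentioned in it (find.bat, VX2 Finder, DLLCompare, HijackThis). It parses a REGEDIT4 export of the Notify key, flags any subkey that is not in a small allow-list of the Windows 2000/XP notification packages (the allow-list is our assumption, built from the standard entries visible above, and should be extended for other OS versions), and flags hosts entries that map a hostname to a routable address rather than loopback. The sample input is copied from the logs above, with one constructed loopback entry added to show the benign ad-blocking pattern being left alone.

```python
"""Triage of a Winlogon\\Notify REGEDIT4 export and HijackThis O1 lines.
Added example; not from the forum thread or any tool it mentions."""
import re
from typing import Dict, List, Tuple

# ASSUMPTION: allow-list of Notify packages shipped with Windows 2000/XP,
# keyed by lower-cased subkey name -> expected DLL. Built by us from the
# standard entries visible in the thread's logs; extend before relying on it.
KNOWN_GOOD_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}
NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
              "\\CurrentVersion\\Winlogon\\Notify")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Sample input: Notify section copied from the find.bat output above
# (abridged to the values that matter for triage).
NOTIFY_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\n48o0el3ehq.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"DllName"="C:\\winnt\\system32\\kt2ml7f11.dll"
"Logon"="WinLogon"
"""

# Sample input: three O1 lines from the HijackThis log above, plus one
# CONSTRUCTED loopback entry that a benign ad-blocking hosts file would contain.
HJT_O1_LINES = """O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.example.invalid
"""


def _decode_reg_value(raw: str) -> str:
    """Decode a REGEDIT4 value: "quoted" (with \\\\ and \\" escapes) or
    hex(2):xx,xx,... (REG_EXPAND_SZ as null-terminated ANSI bytes, single line)."""
    raw = raw.strip()
    if raw.startswith("hex(2):") or raw.startswith("hex:"):
        hexpart = raw.split(":", 1)[1]
        data = bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
        return data.rstrip(b"\x00").decode("latin-1")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw  # dword:... and anything else is returned untouched


def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value_name_lower: decoded_value}} for every subkey
    directly under Winlogon\\Notify in a REGEDIT4 export."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
                current = key[len(NOTIFY_KEY) + 1:]
                entries[current] = {}
            else:
                current = None  # the bare Notify key or an unrelated key
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, value = line.partition("=")
        entries[current][name.strip('"').lower()] = _decode_reg_value(value)
    return entries


def triage_notify(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for every Notify entry outside the allow-list.
    Legitimate Windows entries use a bare DLL name resolved from system32; a full
    path under system32 with a random-looking name is the pattern in this thread."""
    findings = []
    for subkey, values in entries.items():
        dll = values.get("dllname", "")
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        expected = KNOWN_GOOD_NOTIFY.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "subkey not in Windows allow-list"))
        elif basename != expected:
            findings.append((subkey, dll, f"expected {expected}"))
        elif "\\" in dll:
            findings.append((subkey, dll, "absolute path instead of bare DLL name"))
    return findings


def triage_hosts(o1_lines: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) for O1 entries that point a name at a routable
    address; loopback/null-route entries (ad blocking) are not reported."""
    pat = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
    return [(m.group(2), m.group(1))
            for m in (pat.match(l.strip()) for l in o1_lines.splitlines())
            if m and m.group(1) not in LOOPBACK]


if __name__ == "__main__":
    for subkey, dll, reason in triage_notify(parse_notify_export(NOTIFY_EXPORT)):
        print(f"NOTIFY  {subkey!r:22} -> {dll}  [{reason}]")
    for host, ip in triage_hosts(HJT_O1_LINES):
        print(f"HOSTS   {host} -> {ip}")
```

Run against the thread's own data this reports the "Internet Settings" and "URL" subkeys and the three 69.20.16.183 hosts entries, and nothing else. The allow-list approach is deliberate: the DLL names in this family change on every reinstall (n48o0el3ehq.dll, then kt2ml7f11.dll), so matching on a known-bad name would miss the re-created entry, while "not one of the handful of Microsoft notification packages" catches it regardless of name.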
