malware


#1 lmt_box

Posted 27 January 2005 - 08:32 PM

Hi,
Please help,

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C92-34B5

Directory of C:\WINDOWS\System32

01/27/2005 08:13 PM <DIR> dllcache
01/27/2005 08:12 PM 224,303 oqeaccrc.dll
01/27/2005 08:12 PM 225,325 e220lcfm1f2a.dll
01/27/2005 05:32 PM 224,303 o6nslg5716.dll
01/25/2005 05:58 PM 222,992 mv6ql9j51.dll
01/25/2005 05:50 PM 222,828 en42l1ho1.dll
01/24/2005 07:15 PM 223,935 ktl0l73m1.dll
01/24/2005 04:58 PM 224,129 irp4l57q1.dll
01/24/2005 12:30 PM 224,129 dc8vb.dll
01/23/2005 11:44 PM 223,875 p6p60g7se6.dll
01/23/2005 05:26 PM 223,652 kmdfi1.dll
01/23/2005 05:19 PM 223,053 gp8ql3l51.dll
01/23/2005 01:35 PM 225,313 r4r6le9s1h.dll
01/23/2005 10:52 AM 225,313 gfdef.dll
12/03/2004 04:12 AM <DIR> Microsoft
13 File(s) 2,913,150 bytes
2 Dir(s) 69,675,474,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C92-34B5

Directory of C:\WINDOWS\System32

01/27/2005 08:13 PM <DIR> dllcache
01/27/2005 08:12 PM 890 vsconfig.xml
01/17/2005 09:12 PM 4,212 zllictbl.dat
12/03/2004 03:50 AM 488 WindowsLogon.manifest
12/03/2004 03:50 AM 488 logonui.exe.manifest
12/03/2004 03:50 AM 749 sapi.cpl.manifest
12/03/2004 03:50 AM 749 wuaucpl.cpl.manifest
12/03/2004 03:50 AM 749 cdplayer.exe.manifest
12/03/2004 03:50 AM 749 ncpa.cpl.manifest
12/03/2004 03:50 AM 749 nwc.cpl.manifest
9 File(s) 9,823 bytes
1 Dir(s) 69,675,470,848 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 8C92-34B5

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 8C92-34B5

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 69,675,454,464 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{ADC3C622-55E0-4646-B876-051FE11C3A26}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o6nslg5716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri Dec 3 2004 3:50:18a A..HR 749 0.73 K
dc8vb.dll Mon Jan 24 2005 12:30:04p ..S.R 224,129 218.88 K
e220lc~1.dll Thu Jan 27 2005 8:12:50p ..S.R 225,325 220.04 K
en42l1~1.dll Tue Jan 25 2005 5:50:28p ..S.R 222,828 217.61 K
gfdef.dll Sun Jan 23 2005 10:52:34a ..S.R 225,313 220.03 K
gp8ql3~1.dll Sun Jan 23 2005 5:19:02p ..S.R 223,053 217.82 K
irp4l5~1.dll Mon Jan 24 2005 4:58:46p ..S.R 224,129 218.88 K
kmdfi1.dll Sun Jan 23 2005 5:26:28p ..S.R 223,652 218.41 K
ktl0l7~1.dll Mon Jan 24 2005 7:15:02p ..S.R 223,935 218.68 K
logonu~1.man Fri Dec 3 2004 3:50:22a A..HR 488 0.48 K
mv6ql9~1.dll Tue Jan 25 2005 5:58:18p ..S.R 222,992 217.77 K
ncpacp~1.man Fri Dec 3 2004 3:50:18a A..HR 749 0.73 K
nwccpl~1.man Fri Dec 3 2004 3:50:18a A..HR 749 0.73 K
o6nslg~1.dll Thu Jan 27 2005 5:32:44p ..S.R 224,303 219.04 K
oqeaccrc.dll Thu Jan 27 2005 8:12:50p ..S.R 224,303 219.04 K
p6p60g~1.dll Sun Jan 23 2005 11:44:56p ..S.R 223,875 218.63 K
r4r6le~1.dll Sun Jan 23 2005 1:35:34p ..S.R 225,313 220.03 K
sapicp~1.man Fri Dec 3 2004 3:50:18a A..HR 749 0.73 K
vsconfig.xml Thu Jan 27 2005 8:13:00p A..H. 890 0.87 K
window~1.man Fri Dec 3 2004 3:50:22a A..HR 488 0.48 K
wuaucp~1.man Fri Dec 3 2004 3:50:18a A..HR 749 0.73 K
zllictbl.dat Mon Jan 17 2005 9:12:30p ...H. 4,212 4.11 K

22 items found: 22 files, 0 directories.
Total of file sizes: 2,922,973 bytes 2.79 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\glozli.dll: updates.qoologic.com
C:\WINDOWS\system32\plwmlx.exe: updates.qoologic.com
C:\WINDOWS\system32\zibuis.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\qwbywg.dat: .aspack
C:\WINDOWS\system32\yvrovq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yktpkf.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"netdaemon"="C:\\WINDOWS\\system32\\netdaemon /v"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Narrator"="C:\\WINDOWS\\system32\\yvrovq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#2 Daisuke

Posted 28 January 2005 - 02:19 PM

Duplicate

Topic closed

http://www.bleepingcomputer.com/forums/ind...02&f=22&t=10132
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
