getting rid of Admilliserve log file
Thread Solved
Join Date: Dec 2004
Posts: 18
Reputation:
Solved Threads: 0
I can't get the killbox to download!!! What next?
Originally Posted by crunchie
Download the Pocket KillBox
Unzip the file to your desktop.
Open TheKillbox.
Stay offline when doing the following fix.
Next paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).
C:\WINDOWS\SYSTEM32\sbazbs.dll
C:\WINDOWS\SYSTEM32\xwqpwx.exe
C:\WINDOWS\SYSTEM32\gbvqbg.dat
C:\WINDOWS\SYSTEM32\qrkyrq.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ftnytf.exe
Reboot afterwards if the files are successfully deleted.
If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.
Post another qoologic log after. Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
Originally Posted by stephencallgood
I can't get the killbox to download!!! What next?
EDIT: Sorry, misread your post.
Win7 whats it all about .
http://www.microsoft.com/canada/windows/windows-7/
Going with the Flow ,but the water is low and the rocks are big
Why can't you download it? Try right clicking on the download link and select *save as* and save it to your desktop.
Originally Posted by crunchie
Why can't you download it? Try right clicking on the download link and select *save as* and save it to your desktop.
Originally Posted by stephencallgood
When I click on your killbox link I get a redirect to Bleeping Computer and an open IE page. Seems to be running but no download forthcoming. I went to and joined bleepingcomp. and tried to download killbox but got the same blank, running page. Anything else I can do to dl killbox?
http://www.downloads.subratam.org/KillBox.exe
I got mine set up tighter than a drum and can download from both. Go figure!!
Originally Posted by caperjack
I got mine set up tighter than a drum and can download from both. Go figure!!
At the moment I would say the easiest thing to do would be to do a system restore back to when you could download. Then download what I have listed. Post hijackthis log and qoologic log.
OK, got my download back. Did a killbox. (Thanks for being patient.) Here's HJT and Qoologic. Then what?
Logfile of HijackThis v1.99.0
Scan saved at 11:01:49 PM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\qrkyrq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Documents and Settings\daddy-o\My Documents\My Received Files\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app...DQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\daddy-o\Application Data\Mozilla\Profiles\default\ccna80vw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\daddy-o\Application Data\Mozilla\Profiles\default\ccna80vw.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.114-deleon.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll (file missing)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {3794669C-CF5B-4197-9EC0-A96111C98E84} - (no file)
O3 - Toolbar: (no name) - {5BEE6FFE-A6FC-42D0-9D26-BCD25A204614} - (no file)
O3 - Toolbar: (no name) - {9EBC2838-F902-4FA2-AB96-02125FEFD3AB} - (no file)
O3 - Toolbar: (no name) - {92FF8F8E-B0AE-482F-A385-EFE3206F8E74} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.114-deleon.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.114-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar_en_2.0.114-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.114-deleon.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.114-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.114-deleon.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex...te/sdkinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: STOPzilla NT Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\daddy-o\My Documents\filelib\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38E0-DA07
Directory of C:\WINDOWS\System32
12/16/2004 07:56 PM <DIR> dllcache
09/21/2004 08:11 PM 952 KGyGaAvL.sys
04/30/2003 09:43 AM <DIR> Microsoft
04/09/2003 03:30 PM 196,608 archlib.dll
01/05/2002 04:40 AM 487,424 msvcp70.dll
3 File(s) 684,984 bytes
2 Dir(s) 73,597,386,752 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38E0-DA07
Directory of C:\WINDOWS\System32
01/01/2005 07:19 PM 0 RBK20EF.tmp.LOG
01/01/2005 07:19 PM 0 RBK20EC.tmp.LOG
01/01/2005 07:19 PM 0 RBK20E7.tmp.LOG
01/01/2005 07:19 PM 0 RBK20E4.tmp.LOG
01/01/2005 07:19 PM 0 RBK20DF.tmp.LOG
01/01/2005 07:19 PM 0 RBK20DC.tmp.LOG
01/01/2005 07:19 PM 0 RBK20D7.tmp.LOG
01/01/2005 07:19 PM 0 RBK20D4.tmp.LOG
01/01/2005 07:19 PM 0 RBK20CF.tmp.LOG
01/01/2005 07:19 PM 0 RBK20CC.tmp.LOG
01/01/2005 07:19 PM 0 RBK20C7.tmp.LOG
01/01/2005 07:19 PM 0 RBK20C4.tmp.LOG
12/16/2004 07:56 PM <DIR> dllcache
09/21/2004 08:11 PM 952 KGyGaAvL.sys
07/18/2003 10:16 PM 115 NTICDMK32.dll
07/15/2003 12:05 AM 32,768 SZMFC.dll
07/15/2003 12:05 AM 65,536 SZTargetC.dll
07/15/2003 12:05 AM 184,320 StopzillaSVC.dll
07/15/2003 12:05 AM 319,488 StopzillaBHO.dll
07/15/2003 12:05 AM 86,016 SZCore.dll
07/15/2003 12:05 AM 57,344 IS3Persist.dll
07/15/2003 12:05 AM 36,864 SZBHOCore.dll
07/15/2003 12:05 AM 143,360 IS3Http.dll
07/15/2003 12:05 AM 57,344 IS3Sys32.dll
07/15/2003 12:05 AM 57,344 IS3Hook.dll
05/15/2003 09:46 PM 73,728 IETie.dll
04/30/2003 09:38 AM 488 logonui.exe.manifest
04/30/2003 09:38 AM 488 WindowsLogon.manifest
04/30/2003 09:38 AM 749 nwc.cpl.manifest
04/30/2003 09:38 AM 749 ncpa.cpl.manifest
04/30/2003 09:38 AM 749 cdplayer.exe.manifest
04/30/2003 09:38 AM 749 sapi.cpl.manifest
04/30/2003 09:38 AM 749 wuaucpl.cpl.manifest
32 File(s) 1,119,900 bytes
1 Dir(s) 73,597,382,656 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is 38E0-DA07
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 38E0-DA07
Directory of C:\WINDOWS\System32
01/01/2005 07:19 PM 57,344 RBK20C4.tmp
09/01/2004 10:48 AM 1,335,296 nsd3C.tmp
09/01/2004 10:48 AM 1,335,296 nsl69.tmp
07/12/2004 04:06 PM 1,335,296 nsv84.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
07/29/2002 12:59 PM 73,728 cnm176.tmp
6 File(s) 4,139,537 bytes
0 Dir(s) 73,597,382,656 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\system32\iopgoi.dll: updates.qoologic.com
C:\WINDOWS\system32\RBK20EC.bak: qoologic.zipices
C:\WINDOWS\system32\RBK20EC.bak: qoologic
C:\WINDOWS\system32\sbazbs.dll: updates.qoologic.com
C:\WINDOWS\system32\xwqpwx.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\system32\gbvqbg.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: :.aspackze
C:\WINDOWS\system32\PAV.SIG: .aspack.text
C:\WINDOWS\system32\PAV.SIG: H.aspack.text
C:\WINDOWS\system32\PAV.SIG: .aspack.text
C:\WINDOWS\system32\PAV.SIG: 4.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: F<SW.aspack
C:\WINDOWS\system32\PAV.SIG: [.aspack
C:\WINDOWS\system32\PAV.SIG: H@.aspack.text.pmj
C:\WINDOWS\system32\PAV.SIG: AsPack
C:\WINDOWS\system32\PAV.SIG: :.aspack
C:\WINDOWS\system32\PAV.SIG: H@.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: H.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: 4.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: [.aspack
C:\WINDOWS\system32\PAV.SIG: F<SW.aspack
C:\WINDOWS\system32\qrkyrq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftnytf.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe /r"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"Narrator"="C:\\WINDOWS\\system32\\qrkyrq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
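As an added example, not part of the thread or of HijackThis, Find It or Killbox: a small Python cross-check of the three logs posted above. The REGEDIT4 dump of the HKLM Run key lists a "Narrator" value pointing at qrkyrq.exe that the HijackThis O4 section does not show, and qrkyrq.exe also appears in the Strings.exe Aspack hits; the script parses trimmed excerpts of those logs (embedded as constructed sample input) and reports exactly such mismatches and hits. All function names are my own.

```python
import re

# Constructed sample input: trimmed excerpts of the logs posted in this thread
# (HijackThis O4 lines, the Find It "HKLM Run Key" REGEDIT4 dump, and the
# Strings.exe results). Raw strings keep the Windows backslashes literal.
HJT_LOG = r"""
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
"""

REG_DUMP = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe /r"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Narrator"="C:\\WINDOWS\\system32\\qrkyrq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
"""

STRINGS_LOG = r"""
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\system32\iopgoi.dll: updates.qoologic.com
C:\WINDOWS\system32\sbazbs.dll: updates.qoologic.com
C:\WINDOWS\system32\xwqpwx.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\system32\gbvqbg.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\qrkyrq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftnytf.exe: .aspack
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "name"="value" lines of a .reg export; \\ and \" are escapes inside the quotes
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
# "C:\path\file.ext: matched-string" lines written by the Strings.exe pass
HIT_RE = re.compile(r"^([A-Za-z]:\\[^:]+?):\s")
# first drive-rooted image path inside an autostart command line
PATH_RE = re.compile(r'([A-Za-z]:\\[^"?*<>|,]+?\.(?:exe|dll|dat|scr))', re.I)


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_hjt_o4(text):
    """Return {(hive, key, name): command} for HijackThis O4 autostart lines."""
    entries = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return entries


def parse_reg_run(text):
    """Return {name: command} for string values directly under the HKLM Run key
    in a REGEDIT4 export; subkeys such as Run\OptionalComponents are skipped."""
    entries, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower() == RUN_KEY.lower()
            continue
        m = REG_VALUE_RE.match(line)
        if in_run and m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def parse_strings_hits(text):
    """Return the set of file paths (lower-cased) that Strings.exe flagged."""
    return {m.group(1).lower() for m in map(HIT_RE.match, map(str.strip, text.splitlines())) if m}


def image_path(cmd):
    """Lower-cased image path of an autostart command, or None if it is bare."""
    m = PATH_RE.search(cmd)
    return m.group(1).lower() if m else None


def audit(hjt_text, reg_text, strings_text):
    """Cross-reference the three logs. Returns (hidden, flagged):
    hidden  - HKLM Run value names in the registry export that HijackThis did not list
    flagged - {name: path} for Run values whose image file Strings.exe hit."""
    hjt_run = {name for (hive, key, name) in parse_hjt_o4(hjt_text) if (hive, key) == ("HKLM", "Run")}
    reg = parse_reg_run(reg_text)
    hits = parse_strings_hits(strings_text)
    hidden = sorted(set(reg) - hjt_run)
    flagged = {name: p for name, cmd in reg.items() if (p := image_path(cmd)) and p in hits}
    return hidden, flagged


if __name__ == "__main__":
    hidden, flagged = audit(HJT_LOG, REG_DUMP, STRINGS_LOG)
    print("Run values missing from the HijackThis O4 listing:", hidden)
    for name, path in flagged.items():
        print(f"Run value {name!r} starts a file flagged by Strings.exe: {path}")
```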
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\system32\iopgoi.dll: updates.qoologic.com
C:\WINDOWS\system32\RBK20EC.bak: qoologic.zipices
C:\WINDOWS\system32\RBK20EC.bak: qoologic
C:\WINDOWS\system32\sbazbs.dll: updates.qoologic.com
C:\WINDOWS\system32\xwqpwx.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\system32\gbvqbg.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: :.aspackze
C:\WINDOWS\system32\PAV.SIG: .aspack.text
C:\WINDOWS\system32\PAV.SIG: H.aspack.text
C:\WINDOWS\system32\PAV.SIG: .aspack.text
C:\WINDOWS\system32\PAV.SIG: 4.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: F<SW.aspack
C:\WINDOWS\system32\PAV.SIG: [.aspack
C:\WINDOWS\system32\PAV.SIG: H@.aspack.text.pmj
C:\WINDOWS\system32\PAV.SIG: AsPack
C:\WINDOWS\system32\PAV.SIG: :.aspack
C:\WINDOWS\system32\PAV.SIG: H@.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: H.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: 4.aspack
C:\WINDOWS\system32\PAV.SIG: .aspack
C:\WINDOWS\system32\PAV.SIG: [.aspack
C:\WINDOWS\system32\PAV.SIG: F<SW.aspack
C:\WINDOWS\system32\qrkyrq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftnytf.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe /r"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"Narrator"="C:\\WINDOWS\\system32\\qrkyrq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"