#15
December 10th, 2005, 03:34 AM
BikerAlley
OK, here is the Find It log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\HP_Administrator\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 7C2D-F4C7

Directory of C:\WINDOWS\System32

12/09/2005 08:23 PM 371,775 wybeg.ini
12/09/2005 12:35 PM 370,903 wybeg.bak2
12/06/2005 05:41 PM 557,108 gebyw.dll
12/06/2005 05:40 AM 27,661 mljjh.dll
12/06/2005 05:40 AM 27,661 vtsqo.dll
12/06/2005 05:40 AM 27,661 vturo.dll
12/04/2005 08:49 PM <DIR> dllcache
11/25/2005 10:19 AM 848 KGyGaAvL.sys
01/27/2005 08:26 PM <DIR> Microsoft
7 File(s) 1,383,617 bytes
2 Dir(s) 171,820,605,440 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 7C2D-F4C7

Directory of C:\WINDOWS\System32

12/09/2005 08:23 PM 371,775 wybeg.ini
12/09/2005 12:35 PM 370,903 wybeg.bak2
12/06/2005 05:41 PM 557,108 gebyw.dll
12/06/2005 05:40 AM 27,661 mljjh.dll
12/06/2005 05:40 AM 27,661 vtsqo.dll
12/06/2005 05:40 AM 27,661 vturo.dll
12/04/2005 08:49 PM <DIR> dllcache
11/25/2005 10:19 AM 848 KGyGaAvL.sys
01/28/2005 03:39 AM 488 logonui.exe.manifest
01/28/2005 03:39 AM 488 WindowsLogon.manifest
01/28/2005 03:39 AM 749 sapi.cpl.manifest
01/28/2005 03:39 AM 749 ncpa.cpl.manifest
01/28/2005 03:39 AM 749 wuaucpl.cpl.manifest
01/28/2005 03:39 AM 749 nwc.cpl.manifest
01/28/2005 03:39 AM 749 cdplayer.exe.manifest
14 File(s) 1,388,338 bytes
1 Dir(s) 171,820,584,960 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 7C2D-F4C7

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is HP_PAVILION
Volume Serial Number is 7C2D-F4C7

Directory of C:\WINDOWS\System32

12/09/2005 07:08 PM 143 mcrh.tmp
08/10/2004 12:00 PM 2,577 CONFIG.TMP
2 File(s) 2,720 bytes
0 Dir(s) 171,820,584,960 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebyw]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\gebyw.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
gebyw.dll Tue Dec 6 2005 5:41:02p ..SH. 557,108 544.05 K
kgygaavl.sys Fri Nov 25 2005 10:19:34a A.SH. 848 0.83 K
mljjh.dll Tue Dec 6 2005 5:40:56a ..SH. 27,661 27.01 K
vtsqo.dll Tue Dec 6 2005 5:40:46a ..SH. 27,661 27.01 K
vturo.dll Tue Dec 6 2005 5:40:34a ..SH. 27,661 27.01 K
wybeg.ini Fri Dec 9 2005 8:23:26p ..SH. 371,790 363.07 K
wybeg~1.bak Fri Dec 9 2005 12:35:02p ..SH. 370,903 362.21 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,383,632 bytes 1.32 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_27.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"dvd43"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"Mirabilis ICQ"="C:\\PROGRA~1\\ICQ\\ICQNet.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"




I'm running SpySweeper now.
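The "Keys Under Notify" section of a Find It log is the part worth reading closely. On Windows 2000/XP every subkey of Winlogon\Notify names a DLL that winlogon.exe loads at boot and calls on logon, logoff and similar events, so it is a persistence point that survives a user's Run key being cleaned. The script below is an added example, not part of the original post or of the Find It tool: it parses a REGEDIT4 export of the Notify key (including the hex(2) DllName values), cross-references the Locate.com listing for hidden+system files, and lists entries that deserve a second look. The XP baseline of built-in notification DLLs, the two embedded excerpts (condensed from the log above), and the "review" heuristics are this example's assumptions; an entry landing on the list is a review item, not a verdict, and legitimate vendor packages (the igfxcui and WRNotifier entries in the same log) will land on it too.

```python
"""Triage a Winlogon\\Notify REGEDIT4 export against a hidden-file listing.

Added example, not part of the original post or of the Find It tool. The
baseline set, the sample excerpts and the heuristics are assumptions.
"""
import re

# Constructed sample: three subkeys condensed from the log on this page.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebyw]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\gebyw.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"""

# Constructed sample: lines copied from the Locate.com section of the log.
# Column 6 is the attribute field; S and H mean System and Hidden.
SAMPLE_LOCATE = """\
gebyw.dll Tue Dec 6 2005 5:41:02p ..SH. 557,108 544.05 K
kgygaavl.sys Fri Nov 25 2005 10:19:34a A.SH. 848 0.83 K
mljjh.dll Tue Dec 6 2005 5:40:56a ..SH. 27,661 27.01 K
"""

# Assumption: notification DLLs that ship with Windows XP, taken from the
# built-in entries in the log. A real baseline comes from a clean reference box.
XP_BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}


def decode_value(value):
    """Decode one REGEDIT4 value: quoted string, dword, or hex(2) REG_EXPAND_SZ."""
    if value.startswith('"') and value.endswith('"'):
        # REGEDIT4 escapes backslashes and double quotes with a backslash.
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex(2):"):
        # Comma-separated bytes; XP exports ANSI text with a NUL terminator.
        raw = bytes(int(b, 16) for b in value[7:].replace(" ", "").split(",") if b)
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return value


def parse_regedit4(text):
    """Return {key path: {value name: decoded value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        keys[current][name.strip('"')] = decode_value(value)
    return keys


def hidden_system_files(locate_text):
    """Lower-case names of files whose Locate.com attribute field has S and H."""
    names = set()
    for line in locate_text.splitlines():
        tokens = line.split()
        attrs = next((t for t in tokens[1:] if len(t) == 5 and set(t) <= set("ADSHR.")), None)
        if attrs and "S" in attrs and "H" in attrs:
            names.add(tokens[0].lower())
    return names


def triage_notify(export_text, locate_text):
    """List Notify packages that fall outside the baseline or look unusual."""
    hidden = hidden_system_files(locate_text)
    findings = []
    for key, values in parse_regedit4(export_text).items():
        if "\\Winlogon\\Notify\\" not in key:
            continue
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in XP_BASELINE_DLLS:
            reasons.append("not in XP baseline")
        if "\\" in dll:
            # Built-in packages use a bare filename resolved from system32.
            reasons.append("absolute path")
        if base in hidden:
            reasons.append("file is hidden+system in system32")
        if reasons:
            findings.append({"subkey": key.rsplit("\\", 1)[-1], "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_notify(SAMPLE_EXPORT, SAMPLE_LOCATE):
        print(f"{f['subkey']}: {f['dll']}  ->  {', '.join(f['reasons'])}")
```

Run on the two excerpts it prints one line, for the gebyw subkey, with all three reasons; the two built-in packages are silent. On a real log, paste the whole Notify section and the whole Locate.com section in place of the samples, then treat each line as a file to look up, not as something to delete on sight, exactly as the warning at the top of the log says.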