Thread: HJT Log
03-17-2005, 01:19 PM   #8
TechPaul
Registered User
 
Join Date: Mar 2005
Posts: 17
OS: Win XP


All right, that took a bit, but I think I've got everything. Qoologic ran, but there isn't much in the log; I don't know if that's a problem, or if it simply did what it was supposed to.

Again, thanks for the assistance!

Paul


Here's the StartupList log:

StartupList report, 3/17/2005, 11:26:53 AM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
hpsysdrv = c:\windows\system\hpsysdrv.exe
hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
CARPService = carpserv.exe
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,109 bytes
Report generated in 0.150 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Silent Runners log:

"Silent Runners.vbs", revision 29, launched at: 11:31
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QT4HPOT" = "C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE" ["Dritek System Inc."]
"Presentation Ready" = "C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r" ["Hewlett-Packard"]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"hpScannerFirstBoot" = "c:\hp\drivers\scanners\scannerfb.exe" ["Hewlett-Packard Co."]
"hp Silent Service" = "C:\Windows\system32\HpSrvUI.exe" ["Hewlett-Packard Co."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"Display Settings" = "C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C46B2FE9-4E97-41F4-9729-7CCD6C174125}" = "HP Notebook Utilities"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Utilities\Notebook Utilities\hpnbcpex.dll" ["Hewlett-Packard Co."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{918E9A48-6797-47EA-BE96-DA555E96C981}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\iietcomm.dll" [file not found]
"{6420135A-397A-444A-BB0C-248CFC4A8DCB}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\kcdbene.dll" [null data]
"{5C36201D-AECC-470C-A092-5E69B7E24829}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\avi3duag.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "OemStartMenuData\DLLName" = "C:\WINDOWS\system32\u0ru0a99ed.dll" [null data]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"]
HPWirelessMgr, HPWirelessMgr, "C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


qoologic

C:\Documents and Settings\Owner\Desktop\Find-qoologic\qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------


dllcompare log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\aenbho.dll Fri Mar 4 2005 11:25:34a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\afvpack.dll Wed Feb 23 2005 5:47:14p ..S.R 229,736 224.35 K
C:\WINDOWS\SYSTEM32\agctres.dll Mon Mar 14 2005 11:19:58a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\avi3duag.dll Wed Mar 16 2005 5:22:30a ..S.R 229,083 223.71 K
C:\WINDOWS\SYSTEM32\cmmcat.dll Fri Mar 4 2005 11:20:24a ..S.R 232,141 226.70 K
C:\WINDOWS\SYSTEM32\cutsrvps.dll Fri Mar 4 2005 8:32:06a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\dccpmon.dll Fri Mar 4 2005 11:14:26a ..S.R 232,141 226.70 K
C:\WINDOWS\SYSTEM32\ddmasf.dll Fri Mar 4 2005 12:19:08p ..S.R 231,255 225.83 K
C:\WINDOWS\SYSTEM32\di32gt.dll Wed Mar 16 2005 5:04:24a ..S.R 230,326 224.93 K
C:\WINDOWS\SYSTEM32\domsvinn.dll Thu Mar 3 2005 10:48:50a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\dwtmsft.dll Mon Mar 14 2005 12:43:14p ..S.R 231,205 225.79 K
C:\WINDOWS\SYSTEM32\dy8vb.dll Fri Mar 4 2005 11:32:28a ..S.R 231,255 225.83 K
C:\WINDOWS\SYSTEM32\en66l1~1.dll Sun Feb 27 2005 6:44:38p ..S.R 229,736 224.35 K
C:\WINDOWS\SYSTEM32\hqetcfg.dll Tue Mar 15 2005 6:29:02a ..S.R 229,611 224.23 K
C:\WINDOWS\SYSTEM32\hr8605~1.dll Wed Mar 16 2005 5:29:16a ..S.R 230,758 225.35 K
C:\WINDOWS\SYSTEM32\ieq.dll Wed Mar 16 2005 4:58:58a ..S.R 230,931 225.52 K
C:\WINDOWS\SYSTEM32\iumontr.dll Mon Mar 14 2005 11:51:04a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\jgvaee.dll Fri Mar 4 2005 12:02:20p ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\kcdbene.dll Wed Mar 16 2005 5:29:16a ..S.R 230,073 224.68 K
C:\WINDOWS\SYSTEM32\kcdhe319.dll Fri Mar 4 2005 11:21:40a ..S.R 228,745 223.38 K
C:\WINDOWS\SYSTEM32\khdlt1.dll Tue Mar 15 2005 4:35:10a ..S.R 231,504 226.08 K
C:\WINDOWS\SYSTEM32\kjuser.dll Fri Mar 11 2005 12:09:52p ..S.R 231,195 225.77 K
C:\WINDOWS\SYSTEM32\ktdes.dll Mon Mar 14 2005 11:33:48a ..S.R 231,290 225.87 K
C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K
C:\WINDOWS\SYSTEM32\moaudite.dll Wed Feb 23 2005 6:24:12p ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K
C:\WINDOWS\SYSTEM32\myrddm.dll Tue Mar 15 2005 6:12:44a ..S.R 229,188 223.82 K
C:\WINDOWS\SYSTEM32\mzc40u.dll Fri Mar 4 2005 8:51:50a ..S.R 232,272 226.83 K
C:\WINDOWS\SYSTEM32\nimarta.dll Tue Mar 15 2005 6:19:28a ..S.R 229,287 223.91 K
C:\WINDOWS\SYSTEM32\npvdmd.dll Tue Mar 15 2005 6:31:20a ..S.R 230,326 224.93 K
C:\WINDOWS\SYSTEM32\ohbctrac.dll Thu Mar 3 2005 10:23:06a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 569,344 556.00 K
C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K
C:\WINDOWS\SYSTEM32\pllmon.dll Thu Mar 3 2005 10:57:48a ..S.R 232,272 226.83 K
C:\WINDOWS\SYSTEM32\pqrfctrs.dll Fri Mar 4 2005 11:00:06a ..S.R 231,591 226.16 K
C:\WINDOWS\SYSTEM32\qidwipes.dll Fri Mar 4 2005 11:23:38a ..S.R 229,625 224.24 K
C:\WINDOWS\SYSTEM32\rupcfgex.dll Fri Mar 11 2005 11:13:20a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\rvutetab.dll Wed Mar 16 2005 5:19:38a ..S.R 231,111 225.69 K
C:\WINDOWS\SYSTEM32\u0ru0a~1.dll Wed Mar 16 2005 5:22:30a ..S.R 230,073 224.68 K
C:\WINDOWS\SYSTEM32\wdn32spl.dll Wed Mar 16 2005 5:08:46a ..S.R 231,111 225.69 K
C:\WINDOWS\SYSTEM32\wfigest.dll Fri Mar 4 2005 9:00:18a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\wgnetmgr.dll Fri Mar 4 2005 11:19:06a ..S.R 228,279 222.93 K
C:\WINDOWS\SYSTEM32\wpashext.dll Wed Mar 16 2005 5:14:42a ..S.R 229,148 223.78 K
C:\WINDOWS\SYSTEM32\wwwfax.dll Fri Mar 4 2005 10:38:40a ..S.R 231,591 226.16 K
________________________________________________

1,160 items found: 1,160 files (46 H/S), 0 directories.
Total of file sizes: 212,208,855 bytes 202.38 M

Administrator Account = True

--------------------End log---------------------

Find It Log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\WINDOWS\system32

------- System Files in System32 Directory -------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/16/2005 05:29 AM 230,073 kcdbene.dll
03/16/2005 05:29 AM 230,758 hr8605lse.dll
03/16/2005 05:22 AM 229,083 avi3duag.dll
03/16/2005 05:22 AM 230,073 u0ru0a99ed.dll
03/16/2005 05:19 AM 231,111 rvutetab.dll
03/16/2005 05:14 AM 229,148 wpashext.dll
03/16/2005 05:08 AM 231,111 wdn32spl.dll
03/16/2005 05:04 AM 230,326 di32gt.dll
03/16/2005 04:58 AM 230,931 ieq.dll
03/15/2005 06:31 AM 230,326 npvdmd.dll
03/15/2005 06:29 AM 229,611 hqetcfg.dll
03/15/2005 06:19 AM 229,287 nimarta.dll
03/15/2005 06:12 AM 229,188 myrddm.dll
03/15/2005 04:35 AM 231,504 khdlt1.dll
03/14/2005 12:43 PM 231,205 dwtmsft.dll
03/14/2005 12:24 PM <DIR> dllcache
03/14/2005 11:51 AM 231,046 iumontr.dll
03/14/2005 11:33 AM 231,290 ktdes.dll
03/14/2005 11:19 AM 231,046 agctres.dll
03/11/2005 12:09 PM 231,195 kjuser.dll
03/11/2005 11:13 AM 231,046 rupcfgex.dll
03/04/2005 12:19 PM 231,255 ddmasf.dll
03/04/2005 12:02 PM 231,046 jGvaee.dll
03/04/2005 11:32 AM 231,255 dy8vb.dll
03/04/2005 11:25 AM 231,046 AENBHO.dll
03/04/2005 11:23 AM 229,625 qidwipes.dll
03/04/2005 11:21 AM 228,745 kcdhe319.dll
03/04/2005 11:20 AM 232,141 cmmcat.dll
03/04/2005 11:19 AM 228,279 wgnetmgr.dll
03/04/2005 11:14 AM 232,141 dccpmon.dll
03/04/2005 11:00 AM 231,591 pqrfctrs.dll
03/04/2005 10:38 AM 231,591 wwwfax.dll
03/04/2005 09:00 AM 231,502 wfigest.dll
03/04/2005 08:51 AM 232,272 mzc40u.dll
03/04/2005 08:32 AM 231,502 cUtsrvps.dll
03/03/2005 10:57 AM 232,272 pllmon.dll
03/03/2005 10:48 AM 231,502 domsvinn.dLL
03/03/2005 10:23 AM 231,502 ohbctrac.dll
02/27/2005 06:44 PM 229,736 en66l1js1.dll
02/23/2005 06:24 PM 231,502 moaudite.dll
02/23/2005 05:47 PM 229,736 afvpack.dll
10/10/2002 10:38 AM <DIR> Microsoft
08/18/2001 04:00 AM 401,462 msvcp60.dll
08/18/2001 04:00 AM 106,496 olepro32.dll
08/18/2001 04:00 AM 569,344 oleaut32.dll
08/18/2001 04:00 AM 322,560 msvcrt.dll
08/18/2001 04:00 AM 9,728 regsvr32.exe
08/18/2001 04:00 AM 50,688 msvcirt.dll
08/18/2001 04:00 AM 995,383 mfc42.dll
47 File(s) 11,685,260 bytes
2 Dir(s) 23,638,061,056 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/14/2005 12:24 PM <DIR> dllcache
10/10/2002 09:16 AM 488 logonui.exe.manifest
10/10/2002 09:16 AM 488 WindowsLogon.manifest
10/10/2002 09:16 AM 749 cdplayer.exe.manifest
10/10/2002 09:16 AM 749 sapi.cpl.manifest
10/10/2002 09:16 AM 749 nwc.cpl.manifest
10/10/2002 09:16 AM 749 ncpa.cpl.manifest
10/10/2002 09:16 AM 749 wuaucpl.cpl.manifest
08/18/2001 04:00 AM 569,344 oleaut32.dll
08/18/2001 04:00 AM 106,496 olepro32.dll
08/18/2001 04:00 AM 9,728 regsvr32.exe
08/18/2001 04:00 AM 50,688 msvcirt.dll
08/18/2001 04:00 AM 995,383 mfc42.dll
08/18/2001 04:00 AM 401,462 msvcp60.dll
08/18/2001 04:00 AM 322,560 msvcrt.dll
14 File(s) 2,460,382 bytes
1 Dir(s) 23,638,056,960 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

08/18/2001 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 23,638,056,960 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{73FF33F8-E486-44D3-A9E6-CD5E856ECCCB}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u0ru0a99ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QT4HPOT"="C:\\PROGRA~1\\UTILIT~1\\ONE-TO~1\\OneTouch.EXE"
"Presentation Ready"="C:\\Program Files\\Utilities\\Presentation Ready\\PresRdy.exe -r"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe"
"hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Display Settings"="C:\\Program Files\\Utilities\\Notebook Utilities\\hptasks.exe /s"
"CARPService"="carpserv.exe"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"