Thread: HJT Log
03-18-2005, 06:31 AM   #10
TechPaul
OS: Win XP


Good morning,

Here's the next set of logs. Still have the connection trying to take place after deleting all that stuff and restarting.

Again, thank you for your continued assistance!

Paul


HJT Log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:40:40 AM, on 3/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\WINDOWS\System32\DLA\TFSWCMD.EXE
C:\WINDOWS\System32\rasautou.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\hr8605lse.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\guard.tmp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

HJT Startup:

StartupList report, 3/18/2005, 4:41:34 AM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\DLA\TFSWCMD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\rasautou.exe
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
hpsysdrv = c:\windows\system\hpsysdrv.exe
hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
CARPService = carpserv.exe
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,212 bytes
Report generated in 0.050 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Dll Compare:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\kcdbene.dll Wed Mar 16 2005 5:29:16a ..S.R 230,073 224.68 K
C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 569,344 556.00 K
C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K
________________________________________________

1,122 items found: 1,122 files (7 H/S), 0 directories.
Total of file sizes: 203,439,402 bytes 194.01 M

Administrator Account = True

--------------------End log---------------------

qoologic:

C:\Documents and Settings\Owner\Desktop\Find-qoologic\qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results ---------

Files Found in all users startup Folder............
------------------------

Silent Runner:

"Silent Runners.vbs", revision 29, launched at: 04:43
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QT4HPOT" = "C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE" ["Dritek System Inc."]
"Presentation Ready" = "C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r" ["Hewlett-Packard"]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"hpScannerFirstBoot" = "c:\hp\drivers\scanners\scannerfb.exe" ["Hewlett-Packard Co."]
"hp Silent Service" = "C:\Windows\system32\HpSrvUI.exe" ["Hewlett-Packard Co."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"Display Settings" = "C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C46B2FE9-4E97-41F4-9729-7CCD6C174125}" = "HP Notebook Utilities"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Utilities\Notebook Utilities\hpnbcpex.dll" ["Hewlett-Packard Co."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{6420135A-397A-444A-BB0C-248CFC4A8DCB}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\guard.tmp" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "ShellScrap\DLLName" = "C:\WINDOWS\system32\hr8605lse.dll" [file not found]
INFECTION WARNING! "SMDEn\DLLName" = "C:\WINDOWS\system32\guard.tmp" [null data]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"]
HPWirelessMgr, HPWirelessMgr, "C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Find It:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/17/2005 01:56 PM 230,073 guard.tmp
03/16/2005 05:29 AM 230,073 kcdbene.dll
03/14/2005 12:24 PM <DIR> dllcache
10/10/2002 10:38 AM <DIR> Microsoft
08/18/2001 04:00 AM 995,383 mfc42.dll
08/18/2001 04:00 AM 50,688 msvcirt.dll
08/18/2001 04:00 AM 401,462 msvcp60.dll
08/18/2001 04:00 AM 322,560 msvcrt.dll
08/18/2001 04:00 AM 569,344 oleaut32.dll
08/18/2001 04:00 AM 106,496 olepro32.dll
08/18/2001 04:00 AM 9,728 regsvr32.exe
9 File(s) 2,915,807 bytes
2 Dir(s) 23,636,529,152 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/14/2005 12:24 PM <DIR> dllcache
10/10/2002 09:16 AM 488 logonui.exe.manifest
10/10/2002 09:16 AM 488 WindowsLogon.manifest
10/10/2002 09:16 AM 749 cdplayer.exe.manifest
10/10/2002 09:16 AM 749 sapi.cpl.manifest
10/10/2002 09:16 AM 749 nwc.cpl.manifest
10/10/2002 09:16 AM 749 ncpa.cpl.manifest
10/10/2002 09:16 AM 749 wuaucpl.cpl.manifest
08/18/2001 04:00 AM 569,344 oleaut32.dll
08/18/2001 04:00 AM 106,496 olepro32.dll
08/18/2001 04:00 AM 9,728 regsvr32.exe
08/18/2001 04:00 AM 50,688 msvcirt.dll
08/18/2001 04:00 AM 995,383 mfc42.dll
08/18/2001 04:00 AM 401,462 msvcp60.dll
08/18/2001 04:00 AM 322,560 msvcrt.dll
14 File(s) 2,460,382 bytes
1 Dir(s) 23,636,525,056 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/17/2005 01:56 PM 230,073 guard.tmp
1 File(s) 230,073 bytes
0 Dir(s) 23,636,525,056 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/17/2005 01:56 PM 230,073 guard.tmp
08/18/2001 04:00 AM 2,577 CONFIG.TMP
2 File(s) 232,650 bytes
0 Dir(s) 23,636,525,056 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{73FF33F8-E486-44D3-A9E6-CD5E856ECCCB}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8605lse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
guard.tmp Thu Mar 17 2005 1:56:10p ..S.R 230,073 224.68 K
kcdbene.dll Wed Mar 16 2005 5:29:16a ..S.R 230,073 224.68 K

2 items found: 2 files, 0 directories.
Total of file sizes: 460,146 bytes 449.36 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QT4HPOT"="C:\\PROGRA~1\\UTILIT~1\\ONE-TO~1\\OneTouch.EXE"
"Presentation Ready"="C:\\Program Files\\Utilities\\Presentation Ready\\PresRdy.exe -r"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe"
"hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Display Settings"="C:\\Program Files\\Utilities\\Notebook Utilities\\hptasks.exe /s"
"CARPService"="carpserv.exe"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
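An added triage script, not part of TechPaul's post and not code from HijackThis, Silent Runners or Find It: it parses the "Keys Under Notify" REGEDIT4 export (an excerpt of the log above is embedded as sample input) and flags Winlogon Notify packages whose DllName is a hard-coded path, is not a .dll, or is not one of the stock XP notification DLLs. The allowlist KNOWN_NOTIFY_DLLS, the helper names and the dataclass are my assumptions; the hex(2) decoding handles both the UTF-16LE form regedit writes and the 8-bit form seen in the export above.

```python
"""Triage HKLM\\...\\Winlogon\\Notify packages from a REGEDIT4 export (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: the DLLs the stock Windows XP notification packages load, exactly
# as they appear in the export above. They are loaded by bare name from System32.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample: an excerpt of the "Keys Under Notify" section of the post above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="C:\\WINDOWS\\system32\\hr8605lse.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Logon"="WinLogon"
"""


@dataclass
class NotifyEntry:
    subkey: str
    dll_name: str
    reasons: List[str] = field(default_factory=list)


def decode_reg_value(raw: str) -> str:
    """Decode a REGEDIT4 value: a quoted string, or a hex(2) (REG_EXPAND_SZ) byte list."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        # regedit writes UTF-16LE; the tool above wrote 8-bit ANSI. The second byte tells them apart.
        if len(data) >= 2 and data[1] == 0:
            return data.decode("utf-16-le", errors="replace").rstrip("\x00")
        return data.decode("latin-1").rstrip("\x00")
    return raw


def _join_continuations(text: str) -> List[str]:
    """Long hex(...) values wrap with a trailing backslash; glue those lines back together."""
    lines, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        lines.append(buf + line.strip())
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def audit_notify(reg_text: str) -> List[NotifyEntry]:
    """Return every Notify subkey in the export, with reasons it looks non-standard (empty = clean)."""
    entries, current = [], None
    for line in _join_continuations(reg_text):
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            key = header.group(1)
            current = None
            if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):  # a package, not the parent key
                current = NotifyEntry(subkey=key.rsplit("\\", 1)[1], dll_name="")
                entries.append(current)
            continue
        if current is None:
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if value and value.group(1).lower() == "dllname":
            current.dll_name = decode_reg_value(value.group(2))
    for e in entries:
        base = e.dll_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\" in e.dll_name or "/" in e.dll_name:
            e.reasons.append("hard-coded path (stock packages are loaded by bare name from System32)")
        if not base.endswith(".dll"):
            e.reasons.append("extension is not .dll")
        if base not in KNOWN_NOTIFY_DLLS:
            e.reasons.append("not a stock XP notification DLL")
    return entries


if __name__ == "__main__":
    for entry in audit_notify(SAMPLE_REG):
        verdict = "SUSPECT" if entry.reasons else "ok"
        print(f"{verdict:8} {entry.subkey:14} {entry.dll_name}  {'; '.join(entry.reasons)}")
```

On the export above this flags exactly the two packages Silent Runners marked INFECTION WARNING, ShellScrap (hr8605lse.dll, file missing) and SMDEn (guard.tmp). A flagged package whose file is missing is still worth removing: Winlogon attempts the load at every logon, and the key is what brought the file back after the earlier cleanup attempt. The companion check is the hidden-file listing: guard.tmp and kcdbene.dll carry the same ..S.R attributes and the same 230,073-byte size, which is the usual sign of one payload kept under two names so that deleting one leaves the other to restore it.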