#1
Registered User
Join Date: Mar 2005
Location: Sunshine Coast, QLD, Australia
Posts: 7
OS: XP SP1

NOWFIND will NOT give up - HJT log

Hi

I have looked at other solutions for the nowfind infection and all have failed on my computer. EVEN IN SAFE MODE, my homepage automatically changes back to nowfind. The application or service that changes the registry MUST BE RUNNING IN SAFE MODE TOO! AAARGH! Here's a logfile.

Logfile of HijackThis v1.99.1
Scan saved at 7:47:30 PM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Rossow\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Any input would be greatly appreciated.

Thanks, Kris
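As an added example (not code from the thread or from the HijackThis project), here is a small Python triage script for a HijackThis 1.99.1 log like the one above: it parses the R0/R1, O1, O13 and O20 lines, groups the IE start/search values by the host they point at, and flags hosts-file, URL-prefix and Winlogon Notify entries. The sample log lines are constructed from entries posted in this thread; the two baseline sets (default IE hosts, stock XP Notify DLLs) are assumptions, not from the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries posted in this thread,
# in the exact line format HijackThis 1.99.1 writes.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/003/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Assumed baselines (not from the thread): hosts a stock XP SP1 install may legitimately
# point IE at, and the Winlogon\Notify DLLs that ship with it.
DEFAULT_IE_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "home.microsoft.com"}
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O13_RE = re.compile(r"^(?P<name>.+?Prefix): (?P<data>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.+)$")


def parse_hjt(text):
    """Split every 'Rn - ...' / 'On - ...' line into its section and fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no R/O entry
        kind, body = m.group("kind"), m.group("body")
        rec = {"kind": kind, "body": body}
        sub = {"R0": R_RE, "R1": R_RE, "O13": O13_RE, "O20": O20_RE}.get(kind)
        parsed = sub.match(body) if sub else None
        if parsed:
            rec.update(parsed.groupdict())
        entries.append(rec)
    return entries


def triage(entries, ie_hosts=DEFAULT_IE_HOSTS, notify_dlls=STOCK_NOTIFY_DLLS):
    """Group IE start/search values by the host they point at and flag non-baseline items."""
    by_host = defaultdict(list)
    report = {"redirect_hosts": by_host, "hosts_file": [], "prefixes": {}, "notify": []}
    for e in entries:
        if e["kind"] in ("R0", "R1") and "data" in e:
            host = urlparse(e["data"]).hostname or e["data"]
            if host not in ie_hosts:
                by_host[host].append(f'{e["hive"]}\\{e["key"]},{e["value"]}')
        elif e["kind"] == "O1":
            # HijackThis prints the raw hosts-file line; any O1 line is a non-default entry.
            report["hosts_file"].append(e["body"].split(": ", 1)[-1])
        elif e["kind"] == "O13" and "name" in e:
            # O13 appears only when a URL prefix differs from the plain "http://" default,
            # so every short URL typed into IE is routed through the site named here.
            report["prefixes"][e["name"]] = e["data"]
        elif e["kind"] == "O20" and "dll" in e:
            dll = e["dll"].rsplit("\\", 1)[-1].lower()
            report["notify"].append({"subkey": e["subkey"], "dll": dll, "stock": dll in notify_dlls})
    report["redirect_hosts"] = dict(by_host)
    return report


def summarize(report):
    """One line per finding, in the order a helper would list them for 'Fix checked'."""
    lines = [f"{h}: {len(v)} IE start/search value(s) point here" for h, v in report["redirect_hosts"].items()]
    lines += [f"hosts file override: {h}" for h in report["hosts_file"]]
    lines += [f"URL prefix {n} -> {d}" for n, d in report["prefixes"].items()]
    for n in report["notify"]:
        note = "" if n["stock"] else " (not a stock XP Notify DLL, review it)"
        lines.append(f"Winlogon Notify {n['subkey']} loads {n['dll']}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(parse_hjt(SAMPLE_LOG)))))
```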

#2
TSF Enthusiast

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time. We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

#4
TSF Enthusiast

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Turn off System Restore by doing the following: Click Start > Right Click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Open HijackThis and click on Scan. Check the following entries, if they are still there (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1
O13 - DefaultPrefix: http://101.nowfind.net/gall.php?url=
O13 - WWW Prefix: http://101.nowfind.net/gall.php?url=
O13 - Home Prefix: http://101.nowfind.net/gall.php?url=
O13 - Mosaic Prefix: http://101.nowfind.net/gall.php?url=

Please remember to close all other windows, including browsers, then click Fix checked.

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

#5
Registered User
Join Date: Mar 2005
Location: Sunshine Coast, QLD, Australia
Posts: 7
OS: XP SP1

Hi Bobrocks,

Thank you for your prompt reply. I tried doing what you suggested, however, after I fixed the entries with HijackThis (in safe mode), about two minutes later, they all went back to how they were (still in safe mode). There must be an application or service that is running and constantly 'refreshing' the nowfind entries back into the registry... have you guys heard of a case like this one yet? It's driving me nuts!

#6
TSF Enthusiast

Hello,

I am going to need another HijackThis log please.

Download StartDreck: http://www.greyknight17.com/spy/StartDreck.zip
Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.

#7
Registered User
Join Date: Mar 2005
Location: Sunshine Coast, QLD, Australia
Posts: 7
OS: XP SP1

Hi Bobrocks
Thanks again for the prompt reply. Before I post the log, some info that may be useful: all the stuff in the 'Launch Manager' is to do with the Acer laptop (this computer). The 'Synaptics' refers to the touch pad (just in case you were wondering what some of them are). OK, here it is:
----------------------------------
StartDreck (build 2.1.7 public stable) - 2005-03-24 @ 09:27:26 (GMT +10:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Rossow at LAPTOP

#8
TSF Enthusiast

Download Find It and unzip it. Open up the folder and double click on the find.bat file. Let it run for a while. After it's finished, open up the file. Copy and paste the contents to the forums.

If you haven't already, go to My Computer -> Tools/View -> Folder Options -> View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Use the Windows search to search for this file: xofAo.dll

Post back with the log and let me know if that file exists please. Cheers

#9
Registered User
Join Date: Mar 2005
Location: Sunshine Coast, QLD, Australia
Posts: 7
OS: XP SP1

Problem Solved!!

WAAHOOOOOOOOOOOOOOOOOOOOO!!!!!!!! Problem Solved!

Bobrocks, I thank you so much for your time and assistance on this matter. Without your help I would still have the same problem. I was infected with Trojan.Bookmarker.C.

When you mentioned the xofAo.dll file, I did a quick Google search on it, and it came back with ONE result - http://www.geekstogo.com/forum/Blood...t7533-s15.html

It appears this poor bugger has had the exact same problem as me. I went to this page, as it is linked to in the thread: http://securityresponse.symantec.com...kmarker.c.html

I followed the instructions with a variation, because I couldn't find a particular subkey that was mentioned on that page. This is what I did:
renamed mtwirl.dll to mtwirl.bak
renamed Mtwcnl32.dll to Mtwcnl32.bak

I could NOT find the key mentioned on the Symantec site ({3F143C3A-1457-6CCA-03A7-7AA23B61E40F}). HOWEVER, when I navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, the "DDE Control Module" was there, BUT WITH A DIFFERENT NAME! It was like {4Asomethin-a-rather}, I can't exactly remember. I took a mental note of that name, then navigated back to HKEY_CLASSES_ROOT\CLSID and searched for that subkey. It was there! So I deleted it. I restarted, and ran HijackThis, and fixed all the nowfind things that came up. Since then, the system has been running fine.

ALSO: There was a new reference to a file called igfxsrvc.dll in HijackThis. I deleted the reference and also renamed the file to igfxsrvc.bak. I think this is an unrelated incident.

Thank you once again, Bobrocks.

#10
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter

Great news you fixed it. Please post that log though. If the service and file is still under the Notify key, this infection will reinstall itself. Include a new HijackThis log as well.

#11
Registered User
Join Date: Mar 2005
Location: Sunshine Coast, QLD, Australia
Posts: 7
OS: XP SP1

Hi
Here is the FindIt log that I did before I solved the problem. I will gladly run a new one if you guys want.

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Rossow\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

I ran HijackThis but it returned no results whatsoever. However, there are a few items in the ignore list. If there is anything else I can do just post back here and I'll do it.

Thanks again guys, Kris
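Added example, not from the thread or from the FindIt tool: the "Keys Under Notify" section FindIt produces is a REGEDIT4 export of HKLM\...\Winlogon\Notify, and the moderator's point in #10 is that a Notify subkey left in place reloads its DLL at the next logon. This Python script parses such an export (decoding the hex(2) REG_EXPAND_SZ form of DllName), lists each package's DLL and hooked events, and reports which subkeys still name a DLL you have renamed or deleted. The sample export is constructed: two stock XP packages plus the igfxcui entry seen in this thread.

```python
import re

# Constructed sample in REGEDIT4 format, modelled on the "Keys Under Notify" section
# of a FindIt log: two stock Windows XP packages plus the igfxcui entry from this thread.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"Startup"="WinlogonStartupEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
"""

NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
# Winlogon events a notification package can register a handler for.
EVENT_NAMES = {"Logon", "Logoff", "Lock", "Unlock", "Startup", "Shutdown", "StartScreenSaver",
               "StopScreenSaver", "StartShell", "PostShell", "Disconnect", "Reconnect"}
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_reg_data(data):
    """Turn the textual .reg form of a value into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex(2):"):  # REG_EXPAND_SZ, exported as comma-separated ANSI bytes
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b)
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return data


def parse_notify_export(text):
    """Return {subkey: {dll, events, async, impersonate}} for every Notify package."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            path = k.group("path")
            current = path[len(NOTIFY_PREFIX):] if path.startswith(NOTIFY_PREFIX) else None
            if current:
                packages[current] = {"dll": None, "events": [], "async": False, "impersonate": False}
            continue
        v = VALUE_RE.match(line)
        if not (v and current):
            continue  # blank lines, the REGEDIT4 header, '@=' defaults, values outside Notify
        name, value = v.group("name"), decode_reg_data(v.group("data"))
        if name.lower() == "dllname":  # real exports spell it both DllName and DLLName
            packages[current]["dll"] = value.lower()
        elif name in EVENT_NAMES:
            packages[current]["events"].append((name, value))
        elif name == "Asynchronous":
            packages[current]["async"] = bool(value)
        elif name == "Impersonate":
            packages[current]["impersonate"] = bool(value)
    return packages


def still_registered(packages, removed_dlls):
    """Notify subkeys that still name a DLL you have deleted or renamed: Winlogon will try
    to load each one at the next logon, so each needs removing or its file restoring."""
    wanted = {d.lower() for d in removed_dlls}
    return sorted(k for k, p in packages.items() if p["dll"] in wanted)


if __name__ == "__main__":
    pk = parse_notify_export(SAMPLE_EXPORT)
    for name, p in pk.items():
        print(f"{name}: {p['dll']} hooks {[ev for ev, _ in p['events']]} async={p['async']}")
    print("still registered after rename:", still_registered(pk, ["igfxsrvc.dll"]))
```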

#12
Analyst, Security Team

Your log is clean. If you disabled System Restore, make sure to enable it now.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go.

#13
Registered User
Join Date: Mar 2005
Location: Sunshine Coast, QLD, Australia
Posts: 7
OS: XP SP1

Greyknight17, thank you for looking over my logs. To hear that they are clean is great news. I will re-enable System Restore right away. There are no other problems on this computer now. I am being very selective about the sites that I go to now!

Thanks again guys for your help, Kris

Last edited by kris84; 03-25-2005 at 02:05 PM.