Unknown log files

Status
Not open for further replies.

sakumar79

Technomancer
I am seeing log files being created in each partition of my hard disk, apparently every day, named [date]_ppf.log (such as 8_11_2005_ppf.log). It contains a list of programs' start and end times. What creates these log files?

Non-Microsoft Programs/Services running:
AVG Antivirus
Kerio Personal Firewall
Logitech Webcam
Ad Muncher

Is it one of these programs, something in the OS (WinXP Prof with SP2), or could it be a virus/spyware? Please help asap.

Thanks in advance,
Arun
 

swatkat

Technomancer
Hmmmm...this is interesting. We need to know which process/app is creating those logs.


You can use FileMon for that. Download Filemon.zip and extract it to a folder.

Run Filemon.exe and go to Options menu > Filter/Highlights. Here in the Include text box, type .log and click "Apply" and "OK" (Delete the * that will be present in that text box by default).

With this filter, Filemon displays only the processes which are creating/interacting with files ending with the .log extension. Allow Filemon to run for some period (preferably until you shut down).

Then go to File Menu > Save and save the Filemon log. You can open this log in NotePad and examine for entries of date_ppf.log and corresponding applications which created it.

You can also look directly in the Filemon window to know about the application/process creating the log files especially ppf.log files.
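As an added example (not from this thread and not Sysinternals code): a small Python script that reads a saved Filemon log in the tab-separated layout assumed here (sequence, time, process:PID, request, path, result, other), keeps only the date_ppf.log entries, and reports per file which processes created or wrote it. The sample lines are constructed; the process names in them are illustrative.

```python
"""Summarise which processes touch date_ppf.log files in a saved Filemon log."""
import re

# Constructed sample in the assumed Filemon export layout (tab-separated):
# seq, time, process:PID, request, path, result, other.
SAMPLE_LOG = """\
1\t23:01:12\tfirefox.exe:1544\tCREATE\tC:\\8_11_2005_ppf.log\tSUCCESS\tOptions: OpenIf  Access: All
2\t23:01:12\tfirefox.exe:1544\tWRITE\tC:\\8_11_2005_ppf.log\tSUCCESS\tOffset: 0 Length: 48
3\t23:01:12\tfirefox.exe:1544\tCLOSE\tC:\\8_11_2005_ppf.log\tSUCCESS\t
4\t23:05:40\tYPager.exe:2012\tOPEN\tD:\\8_11_2005_ppf.log\tSUCCESS\tOptions: Open  Access: All
5\t23:05:40\tYPager.exe:2012\tWRITE\tD:\\8_11_2005_ppf.log\tSUCCESS\tOffset: 48 Length: 51
6\t23:05:41\texplorer.exe:1120\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\config\\system.LOG\tSUCCESS\tAttributes: H
7\t23:09:03\tExplorer.EXE:1120\tWRITE\tC:\\8_11_2005_ppf.log\tSUCCESS\tOffset: 99 Length: 40
"""

# Matches the file name pattern from the thread (d_m_yyyy_ppf.log) at the end of a path.
# A plain ".log" filter would also catch registry hive logs such as system.LOG.
PPF_NAME = re.compile(r"(^|[\\/])\d{1,2}_\d{1,2}_\d{4}_ppf\.log$", re.IGNORECASE)


def parse_filemon(text):
    """Parse Filemon export lines into records; lines with too few columns are skipped."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue
        proc, _, pid = cols[2].partition(":")
        records.append({
            "seq": int(cols[0]) if cols[0].isdigit() else None,
            "time": cols[1],
            "process": proc.lower(),          # normalise Explorer.EXE / explorer.exe
            "pid": int(pid) if pid.isdigit() else None,
            "request": cols[3].strip().upper(),
            "path": cols[4],
            "result": cols[5],
            "other": cols[6] if len(cols) > 6 else "",
        })
    return records


def ppf_activity(records):
    """Map each date_ppf.log path to {process: [requests in order]}."""
    activity = {}
    for r in records:
        if not PPF_NAME.search(r["path"]):
            continue
        per_file = activity.setdefault(r["path"], {})
        per_file.setdefault(r["process"], []).append(r["request"])
    return activity


def likely_writers(records):
    """Map each date_ppf.log path to the process that CREATEd it, else the first that WROTE it."""
    writers = {}
    for r in records:
        if not PPF_NAME.search(r["path"]) or r["result"] != "SUCCESS":
            continue
        if r["request"] == "CREATE":
            writers[r["path"]] = r["process"]          # an explicit CREATE wins
        elif r["request"] == "WRITE":
            writers.setdefault(r["path"], r["process"])  # otherwise first successful writer
    return writers


if __name__ == "__main__":
    recs = parse_filemon(SAMPLE_LOG)
    for path, procs in ppf_activity(recs).items():
        print(path)
        for proc, ops in procs.items():
            print(f"  {proc}: {', '.join(ops)}")
    print("likely writers:", likely_writers(recs))
```

Seeing several unrelated processes write the same file, as the script's per-file breakdown shows, is the pattern the thread later describes (each program appending its own entry), as opposed to one dedicated logger process.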
 

sakumar79

Technomancer
Thanks for the link swatkat... I have downloaded it and am running it now... Will leave it on all night and see what happens...

I just modified your suggestion a bit - I changed the filter to *ppf.log to make it a bit easier...

Thanks again,
Arun

PS: BTW, are you T-Bone or Razor? :)
 

sakumar79

Technomancer
Well, I checked with Filemon and found that the programs themselves were opening the file and adding the entries. It appears to me that as soon as a program tried to access the internet, the log would get an entry, and then, when that application was closed, it would get another...

Any idea what the cause is?

Arun
 

swatkat

Technomancer
This is even more interesting!! I am not sure, but it could be Kerio Firewall that's causing this. You can check this by uninstalling it and then deleting all the ppf.log files. Then connect to the Internet and check whether those files are recreated. (Don't forget to enable the Windows built-in firewall!)
 

sakumar79

Technomancer
Windows Firewall? No thanks... I think I will remove Kerio, install ZoneAlarm and then try it... Will post tonight or tomorrow morning results...

Arun
 

sakumar79

Technomancer
I was outstation last weekend and could not get to my computer until last night... Removed Kerio, installed Sygate and logged onto the internet.

The result was the same... I am still getting the log files.... I have googled for these files but am unable to find any info...

It also made a note of Explorer.exe when it was doing some local accessing...

Please help asap...

Arun
 

swatkat

Technomancer
Hi,
Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here.
 

sakumar79

Technomancer
I am posting results from WinPF and from Rootkit Revealer.

WinPF Output:


Rootkit Revealer:
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 16/11/2005 10:56 0 bytes Hidden from Windows API.


Arun
 

sakumar79

Technomancer
One more thing. In WinPF options, there are some plugins that might be added... Should I add them to the result?

Arun
 

swatkat

Technomancer
Hi,
Delete these files (you may need to enable the "Show hidden files" option to see them):-
C:\WINDOWS\MEMORY.DMP
C:\WINDOWS\RMAgentOutput.dll

Also, delete the contents of the Temp folder. Next, go to Start > Run, type %prefetch% and press the Enter key. The Prefetch folder should open; select all the files in it and delete them.
After this, check whether those log files are still created or not.


Do you know what these files are:-
C:\WINDOWS\SYSTEM32\cttune.cpl
C:\WINDOWS\SYSTEM32\startup.cpl
Do they display as applets in Control Panel?


And, the Registry entry that Rootkit Revealer found is related to Alcohol 120% software.
 

sakumar79

Technomancer
Hey Swatkat, thanks for the reply... I will check it out tonight and follow up...

cttune should be the ClearType Tune util and Startup should be the startup program editing util (like msconfig). They are in the Control Panel...

And yes, I figured out that the registry entry was for Alcohol 120% by going into safe mode and checking it out...

BTW, what are the memory.dmp and the RMAgentOutput.dll files? Any virus or spyware?

Thanks again,
Arun
 

swatkat

Technomancer
Hmm....the WinPFind and Rootkit Revealer logs don't show anything dangerous! I don't know why these logs are created. Can you post back the non-Microsoft services running in the System?

(You can use HijackThis for this, it shows non MS services in its log.)
 

cymtron

Right off the assembly line
sakumar79 said:
I am seeing log files being created in each partition of my hard disk, apparently every day, named [date]_ppf.log (such as 8_11_2005_ppf.log). It contains a list of programs' start and end times. What creates these log files?

Non-Microsoft Programs/Services running:
AVG Antivirus
Kerio Personal Firewall
Logitech Webcam
Ad Muncher

Is it one of these programs, something in the OS (WinXP Prof with SP2), or could it be a virus/spyware? Please help asap.

Thanks in advance,
Arun


Hi,
For a few days I have had the same problem. I was also testing the Kerio Personal Firewall, found it unstable and uninstalled it. It could be that these log files started to appear then, I'm not sure. Have you found out what generates these files?
tx
Cymtron
 

sakumar79

Technomancer
Nope... I had some issues later with my OS and had to install again. I purchased a new HD, made it primary and then installed on it... I still have Kerio but I don't get the log file on my new installation these days... I use Avast instead of AVG these days, but I doubt that was the culprit... Also, I no longer have the Webcam or the Ad Muncher utility in the new installation... Could have been one of them too...

Arun
 