Thread: Crypt32Chain

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    2

    Crypt32Chain

    I just upgraded to Spybot 1.4 tonight and noticed some things in my startup that were not there previously. They are as follows.


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-02-07 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-02-03 Includes\Cookies.sbi
    2006-02-03 Includes\Dialer.sbi
    2006-02-03 Includes\Hijackers.sbi
    2006-02-03 Includes\Keyloggers.sbi
    2006-02-03 Includes\Malware.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2006-02-03 Includes\PUPS.sbi
    2003-11-12 Includes\QA Tests.sbi
    2006-02-03 Includes\Revision.sbi
    2006-02-03 Includes\Security.sbi
    2006-02-03 Includes\Spybots.sbi
    2003-11-21 Includes\Temporary.sbi
    2005-02-17 Includes\Tracks.uti
    2006-02-03 Includes\Trojans.sbi

    Located: HK_LM:Run,
    command:
    file:

    Located: HK_LM:Run, AVG7_CC
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    size: 356352
    MD5: 6492815fc67068a11420740637946b0e

    Located: HK_LM:Run, AVG7_EMC
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    size: 279040
    MD5: ffeffa201b60d9095c2ca826af9f167b

    Located: HK_LM:Run, CTStartup
    command: C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    file:

    Located: HK_LM:Run, iTunesHelper
    command: "C:\Program Files\iTunes\iTunesHelper.exe"
    file: C:\Program Files\iTunes\iTunesHelper.exe
    size: 278528
    MD5: ff95f200b0cb3810382b355cf9f0bed9

    Located: HK_LM:Run, NeroCheck
    command: C:\WINDOWS\System32\\NeroCheck.exe
    file: C:\WINDOWS\System32\\NeroCheck.exe
    size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

    Located: HK_LM:Run, CTHelper (DISABLED)
    command: CTHELPER.EXE
    file: C:\WINDOWS\system32\CTHELPER.EXE
    size: 24576
    MD5: 15f71a562eb274baae347a7a224e3bf9

    Located: Startup (common), InterVideo WinCinema Manager.lnk
    command: C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    file: C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    size: 98304
    MD5: 9c98dff6e6ae125cb3ff52e7fb063d9f

    Located: Startup (user), Microsoft Find Fast.lnk
    command: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    file: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    size: 111376
    MD5: d57a0ed2472934865e950fb05f8dfd21

    Located: Startup (user), Office Startup.lnk
    command: C:\Program Files\Microsoft Office\Office\OSA.EXE
    file: C:\Program Files\Microsoft Office\Office\OSA.EXE
    size: 51984
    MD5: d06276d4cad46cdceabefdeb1a0d3c0d

    Located: System.ini, AtiExtEvent
    command: Ati2evxx.dll
    file: Ati2evxx.dll

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll


    These last files that are bolded are the new files that suddenly showed up. I researched some of them; they are supposedly trojans/viruses etc., such as Crypt32Chain. Can someone explain how to get rid of them? And which? Can I simply nuke them using Spybot's StartUp List option? Pretty confused here. I have never seen them before....

    Thanks for any help anyone can give!

  2. #2
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    The entries you've highlighted are normal for a Windows XP system and are related to the Windows 2000/XP WinLogon Event Handler Service; Spybot S&D 1.4 was the first version to display them. Malware that affects these entries does exist, but you don't appear to have any, so leave them alone.

    You do have one additional entry that isn't included in XP by default, but it's there to support your ATI video:

    Code:
    Located: System.ini, AtiExtEvent
    command: Ati2evxx.dll
    file: Ati2evxx.dll

    ati2evxx.dll
    ATI2EVXX.DLL is an ATI External Event Utility DLL Module.
    ATI Technologies Inc.
    ATI External Event Utility for NT, W2K and W9X

    The following is much more technical information about these entries found on the Microsoft Developers site.

    The general description of these entries displayed by Spybot 1.4 is found in the Microsoft MSDN Library here:
    http://msdn.microsoft.com/library/en...n_packages.asp
    Winlogon Notification Packages
    Winlogon notification packages are DLLs that receive and handle events generated by Winlogon. You can implement such a notification package to monitor and respond to Winlogon events. This is useful for applications that need to perform additional processing during logon or logoff, or maintain state information that must be updated when Winlogon events occur.


    For more information about Winlogon and GINAs, see Winlogon and GINA.

    Windows NT and Windows Me/98/95: Winlogon notification packages are not supported.
    Note the last line: these entries have existed in Windows 2000 and XP, but not earlier versions of Windows. They were NOT added by Spybot S&D 1.4; it simply was the first version that started to display them.

    The description of how the specific registry entries are created is:
    http://msdn.microsoft.com/library/de...ry_entries.asp
    Registry Entries
    In order for your package to receive event notifications from Winlogon, you must provide the name of the package, the names of the event handler functions in the package, the DLL responsible for implementing the package, and information about whether the DLL supports asynchronous events and impersonation.


    You should create the notification package registry key as a subkey of

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    The name of the key is usually the same as the name of the DLL; however, this is not mandatory. The name chosen for your package must not conflict with the names of other installed notification packages.
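
Added example (not part of the original posts and not Spybot's own code): the Python below parses a startup list in the format pasted in post #1 and reports `System.ini` (Winlogon Notify) entries whose name or DLL differs from the set this thread identifies as normal. The baseline comes from this thread only, and `examplepkg`, `example.dll` and `example2.dll` are constructed sample values.

```python
import re
# Baseline from this thread only: entries the reply calls normal or explains.
BASELINE = {
    "atiextevent": "ati2evxx.dll", "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll", "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}
FIELD = re.compile(r"^\s*(Located|command|file|size|MD5):[ \t]*(.*)$", re.M)

def parse_startup_list(text):
    """Parse 'Located:/command:/file:' records into a list of dicts."""
    entries = []
    for m in FIELD.finditer(text):
        key, value = m.group(1), m.group(2).strip()
        if key == "Located":
            location, _, name = value.partition(",")
            entries.append({"location": location.strip(), "name": name.strip()})
        elif entries:
            entries[-1][key.lower()] = value
    return entries

def review_notify_entries(entries):
    """Return (name, dll, reason) for System.ini entries that differ from BASELINE."""
    findings = []
    for e in entries:
        if e["location"].lower() != "system.ini":
            continue  # Spybot lists the Winlogon Notify packages as "System.ini"
        name, dll = e["name"], e.get("file", "")
        expected = BASELINE.get(name.lower())
        if expected is None:
            findings.append((name, dll, "not in baseline"))
        elif dll.lower() != expected:
            findings.append((name, dll, "baseline DLL is " + expected))
    return findings

# Constructed sample: one entry from the thread, then two invented ones.
SAMPLE = """\
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, examplepkg
command: example.dll
file: example.dll
Located: System.ini, cryptnet
command: example2.dll
file: example2.dll
"""
```

A finding only means the entry differs from what this thread lists; a vendor package such as the ATI one would show up the same way on a system whose baseline lacked it, so it is a prompt to check the DLL, not to delete the entry.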

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    2

    Thank you very much!! This gives me a bit of relief. :D
