I am trying to save an XP home box.
I have run and installed HJT, NAV2005, Ad-Aware, Spy Bot S&D, FindIt Nt-2000-XP
as well as LSPfix.
In my tool kit I have TDS3, l2mfix (I have the look2me crap in the machine) and killbox.
So I am ready to KILL KILL KILL.
I have run FindIt and I don't quite know what to do next.
It is currently 6:45 PM PST, February 25, 2005.
I will be on- and off-line all night.
Here is the log file from FindIt:
*********************************************
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\temp\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2853-88F8
Directory of C:\WINDOWS\System32
02/25/2005 06:12 PM 229,715 lvn4095qe.dll
02/25/2005 05:18 PM 231,243 kt8ul7l91.dll
02/25/2005 04:13 PM 229,256 oaesvr.dll
02/25/2005 04:13 PM 230,971 irjsl5171.dll
02/25/2005 04:13 PM <DIR> dllcache
02/25/2005 02:20 PM 229,256 wispdmod.dll
02/25/2005 02:20 PM 229,655 lvro0993e.dll
02/25/2005 12:51 PM 229,256 nfrsptb.dll
02/25/2005 12:51 PM 230,393 ktlml7311.dll
02/25/2005 08:31 AM 229,256 sotupdll.dll
02/25/2005 08:31 AM 230,749 gpr4l39q1.dll
02/25/2005 07:44 AM 229,256 n66q0gj5e6o.dll
02/24/2005 09:02 PM 228,714 e4200efmeh2a0.dll
02/24/2005 07:00 PM 229,750 i060lajm1doa.dll
02/24/2005 06:23 PM 232,078 bfowselc.dll
02/24/2005 06:21 PM 228,502 k2pm0c71ef.dll
02/24/2005 04:16 PM 229,021 m246lchs1f46.dll
02/24/2005 04:02 PM 232,078 drband.dll
02/24/2005 04:02 PM 228,405 h0j40a1qed.dll
02/24/2005 08:19 AM 228,600 k0080adued080.dll
02/24/2005 07:50 AM 231,473 hr6605jse.dll
02/23/2005 08:38 PM 231,003 iz41_qcx.dll
02/23/2005 08:38 PM 228,925 enn4l15q1.dll
02/23/2005 04:18 PM 231,003 dpcprop2.dll
02/23/2005 02:21 PM 229,148 cqfview.dll
02/23/2005 02:12 PM 231,003 mhscp.dll
02/23/2005 01:01 PM 229,148 lvcalsec.dll
02/23/2005 12:39 PM 231,003 SLP32.DLL
02/23/2005 12:09 PM 231,191 crrsrv.dll
02/23/2005 11:59 AM 231,003 mpvcp60.dll
02/23/2005 10:30 AM 231,003 uupnpmgr.dll
02/23/2005 10:30 AM 232,248 ir42l5ho1.dll
02/23/2005 10:10 AM 230,836 sclwid.dll
02/22/2005 03:32 PM 231,003 cml3d32.dll
02/22/2005 03:13 PM 230,836 ctrpol.dll
02/22/2005 02:46 PM 230,836 sarmdll.dll
02/22/2005 02:46 PM 231,379 fp4q03h5e.dll
02/19/2005 01:41 PM 229,434 ceiconfg.dll
02/19/2005 01:29 PM 229,434 cNpesnpn.dll
02/19/2005 01:27 PM 229,434 lvr2099oe.dll
02/19/2005 01:21 PM 229,434 vua.dll
02/19/2005 01:21 PM 231,065 enl6l13s1.dll
02/19/2005 01:17 PM 229,434 dvofile.dll
02/19/2005 01:17 PM 229,568 g4lm0e31eh.dll
02/18/2005 05:03 PM 228,975 dnlayx.dll
02/18/2005 04:46 PM 229,434 mdrapi.dll
02/18/2005 04:26 PM 228,975 ikwdial.dll
02/16/2005 12:00 PM 229,088 lv0s09d7e.dll
02/16/2005 11:49 AM 229,088 mbgsvc.dll
02/16/2005 11:29 AM 229,088 iornonce.dll
02/16/2005 11:05 AM 229,088 lkasrv.dll
02/15/2005 09:52 AM 229,088 ixakeng.dll
02/15/2005 09:35 AM 228,975 mfrclr40.dll
01/25/2005 09:29 AM <DIR> Microsoft
08/18/2001 04:00 AM 84,112 wsmct.exe
53 File(s) 12,042,909 bytes
2 Dir(s) 14,964,109,312 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2853-88F8
Directory of C:\WINDOWS\System32
02/25/2005 04:13 PM <DIR> dllcache
05/14/2002 05:18 PM 488 WindowsLogon.manifest
05/14/2002 05:18 PM 488 logonui.exe.manifest
05/14/2002 05:18 PM 749 cdplayer.exe.manifest
05/14/2002 05:18 PM 749 wuaucpl.cpl.manifest
05/14/2002 05:18 PM 749 sapi.cpl.manifest
05/14/2002 05:18 PM 749 nwc.cpl.manifest
05/14/2002 05:18 PM 749 ncpa.cpl.manifest
08/18/2001 04:00 AM 84,112 wsmct.exe
8 File(s) 88,833 bytes
1 Dir(s) 14,964,105,216 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 2853-88F8
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 2853-88F8
Directory of C:\WINDOWS\System32
08/18/2001 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 14,964,105,216 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{47064461-9804-4E7F-8A40-D554621FCF9A}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\sotupdll.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /install"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Any and all help is very much appreciated.
Portnoy