Thank you! Here's the Find It log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Owner\Desktop\finditnt2000xp\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 303C-6B38
Directory of C:\WINDOWS\System32
07/04/2005 09:48 AM <DIR> dllcache
06/10/2005 04:20 PM <DIR> Microsoft
10/27/2004 04:39 PM 512 TafqX5mo.dvc
1 File(s) 512 bytes
2 Dir(s) 25,016,750,080 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 303C-6B38
Directory of C:\WINDOWS\System32
07/04/2005 09:48 AM <DIR> dllcache
10/27/2004 05:47 PM 0 RO7700.tmp.LOG
10/27/2004 05:47 PM 0 RO76FB.tmp.LOG
10/27/2004 05:47 PM 0 RO76F8.tmp.LOG
10/27/2004 05:47 PM 0 RO76F3.tmp.LOG
10/27/2004 05:47 PM 0 RO76F0.tmp.LOG
10/27/2004 05:47 PM 0 RO76EB.tmp.LOG
10/27/2004 05:47 PM 0 RO76E8.tmp.LOG
10/27/2004 05:47 PM 0 RO76E3.tmp.LOG
10/27/2004 05:47 PM 0 RO76E0.tmp.LOG
10/27/2004 05:47 PM 0 RO76DB.tmp.LOG
10/27/2004 05:47 PM 0 RO76D8.tmp.LOG
10/27/2004 05:47 PM 0 RO76D3.tmp.LOG
10/27/2004 04:39 PM 512 TafqX5mo.dvc
10/26/2004 10:33 PM 262,144 RO621C.bac
10/26/2004 10:33 PM 262,144 RO6214.bac
10/26/2004 10:33 PM 262,144 RO6217.bac
10/26/2004 10:33 PM 262,144 RO621F.bac
10/26/2004 10:33 PM 262,144 RO6227.bac
10/26/2004 10:33 PM 2,883,584 RO6224.bac
10/26/2004 10:32 PM 0 RO6227.tmp.LOG
10/26/2004 10:32 PM 0 RO6224.tmp.LOG
10/26/2004 10:32 PM 0 RO621F.tmp.LOG
10/26/2004 10:32 PM 0 RO621C.tmp.LOG
10/26/2004 10:32 PM 0 RO6217.tmp.LOG
10/26/2004 10:32 PM 0 RO6214.tmp.LOG
10/26/2004 10:32 PM 0 RO620F.tmp.LOG
10/26/2004 10:32 PM 0 RO620C.tmp.LOG
10/26/2004 10:32 PM 0 RO6207.tmp.LOG
10/26/2004 10:32 PM 0 RO6204.tmp.LOG
10/26/2004 10:32 PM 0 RO61FF.tmp.LOG
10/26/2004 10:32 PM 0 RO61FC.tmp.LOG
01/08/2002 06:20 AM 488 logonui.exe.manifest
01/08/2002 06:20 AM 488 WindowsLogon.manifest
01/08/2002 06:20 AM 749 cdplayer.exe.manifest
01/08/2002 06:20 AM 749 wuaucpl.cpl.manifest
01/08/2002 06:20 AM 749 ncpa.cpl.manifest
01/08/2002 06:20 AM 749 nwc.cpl.manifest
01/08/2002 06:20 AM 749 sapi.cpl.manifest
38 File(s) 4,199,537 bytes
1 Dir(s) 25,016,745,984 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 303C-6B38
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 303C-6B38
Directory of C:\WINDOWS\System32
10/26/2004 10:32 PM 36,864 RO61FC.tmp
09/26/2004 05:02 PM 0 ~GLH0011.TMP
03/08/2004 06:58 PM 646,656 SET1D.tmp
08/18/2001 05:00 AM 2,577 CONFIG.TMP
06/26/2001 04:06 PM 147,512 scrrun.dll.tmp
5 File(s) 833,609 bytes
0 Dir(s) 25,016,745,984 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
No matches found.
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"VTPreset"="VTPreset.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
Edited by kchristine7, 17 July 2005 - 04:58 PM.