Getting shorter all the time.
Thank you again. Please advise the next step, sans hammer.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57
Directory of C:\WINDOWS\System32
09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
11/26/2001 10:56 AM <DIR> Microsoft
1 File(s) 89 bytes
2 Dir(s) 67,107,987,456 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57
Directory of C:\WINDOWS\System32
09/28/2004 05:20 AM <DIR> DLLCACHE
06/16/2003 08:00 AM 89 SftGrd.cfg
1 File(s) 89 bytes
1 Dir(s) 67,107,987,456 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57
Directory of C:\WINDOWS\System32
12/29/2004 10:27 PM 56 Guard.tmp
05/27/1999 07:30 PM 208,896 SoftGuard6.ocx
2 File(s) 208,952 bytes
0 Dir(s) 67,107,987,456 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is D4F4-3C57
Directory of C:\WINDOWS\System32
12/29/2004 10:27 PM 56 Guard.tmp
08/18/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 67,107,983,360 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C6F11B0C-6A1D-4EF2-A33F-CBB1D583D743}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Fonts]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m4po0e73eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
No matches found.
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HP SchedIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppschedindexer.exe"
"HP AutoIndexer"="C:\\Program Files\\Hewlett-Packard\\LaserJet 33xx\\hppautoindexer.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"