Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from:
------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB
Directory of C:\WINDOWS\System32
12/20/2004 05:50a 223,548 mjacm32.dll
12/19/2004 10:48p 223,100 n4n60e5seh.dll
12/19/2004 02:45p 223,548 k8440ihqe84e0.dll
12/18/2004 07:45a <DIR> dllcache
12/18/2004 07:40a 225,050 q0nula591d.dll
12/15/2004 10:39p 224,723 f6l00g3me6.dll
12/15/2004 09:55p 225,336 lv4609hse.dll
12/15/2004 09:53p 225,992 ir0ol5d31.dll
12/15/2004 08:34p 223,703 mkhcp.dll
12/14/2004 10:05p 225,640 ktlul7391.dll
12/14/2004 08:07p 223,816 fNxmapi.dll
12/14/2004 05:18p 224,513 i0lola331d.dll
12/14/2004 06:01a 224,890 rem.dll
12/11/2004 06:20p 223,304 e802lido180c.dll
12/08/2004 06:21p 223,123 gpj8l31u1.dll
12/07/2004 06:27p 223,123 r6r60g9se6.dll
12/07/2004 06:18p 226,129 j00s0ad7ed0.dll
12/06/2004 04:21p 226,129 ITMFILTER.DLL
17 File(s) 3,815,667 bytes
1 Dir(s) 7,233,389,056 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB
Directory of C:\WINDOWS\System32
12/18/2004 07:45a <DIR> dllcache
08/13/2004 09:50p <DIR> GroupPolicy
08/13/2004 09:31p 21,692 folder.htt
08/13/2004 09:31p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 7,233,396,736 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB
Directory of C:\WINDOWS\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 7,233,392,640 bytes free
---------------- User Agent ------------
REGEDIT4
; Export of the Internet Explorer "Post Platform" key under HKLM.
; NOTE(review): value names under this key are normally appended as tokens to the
; browser's User-Agent string. The only value here is a bare GUID with empty data,
; so the export does not show which software added it. Confirm its origin before
; changing it.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B050EB16-A35D-4FE1-98F4-A172E7A572BA}"=""
------------ Keys Under Notify ------------
REGEDIT4
; Export of the Winlogon\Notify key. Each subkey names a DLL (DllName) and the
; exported functions to call for events such as Logon, Logoff, Startup and Shutdown.
; A DLL registered here is loaded by Winlogon, so every subkey is worth checking
; against the file it points to.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
; hex(2) is REG_EXPAND_SZ; these bytes decode to "crypt32.dll".
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
; Decodes to "cryptnet.dll".
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
; NOTE(review): this is the only subkey in the export whose DllName is an absolute
; path; every other subkey names its DLL by bare filename. The target,
; k8440ihqe84e0.dll, also appears in the System32 listing earlier in this log
; (12/19/2004 02:45p, 223,548 bytes) among a run of similarly sized DLLs with
; random-looking names. Treat it as the entry to verify first (file properties,
; signature, hash lookup). The export alone does not prove it is malicious.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k8440ihqe84e0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
; Decodes to "sclgntfy.dll".
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
; 0x258 = 600 decimal (the export does not state the unit).
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
------------------ Locate.com Results ------------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\SYSTEM32\bo.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
; Export of the machine-wide Run key. Each value is a command line started at logon.
; NOTE(review): the five values reference mobsync.exe and four executables under
; C:\PROGRA~1\mcafee.com (8.3 short path). A familiar value name does not confirm
; that the file at that path is genuine, so verify the files themselves.
; Neither bo.exe (flagged in the Aspack results of this log) nor the DLL named
; under Winlogon\Notify\Run is referenced from this key, so this key is not what
; starts them.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
; No directory is given for mobsync.exe, so which file runs depends on the search path.
"Synchronization Manager"="mobsync.exe /logon"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
; The OptionalComponents subkeys below hold only "Installed"/"NoChange" flags;
; none of them contains a command line.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"