Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Downloads\FindIt\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0
Directory of C:\WINDOWS\System32
12/27/2004 08:59 AM <DIR> dllcache
03/10/2004 07:31 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 126,789,492,736 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0
Directory of C:\WINDOWS\System32
12/30/2004 01:04 PM 238 vsconfig.xml
12/30/2004 01:04 PM 4,212 zllictbl.dat
12/27/2004 09:35 AM <DIR> vmss
12/27/2004 08:59 AM <DIR> dllcache
03/10/2004 04:42 PM 488 WindowsLogon.manifest
03/10/2004 04:42 PM 488 logonui.exe.manifest
03/10/2004 04:42 PM 749 ncpa.cpl.manifest
03/10/2004 04:42 PM 749 nwc.cpl.manifest
03/10/2004 04:42 PM 749 sapi.cpl.manifest
03/10/2004 04:42 PM 749 wuaucpl.cpl.manifest
03/10/2004 04:42 PM 749 cdplayer.exe.manifest
9 File(s) 9,171 bytes
2 Dir(s) 126,789,488,640 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0
Directory of C:\WINDOWS\System32
12/30/2004 02:02 AM 223,467 guard.tmp
1 File(s) 223,467 bytes
0 Dir(s) 126,789,488,640 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0
Directory of C:\WINDOWS\System32
12/30/2004 02:02 AM 223,467 guard.tmp
08/23/2001 06:00 AM 2,577 CONFIG.TMP
2 File(s) 226,044 bytes
0 Dir(s) 126,789,484,544 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM32\
vsconfig.xml Thu Dec 30 2004 1:04:30p A..H. 238 0.23 K
zllictbl.dat Thu Dec 30 2004 1:04:04p ...H. 4,212 4.11 K
2 items found: 2 files, 0 directories.
Total of file sizes: 4,450 bytes 4.34 K
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\system32\ntdll.dll: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus CX5200"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P19 \"EPSON Stylus CX5200\" /O6 \"USB001\" /M \"Stylus CX5200\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"mediamotor.exe"="C:\\WINDOWS\\mmups.exe"
"winupdtl"="C:\\WINDOWS\\system32\\winupdtl.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"kalvsys"="C:\\windows\\system32\\kalvjwd32.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"USB controller"="\"C:\\WINDOWS\\TEMP\\ICD1.tmp\\svcmm32.exe\" /startup"
"vmss"="C:\\WINDOWS\\system32\\vmss\\vmss.exe"
"satmat"="C:\\WINDOWS\\satmat.exe"
"hpmncc"="C:\\WINDOWS\\system32\\hpmncc.exe"
"fvkiyc"="C:\\WINDOWS\\system32\\fvkiyc.exe"
"Dvx"="C:\\WINDOWS\\system32\\wsxsvc\\wsxsvc.exe"
"BCPC"="\"C:\\Program Files\\Bcpc\\bcpc.exe\""
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"aldoexxm"="C:\\WINDOWS\\system32\\nbnoraj.exe"
"rs3i34l"="wmpip32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"