Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Jana Chapman\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B831-3EF8
Directory of C:\WINDOWS\System32
02/05/2005 02:45 PM 222,690 oihlp30t.dll
02/05/2005 02:45 PM 222,872 l28m0cl1efq.dll
02/05/2005 02:29 PM 224,483 gprsl3971.dll
02/05/2005 02:13 PM 222,690 kt88l7lu1.dll
02/05/2005 01:36 PM 222,690 s2rslc971f.dll
02/05/2005 01:27 PM 222,690 kt2ql7f51.dll
02/05/2005 04:37 AM 222,690 l08mlal11dq.dll
02/04/2005 10:47 PM 222,857 gp06l3ds1.dll
02/04/2005 04:57 AM 222,690 wlnmp32.dll
02/02/2005 09:07 PM 225,870 h6j40g1qe6.dll
01/26/2005 05:00 AM 225,870 iml8l53u1.dll
01/24/2005 09:17 PM 222,690 fce.dll
01/23/2005 09:03 PM 224,968 h6n0lg5m16.dll
01/22/2005 08:23 PM 225,696 l82s0if7e82.dll
01/22/2005 07:18 PM 224,968 szrrun.dll
01/22/2005 12:06 PM 225,962 owesvr.dll
01/21/2005 06:33 PM 225,948 k6080gdue6080.dll
01/20/2005 04:57 PM 226,227 mvn2l95o1.dll
01/19/2005 04:38 PM 223,896 apdbres.dll
01/18/2005 05:09 PM 224,968 cxbcatex.dll
01/18/2005 04:18 PM 223,896 dbnwsock.dll
01/18/2005 04:37 AM 224,968 syrio800.dll
01/16/2005 11:46 AM 223,951 mevcrt.dll
01/15/2005 06:17 AM 223,896 ismon.dll
01/13/2005 04:22 AM 223,951 IOETWH32.dll
01/12/2005 09:20 PM 223,896 kidsw.dll
01/12/2005 06:02 PM 223,951 iketres.dll
01/09/2005 12:50 PM 223,896 f60olgd3160.dll
01/06/2005 04:06 AM 223,896 o666lgjs16o6.dll
01/05/2005 10:37 PM 223,745 mv68l9ju1.dll
01/05/2005 09:57 PM 6,656 Thumbs.db
01/05/2005 06:28 PM 224,081 i6lo0g33e6.dll
01/05/2005 05:21 AM 224,991 m428lefu1h28.dll
01/03/2005 04:25 PM 223,910 hr6m05j1e.dll
01/02/2005 10:09 PM 223,232 irl8l53u1.dll
12/05/2004 07:34 AM <DIR> DLLCACHE
08/15/2002 08:16 PM <DIR> Microsoft
35 File(s) 7,626,331 bytes
2 Dir(s) 26,578,739,200 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B831-3EF8
Directory of C:\WINDOWS\System32
02/05/2005 02:12 PM <DIR> wsxsvc
01/05/2005 09:57 PM 6,656 Thumbs.db
12/05/2004 07:34 AM <DIR> DLLCACHE
08/14/2004 04:03 PM 488 WindowsLogon.manifest
08/14/2004 04:03 PM 488 logonui.exe.manifest
08/14/2004 04:03 PM 749 sapi.cpl.manifest
08/14/2004 04:03 PM 749 nwc.cpl.manifest
08/14/2004 04:03 PM 749 cdplayer.exe.manifest
08/14/2004 04:03 PM 749 wuaucpl.cpl.manifest
08/14/2004 04:03 PM 749 ncpa.cpl.manifest
08/09/2004 05:20 PM <DIR> GroupPolicy
8 File(s) 11,377 bytes
3 Dir(s) 26,578,735,104 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is B831-3EF8
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is B831-3EF8
Directory of C:\WINDOWS\System32
08/18/2001 05:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 26,578,735,104 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{29F5E539-E336-4DB7-8465-4D390698B52D}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s2rslc971f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
-------- Strings.exe Qoologic Results --------
C:\WINDOWS\SYSTEM32\ipspzi.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\luiugl.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\luxupl.exe: updates.qoologic.com
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vuquyv.exe: .aspack
C:\WINDOWS\SYSTEM32\wuguqw.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kgfgyk.exe: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Dell|Alert"="C:\\Program Files\\Dell\\Support\\Alert\\bin\\DAMon.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\\hphupd05.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon05"="C:\\WINDOWS\\system32\\hphmon05.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Thank you so much...
TheNimirRaj