Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP
Sorry I jumped the gun. find.bat eventually gave this log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: D:\Documents and Settings\NEV90175\Desktop\Find It\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is D8B2-D8BF
Directory of C:\WINNT\System32
04/21/2005 11:52a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 27,135,434,752 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is D8B2-D8BF
Directory of C:\WINNT\System32
04/21/2005 11:52a <DIR> dllcache
04/21/2005 10:19a 22,415 FFASTLOG.TXT
02/06/2004 11:54p <DIR> GroupPolicy
02/06/2004 11:48p 21,692 folder.htt
02/06/2004 11:48p 271 desktop.ini
3 File(s) 44,378 bytes
2 Dir(s) 27,135,434,752 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is D8B2-D8BF
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is D8B2-D8BF
Directory of C:\WINNT\System32
07/30/2001 10:42a 1,118,720 msxml3.tmp
07/30/2001 10:40a 24,576 msxml3a.tmp
07/30/2001 10:40a 44,032 msxml3r.tmp
12/07/1999 05:00a 2,577 CONFIG.TMP
4 File(s) 1,189,905 bytes
0 Dir(s) 27,135,434,752 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Thu Apr 21 2005 10:19:38a A..H. 22,415 21.89 K
1 item found: 1 file, 0 directories.
Total of file sizes: 22,415 bytes 21.89 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"TempRemove"="\"C:\\Program Files\\Crystal Ball\\CB Predictor\\terminator.exe\""
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"RUNCIS"="C:\\Program Files\\1E\\CIS\\\\RUNCIS.EXE"
"SMS Application Launcher"="C:\\WINNT\\MS\\SMS\\CORE\\BIN\\LAUNCH32.EXE"
"Asset Insight SUM"="C:\\INSIGHT\\TOOLS\\AISOFTMN.EXE -B"
"VerifyStartMenu"="RunDLL32 C:\\NETMANAG.32\\NMGOINN.DLL,VerifyStartMenu"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"Matrox Powerdesk"="C:\\WINNT\\system32\\PDesk\\PDesk.exe /Autolaunch"
"MGA_CD_Install"="E:\\mgasetup.exe /No_Welcome /Lang:English"
"oaksoyc"="c:\\winnt\\system32\\ujbegy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"