Hey Rocky, watch me pull a rabbit out of my hat....
Here's the output...
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\kgareau\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is Local Disk
Volume Serial Number is BCB1-2535
Directory of C:\WINNT\System32
12/06/2004 11:32a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 12,581,941,248 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Local Disk
Volume Serial Number is BCB1-2535
Directory of C:\WINNT\System32
12/06/2004 11:32a <DIR> dllcache
07/13/2001 01:19p <DIR> GroupPolicy
07/13/2001 12:36p 21,692 folder.htt
07/13/2001 12:36p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 12,581,941,248 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is Local Disk
Volume Serial Number is BCB1-2535
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is Local Disk
Volume Serial Number is BCB1-2535
Directory of C:\WINNT\System32
05/21/2003 09:18a 44,032 msxml3r.tmp
05/21/2003 09:18a 24,576 msxml3a.tmp
12/19/2002 12:06p 1,129,472 msxml3.tmp
12/07/1999 04:00a 2,577 CONFIG.TMP
4 File(s) 1,200,657 bytes
0 Dir(s) 12,581,941,248 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YComp 5.0.0.0"="Yahoo! Companion"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\dtnetlib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
------------- Locate.com Results -------------
No matches found.
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"OfficeScanNT Monitor"="\"C:\\Program Files\\OfficeScan NT\\pccntmon.exe\" -HideWindow"
"CClient"="C:\\PROGRA~1\\TALLYS~1\\TSCensus\\bin\\cclient.exe"
"Logitech Utility"="Logi_MwX.Exe"
"SoDA Startup"="C:\\Program Files\\Rational\\SoDAWord\\Wizards\\SodaStartup.exe StartUp"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"