HIJACKER.COSTRAT.E


Post by bnkrldy » September 7th, 2006, 8:33 pm

The only thing I remember about the Ewido scan of a week ago was that the hijacker.costrat.e file was flagged High Risk.

I am still unable to merge the reg file under Leanna's name. I can merge it under Gale and Rich, though.

Here is the updated Ewido log from the Administrator name in SafeMode:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:42:47 PM 9/7/2006

+ Scan result:

Nothing found.

::Report end


and here is the HJT I ran in SafeMode:

Logfile of HijackThis v1.99.1
Scan saved at 5:16:21 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\check.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe



PLUS another HJT log I ran in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:56 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\dllhost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\check.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am
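The two HijackThis logs above are read by hand in this thread. As an added example (not a MalwareRemoval.com or HijackThis tool), the Python below parses the v1.99.1 log layout into header, running processes and R*/O* entries, then flags the kinds of lines a helper looks at first: "(no file)" hooks, bare Run values with no path, O15 zone mismatches, Winlogon Notify DLLs and services running from a user profile. The sample log is a constructed subset of the normal-mode log posted above; the rules, names and thresholds are the example's own assumptions.

```python
"""Triage helper for HijackThis v1.99.1 log text.

Added example for this thread, not a MalwareRemoval.com or HijackThis tool.
A flag means "look at this first", not "this is malicious": several of the
sample lines below (Windows Defender, WgaLogon, the ewido guard service) are benign.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the thread's normal-mode HJT log, in the same shape.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:30:56 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Hijackthis\check.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [asp4tray] asp4tray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")            # "O4 - <body>"
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # "HKLM\..\Run: [name] cmd"


@dataclass
class HjtLog:
    header: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)  # (code, body) pairs in log order


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis log into header fields, running processes and entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            log.processes.append(line)
        elif line == "Running processes:":
            in_procs = True
        elif line.startswith("Logfile of HijackThis v"):
            log.header["version"] = re.search(r"HijackThis v(\S+)", line).group(1)
        elif line.startswith("Scan saved at "):
            log.header["scan_time"] = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            log.header["platform"] = line[len("Platform: "):]
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.append((m.group(1), m.group(2)))
    return log


def _is_bare_command(cmd: str) -> bool:
    """True when a Run value gives no directory at all (e.g. 'asp4tray.exe'),
    so the binary is resolved through the search path and the log alone
    cannot tell you where it lives."""
    return "\\" not in cmd and ":" not in cmd


def triage(log: HjtLog) -> list:
    """Return (code, reason, body) for entries worth a second look (assumed rules)."""
    findings = []
    for code, body in log.entries:
        reason = None
        if "(no file)" in body or "is missing" in body:
            reason = "points at a missing file or a missing default hook"
        elif code == "O4":
            m = RUN_RE.match(body)
            if m and _is_bare_command(m.group("cmd")):
                reason = "Run value has no path; verify where the binary actually lives"
        elif code == "O15" and "should be" in body:
            reason = "protocol mapped to the wrong Internet Explorer security zone"
        elif code == "O20":
            reason = "Winlogon Notify DLL loads at every logon; confirm publisher and path"
        elif code == "O23" and "\\Documents and Settings\\" in body:
            reason = "service runs from a user profile path rather than Program Files"
        if reason:
            findings.append((code, reason, body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(f"HijackThis {parsed.header['version']} on {parsed.header['platform']}")
    for code, reason, body in triage(parsed):
        print(f"[{code}] {reason}\n    {body}")
```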

Post by whisperer » September 8th, 2006, 4:16 am

Hi bnkrldy,

Time to move up apiece and bring in some more diagnostic kit, so please download WinPFind. We will use this to try and find hidden files that could be blocking the cures.

  1. Please save the WinPFind.zip to a folder that you can access from Leanna.

     I suggest that you print out the following instructions, or highlight the remainder and save it to a WordPad file on your desktop, as you will no longer have an internet connection until we have finished the clean-up.
  2. Physically disconnect your computer from the internet by unplugging the lead.
  3. Reboot the computer into safe mode using the System Configuration Utility.
     1. Once SysConfig is reset, select the Start button and Turn Off Computer.
     2. Select the Turn Off option; when the computer has shut down, switch off the power supply.
     3. After 10 seconds, restore the power supply and switch on the computer.
  4. To reduce the chance of anti-spyware interfering with the fixes, please stop all anti-spyware on your computer. If you right-click on the icon(s) in the system tray you will find an option to 'exit'. When you reboot, this will all return to normal.
     1. Locate the WinPFind.zip file, right-click and extract it to your C:\ folder.
     2. This will create a folder called WinPFind in the C:\ folder. Navigate to the C:\WinPFind directory and click the file called WinPFind.exe to open it.
     3. Once it is open, click on the Start Scan button and wait for it to finish.
        This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more.
     4. When it is done, it will show the results of the scan.
     5. Click on the Copy to Clipboard button.
  5. Paste the contents of the log in your clipboard as a reply in your next post.
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Post by bnkrldy » September 8th, 2006, 8:50 pm

I did the download, and the scan in SafeMode, but I am not able to access Leanna while in SafeMode, even though all names have "administrator" status. I can only access Gale or Administrator, so I did the scan in Administrator. If there is something I need to configure so I can access Leanna in Safemode, please let me know and I will rescan. Meanwhile here is the WinPFind info:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/8/2006 5:01:46 PM
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
FSG! 2/15/2005 7:23:08 PM 11191694 C:\Program Files\wdm_a369.exe (Realtek Semiconductor Corp.)

Checking %WinDir% folder...
PECompact2 9/23/2005 8:31:14 PM 15881841 C:\WINDOWS\VPTNFILE.855 ()
qoologic 9/23/2005 8:31:14 PM 15881841 C:\WINDOWS\VPTNFILE.855 ()
SAHAgent 9/23/2005 8:31:14 PM 15881841 C:\WINDOWS\VPTNFILE.855 ()
UPX! 9/23/2005 10:43:34 PM 1044560 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
aspack 9/23/2005 10:43:34 PM 1044560 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
PECompact2 9/23/2005 8:31:14 PM 15881841 C:\WINDOWS\LPT$VPN.855 ()
qoologic 9/23/2005 8:31:14 PM 15881841 C:\WINDOWS\LPT$VPN.855 ()
SAHAgent 9/23/2005 8:31:14 PM 15881841 C:\WINDOWS\LPT$VPN.855 ()

Checking %System% folder...
PEC2 8/4/2004 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
winsync 8/4/2004 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
aspack 8/4/2004 12:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
PECompact2 8/2/2006 6:22:50 PM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/2/2006 6:22:50 PM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 8/4/2004 12:00:00 PM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
WSUD 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 12:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/8/2006 4:56:56 PM S 2048 C:\WINDOWS\bootstat.dat ()
9/8/2006 4:31:36 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini ()
9/8/2006 4:31:38 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\U94Z07OB\desktop.ini ()
9/8/2006 4:31:38 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\8XANCP23\desktop.ini ()
9/8/2006 4:31:38 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\OL27S1I3\desktop.ini ()
9/8/2006 4:31:38 PM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\EBWPO1KH\desktop.ini ()
9/8/2006 4:31:38 PM HS 113 C:\WINDOWS\TEMP\History\History.IE5\desktop.ini ()
8/16/2006 12:09:10 PM HS 102400 C:\WINDOWS\All Users\DRM\drmstore.hds ()
8/19/2006 4:47:26 PM HS 462 C:\WINDOWS\SYSTEM32\tsvut.tmp ()
8/19/2006 4:48:46 PM HS 462 C:\WINDOWS\SYSTEM32\tsvut.ini2 ()
9/8/2006 4:53:44 PM H 950272 C:\WINDOWS\SYSTEM32\config\system.LOG ()
9/8/2006 4:53:44 PM H 94208 C:\WINDOWS\SYSTEM32\config\software.LOG ()
9/8/2006 4:53:44 PM H 16384 C:\WINDOWS\SYSTEM32\config\default.LOG ()
9/2/2006 1:15:22 PM H 24576 C:\WINDOWS\SYSTEM32\config\userdiff.LOG ()
9/8/2006 4:57:32 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG ()
9/8/2006 4:56:58 PM H 16384 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG ()
8/8/2006 11:48:14 PM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG ()
7/21/2006 2:03:14 AM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat ()
7/28/2006 5:16:08 AM S 23751 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat ()
7/13/2006 7:24:46 AM S 13050 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat ()
7/14/2006 8:53:20 AM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat ()
7/14/2006 9:13:00 AM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat ()
7/27/2006 7:00:28 AM S 10337 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat ()
9/8/2006 4:53:32 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()
9/8/2006 5:00:30 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job ()

Checking for CPL files...
4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL ()
8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
12/7/2003 10:54:52 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems)
7/11/1997 53520 C:\WINDOWS\SYSTEM32\mlcfg32.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
4/22/1998 2:24:58 PM R 121344 C:\WINDOWS\SYSTEM32\Asp4cpl.cpl (Aureal Semiconductor)
8/4/2004 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/4/2004 4:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
4/22/1998 2:24:58 PM R 121344 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\Asp4cpl.cpl (Aureal Semiconductor)

Checking for Downloaded Program Files...
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/ka ... nicode.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdat ... /opuc3.cab
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - McAfee.com Operating System Class - CodeBase = http://download.mcafee.com/molbin/share ... insctl.cab
{5F8469B4-B055-49DD-83F7-62B522420ECC} - Facebook Photo Uploader Control - CodeBase = http://upload.facebook.com/controls/Fac ... loader.cab
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - DwnldGroupMgr Class - CodeBase = http://download.mcafee.com/molbin/share ... cgdmgr.cab
{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - - CodeBase =
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/pub/sh ... wflash.cab
DirectAnimation Java Classes - - CodeBase =
Microsoft XML Parser for Java - - CodeBase =

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/24/2005 11:04:30 AM 793 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()
12/28/2005 3:26:24 PM 1661 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
2/11/2006 9:26:54 PM 735 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk ()
2/12/2005 2:58:40 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
10/31/2004 9:18:36 AM 280 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk ()
6/13/2005 9:05:42 PM 1712 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/12/2005 2:36:02 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
2/12/2005 2:58:40 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
2/12/2005 2:36:02 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Page - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Bar - http://channels.aimtoday.com/search/aimtoolbar.jsp
\\Search Page - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\_{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - = ()
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = C:\WINDOWS\SYSTEM32\BROWSEUI.DLL (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{BA52B914-B692-46c4-B683-905236F6F655} - McAfee VirusScan = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\WebBrowser\\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8200
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8193 =
\\{99EFB53C-C965-43CF-9F45-52242D134187} - 8194 =
\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8195 =
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 =
\\{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - 8198 =
\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} - 8199 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\CmdMapping - MenuText: = ()

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealOne Player\rpshell.dll (RealNetworks, Inc.)
\\{52B87208-9CCF-42C9-B88E-069281105805} - Trojan Remover Shell Extension = ()
\\{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = ()
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\{CFC7205E-2792-4378-9591-3879CC6C9022} - = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = ()
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\{CFC7205E-2792-4378-9591-3879CC6C9022} - = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe (McAfee Security)
MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe (McAfee, Inc)
MCUpdateExe - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe (McAfee, Inc)
VSOCheckTask - C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe (McAfee, Inc.)
VirusScan Online - C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc.)
OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc.)
MsmqIntCert - regsvr32 /s mqrt.dll ()
IntelliType - C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
asp4tray - asp4tray.exe ()
AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (America Online, Inc)
MSConfig - C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Weather - C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk - C:\Esm2\Stms.exe (SEIKO EPSON CORPORATION)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WINDOW~2\MpShHook.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{ACBEB740-3DDF-4DF4-BE30-5AE078A78D38} - (Realtek RTL8139 Family PCI Fast Ethernet NIC)
{DE715CB6-CB8C-4548-9BB0-B4A3BFB80F60} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000004\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000026\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000027\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000028\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000029\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000030\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\BPC - ()
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 9th, 2006, 4:54 am

Hi bnkrldy,

The analysis of the WinPFind will take a little while (to say the least). I will be back as soon as I can.

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby whisperer » September 9th, 2006, 2:13 pm

Hi bnkrldy,

My mentor requests the following adaptation of the WinPFind scan; please follow the instructions exactly.

I assume that Leanna's account has full Admin privileges?

From Leanna's account and in Normal mode...
  1. Please open WinPFind.exe.
  2. Click on Configure Scan Options.
  3. Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All.
  4. Under Run Addon's, check policies.def and click Apply.
  5. Click on the Start Scan button and wait for it to finish.
  6. Please be patient while it works.

When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that file into your next reply.

GT :thumbup:
Last edited by whisperer on September 9th, 2006, 3:04 pm, edited 1 time in total.
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 9th, 2006, 2:36 pm

here is the WinPfind.txt as requested:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/9/2006 11:35:17 AM
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Page - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dl ... r=iesearch
\\Local Page - C:\WINDOWS\SYSTEM32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{BA52B914-B692-46c4-B683-905236F6F655} - McAfee VirusScan = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\CmdMapping - MenuText: = ()

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealOne Player\rpshell.dll (RealNetworks, Inc.)
\\{52B87208-9CCF-42C9-B88E-069281105805} - Trojan Remover Shell Extension = ()
\\{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = ()
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\{CFC7205E-2792-4378-9591-3879CC6C9022} - = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = ()
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\{CFC7205E-2792-4378-9591-3879CC6C9022} - = c:\progra~1\mcafee.com\vso\mcvsshl.dll (McAfee, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
MPFExe - C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe (McAfee Security)
MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe (McAfee, Inc)
MCUpdateExe - C:\PROGRA~1\mcafee.com\agent\McUpdate.exe (McAfee, Inc)
VSOCheckTask - C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe (McAfee, Inc.)
VirusScan Online - C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc.)
OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc.)
MsmqIntCert - regsvr32 /s mqrt.dll ()
IntelliType - C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
asp4tray - asp4tray.exe ()
AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (America Online, Inc)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk - C:\Esm2\Stms.exe (SEIKO EPSON CORPORATION)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk - C:\Esm2\Stms.exe (SEIKO EPSON CORPORATION)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WINDOW~2\MpShHook.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Documents and Settings\Leanna\Desktop\Ewido\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{ACBEB740-3DDF-4DF4-BE30-5AE078A78D38} - (Realtek RTL8139 Family PCI Fast Ethernet NIC)
{DE715CB6-CB8C-4548-9BB0-B4A3BFB80F60} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000004\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000026\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000027\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000028\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000029\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000030\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\BPC - ()
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINDOWS\SYSTEM32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Attachments\\ScanWithAntiVirus - 2
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 149
policies\System\\DisableRegistryTools - 0


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am
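A reader working through a WinPFind log like the one above has to judge each autostart line by eye. The following helper is an added example (not part of WinPFind, HijackThis or this thread) that parses the `name - command (company)` lines WinPFind prints under Registry Run Keys and Startup Links, flags entries whose company field is empty (the `()` seen on `MsmqIntCert` and `asp4tray` above) or whose command is a bare file name resolved through the PATH search order, and decodes the `NoDriveTypeAutoRun` bitmask that the policies.def add-on reports as a decimal value. The sample input is constructed from lines in the same format as the log; the severity rules are this example's own heuristic, not WinPFind's.

```python
"""Triage helper for WinPFind-style autostart listings (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a Run key block and a Startup folder block in WinPFind's format.
SAMPLE_WINPFIND = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
MsmqIntCert - regsvr32 /s mqrt.dll ()
asp4tray - asp4tray.exe ()
AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (America Online, Inc)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk - C:\Esm2\Stms.exe (SEIKO EPSON CORPORATION)
"""

# "<name> - <command> (<company>)"  and, for files with no target, "<name> (<company>)"
WITH_COMMAND = re.compile(r"^(?P<name>.+?) - (?P<command>.*?) \((?P<company>.*)\)$")
NAME_ONLY = re.compile(r"^(?P<name>.+?) \((?P<company>.*)\)$")


@dataclass
class AutostartEntry:
    key: str        # registry key or shell folder the entry was listed under
    name: str       # value name, or the .lnk / file path for Startup folders
    command: str    # launched program, empty if WinPFind printed none
    company: str    # publisher from the file's version info, empty if none

    @property
    def has_absolute_path(self) -> bool:
        # Drive-letter or %ENV%-rooted paths do not depend on the PATH search order.
        return bool(re.match(r"^[A-Za-z]:\\", self.command)) or self.command.startswith("%")


def parse_winpfind(text: str) -> list:
    """Parse WinPFind autostart lines into AutostartEntry records."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = WITH_COMMAND.match(line) or NAME_ONLY.match(line)
        if m:
            d = m.groupdict()
            entries.append(AutostartEntry(key, d["name"], d.get("command", ""), d["company"]))
    return entries


def needs_review(entry: AutostartEntry) -> list:
    """Return the reasons (possibly none) an analyst should look at this entry."""
    reasons = []
    if entry.name.lower().endswith("desktop.ini"):
        return reasons                      # folder metadata, not launched at logon
    if not entry.company:
        reasons.append("no company/version info (WinPFind printed '()')")
    if not entry.command:
        reasons.append("no target path recorded")
    elif not entry.has_absolute_path:
        reasons.append("bare file name, located via the PATH search order")
    return reasons


# NoDriveTypeAutoRun: a SET bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "RESERVED",
}


def decode_no_drive_type_autorun(value: int) -> list:
    """List the drive types for which AutoRun is disabled by this policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


if __name__ == "__main__":
    for e in parse_winpfind(SAMPLE_WINPFIND):
        for reason in needs_review(e):
            print(f"REVIEW {e.name}: {reason}")
    # 149 (0x95) is the value the log above reports for the current user.
    print("AutoRun disabled for:", decode_no_drive_type_autorun(149))
```

The decimal 149 the log shows for `NoDriveTypeAutoRun` is 0x95: AutoRun is off for unknown, removable and network drives but still on for fixed and CD-ROM drives, which is the Windows XP default rather than a hardened setting (0xFF, decimal 255, disables it for every drive type).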

Unread postby whisperer » September 9th, 2006, 3:09 pm

Please confirm that Leanna does have Admin privileges

GT :)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 9th, 2006, 4:15 pm

Yes, Leanna does have Admin privileges. When I set up Win XP PRO, I gave all three names Admin privileges. BUT, when I am in SafeMode, I only see access to Gale or Admin.
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 10th, 2006, 4:44 pm

Hi bnkrldy,

More investigation but we are making progress in that nothing in the WinPFind shows a problem on your Leanna account.

Please download Gmer and save it somewhere that you can access from the Leanna account.

Switch to the Leanna account and click to open the Gmer.zip file and extract it to your Desktop.

Disconnect from the internet and close running programs.

There is a small chance this application may crash your computer so save any work you have open.

Double click gmer.exe.

Let the gmer.sys driver load if asked.

If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK.

If there is no warning, click the Rootkit tab and click Scan.

Wait for scan to finish.
Once done click the Copy button.
Open Notepad and hit Ctrl+V to paste the log. Save the file for posting here.

Next ...

Click the Autostart tab, then the Scan button. Once it's done, click the Copy button and paste it into a new Notepad document. Save that document for posting here.

Close Gmer.


Run HijackThis and click on Open the Misc Tools Section.
Click on Open ADS Spy.
Uncheck "Quick Scan".
Check "Ignore safe system info data streams".
Finally, click the Scan button. ADS Spy will scan the system and report all the ADS present on the system.
Click Save log and post the ADS log back here.

Reconnect to the internet and post the 2 Gmer logs and the ADS Spy log.
GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby bnkrldy » September 10th, 2006, 7:05 pm

I am unable to open the Gmer app. If I double click, the system crashes. If I left click and choose "run as", a warning comes up: "running Gmer's driver version is incompatible with the currently running Gmer app. You need to stop the driver with the command 'net stop Gmer' or restart computer". When I click OK, another warning: "system\current control set\services\Gmer: the handle is invalid". When I click OK, it opens, then a request to send the error to Microsoft appears, then it closes itself. I tried running it in Safe Mode, and from the C directory.

As for the ADS log, it only gave the message "Alternate Data Streams are only possible on NTFS systems" and would not scan.
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 11th, 2006, 4:47 am

Seeking advice about the Gmer situation.

Do you have Windows installed on a FAT32 format? (Right-click the OS directory - usually the C drive - and select Properties. On the General tab you can see the File System) GT :)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby whisperer » September 11th, 2006, 3:19 pm

Hi bnkrldy,

This one is proving to be a little stubborn! :) For interest, gmer will not 'run as'. I assume that you succeeded in extracting the gmer.exe file to your Desktop. It is imperative that NOTHING else is open when you open the gmer.exe file. You could try a right-click and select Open in the drop-down menu. If that still fails, you could try going back to Gale's account, re-extracting the file to that desktop and running it from there. It is really a step up from HijackThis and will find things that the current version of HijackThis cannot. If that succeeds, then do annotate your reply as to which account you succeeded in running gmer.exe from.

Regardless of the outcome of your efforts with gmer, we will try another scanner, so please run a RootkitRevealer scan.

  1. Download RootkitRevealer from here and save to the Desktop
    1. Right-click the RootkitRevealer.zip file and choose Extract
    2. In the new dialogue box, at the top, type C:\RKR and click the Extract button
    3. Open Leanna's account and with all other windows closed, navigate to the C:\RKR directory and double-click RootkitRevealer.exe
    4. You may get a warning from your protection systems that a new service is being installed; this will have a random name, and is generated by RootkitRevealer. Allow it please.
    5. Click Scan
    6. Once the scan is complete, click File -> Save... and save the log to your Desktop as rkr.txt
  2. Post the rkr.txt file as a reply here.


I would like to try and determine which file was supposed to be infected with HIJACKER.COSTRAT.E. Please open Ewido, click on the Infections icon at the top and, in the Quarantine tab, see if you can find which entry has been flagged as infected with HIJACKER.COSTRAT.E.

If you can find it then please copy the full path to that file, there may be more than one!

Please advise the outcome, the method used and the account for gmer.exe. Please post the rkr.txt file and, hopefully, the path of the infected file(s).

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
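RootkitRevealer reports every difference it finds between what the Windows API returns and what it reads directly from the file system and registry hives, and most of those lines are not rootkit activity. The helper below is an added example (not Sysinternals code and not part of this thread) that parses the `path  timestamp  size  description` lines of a RootkitRevealer report and ranks them: "Hidden from Windows API" is the discrepancy the tool exists to surface, while files that were written during the scan (browser cookies are the usual case) and registry values the Win32 API re-encodes routinely produce the other two descriptions. The sample lines are constructed in the report's format with placeholder paths, and the severity mapping is this example's own heuristic.

```python
"""Triage helper for RootkitRevealer reports (added example)."""
import re
from collections import Counter

# Constructed sample shaped like a report pasted from the RootkitRevealer GUI
# (tab-separated fields flattened to spaces).  EXAMPLE_HIDDEN is a placeholder name.
SAMPLE_RKR_LOG = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 3/28/2005 4:42 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\User\Cookies\user@example[1].txt 9/11/2006 5:33 PM 107 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\EXAMPLE_HIDDEN.sys 9/11/2006 5:40 PM 24.50 KB Hidden from Windows API.
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE_HIDDEN 9/11/2006 5:40 PM 0 bytes Hidden from Windows API.
"""

RKR_LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) "
    r"(?P<desc>.+)$"
)

# Heuristic ranking (this example's, not Sysinternals'): objects hidden from the
# API are the rootkit indicator; the other two descriptions are routinely produced
# by files created while the scan ran and by API-normalised registry data.
SEVERITY = {
    "Hidden from Windows API.": "high",
    "Data mismatch between Windows API and raw hive data.": "medium",
    "Visible in Windows API, but not in MFT or directory index.": "low",
}

REGISTRY_ROOT = re.compile(r"^HK(LM|CU|U|CR|CC)\\")


def parse_rkr(text: str) -> list:
    """Parse report lines into dicts with path, stamp, size, desc, kind, severity."""
    rows = []
    for line in text.splitlines():
        m = RKR_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["kind"] = "registry" if REGISTRY_ROOT.match(d["path"]) else "file"
        d["severity"] = SEVERITY.get(d["desc"], "unknown")
        rows.append(d)
    return rows


def summarize(rows: list):
    """Count findings per severity and return the paths to review first."""
    counts = Counter(r["severity"] for r in rows)
    high = [r["path"] for r in rows if r["severity"] == "high"]
    return counts, high


if __name__ == "__main__":
    rows = parse_rkr(SAMPLE_RKR_LOG)
    counts, high = summarize(rows)
    print(dict(counts))
    for path in high:
        print("REVIEW FIRST:", path)
```

A timestamp equal to the scan time on a "Visible in Windows API, but not in MFT or directory index" line is the usual sign of a file written while the scan ran; a "Hidden from Windows API" line on a driver file paired with one on its `Services` key is the pattern that justifies the second-opinion scanners requested in this thread.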

Unread postby bnkrldy » September 11th, 2006, 9:19 pm

To answer your earlier post, I am running FAT32 on my system.

The Gmer app just will not run on my machine. I closed out all programs, disconnected from the Internet, tried to run from the desktop of all 3 names, did the left click then click Open, all to no avail. It kept crashing.

As for Ewido, I did not save the information from the scan that picked up Hijacker.Costrat.e. SORRY!!!!! =(

Lastly, I had to run RootKitRevealer from Gale, it would not open from Leanna. When I tried to open from Leanna, I got this message: "Unable to install RootKit Revealer service. Access is denied".
Here is that log:

HKLM\SOFTWARE\Classes\webcal\URL Protocol 3/28/2005 4:42 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Gale\Cookies\gale@aol[2].txt 9/11/2006 5:33 PM 107 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@atwola[1].txt 9/11/2006 5:32 PM 98 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@check[1].txt 9/11/2006 5:27 PM 88 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@comcast[1].txt 9/11/2006 5:38 PM 340 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@cp[1].txt 9/11/2006 5:27 PM 64 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@forum.malwareremoval[2].txt 9/11/2006 4:43 PM 182 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@lmu[2].txt 9/11/2006 5:27 PM 66 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@manegate.lmu[1].txt 9/11/2006 5:27 PM 76 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@mcafee[2].txt 9/11/2006 4:30 PM 122 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@my.screenname.aol[1].txt 9/11/2006 5:33 PM 322 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@serviceh.comcast[2].txt 9/11/2006 5:38 PM 432 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@webmail-vmd.webmail.aol[1].txt 9/11/2006 5:31 PM 89 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@webmail.aol[2].txt 9/11/2006 5:33 PM 168 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@wellsfargo[2].txt 9/11/2006 5:25 PM 184 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Cookies\gale@www.comcast[2].txt 9/11/2006 4:43 PM 153 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Desktop\gmer.exe 6/6/2006 8:49 PM 728.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Desktop\gmer.zip 9/11/2006 4:32 PM 279.99 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Cookies 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Cookies\index.dat 9/11/2006 4:42 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\History 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\History\History.IE5 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\History\History.IE5\desktop.ini 9/11/2006 4:40 PM 113 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\History\History.IE5\index.dat 9/11/2006 4:42 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\mcu5.tmp 9/11/2006 4:31 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\mcu5.tmp\UpdReq.mcaf 9/11/2006 4:31 PM 1.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\mcu5.tmp\UpdResp.mcaf 9/11/2006 4:31 PM 795 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\mcu5.tmp\vso 9/11/2006 4:31 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\mcu5.tmp\vso\48484849.upm 9/11/2006 4:31 PM 28.79 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\mcu5.tmp\vso\mcdelta.ini 9/11/2006 4:31 PM 997 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\21S5MV2D 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\21S5MV2D\desktop.ini 9/11/2006 4:40 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\72RVKE95 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\72RVKE95\desktop.ini 9/11/2006 4:40 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini 9/11/2006 4:40 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat 9/11/2006 4:42 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q9KZCFM1 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q9KZCFM1\desktop.ini 9/11/2006 4:40 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\QDYZIBER 9/11/2006 4:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\Temporary Internet Files\Content.IE5\QDYZIBER\desktop.ini 9/11/2006 4:40 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temp\TWAIN.LOG 9/11/2006 6:04 PM 4.20 KB Hidden from Windows API.
C:\Documents and Settings\Gale\Local Settings\Temp\Twain001.Mtx 9/11/2006 6:04 PM 2 bytes Hidden from Windows API.
C:\Documents and Settings\Gale\Local Settings\Temp\Twunk001.MTX 9/11/2006 6:04 PM 156 bytes Hidden from Windows API.
C:\Documents and Settings\Gale\Local Settings\Temp\Twunk002.MTX 9/11/2006 6:04 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Gale\Local Settings\Temp\wzs8.tmp 9/11/2006 4:33 PM 48 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\001[1].css 9/11/2006 5:38 PM 57.96 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\001[2].css 9/11/2006 5:38 PM 52.47 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\190729534@Right[1].js 9/11/2006 5:38 PM 1.45 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\asset-67206[1].jpg 9/11/2006 5:38 PM 11.48 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\br-10574[1].jpg 9/11/2006 5:38 PM 6.80 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\bullets[1].gif 9/11/2006 5:38 PM 138 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\files[1].htm 9/11/2006 5:38 PM 6.51 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\global[1].js 9/11/2006 5:38 PM 67.11 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\hb_main_new[1].js 9/11/2006 5:38 PM 13.99 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\home[1].xml 9/11/2006 5:38 PM 48.37 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\index[1].htm 9/11/2006 5:38 PM 603 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\index[1].js 9/11/2006 5:38 PM 6.02 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\net1[1].jpg 9/11/2006 5:39 PM 3.97 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\process1[1].jpg 9/11/2006 5:39 PM 4.35 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\search[1].css 9/11/2006 5:38 PM 14.19 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\012RSHIJ\UrlGenerator[1].js 9/11/2006 5:38 PM 20.74 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\112423613@Top3[1].js 9/11/2006 5:38 PM 419 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\asset-74573[1].jpg 9/11/2006 5:38 PM 9.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\br-10487[1].jpg 9/11/2006 5:38 PM 31.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\comcast[1].htm 9/11/2006 5:38 PM 6.99 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\file1[1].jpg 9/11/2006 5:39 PM 3.95 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\flash_detection[1].js 9/11/2006 5:38 PM 7.25 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\fsrFunctions[1].js 9/11/2006 5:38 PM 7.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\fsrParams[1].js 9/11/2006 5:38 PM 3.04 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\go[1].gif 9/11/2006 5:38 PM 440 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\header_c_001[1].js 9/11/2006 5:38 PM 72.36 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\home[1].htm 9/11/2006 5:38 PM 35.13 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\index[1].htm 9/11/2006 5:38 PM 1.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\nav2[1].gif 9/11/2006 5:38 PM 5.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\search.comcast[1].htm 9/11/2006 5:38 PM 16.87 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\signin[1].gif 9/11/2006 5:38 PM 473 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\130678806@Top3[1].js 9/11/2006 5:39 PM 420 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\160x600_US_Recipes_gif_fall06[1].gif 9/11/2006 5:38 PM 17.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\ad-bg[1].gif 9/11/2006 5:38 PM 725 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\asset-12048[1].gif 9/11/2006 5:38 PM 2.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\asset-2485[1].jpg 9/11/2006 5:38 PM 22.81 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\checkNetwork[1].js 9/11/2006 5:38 PM 674 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\comcast_services[1].gif 9/11/2006 5:38 PM 1.43 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\CoverSA[1].swf 9/11/2006 5:38 PM 77.24 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\explore2[1].gif 9/11/2006 5:38 PM 10.83 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\global[1].css 9/11/2006 5:38 PM 49.12 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\gmer1[1].jpg 9/11/2006 5:39 PM 9.40 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\home[1].css 9/11/2006 5:38 PM 5.47 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\index[1].htm 9/11/2006 5:38 PM 1.14 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\lib1[1].jpg 9/11/2006 5:39 PM 3.83 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\search[1].gif 9/11/2006 5:38 PM 1.59 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\JTFTUSVP\topsearch2[1].gif 9/11/2006 5:38 PM 346 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\ad[1].gif 9/11/2006 5:38 PM 164 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\asset-26448[1].gif 9/11/2006 5:38 PM 15.22 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\asset-6042[1].jpg 9/11/2006 5:38 PM 6.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\br-10486[1].jpg 9/11/2006 5:38 PM 5.48 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\br-62642[1].jpg 9/11/2006 5:38 PM 4.58 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\fsrParams[1].js 9/11/2006 5:38 PM 3.10 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\hbx[1].js 9/11/2006 5:38 PM 16.12 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\header_c_001[1].js 9/11/2006 5:38 PM 86.59 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\header_c_002[1].js 9/11/2006 5:38 PM 73.87 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\index[1].js 9/11/2006 5:38 PM 13.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\reg1[1].jpg 9/11/2006 5:39 PM 4.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\rootkit1[1].jpg 9/11/2006 5:39 PM 8.90 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\search_nubby[1].gif 9/11/2006 5:38 PM 212 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\searchToolBar[1].gif 9/11/2006 5:38 PM 12.71 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Gale\Local Settings\Temporary Internet Files\Content.IE5\W1UVKLMR\topsearch[1].gif 9/11/2006 5:38 PM 430 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log 9/11/2006 5:28 PM 582 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{B18D442F-836D-4BF0-95C5-54395E937425}\RP14\A0017026.INI 9/11/2006 4:39 PM 65 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B18D442F-836D-4BF0-95C5-54395E937425}\RP14\A0017027.exe 6/6/2006 8:49 PM 728.06 KB Hidden from Windows API.
C:\System Volume Information\_restore{B18D442F-836D-4BF0-95C5-54395E937425}\RP14\A0017028.ini 3/1/2006 10:19 AM 1.43 KB Hidden from Windows API.
C:\System Volume Information\_restore{B18D442F-836D-4BF0-95C5-54395E937425}\RP14\A0017029.ini 10/15/1999 10:49 AM 1.22 KB Hidden from Windows API.
C:\System Volume Information\_restore{B18D442F-836D-4BF0-95C5-54395E937425}\RP14\A0017030.ini 3/1/2006 10:18 AM 8.08 KB Hidden from Windows API.
C:\System Volume Information\CATALOG.WCI\00010002.CI 9/11/2006 6:12 PM 8.36 MB Hidden from Windows API.
C:\System Volume Information\CATALOG.WCI\00010002.DIR 9/11/2006 6:12 PM 43.67 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010003.ci 9/11/2006 5:08 PM 148.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010003.dir 9/11/2006 5:08 PM 1.14 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010004.ci 9/11/2006 5:08 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010004.dir 9/11/2006 5:08 PM 635 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010005.ci 9/11/2006 5:09 PM 36.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010005.dir 9/11/2006 5:09 PM 522 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010006.ci 9/11/2006 5:10 PM 28.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010006.dir 9/11/2006 5:10 PM 472 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010008.ci 9/11/2006 4:26 PM 7.27 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010008.dir 9/11/2006 4:26 PM 37.21 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010009.ci 9/11/2006 5:11 PM 132.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010009.dir 9/11/2006 5:11 PM 1.15 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000A.ci 9/11/2006 5:12 PM 68.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000A.dir 9/11/2006 5:12 PM 706 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000B.ci 9/11/2006 5:22 PM 36.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000B.dir 9/11/2006 5:22 PM 480 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000C.ci 9/11/2006 5:23 PM 100.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000C.dir 9/11/2006 5:23 PM 950 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000E.ci 9/11/2006 5:24 PM 136.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000E.dir 9/11/2006 5:24 PM 1.17 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000F.ci 9/11/2006 5:43 PM 36.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000F.dir 9/11/2006 5:43 PM 468 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010010.ci 9/11/2006 5:43 PM 36.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010010.dir 9/11/2006 5:43 PM 496 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010013.ci 9/11/2006 4:58 PM 408.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010013.dir 9/11/2006 4:58 PM 2.65 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010019.ci 9/11/2006 6:08 PM 868.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010019.dir 9/11/2006 6:08 PM 5.45 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001001A.ci 9/11/2006 5:05 PM 1.18 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001001A.dir 9/11/2006 5:05 PM 7.06 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.000 9/11/2006 6:08 PM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 9/11/2006 6:08 PM 512.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 9/11/2006 6:08 PM 512.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\CATALOG.WCI\CiFLfffd.000 9/11/2006 6:12 PM 240 bytes Hidden from Windows API.
C:\System Volume Information\CATALOG.WCI\CiFLfffd.001 9/11/2006 6:12 PM 512.00 KB Hidden from Windows API.
C:\System Volume Information\CATALOG.WCI\CiFLfffd.002 9/11/2006 6:12 PM 512.00 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\AC.EXE-184898FC.pf 9/11/2006 5:08 PM 9.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ADOBE GAMMA LOADER.EXE-1DBD7BA3.pf 9/11/2006 4:39 PM 6.29 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AOLDIAL.EXE-13C23121.pf 9/11/2006 4:29 PM 3.90 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AOLTRAY.EXE-14A53A74.pf 9/11/2006 4:29 PM 9.72 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\BGWF.EXE-03563930.pf 9/11/2006 5:08 PM 9.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\BYVCH.EXE-0375E47E.pf 9/11/2006 5:07 PM 10.66 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CHCP.COM-18156052.pf 9/11/2006 5:43 PM 4.93 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CIDAEMON.EXE-27AE97A4.pf 9/11/2006 4:44 PM 22.88 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 9/11/2006 5:43 PM 12.42 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CSRSS.EXE-12B63473.pf 9/11/2006 4:46 PM 23.63 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DIAGZ.EXE-35D7F262.pf 9/11/2006 5:12 PM 9.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DLLHOST.EXE-2FBB8F00.pf 9/11/2006 4:39 PM 18.12 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DMADMIN.EXE-00BCB146.pf 9/11/2006 4:39 PM 11.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf 9/11/2006 4:42 PM 23.25 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf 9/11/2006 4:42 PM 29.76 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\EBRR.EXE-2F9E9ABE.pf 9/11/2006 4:39 PM 18.48 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\EWIDO.EXE-26DF1210.pf 9/11/2006 4:47 PM 16.13 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf 9/11/2006 5:09 PM 45.37 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\GMER.EXE-16B2E7F9.pf 9/11/2006 4:42 PM 26.70 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf 9/11/2006 5:10 PM 43.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HPQTRA08.EXE-17E37E7E.pf 9/11/2006 4:29 PM 4.58 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HPWUSCHD2.EXE-02F6D2DD.pf 9/11/2006 4:29 PM 7.75 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf 9/11/2006 5:38 PM 111.73 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf 9/11/2006 4:39 PM 15.69 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\INETINFO.EXE-04CDB6D9.pf 9/11/2006 4:39 PM 15.80 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf 9/11/2006 5:29 PM 70.16 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCAGENT.EXE-168D195B.pf 9/11/2006 4:42 PM 16.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCINFO.EXE-35A0A279.pf 9/11/2006 4:32 PM 35.49 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCINSUPD.EXE-2AF4B93F.pf 9/11/2006 4:31 PM 36.72 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCMNHDLR.EXE-1D1F2FA0.pf 9/11/2006 4:28 PM 8.68 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCSHIELD.EXE-1E42372E.pf 9/11/2006 4:39 PM 9.25 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCUPDATE.EXE-2A2835B2.pf 9/11/2006 4:32 PM 38.66 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCUPDMGR.EXE-21452C82.pf 9/11/2006 4:31 PM 23.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCUPDUI.EXE-273AE1BA.pf 9/11/2006 4:31 PM 17.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCVSESCN.EXE-00F61003.pf 9/11/2006 4:29 PM 17.18 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCVSMAP.EXE-155ED7D3.pf 9/11/2006 4:32 PM 17.37 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MCVSSHLD.EXE-251E55A0.pf 9/11/2006 4:28 PM 8.22 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPCMDRUN.EXE-1F9D1CA1.pf 9/11/2006 5:01 PM 22.89 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPFAGENT.EXE-0E966950.pf 9/11/2006 4:42 PM 28.12 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPFSERVICE.EXE-1480E3A3.pf 9/11/2006 4:39 PM 14.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPFTRAY.EXE-12E089C1.pf 9/11/2006 4:28 PM 9.83 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPFWIZARD.EXE-16F0BE7A.pf 9/11/2006 4:42 PM 10.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MQSVC.EXE-08588470.pf 9/11/2006 4:39 PM 2.31 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MQTGSVC.EXE-3797CD60.pf 9/11/2006 4:40 PM 45.49 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSASCUI.EXE-08BEC8D8.pf 9/11/2006 4:28 PM 8.37 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MTNOK.EXE-0A399777.pf 9/11/2006 5:11 PM 9.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf 9/11/2006 5:08 PM 11.98 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf 9/11/2006 4:39 PM 321.43 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\OASCLNT.EXE-3B482479.pf 9/11/2006 4:39 PM 8.91 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\OWZTP.EXE-373DE895.pf 9/11/2006 5:09 PM 9.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PAPRPORT.EXE-17AF5244.pf 9/11/2006 6:04 PM 28.22 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\PPLINKS.EXE-1D3BC7E3.pf 9/11/2006 6:04 PM 18.57 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\PPSCANMG.EXE-2CEB49ED.pf 9/11/2006 6:04 PM 32.99 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf 9/11/2006 4:39 PM 9.05 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf 9/11/2006 4:28 PM 10.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-09860847.pf 9/11/2006 5:12 PM 31.05 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-34A693FD.pf 9/11/2006 5:08 PM 36.93 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf 9/11/2006 4:47 PM 28.98 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SNMP.EXE-0E0E1166.pf 9/11/2006 4:39 PM 26.86 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SSSTARS.SCR-2D6FC20D.pf 9/11/2006 5:12 PM 9.49 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\STMS.EXE-08030B4B.pf 9/11/2006 4:29 PM 768 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf 9/11/2006 4:42 PM 49.35 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\TCPSVCS.EXE-05847ECC.pf 9/11/2006 4:39 PM 37.13 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\TYIKJUH.EXE-27804E10.pf 9/11/2006 5:12 PM 9.82 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\TYPE32.EXE-281B80FA.pf 9/11/2006 4:29 PM 8.76 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\UPS.EXE-32E3119D.pf 9/11/2006 4:39 PM 16.10 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf 9/11/2006 4:46 PM 30.44 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf 9/11/2006 5:27 PM 15.98 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\VSSVC.EXE-0F74375A.pf 9/11/2006 4:39 PM 4.52 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WDFMGR.EXE-2CF4013B.pf 9/11/2006 4:39 PM 6.85 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WEATHER.EXE-0CF25899.pf 9/11/2006 4:29 PM 5.43 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WGATRAY.EXE-0ED38BED.pf 9/11/2006 4:46 PM 28.09 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf 9/11/2006 4:46 PM 30.18 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf 9/11/2006 5:00 PM 74.14 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf 9/11/2006 5:00 PM 34.13 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Cookies 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Cookies\index.dat 9/11/2006 5:04 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\DIAGZ.exe 9/11/2006 5:11 PM 392.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\History 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\History\History.IE5 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\History\History.IE5\desktop.ini 9/11/2006 4:19 PM 113 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\History\History.IE5\index.dat 9/11/2006 5:04 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\MpCmdRun.log 9/11/2006 5:01 PM 701 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\OTMNM.exe 9/11/2006 5:10 PM 344.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\3ZTN4VQ0 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\3ZTN4VQ0\desktop.ini 9/11/2006 4:19 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini 9/11/2006 4:19 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat 9/11/2006 5:04 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\O923WHA3 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\O923WHA3\desktop.ini 9/11/2006 4:19 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\S09QZ9NA 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\S09QZ9NA\desktop.ini 9/11/2006 4:19 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\U8BXQ6KF 9/11/2006 4:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\U8BXQ6KF\desktop.ini 9/11/2006 4:19 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\VXFJMVWIGVEE.exe 9/11/2006 5:08 PM 412.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\WGAErrLog.txt 9/11/2006 5:29 PM 255 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\TEMP\WGANotify.settings 9/11/2006 4:47 PM 409 bytes Visible in Windows API, but not in MFT or directory index.
bnkrldy
Regular Member
 
Posts: 35
Joined: July 8th, 2006, 1:43 am

Unread postby whisperer » September 12th, 2006, 3:46 am

As I said before – stubborn. Whilst I am looking at the RKR file, see if you can run this one from any of the accounts, preferably Leanna's.

Download Silentrunners.zip from here and save it to your Desktop.
  1. First you will need to extract the file(s).
    • Right click on the zipped folder and from the new menu click on Extract All
    • In the 'Extraction Wizard' window that opens, click on Next
    • Click on Next again.
    • In the final window, click on Finish
    • You should now see the contents of the Silent Runners folder - Silent Runners.vbs.
  2. Double click Silent Runners.vbs to run it.
    IMPORTANT
    Some real-time protection programs may warn you of a possibly malicious script being detected when you run Silent Runners.vbs; allow it to run. Alternatively, disable any script blocking software you have running before you start.
  3. You will receive a prompt: Do you want to skip supplementary searches? - click NO
  4. Once the All Done! prompt flashes up, open the Startup Program text file that has appeared in the folder and copy & paste it into your next reply.

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby whisperer » September 12th, 2006, 3:01 pm

Hi again,

This is in addition to the SilentRunner post above, starting with some questions.

Do you have a Visioneer scanner, or have you had one in the past, and do you use PaperPort software – questions, questions, questions. :) There are 3 files normally associated with Visioneer scanners that are currently hidden from Windows, so I am going to ask you to submit these 3 files to two agencies who will scan the files and advise whether anything untoward is hidden therein. We can do this investigation from Gale's account as it was there that RKR found these files.

First I need you to ensure that any hidden and system files are visible to the system.
  1. Select the Start button and from the available options
  2. Right-click the My Computer option.
  3. Select Explore from the drop-down menu
  4. Select the Tools menu and click Folder Options from the new window.
  5. Select the View Tab.
  6. Under the Hidden files and folders heading select Show hidden files and folders by clicking in the check-box to its left
  7. Remove the check against Hide protected operating system files (recommended) option, again by clicking the check-box to its left.
  8. Click Yes to confirm.
  9. Click OK.
  10. Windows does not search for hidden or system files by default, so
    • Click the Start button and select Search choosing For Files or Folders
    • From the dialogue box select All files and folders and at the bottom select More Advanced Options
    • Place selection ticks in the check-boxes for
      • Search system folders
      • Search hidden files and folders
      • Search subfolders
  11. Close the search dialogue box

The path of the three files in question is C:\WINDOWS\Prefetch\ and the files are
  • PAPRPORT.EXE
  • PPLINKS.EXE
  • PPSCANMG.EXE
Please upload each file to the following agencies for detailed analysis.
  1. First I would like you to upload the file to the Jotti web site.
    • Click on the Browse button and navigate to the C:\WINDOWS\Prefetch directory
    • Locate the first file and click to select
    • Click the Submit button
    • You may have to try more than once if the service load is close to 100% but you will get an online answer
    • Please copy the response and post in your next reply
    • Repeat the sequence for the other two files.
  2. Now repeat the upload to the VirusTotal site.
    • Click the Browse button, navigate to the first file and click to select.
    • Click the Send icon
    • This time you will receive an email response
    • As before repeat the sequence for the other two files.
    • Please copy the contents of the emails and place in your next reply

GT :thumbup:
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
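The RootkitRevealer lines above have a fixed shape (path, date, time, size, discrepancy description), and the post picks out the three entries reported as "Hidden from Windows API" for scanning. The following Python is an added example, not part of the thread or of RootkitRevealer itself: it parses lines in that format, groups them by discrepancy type, lists the entries the Windows API could not see, and maps a Prefetch trace name back to the program that produced it. The sample log is constructed from five of the lines posted above.

```python
import re
from collections import defaultdict

# RootkitRevealer prints one discrepancy per line:
#   <path> <date> <time> <size> <description>
# Paths may contain spaces, so the date field is used as the separator.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)
# Prefetch trace file names look like NAME.EXE-XXXXXXXX.pf
PF_RE = re.compile(r"^(?P<exe>[^\\]+)-[0-9A-F]{8}\.pf$", re.I)

# Constructed sample: five lines copied from the log posted in this thread.
SAMPLE_LOG = """\
C:\\WINDOWS\\Prefetch\\PAPRPORT.EXE-17AF5244.pf 9/11/2006 6:04 PM 28.22 KB Hidden from Windows API.
C:\\WINDOWS\\Prefetch\\PPLINKS.EXE-1D3BC7E3.pf 9/11/2006 6:04 PM 18.57 KB Hidden from Windows API.
C:\\WINDOWS\\Prefetch\\PPSCANMG.EXE-2CEB49ED.pf 9/11/2006 6:04 PM 32.99 KB Hidden from Windows API.
C:\\WINDOWS\\Prefetch\\STMS.EXE-08030B4B.pf 9/11/2006 4:29 PM 768 bytes Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\TEMP\\Temporary Internet Files\\Content.IE5\\index.dat 9/11/2006 5:04 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
"""

def parse_rkr(text):
    """Return one dict per discrepancy line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def group_by_discrepancy(entries):
    """Map each RKR description to the list of paths that reported it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["desc"].rstrip(".")].append(e["path"])
    return dict(groups)

def hidden_from_api(entries):
    """Paths the Windows API could not see at all: the entries the post asks
    to have scanned, as opposed to the API-only ones, which RootkitRevealer
    also reports for files written while its scan was running."""
    return [e["path"] for e in entries if e["desc"].startswith("Hidden from Windows API")]

def prefetch_origin(path):
    """For a Prefetch trace NAME.EXE-XXXXXXXX.pf return NAME.EXE, the program
    whose launch produced it; the .pf file is a trace, not the program."""
    m = PF_RE.match(path.rsplit("\\", 1)[-1])
    return m.group("exe").upper() if m else None

if __name__ == "__main__":
    entries = parse_rkr(SAMPLE_LOG)
    for desc, paths in group_by_discrepancy(entries).items():
        print(f"{len(paths):3d}  {desc}")
    for p in hidden_from_api(entries):
        print("scan:", p, "(trace of", prefetch_origin(p), ")")
```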