NEW HERE _ CHECK MY LOG OUT? thx [CLOSED]


#1
kjt817

hey all, first time here - just learning about all this

here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:04:11 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kyle Trinward\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoponkyo...&subcat=Systems
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.111.231.6...sCamControl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#2
tampabelle

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shoponkyo...&subcat=Systems
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Common Toolbar

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\PROGRA~1\COMMON~2\ADDRES~1
C:\PROGRA~1\tqvxrvtq


Files
aolmsngr.exe

(Search for this file using the Windows Search function)


Clear out the files in the Prefetch folder. Go to Start > Run > type Prefetch into the box. It will open the Prefetch folder. Delete all the files in that folder. Don't delete the folder, only the files in it!!!


Reboot the PC in Normal Mode.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

#3
kjt817

NEW HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:40 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kyle Trinward\Desktop\malwareX\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.111.231.6...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe




PANDA SCAN REPORT:


Incident Status Location

Spyware:Spyware/CommonName No disinfected C:\Documents and Settings\Kyle Trinward\Desktop\hijackthis\backups\backup-20050826-201445-152.dll
Spyware:Spyware/CommonName No disinfected C:\Documents and Settings\Kyle Trinward\Desktop\hijackthis\backups\backup-20050826-201620-840.dll
Spyware:Spyware/CommonName No disinfected C:\Program Files\AVPersonal\INFECTED\A0037808.DLL.VIR
Adware:Adware/IALink No disinfected C:\Program Files\AVPersonal\INFECTED\A0039189.EXE.VIR
Virus:Trj/Imiserv.F Disinfected C:\Program Files\AVPersonal\INFECTED\A0039190.EXE.VIR
Virus:Trj/Downloader.AN Disinfected C:\Program Files\AVPersonal\INFECTED\BRIDGE.EXE.VIR
Spyware:Spyware/CommonName No disinfected C:\Program Files\AVPersonal\INFECTED\GOWCFGBN.DLL.VIR
Spyware:Spyware/CommonName No disinfected C:\Program Files\tqvxrvtq\cnml.exe
Spyware:Spyware/CommonName No disinfected C:\Program Files\vqotxr\uxqouw.exe
Spyware:Spyware/CommonName No disinfected C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0056009.exe
Spyware:Spyware/CommonName No disinfected C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0056010.exe
Hacktool:Hacktool/Rootkit.M No disinfected C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0057254.SYS
Spyware:Spyware/CommonName No disinfected C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0057255.dll
Spyware:Spyware/CommonName No disinfected C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0057257.exe
Spyware:Spyware/CommonName No disinfected C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0057259.exe
Adware:Adware/BlazeFind No disinfected C:\WINDOWS\bar.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\biprep.exe
Adware:adware/gator No disinfected C:\WINDOWS\GatorPatch.log
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\bi.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Key2.txt
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\mxTarget.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\preInsMt.exe
Hacktool:Hacktool/Rootkit.M No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys
Adware:adware/talkstocks No disinfected C:\WINDOWS\SYSTEM32\mstbl.ocx
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM32\ssurf022.dll
Spyware:spyware/commonname No disinfected C:\WINDOWS\SYSTEM32\winnet.ini

Also - I was unable to delete 2 files in the c:\progra~1\tqvxrvtq folder:

"cnml.exe" and "profile.dat"


suggestions?

Thanks for your help

#4
tampabelle

Hi

We will get this infection in Safe Mode.


Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program Files\tqvxrvtq <----- Full folder

C:\WINDOWS\bar.exe
C:\WINDOWS\biprep.exe
C:\WINDOWS\GatorPatch.log
C:\WINDOWS\INF\bi.inf
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\Key2.txt
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\preInsMt.exe
C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys
C:\WINDOWS\SYSTEM32\mstbl.ocx
C:\WINDOWS\SYSTEM32\ssurf022.dll
C:\WINDOWS\SYSTEM32\winnet.ini



Reboot the PC in Normal Mode.

Post a fresh HJT log.

Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

#5
kjt817

c:\win\sys32\drivers\winik.sys will not go away - ad aware, antivir etc. all won't touch it, neither will manually deleting it?? ugh....


here's a new hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:46 AM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\Kyle Trinward\Desktop\malwareX\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.111.231.6...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


and the RootkitRevealer log:

C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\01[1].htm 8/27/2005 10:30 AM 8.45 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\01[2].htm 8/27/2005 10:30 AM 8.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\biggrin[1].gif 8/27/2005 10:34 AM 696 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\cool[1].gif 8/27/2005 10:34 AM 696 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\happy[1].gif 8/27/2005 10:34 AM 699 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\icon12[1].gif 8/27/2005 10:34 AM 1.04 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\icon3[1].gif 8/27/2005 10:34 AM 673 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\icon4[1].gif 8/27/2005 10:34 AM 671 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\index[1].php 8/27/2005 10:34 AM 12.18 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\index[3].htm 8/27/2005 10:34 AM 58.62 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\ipb_bbcode[1].js 8/27/2005 10:34 AM 8.86 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\ranting[1].gif 8/27/2005 10:34 AM 17.94 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\rolleyes1[1].gif 8/27/2005 10:34 AM 1.32 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\wub[1].gif 8/27/2005 10:34 AM 1.38 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\blink[1].gif 8/27/2005 10:34 AM 1.06 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\huh[1].gif 8/27/2005 10:34 AM 708 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\icon1[1].gif 8/27/2005 10:34 AM 672 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\icon7[1].gif 8/27/2005 10:34 AM 672 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\icon8[1].gif 8/27/2005 10:34 AM 677 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\ohmy[1].gif 8/27/2005 10:34 AM 698 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\sad[1].gif 8/27/2005 10:34 AM 698 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\thumbsup[1].gif 8/27/2005 10:34 AM 486 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\IBMBEZ47\wacko[1].gif 8/27/2005 10:34 AM 946 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\blushing[1].gif 8/27/2005 10:34 AM 1.11 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\confused1[1].gif 8/27/2005 10:34 AM 345 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\icon10[1].gif 8/27/2005 10:34 AM 672 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\icon11[1].gif 8/27/2005 10:34 AM 689 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\icon2[1].gif 8/27/2005 10:34 AM 676 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\icon9[2].gif 8/27/2005 10:34 AM 888 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\index[1].php 8/27/2005 10:30 AM 13.10 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\lookaround[1].gif 8/27/2005 10:34 AM 482 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\ph34r[1].gif 8/27/2005 10:34 AM 705 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\tongue[1].gif 8/27/2005 10:34 AM 698 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\OYZIA234\whistling[1].gif 8/27/2005 10:34 AM 1.10 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\angry[1].gif 8/27/2005 10:34 AM 465 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\CARUGJFT 8/27/2005 10:30 AM 2.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\helpsmilie[1].gif 8/27/2005 10:34 AM 931 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\icon13[1].gif 8/27/2005 10:34 AM 1.08 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\icon5[1].gif 8/27/2005 10:34 AM 672 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\icon6[1].gif 8/27/2005 10:34 AM 666 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\laughing[1].gif 8/27/2005 10:34 AM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\smile[1].gif 8/27/2005 10:34 AM 699 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\surrender[1].gif 8/27/2005 10:34 AM 1.90 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\upset[1].gif 8/27/2005 10:34 AM 679 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\SDIFCT6F\wink[1].gif 8/27/2005 10:34 AM 698 bytes Hidden from Windows API.



Thanks again :tazz:

#6
tampabelle

There is another entry which seems to be very sticky -

O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe


Let's find out why it is doing so -

Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
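
Comparing the list of entries selected for fixing against the next scan shows which ones persisted, as the `Zk0GYcov` Run value did in this thread. The script below is an added example, not part of the original posts and not HijackThis's own code; its function and variable names are hypothetical, and the sample logs are trimmed excerpts of the logs posted above.

```python
import re
from dataclasses import dataclass

# HijackThis entry lines start with a section code (R0, O4, O23, ...),
# then " - ", then a section-specific detail string.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# O4 autostart detail: "<hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


@dataclass(frozen=True)
class Entry:
    code: str
    detail: str

    @property
    def key(self):
        # Identity used for comparison: ignore case and runs of whitespace,
        # since Windows paths are case-insensitive and pasted logs get reflowed.
        return (self.code, " ".join(self.detail.split()).casefold())

    @property
    def autostart(self):
        # (hive, key, value name, command) for O4 entries, otherwise None.
        m = O4_RE.match(self.detail) if self.code == "O4" else None
        return (m["hive"], m["key"], m["name"], m["cmd"]) if m else None


def parse_entries(text):
    """Return {key: Entry} for every entry line; headers and the
    'Running processes' paths do not match ENTRY_RE and are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entry = Entry(m["code"], m["detail"])
            entries.setdefault(entry.key, entry)
    return entries


def compare_scans(fix_text, after_text, before_text=""):
    """Classify entries: fix-listed and still present, fix-listed and gone,
    and (when a 'before' scan is given) entries that are new in 'after'."""
    fix = parse_entries(fix_text)
    after = parse_entries(after_text)
    before = parse_entries(before_text)
    return {
        "persisted": [e for k, e in fix.items() if k in after],
        "cleared": [e for k, e in fix.items() if k not in after],
        "new": [e for k, e in after.items() if before and k not in before],
    }


# Trimmed excerpts of the logs posted in this thread (not the full logs).
SCAN_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
"""

FIX_LIST = r"""
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
"""

SCAN_AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
"""

if __name__ == "__main__":
    report = compare_scans(FIX_LIST, SCAN_AFTER, SCAN_BEFORE)
    for label, entries in report.items():
        print(f"{label}:")
        for e in entries:
            print(f"  {e.code} - {e.detail}")
```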

#7
kjt817

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Dell|Alert" = "C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [empty string]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"ZingSpooler" = "C:\Program Files\Common Files\Zing\ZingSpooler.exe" ["Sony Electronics Inc."]
"LXSUPMON" = "C:\WINDOWS\system32\LXSUPMON.EXE RUN" ["Lexmark International Inc."]
"Zk0GYcov" = "C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe" [file not found]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\KaZaA\My Shared Folder\WC3\arcext.dll" [file not found]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\KaZaA\My Shared Folder\WC3\arcext.dll" [file not found]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\KaZaA\My Shared Folder\WC3\arcext.dll" [file not found]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\KaZaA\My Shared Folder\WC3\arcext.dll" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\shellex.dll" ["Roxio"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\KaZaA\My Shared Folder\WC3\arcext.dll" [file not found]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\KaZaA\My Shared Folder\WC3\arcext.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kyle Trinward\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Disk Cleanup" -> launches: "C:\WINDOWS\SYSTEM32\CLEANMGR.EXE" [MS]
"Disk Defragmenter" -> launches: "C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "C:\Program Files\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 135 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 50 seconds.
---------- (total run time: 252 seconds)

#8
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Copy the part in bold below into notepad and save it as fix.reg
Save as type: All files (The first line in the file should be REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zk0GYcov"=-


Double click on fix.reg and let it merge with your Registry.


Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Reboot the PC and post a fresh HJT log.

Also let me know how many users use this PC and whether you have administrative rights on the PC !!!

#9
kjt817

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts

O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Reboot the PC and post a fresh HJT log.

Also let me know how many users use this PC and whether you have administrative rights on the PC !!!



alright - that is still showing up even after merging the sys reg's, checking in hjt and restarting...

and I am the only "user" with a profile - and it's w/administrative rights. my gf uses it too, but under my name.


another thing, when I'm running HJT, the AntiVir pops up saying:

"C:\WINDOWS\SYSTEM32\DRIVERS\WINIK.SYS

Is the Trojan horse TR/RKit.Agent.Q"

and prompts me to take an action - what should I choose?

Thanks again for your time, I appreciate it.

#10
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
  • 0
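
One way to triage a RootkitRevealer log like the one requested above, as an added example that is not part of the original thread and not code from RootkitRevealer. It ranks rows instead of discarding any: the location lists and the high/review/low labels are assumptions of this example, and the sample rows are constructed in the log's format.

```python
import re
from collections import Counter

# One RootkitRevealer row: <path> <date> <time> <size> <description>.
# Paths contain spaces, so the date is used as the delimiter after the path.
ROW = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>[\d.]+\s(?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)

# Assumption: locations rewritten constantly while a browser or IM client is
# open, so files appear or vanish between the API pass and the raw-disk pass.
VOLATILE = ("\\temporary internet files\\", "\\cookies\\", "\\urlcache\\")

# Assumption: locations from which code is loaded at boot or logon.
PERSISTENT = ("\\system32\\", "\\currentversion\\run",
              "\\currentcontrolset\\services\\")

ORDER = {"high": 0, "review": 1, "low": 2}


def parse(line):
    """Return the fields of one log row, or None if the line is not a row."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def priority(path, desc):
    """Rank a discrepancy by where it is and what kind it is."""
    p, d = path.lower(), desc.lower()
    hidden = d.startswith("hidden from windows api")
    if any(marker in p for marker in PERSISTENT):
        # Present on disk or in the hive, absent from the API view, in a
        # load point: the pattern a cloaking driver produces.
        return "high" if hidden else "review"
    if any(marker in p for marker in VOLATILE):
        # Most likely churn during the scan; kept, but ranked last.
        return "low"
    if hidden or "length not consistent" in d:
        return "review"
    return "low"


def triage(log_text):
    """Parse a pasted log and return (rows sorted by priority, skipped count)."""
    rows, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            skipped += 1  # forum residue or a wrapped/truncated row
            continue
        rec["priority"] = priority(rec["path"], rec["desc"])
        rows.append(rec)
    rows.sort(key=lambda r: ORDER[r["priority"]])
    return rows, skipped


def summarize(rows):
    """Count rows per priority label."""
    return Counter(r["priority"] for r in rows)


# Constructed sample rows in the log's format (user name and the driver file
# name are placeholders, not values taken from the thread's log).
SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name 8/27/2005 11:03 PM 26 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID 8/27/2005 11:03 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt 8/28/2005 6:07 PM 95 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\zone[1].htm 8/28/2005 6:08 PM 458 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\blank[1].gif 8/28/2005 3:23 PM 45 bytes Visible in Windows API, but not in MFT or directory index.
(log truncated by the forum software)
C:\WINDOWS\system32\drivers\EXAMPLE.SYS 8/26/2005 7:00 PM 12.50 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    rows, skipped = triage(SAMPLE)
    for r in rows:
        print(f'{r["priority"]:<6} {r["desc"]:<60} {r["path"]}')
    print(dict(summarize(rows)), "unparsed lines:", skipped)
```

A "low" row is not cleared, only deprioritized: closing the browser and IM client before scanning removes most of that churn, and whatever still shows up on a rescan deserves a closer look.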

#11
kjt817

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name 8/27/2005 11:03 PM 26 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID 8/27/2005 11:03 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Kyle Trinward\Application Data\Aim\wygffgcg\kjt817\urlcache\aim1E.tmp 8/28/2005 4:49 PM 347 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Application Data\Aim\wygffgcg\kjt817\urlcache\aim20.tmp 8/28/2005 5:49 PM 347 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@ad.yieldmanager[2].txt 8/28/2005 6:08 PM 180 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@doubleclick[1].txt 8/28/2005 6:07 PM 95 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@forums.vwvortex[1].txt 8/28/2005 6:08 PM 100 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@forums.vwvortex[2].txt 8/27/2005 11:08 PM 101 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@maxserving[2].txt 8/28/2005 6:08 PM 171 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@realmedia[1].txt 8/28/2005 6:07 PM 92 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@servedby.advertising[1].txt 8/28/2005 8:56 AM 396 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@servedby.advertising[2].txt 8/28/2005 4:49 PM 528 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Cookies\kyle trinward@thecarconnection[1].txt 8/28/2005 6:07 PM 394 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\10036_NIMNTDUYXQPTZ[1].jpg 8/28/2005 6:07 PM 14.85 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\10037_ANQANXLBCHVLR[1].jpg 8/28/2005 6:07 PM 8.99 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\10038_UVYPIUSMCKDMQ[1].jpg 8/28/2005 6:07 PM 21.33 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\10050_ZCVPDDJHMBYUN[1].jpg 8/28/2005 6:07 PM 17.26 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\10314284-7[1].gif 8/28/2005 6:00 PM 3.80 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\153[1].gif 8/28/2005 6:08 PM 2.73 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\154[1].gif 8/28/2005 5:53 PM 2.73 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\155[1].gif 8/28/2005 5:53 PM 2.73 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\157[1].gif 8/28/2005 6:01 PM 2.73 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\158[1].gif 8/28/2005 6:07 PM 2.32 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\1971FordTorino10[1].jpg 8/28/2005 6:03 PM 302.16 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\202[1].gif 8/28/2005 6:01 PM 2.15 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\2309_image[1].gif 8/28/2005 6:07 PM 22.89 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\31-1X1PIXEL[1].gif 8/28/2005 6:07 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\5313_image[1].gif 8/28/2005 6:07 PM 4.38 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\am001514[1].jpg 8/28/2005 6:03 PM 39.91 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\Audio[1].png 8/28/2005 3:23 PM 1.27 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\background-list[1].gif 8/28/2005 3:24 PM 861 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\background-righttable[1].gif 8/28/2005 3:23 PM 34.70 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\background[1].gif 8/27/2005 4:16 PM 57 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\bbtitle_carlounge[1].gif 8/28/2005 5:53 PM 3.59 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\blank[1].gif 8/28/2005 3:23 PM 45 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\browse[1].htm 8/28/2005 3:24 PM 27.86 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\button-list-down-top[1].gif 8/28/2005 3:24 PM 1.57 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\button-list-up-top-blank[1].gif 8/28/2005 3:24 PM 1.25 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\button-submityourown[1].gif 8/28/2005 3:23 PM 1.71 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\CA72O3F1.com%2Fzeroforum%3Fid%3D1&cc=9&u_h=1024&u_w=1280&u_ah=996&u_aw=1280&u_cd=24&u_tz=-240&u_his=1&u_java=true 8/28/2005 6:08 PM 1.74 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\CAGPY5XE.htm 8/28/2005 6:01 PM 3.71 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\CAJMM9ZZ.htm 8/28/2005 6:00 PM 5.03 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\CALRV94O.htm 8/28/2005 6:07 PM 4.77 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\cjcss2[1].css 8/28/2005 3:23 PM 5.18 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\CJNews_1029[1].jpg 8/28/2005 3:23 PM 67.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\cjvs_BrutalDildos_bdildos_082805[1].gif 8/28/2005 3:24 PM 12.56 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\confused[1].gif 8/28/2005 6:07 PM 110 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\css_8[1].css 8/27/2005 4:59 PM 20.80 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\dot[1].gif 8/28/2005 6:07 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\eek[1].gif 8/28/2005 6:07 PM 1.23 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\emgift[1].gif 8/28/2005 6:07 PM 81 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\ewtrack_ff1[1].gif 8/28/2005 4:49 PM 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\exp_plus[1].gif 8/28/2005 3:22 PM 61 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\firstmazdapost[1].jpg 8/28/2005 5:54 PM 143.74 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\forum_bg[1].gif 8/28/2005 5:53 PM 1.31 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\forums_sub_nav_13[1].gif 8/28/2005 5:53 PM 474 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header-02[1].gif 8/28/2005 3:23 PM 12.46 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header-03[1].gif 8/28/2005 3:23 PM 10.03 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header-greedgiveaway-left[1].gif 8/28/2005 3:23 PM 5.96 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header-hp-02[1].gif 8/28/2005 3:23 PM 2.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header-hp-09[1].gif 8/28/2005 3:23 PM 7.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header_dots_magenta[1].gif 8/28/2005 6:07 PM 385 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header_left[1].gif 8/28/2005 6:07 PM 1.69 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\header_top[1].gif 8/28/2005 6:07 PM 3.41 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\index[1].php 8/28/2005 3:22 PM 18.34 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\industry[1].gif 8/28/2005 6:07 PM 1.84 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\ipb_topic[1].js 8/27/2005 6:48 PM 3.40 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\kat[1].png 8/28/2005 3:22 PM 10.37 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\masthead_03[1].gif 8/28/2005 5:53 PM 4.01 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\nav-audio[1].gif 8/28/2005 3:23 PM 1.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\nav-editorials[1].gif 8/28/2005 3:23 PM 2.24 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\nav-linktous[1].gif 8/28/2005 3:23 PM 2.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\nav-shop[1].gif 8/28/2005 3:23 PM 1.95 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\nav-whatsyourdysfunction[1].gif 8/28/2005 3:23 PM 5.11 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\nav[1].gif 8/27/2005 4:16 PM 87 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\navmenu_super_var[1].js 8/28/2005 6:07 PM 12.61 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\newpoll[1].gif 8/28/2005 5:53 PM 588 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\p_mq_add[1].gif 8/27/2005 6:48 PM 1.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\p_online[1].gif 8/27/2005 6:48 PM 1.20 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\p_pm[1].gif 8/27/2005 6:48 PM 1.19 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\pip[1].gif 8/27/2005 6:48 PM 1009 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\Platinumbucks_CFH100x400_00[1].gif 8/28/2005 3:24 PM 28.62 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\reviews[1].gif 8/28/2005 6:07 PM 828 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\screwy[1].gif 8/28/2005 6:01 PM 1.10 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\search_header[1].swf 8/28/2005 5:53 PM 20.16 KB Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\sicksitebar-03[1].gif 8/28/2005 3:23 PM 1.34 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\sig-danny[1].gif 8/28/2005 3:23 PM 3.99 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\SilverCash_video_100x400[1].gif 8/28/2005 3:25 PM 19.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\smile[1].gif 8/28/2005 5:53 PM 93 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\ssb-03[1].gif 8/28/2005 3:23 PM 11.42 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\stat_time[1].gif 8/27/2005 4:16 PM 1.01 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\stats2[1].gif 8/28/2005 6:00 PM 222 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\t_options[1].gif 8/27/2005 6:48 PM 1.89 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\t_qr[1].gif 8/27/2005 6:58 PM 1.93 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\text_group[1].htm 8/28/2005 3:24 PM 2.98 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\Topbucks_hfdp775x60-2[1].gif 8/28/2005 3:24 PM 29.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\underlying_nav_09[1].gif 8/28/2005 5:53 PM 977 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\underlying_nav_10[1].gif 8/28/2005 5:53 PM 948 bytes Hidden from Windows API.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\Video[1].png 8/28/2005 3:23 PM 706 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Kyle Trinward\Local Settings\Temporary Internet Files\Content.IE5\23Q8QMJL\view-header-02-videos[1].gif 8/28/2005 3:23 PM 5.72 KB Visible in Windows API, but not in MFT or directory index.

#12
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
All these are temp files. Can you use Clean Up and delete all temp files!

You should use it at least once a day.

Please post back a fresh HJT log.
  • 0

#13
kjt817

    Member

  • Topic Starter
  • Member
  • 43 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:55:40 PM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kyle Trinward\Desktop\malwareX\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.111.231.6...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#14
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Next, please reboot your computer in Safe Mode.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the ewido scan, by using Add Reply.
  • 0

#15
kjt817

    Member

  • Topic Starter
  • Member
  • 43 posts
EWIDO SECURITY SUITE LOG:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:35:20 PM, 8/29/2005
+ Report-Checksum: 445B7649

+ Scan result:

HKLM\SOFTWARE\Classes\BabeIE.AgentIE -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.AgentIE\CLSID -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.AgentIE\CurVer -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.Handler -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.Handler\CLSID -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.Handler\CurVer -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.Helper -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.Helper\CLSID -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\BabeIE.Helper\CurVer -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{71ED4FBA-4024-4bbe-91DC-9704C93F453E} -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2} -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2D0F5208-3198-49A4-86A7-D65E9E582751} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99908473-1135-4009-BE4F-32B921F86ED9} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\cn -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\CommonName -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\CommonName\BabeIE -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\CommonName\User -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\nCASE -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\xupiter -> Spyware.Xupiter : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dbi -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IESearchbarIESearchbar -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\ASYCFILT.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\COMCAT.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\MFC42.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\MSVCP60.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\MSVCRT.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\MSXML3.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\MSXML3A.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\MSXML3R.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\OLEAUT32.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\OLEPRO32.DLL -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\Files\STDOLE2.TLB -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\System -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinIK -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\Security -> Spyware.CommonName : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\Enum -> Spyware.CommonName : Error during cleaning
C:\Program Files\AVPersonal\INFECTED\A0037808.DLL.VIR -> Spyware.CommonName : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0039189.EXE.VIR -> TrojanDownloader.MlFree : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0039197.EXE.VIR -> Trojan.Golid : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0056009.EXE.VIR -> Spyware.CommonName.j : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0057254.SYS.VIR -> Trojan.Rootkit.Agent.q : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\GOWCFGBN.DLL.VIR -> Spyware.CommonName : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\osuouvsx\svrrorqt.exe -> Spyware.CommonName : Cleaned with backup
C:\Program Files\tqvxrvtq\cnml.exe -> Spyware.CommonName : Error during cleaning
C:\Program Files\WildTangent\Components\SystemConfig0100.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP331\A0057257.exe -> Spyware.CommonName : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP333\A0058364.dll -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP333\A0058365.exe -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP333\A0058371.exe -> Trojan.Bispy.B : Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys -> Trojan.Rootkit.Agent.q : Error during cleaning
C:\WINDOWS\SYSTEM32\jjiiygrn.dll -> Trojan.Goldid : Cleaned with backup


::Report End




HJT LOG (POST EWIDO):

Logfile of HijackThis v1.99.1
Scan saved at 8:48:13 PM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kyle Trinward\Desktop\malwareX\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.111.231.6...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



Please note:
I have had no success deleting c:\win~\sys32\drivers\winik.sys

and the entry in HJT: O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe will not remove; after "Fixing" it, it still pops up.

What do you think this might mean? As you can see from the post, I've tried many things.
  • 0
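Added example (not part of the original posts and not output from ewido or HijackThis): a small Python triage script that pulls the "Error during cleaning" rows out of an ewido report and lists the HijackThis O4 autoruns that start from the same folder as a file ewido could not clean. The function names, the `PROGRA~1` to `Program Files` mapping and the list of shared system folders are assumptions made for this sketch; the sample lines are copied from the two logs in the post above.

```python
import ntpath
import re

# Constructed sample: a few lines taken from the ewido report and the
# post-scan HijackThis log in the post above.
EWIDO_REPORT = r"""
HKLM\SOFTWARE\SafeSurfing\System -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\WinIK -> Spyware.CommonName : Error during cleaning
C:\Program Files\osuouvsx\svrrorqt.exe -> Spyware.CommonName : Cleaned with backup
C:\Program Files\tqvxrvtq\cnml.exe -> Spyware.CommonName : Error during cleaning
C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys -> Trojan.Rootkit.Agent.q : Error during cleaning
"""
HJT_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zk0GYcov] C:\PROGRA~1\tqvxrvtq\GowCfgBN.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
"""

EWIDO_LINE = re.compile(r"^(.+) -> (\S+) : (.+)$")
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r"([A-Za-z]:\\.+?\.exe)", re.IGNORECASE)
# Assumption: folders shared by many legitimate programs are never used as a match key.
SHARED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}


def parse_ewido(report):
    """Return (target, detection, status) tuples, one per result line."""
    rows = []
    for line in report.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def failed_targets(rows):
    """Keep only the rows whose status is not a 'Cleaned ...' result."""
    return [r for r in rows if not r[2].lower().startswith("cleaned")]


def parse_o4(log):
    """Return (value name, executable path) for each O4 registry Run entry."""
    entries = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        exe = EXE_PATH.search(m.group("cmd")) if m else None
        if exe:
            entries.append((m.group("name"), exe.group(1)))
    return entries


def norm_dir(path):
    """Lower-case parent folder; assumes PROGRA~1 is the alias of Program Files."""
    expanded = path.lower().replace("progra~1", "program files")
    return ntpath.dirname(ntpath.normpath(expanded))


def leftover_autoruns(report, log):
    """O4 entries that launch from a folder holding a file ewido failed to clean."""
    failed = failed_targets(parse_ewido(report))
    bad_dirs = {norm_dir(t) for t, _, _ in failed if re.match(r"[a-z]:\\", t, re.I)}
    bad_dirs -= SHARED_DIRS
    return [(name, exe) for name, exe in parse_o4(log) if norm_dir(exe) in bad_dirs]


if __name__ == "__main__":
    for target, detection, status in failed_targets(parse_ewido(EWIDO_REPORT)):
        print("NOT CLEANED:", target, "(" + detection + ")")
    for name, exe in leftover_autoruns(EWIDO_REPORT, HJT_LOG):
        print("AUTORUN IN SAME FOLDER:", name, exe)
```

On the sample lines it reports the WinIK service key, cnml.exe and winik.sys as not cleaned, and flags the [Zk0GYcov] Run entry because it starts from the same tqvxrvtq folder as cnml.exe.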





