
Invisible spyware annoyance. [RESOLVED]


  • This topic is locked

#1
wizardmon5

  • Member
  • 18 posts
I somewhat recently began getting occasional pop-ups from sites which I know should not have them, meaning I have some type of spyware. So, I ran about five scanners (Norton Antivirus, Ad-Aware, Ewido Security Suite, SpywareDoctor, and Spyware Nuker), and deleted everything they found. But I'm still getting pop-ups.

I have also run the L2MFIXER tool and the NailFix tool.

If it helps, I just got a pop-up while coming to this page (to post the topic). It was an ad for WinAntiVirus Pro, whatever that is.

Here is my HiJackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 7:11:02 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\David Parrish\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.c...orms/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross...m/cabs/A18X.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121152971859
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0


#2
wizardmon5

  • Topic Starter
  • Member
  • 18 posts
Uh, so can anyone help? I noticed that there have been a LOT of posts, and I just don't want to get lost in previous pages.


EDIT: Sorry. I read through a couple help topics, and saw that it can take three days. I hope that editing this doesn't bump it up again, that is not what I'm trying to do. Just letting you know I get what's going on.

Edited by wizardmon5, 02 December 2005 - 07:58 PM.

  • 0

#3
Kat

  • Retired Staff
  • 19,711 posts
  • MVP
Hello and welcome to GeeksToGo. I'm not seeing anything obvious in your log, so I'd like you to run a scan for me. :tazz:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#4
wizardmon5

  • Topic Starter
  • Member
  • 18 posts
Uh, well, I ran the scan, and it detected a ton of things, but it said I need an active subscription to remove them. I still have it open if there's some way around that.

Here's a screenshot of what I have right now: http://img224.images...untitled9rr.jpg
  • 0

#5
Kat

  • Retired Staff
  • 19,711 posts
  • MVP
Yikes. Ok, first of all, let's get rid of the Apropos rootkit before we worry about the rest of what SpySweeper found. I apologize for the bad link that gave you a download of it you'd need to subscribe to. :tazz: We just discovered that problem yesterday, and fixed the links. After we clear you of Apropos, we will re-do SpySweeper to get rid of all those other nasties! :)

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
  • 0

#6
wizardmon5

  • Topic Starter
  • Member
  • 18 posts
Alrighty, here's my HiJackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 11:50:03 PM, on 12/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\David Parrish\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zombo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zombo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.c...orms/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross...m/cabs/A18X.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121152971859
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




And here's the AproposFixer log:




Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\David Parrish\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C7XRmA32ITn5]
@="q41\\q44CDDCDDEDf\\6q1:1CDDCSFDmYdTemiDiA45u.JIDt3y7u34D14s43E4A4"
"Device"="\\\\.\\Pluapnp"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\pscsr.sys"
"DriverName"="asplass"
"HideUninstallerName"="C:\\Program Files\\Crinland\\lapmcnfg.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\mswim700.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{F8287F82-704A-4244-A98F-D2A451AEC880}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\System32\\mslqtz32.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X6ac66ce-3a61-0ea5-d1e9-84e2dc0d6de3}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service asplass removed.

Removing hidden folder:
Deletion of folder Crinland succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\pscsr.sys succeeded!
Deletion of file C:\WINDOWS\System32\alupicom.exe succeeded!
Deletion of file C:\WINDOWS\System32\mslqtz32.dll succeeded!
Deletion of file C:\WINDOWS\System32\mswim700.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C7XRmA32ITn5]
[-HKEY_LOCAL_MACHINE\Software\C7XRmA32ITn5]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8287F82-704A-4244-A98F-D2A451AEC880}]

Done!

Finished!
  • 0
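
As an added example (not part of the thread and not AproposFix's own code), this Python script cross-checks the AproposFix log in post #6: every file or service named in the rootkit's configuration key should have a matching removal line. The embedded log is an excerpt copied from that post; treating `DriverName` as the hidden service name and matching the deleted folder by name only are assumptions of this example.

```python
import ntpath
import re

# Excerpt of the AproposFix log posted above (values copied from the thread).
LOG = r'''
[HKEY_LOCAL_MACHINE\Software\C7XRmA32ITn5]
"Device"="\\\\.\\Pluapnp"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\pscsr.sys"
"DriverName"="asplass"
"HideUninstallerName"="C:\\Program Files\\Crinland\\lapmcnfg.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\mswim700.exe"
"HDll"="C:\\WINDOWS\\System32\\mslqtz32.dll"
"PageFiltering"=dword:00000001

Removing hidden service:
Service asplass removed.

Removing hidden folder:
Deletion of folder Crinland succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\pscsr.sys succeeded!
Deletion of file C:\WINDOWS\System32\alupicom.exe succeeded!
Deletion of file C:\WINDOWS\System32\mslqtz32.dll succeeded!
Deletion of file C:\WINDOWS\System32\mswim700.exe succeeded!
'''

REG_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
DELETED_FILE = re.compile(r'^Deletion of file (?P<path>.+) succeeded!$')
DELETED_DIR = re.compile(r'^Deletion of folder (?P<name>.+) succeeded!$')
REMOVED_SVC = re.compile(r'^Service (?P<name>\S+) removed\.$')
DRIVE_PATH = re.compile(r'^[A-Za-z]:\\')


def norm(path):
    """Normalise a Windows path for case-insensitive comparison on any OS."""
    return ntpath.normcase(ntpath.normpath(path))


def parse_log(text):
    """Split the log into the rootkit's config values and the tool's actions."""
    values, files, dirs, services = {}, set(), set(), set()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := REG_STRING.match(line):
            # .reg-style dumps escape backslashes and quotes; undo that.
            values[m["name"]] = re.sub(r"\\(.)", r"\1", m["data"])
        elif m := DELETED_FILE.match(line):
            files.add(norm(m["path"]))
        elif m := DELETED_DIR.match(line):
            dirs.add(m["name"].lower())
        elif m := REMOVED_SVC.match(line):
            services.add(m["name"].lower())
    return values, files, dirs, services


def audit(text):
    """Return ({config value: removal status}, [deleted files the key never named])."""
    values, files, dirs, services = parse_log(text)
    report, referenced = {}, set()
    for name, data in values.items():
        if DRIVE_PATH.match(data):
            path = norm(data)
            referenced.add(path)
            folders = path.split("\\")[1:-1]  # directory components only
            if path in files:
                report[name] = "file deleted"
            elif any(folder in dirs for folder in folders):
                # Assumption: the log prints only the folder's name, so match by name.
                report[name] = "parent folder deleted"
            else:
                report[name] = "NOT REMOVED"
        elif name == "DriverName":
            # Assumption: DriverName is the name of the hidden service.
            removed = data.lower() in services
            report[name] = "service removed" if removed else "NOT REMOVED"
    return report, sorted(files - referenced)


if __name__ == "__main__":
    report, unreferenced = audit(LOG)
    for name, status in report.items():
        print(f"{name:22} {status}")
    for path in unreferenced:
        print(f"deleted but not named in the config key: {path}")
```

On this log every referenced artifact is accounted for, and `alupicom.exe` shows up as deleted even though the key never names it, so the key alone is not a complete list of what the tool removed.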

#7
Kat

  • Retired Staff
  • 19,711 posts
  • MVP
Ok, excellent! :) The Apropos rootkit is gone now! :tazz: Let's move on to getting you clean. Again, I apologize about the problem with SpySweeper. Before we try that again, let's look at a couple of other things. Can you give me an Uninstall list please? To get this:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
Because the SpySweeper log screenshot you showed me claims there could be other rootkits, let's double check that before we move on, as well.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Please make a reply here. I would just like to see the Uninstall List, and the log from Rootkit Revealer.
  • 0

#8
wizardmon5

  • Topic Starter
  • Member
  • 18 posts
Alrighty. Here's the uninstall list:


ABBYY FineReader 5.0 Sprint
Active@ UNDELETE DEMO
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 6.0
Adobe Premiere 6.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Advanced WMA Workshop version 2.1
Age of Empires III Trial
Albatross18 (OGplanet)
Aliens vs. Predator 2 Multiplayer Demo
AndreaMosaic 3.18
AOL Instant Messenger
Aranea Spywizard
ATI Control Panel
ATI Display Driver
Audacity 1.2.3
Ballmaster 1.60
Battlefield 2™ Demo
Bazooka Scanner
Bejeweled 2 Deluxe 1.0
BitTornado 0.3.10
CC_ccStart
ccCommon
CDRipper
Cheaters Archive
CleanUp!
CoffeeCup GIF Animator 6.2 Shareware
CoffeeCup HTML Editor
CoffeeCup MP3 Rip & Burn
Command & Conquer Generals
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
Command and ConquerTM Generals Zero Hour
Conexant D850 56K V.9x DFVc Modem
Cool Edit Pro 2.0
Creative DVD Audio Plugin for Audigy Series
Crimsonland
Dell AIO Printer A920
Dell ResourceCD
Deluxe Menu
Diablo II
Disk Investigator 1.32
DivX
DivX Player
Dogpile Toolbar
Dogpile Toolbar (remove only)
Download Accelerator Plus
EarthLink Free Online Calling Lite 2.0 release 1104x
ElectriCalm 3D Screensaver (remove only)
ElectricSheep 2.6.3
ewido security suite
FairyHand 1.5 Trial Version
FaxTools
FilePlanet Download Manager 2.1
FinalAlert 2 - Yuri's Revenge
FinePixViewer Ver.4.0
First Step Guide
FLV Player 1.01
FolderShare
Fraps (remove only)
FUJIFILM USB Driver
Ground Control II MP Demo
Guild Wars
GunBound
GunboundWC
Halo Editing Kit
ImageMixer VCD for FinePix
ImageMixer VCD2
InterActual Player
Internet Download Manager
Internet Explorer Q903235
InterVideo WinDVD 6
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Kazaa Lite K++ v2.4.3
Konvertor
Laser Kombat
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech Gaming Software
Macromedia Flash MX 2004
Macromedia Flash Player
Macromedia Flash Player 8
Macromedia Shockwave Player
MAIET Gunz
Masque Games on aim
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft AntiSpyware
Microsoft Broadband Networking
Microsoft Data Access Components KB870669
Microsoft Halo
Microsoft Halo Custom Edition
Microsoft Halo Trial
Microsoft Home Publishing 2000
Microsoft Windows Journal Viewer
Microsoft Word 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
MicroStaff WINASPI NT
Monopoly Tycoon
Moolander - ArcadeTown.com
Mozilla Firefox (1.0.7)
MSN Gaming Zone
MSN Messenger 7.0
MSN Messenger 7.0
MSRedist
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Nero - Burning Rom
Nimo Codecs Pack v5.0 (Remove Only)
NoAdware v3.0
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Panda ActiveScan
PCBugDoctor version 1.0.0.4
PerfectDisk
Picture Package
Project64 1.6
QuickTime
Ragnarok Online
Ragnarok Sakray
Rakion International
RAW FILE CONVERTER LE
RealPlayer
Rebate Retriever 1.0
Registry Mechanic
Return to Castle Wolfenstein Multiplayer DEMO
Risk II
Rose Online
ScanSpyware v3.8.0.4
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Shockwave
Skype 1.3
SmartFTP Client
Snood for Windows version 3.01-W
Softnyx Launcher
Sony USB Driver
Sound Blaster Live!
Speech Synthesizer 5.0
Spy Sweeper
Spyware Doctor 3.0
Star Trek Starfleet Command III
Starcraft
StarCraft X-tra Editor Version 2.5
Steam
Swarm
Swf to Mp3 Converter v2.0
Symantec Script Blocking Installer
SymNet
System Spyware Interrogator
TeamSpeak 2 RC2
The Print Shop Photo Pro
TreeSize Personal 3.32
WeatherBug
Westwood Shared Internet Components
WhatPulse
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB896727
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
WinRAR archiver
WinZip
Wolfenstein - Enemy Territory
Word in Works Suite add-in
World Community Grid Agent
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Photos Easy Upload Tool 1v4
Yrefresher 1.00
Zed - ArcadeTown.com



And here's the Rootkit Reveal thing:



HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 12/8/2005 8:23 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\msmsgs (192.168.2.133:9573) 18663 UDP 12/8/2005 8:21 PM 32 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\msmsgs (192.168.2.133:14152) 26101 TCP 12/8/2005 8:21 PM 32 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Application Data\Aim\MrWizardmon5\urlcache\aim9A.tmp 12/8/2005 8:22 PM 130 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Application Data\Aim\MrWizardmon5\urlcache\aim9D.tmp 12/8/2005 8:24 PM 130 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Application Data\Aim\MrWizardmon5\urlcache\aimCE.tmp 12/8/2005 8:56 PM 130 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Cookies\david parrish@geekstogo[1].txt 12/8/2005 7:57 PM 599 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Cookies\david parrish@geekstogo[2].txt 12/8/2005 8:43 PM 521 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Cookies\david [email protected][1].txt 12/8/2005 8:53 PM 127 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Cookies\david parrish@urbandictionary[1].txt 12/7/2005 11:35 PM 491 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\David Parrish\Cookies\david parrish@urbandictionary[2].txt 12/8/2005 8:58 PM 492 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\12761_pinkrazr_160_hibrand_msn_cpa[1].swf 12/6/2005 7:25 PM 29.19 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\287055898_s[1].jpg 12/6/2005 9:56 PM 850 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\ads[2].htm 12/6/2005 7:12 PM 3.65 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\CA5WZIFF.swf 12/6/2005 7:23 PM 20.97 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\Com_Mess;MN=93189869;wm=o;sz=120x90;tile=1;dcove=d;ord=53715941[1] 12/6/2005 9:11 PM 493 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\greenblur[1].jpg 12/6/2005 9:34 PM 1.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\Hamwise[1].jpg 12/6/2005 9:53 PM 1.65 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\Laird[1].jpg 12/6/2005 9:34 PM 3.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\r[1].js 12/6/2005 7:11 PM 608 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\stars_red_27[1].gif 12/6/2005 9:31 PM 160 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\t_p1[1].png 12/6/2005 6:58 PM 2.17 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\0AZ6VW64\yikers_guy_shoots_self_with_nail_gun[1].jpg 12/6/2005 7:26 PM 3.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\0000011895_000000000000000247995[1].swf 12/5/2005 11:36 PM 24.07 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\031214329X.01.THUMBZZZ[1].jpg 12/8/2005 8:53 PM 1.48 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\120x600[1].swf 12/6/2005 7:26 PM 20.66 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\23081091[1].jpg 12/6/2005 7:31 PM 2.27 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\279566706_s[1].jpg 12/6/2005 9:56 PM 4.03 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\a9-table-bg-1[1].gif 12/8/2005 8:53 PM 168 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\abcnews_rss[1].xml 12/8/2005 8:56 PM 5.31 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\addtomyyahoo4[1].gif 12/8/2005 8:53 PM 719 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\advanced_wars2_kanbei_forum[1].gif 12/6/2005 11:43 PM 1.48 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\amzn-logo-118w[1].gif 12/8/2005 8:53 PM 1.82 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\atsign[1].gif 12/8/2005 8:53 PM 317 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\book-background[1].gif 12/8/2005 8:55 PM 3.29 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\buybox-button-find-gifts[1].gif 12/8/2005 8:53 PM 1.31 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CA23QRUP.gif 12/8/2005 8:55 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CA2FGDUZ.gif 12/8/2005 8:52 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CA6JG96L.gif 12/8/2005 8:54 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CA6L3X4W.gif 12/8/2005 8:55 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CA6P27EF.gif 12/8/2005 8:56 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CAB3NEDN 12/6/2005 7:02 PM 96 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CADMJLTT.gif 12/8/2005 8:58 PM 35 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CAKVEXYX.gif 12/8/2005 8:54 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CAMJKXC9.gif 12/8/2005 8:53 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CAQJJSLW.gif 12/8/2005 8:54 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CATS58D9.gif 12/8/2005 8:55 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\CAYR0XMV.gif 12/8/2005 8:53 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\dademonshoe[1].jpg 12/6/2005 9:22 PM 18.68 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\editor[1].css 12/8/2005 8:52 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\editor[1].js 12/8/2005 8:52 PM 661 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\editor[2].css 12/8/2005 8:52 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\editor[3].css 12/8/2005 8:54 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\foxnews_rss[1].xml 12/8/2005 8:56 PM 8.25 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\home[2].php 12/6/2005 7:01 PM 23.92 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\i.p.tools[1].gif 12/6/2005 7:25 PM 168 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\jkwl[1].jpg 12/6/2005 7:04 PM 2.42 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\logo-off[1].gif 12/8/2005 8:53 PM 1.28 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\middlefinger-45009[1].jpg 12/8/2005 8:55 PM 1.01 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\n2CoreCSS-n2v1-4580[1].css 12/8/2005 8:53 PM 5.26 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\n2CoreLibs-utilities-19637[1].js 12/8/2005 8:53 PM 32.53 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\orange-arrow[1].gif 12/8/2005 8:53 PM 58 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\reply[2].php 12/6/2005 7:14 PM 15.18 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\shocker-45075[1].jpg 12/8/2005 8:55 PM 881 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\stars_red_15[1].gif 12/6/2005 9:31 PM 160 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\steps[1].css 12/8/2005 8:53 PM 393 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\ticker[2].js 12/8/2005 8:55 PM 6.33 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\topbanner_04[1].gif 12/6/2005 7:31 PM 3.41 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\transparent-pixel[1].gif 12/8/2005 8:53 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\urban[1].css 12/8/2005 8:52 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\urban[1].js 12/8/2005 8:55 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\urban[2].css 12/8/2005 8:54 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\urban[2].js 12/8/2005 8:55 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\urban[3].css 12/8/2005 8:55 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\urban[3].js 12/8/2005 8:56 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\wallbackground[1].jpg 12/8/2005 8:54 PM 32.52 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\yikers_kid_breaks_fish_tank_by_accident[1].jpg 12/6/2005 7:26 PM 7.64 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\45UJ8LAB\YPN_logo[1].gif 12/7/2005 12:23 AM 1.99 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\0060536993.01.THUMBZZZ[1].jpg 12/8/2005 8:53 PM 1.28 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\01[1].htm 12/8/2005 7:56 PM 277 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\01[2].htm 12/8/2005 7:56 PM 427 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\0740751182.01.THUMBZZZ[1].jpg 12/8/2005 8:53 PM 2.88 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\104-6850571-3100716[2] 12/8/2005 8:53 PM 66.75 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\1px-background[1].gif 12/8/2005 8:53 PM 46 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\45954[1].jpg 12/8/2005 8:55 PM 5.45 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\ADSAdClient31[1] 12/8/2005 7:56 PM 705 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\ADSAdClient31[2] 12/8/2005 7:56 PM 711 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\B1659667[1].htm 12/8/2005 8:51 PM 4.33 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\book[1].php 12/8/2005 8:54 PM 4.95 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\button[4].gif 12/8/2005 8:55 PM 4.55 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\button[5].gif 12/8/2005 8:54 PM 4.55 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CA41EHNK.gif 12/8/2005 8:54 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CAC96NKT.gif 12/8/2005 8:52 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CAE34HU7.gif 12/8/2005 8:52 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CAQ3WX6V.gif 12/8/2005 8:52 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CAU0X6VD.gif 12/8/2005 8:55 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CAUR0LAB.gif 12/8/2005 8:54 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\CAVJLPPX.gif 12/8/2005 8:52 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[10].css 12/8/2005 8:56 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[3].js 12/8/2005 8:52 PM 661 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[4].js 12/8/2005 8:54 PM 661 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[5].js 12/8/2005 8:58 PM 661 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[7].css 12/8/2005 8:51 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[8].css 12/8/2005 8:51 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\editor[9].css 12/8/2005 8:55 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\foxnews_rss[1].xml 12/8/2005 7:55 PM 8.20 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\foxnews_rss[2].xml 12/8/2005 8:26 PM 8.67 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\gb-closed[1].gif 12/8/2005 8:53 PM 1.60 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\gc-logo_v2[1].gif 12/8/2005 8:53 PM 1.49 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\go-button-books[1].gif 12/8/2005 8:53 PM 719 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\go-orange-trans[1].gif 12/8/2005 8:53 PM 799 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\home[2].php 12/8/2005 6:05 PM 24.62 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\HoTMaiL[8] 12/8/2005 8:50 PM 64.33 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\hotmail___1021000204[2].js 12/8/2005 7:56 PM 33.35 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\kanyewest-45065[1].jpg 12/8/2005 8:55 PM 677 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\n2BootstrapLibs-azbTbs-42329[1].js 12/8/2005 8:53 PM 6.96 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\prevarrow[1].gif 12/8/2005 8:52 PM 161 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\rssicon[1].gif 12/8/2005 8:53 PM 451 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\searchspy[1].xml 12/8/2005 8:24 PM 3.58 KB Visible in Windows API, directory index, but not in MFT.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\simple-add-to-wishlist[1].gif 12/8/2005 8:53 PM 951 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\slashdot[2] 12/8/2005 7:55 PM 16.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\timezone[1].js 12/8/2005 8:51 PM 147 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\timezone[2].js 12/8/2005 8:54 PM 147 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\tools[1].php 12/8/2005 8:53 PM 3.90 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[10].js 12/8/2005 8:52 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[11].css 12/8/2005 8:51 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[11].js 12/8/2005 8:52 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[12].css 12/8/2005 8:51 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[12].js 12/8/2005 8:52 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[13].css 12/8/2005 8:52 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[13].js 12/8/2005 8:55 PM 1.05 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[14].css 12/8/2005 8:55 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\8VPB6UF1\urban[15].css 12/8/2005 8:56 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\0060568062.01.THUMBZZZ[1].jpg 12/8/2005 8:53 PM 2.11 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\0740751433.01.TZZZZZZZ[1].jpg 12/8/2005 8:53 PM 4.17 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\0767908406.01.THUMBZZZ[1].jpg 12/8/2005 8:53 PM 1.62 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\abcnews_rss[1].xml 12/8/2005 7:55 PM 5.32 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\add.urbandictionary[1] 12/7/2005 11:34 PM 4.25 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\AIM_UAC[1].adp 12/8/2005 8:43 PM 746 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\aol[3].htm 12/8/2005 8:43 PM 148 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\blank[2].gif 12/8/2005 8:53 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\book-3d[1].jpg 12/8/2005 8:53 PM 25.47 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\CA4PER4P.gif 12/8/2005 8:51 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\CA4T2JSH.gif 12/8/2005 8:52 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\CAJDL447.gif 12/8/2005 8:53 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\CAODYFO9.gif 12/8/2005 8:53 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\CAZJXLWU.gif 12/8/2005 8:51 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\Com_Mess;MN=93189869;wm=o;sz=120x90;tile=1;dcove=d;ord=224831787[1] 12/8/2005 8:43 PM 493 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\daily[2].php 12/8/2005 8:53 PM 9.96 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\define[2].php 12/8/2005 8:53 PM 4.94 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\editor[10].css 12/8/2005 8:54 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\editor[11].css 12/8/2005 8:56 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\editor[7].css 12/8/2005 8:52 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\editor[8].css 12/8/2005 8:52 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\editor[9].css 12/8/2005 8:54 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\endcap-a9-go[1].gif 12/8/2005 8:53 PM 698 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\hotmail___1000000002[1].css 12/8/2005 8:51 PM 3.31 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\hotmail___1000000002[2].css 12/8/2005 7:56 PM 3.31 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\india-45041[1].jpg 12/8/2005 8:55 PM 802 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\india-45042[1].jpg 12/8/2005 8:55 PM 782 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\insert[2].css 12/8/2005 8:52 PM 609 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\insert[3].css 12/8/2005 8:52 PM 609 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\MS1438_10705_728x90_FCR_1[1].gif 12/8/2005 8:51 PM 7.48 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\searchspy[1].xml 12/8/2005 8:29 PM 3.46 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\smarterchild-45096[1].jpg 12/8/2005 8:55 PM 827 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\stars-3-5[1].gif 12/8/2005 8:53 PM 394 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\staygo[1].php 12/8/2005 8:56 PM 22.99 KB Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\tabs-line[1].gif 12/8/2005 8:53 PM 61 bytes Hidden from Windows API.
C:\Documents and Settings\David Parrish\Local Settings\Temporary Internet Files\Content.IE5\BMGZJ5WD\tabs-middle-on[1].gif 12/8/2005 8:53 PM 963 bytes Hidden from Windows API.
  • 0

#9
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
:tazz: Yikes! Let's try to get those temp folders cleaned up.

Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

Reboot the computer.

Run the RootkitRevealer again. Let me know if it finds anything this time. It *shouldn't*. :)

Now.. I also want you to re-run SpySweeper! Please UNINSTALL your current version of SpySweeper. Then:


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Download Now button to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0
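An added example, not part of the thread and not Sysinternals code: a small triage script for RootkitRevealer output in the line layout posted above. It separates discrepancies under browser-cache and temp folders from everything else. Treating those folders as volatile (files created or deleted while the scan runs) is this example's assumption, and the sample lines, user name and file names are constructed.

```python
import re
from collections import Counter

# One RootkitRevealer line as it appears in this thread:
#   <path> <M/D/YYYY> <h:mm AM|PM> <size> <unit> <discrepancy description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s[AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s(?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<desc>.+?)\s*$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Assumption of this example: folders whose contents change constantly,
# so a mismatch between two views of the disk is usually scan-time churn.
VOLATILE_MARKERS = (
    "\\local settings\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# Constructed sample input (not taken from the poster's machine).
SAMPLE_LOG = r"""
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AAAA1111\style[1].css 12/8/2005 8:52 PM 4.62 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AAAA1111\pixel[1].gif 12/8/2005 8:55 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BBBB2222\feed[1].xml 12/6/2005 7:31 PM 5.35 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BBBB2222\page[1].php 12/8/2005 8:58 PM 24.73 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\system32\example_hidden.sys 11/30/2005 7:11 PM 12.50 KB Hidden from Windows API.
C:\Docu
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m["path"],
        "when": f'{m["date"]} {m["time"]}',
        "size_bytes": round(float(m["size"]) * UNIT[m["unit"]]),
        "discrepancy": m["desc"].rstrip("."),
    }


def is_volatile(path):
    """True if the path lies under one of the assumed high-churn folders."""
    lowered = path.lower()
    return any(marker in lowered for marker in VOLATILE_MARKERS)


def triage(text):
    """Split a pasted log into cache churn, entries to review, and junk.

    volatile: Counter of discrepancy type for entries in churn folders
    review:   parsed entries outside those folders (look at these first)
    unparsed: lines that do not match the layout, e.g. a post cut off
              mid-path by a forum length limit
    """
    result = {"volatile": Counter(), "review": [], "unparsed": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            result["unparsed"].append(raw.strip())
        elif is_volatile(entry["path"]):
            result["volatile"][entry["discrepancy"]] += 1
        else:
            result["review"].append(entry)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for kind, count in report["volatile"].most_common():
        print(f"cache/temp churn: {count:3d} x {kind}")
    for entry in report["review"]:
        print(f'REVIEW: {entry["path"]} ({entry["discrepancy"]})')
    for line in report["unparsed"]:
        print(f"unparsed (truncated?): {line}")
```

A non-empty `review` list after the temp folders have been emptied and the machine rebooted is the case that deserves a closer look.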

#10
wizardmon5

    Member

  • Topic Starter
  • Member
  • 18 posts
The RootkitRevealer didn't find anything, no.

Here's the contents of the SpySweeper. Looks like that one did find something. =P



********
10:28 PM: | Start of Session, Friday, December 09, 2005 |
10:28 PM: Spy Sweeper started
10:28 PM: Sweep initiated using definitions version 582
10:28 PM: Starting Memory Sweep
10:29 PM: Memory Sweep Complete, Elapsed Time: 00:01:32
10:29 PM: Starting Registry Sweep
10:29 PM: Found Trojan Horse: trojan downloader popuppers
10:29 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm83.ocx\ (2 subtraces) (ID = 960758)
10:29 PM: Found Adware: winad
10:29 PM: HKCR\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (7 subtraces) (ID = 1023387)
10:29 PM: HKLM\software\classes\typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5}\ (7 subtraces) (ID = 1023399)
10:30 PM: Registry Sweep Complete, Elapsed Time:00:00:10
10:30 PM: Starting Cookie Sweep
10:30 PM: Found Spy Cookie: websponsors cookie
10:30 PM: david [email protected][2].txt (ID = 3665)
10:30 PM: Found Spy Cookie: go.com cookie
10:30 PM: david [email protected][1].txt (ID = 2729)
10:30 PM: Found Spy Cookie: adecn cookie
10:30 PM: david parrish@adecn[1].txt (ID = 2063)
10:30 PM: Found Spy Cookie: adknowledge cookie
10:30 PM: david parrish@adknowledge[2].txt (ID = 2072)
10:30 PM: Found Spy Cookie: adlegend cookie
10:30 PM: david parrish@adlegend[1].txt (ID = 2074)
10:30 PM: Found Spy Cookie: adrevolver cookie
10:30 PM: david parrish@adrevolver[1].txt (ID = 2088)
10:30 PM: david parrish@adrevolver[3].txt (ID = 2088)
10:30 PM: Found Spy Cookie: addynamix cookie
10:30 PM: david [email protected][2].txt (ID = 2062)
10:30 PM: Found Spy Cookie: cc214142 cookie
10:30 PM: david [email protected][2].txt (ID = 2367)
10:30 PM: Found Spy Cookie: adultfriendfinder cookie
10:30 PM: david parrish@adultfriendfinder[1].txt (ID = 2165)
10:30 PM: Found Spy Cookie: advertising cookie
10:30 PM: david parrish@advertising[1].txt (ID = 2175)
10:30 PM: Found Spy Cookie: apmebf cookie
10:30 PM: david parrish@apmebf[1].txt (ID = 2229)
10:30 PM: Found Spy Cookie: atwola cookie
10:30 PM: david [email protected][2].txt (ID = 2256)
10:30 PM: Found Spy Cookie: falkag cookie
10:30 PM: david [email protected][1].txt (ID = 2650)
10:30 PM: david [email protected][1].txt (ID = 2650)
10:30 PM: Found Spy Cookie: ask cookie
10:30 PM: david parrish@ask[1].txt (ID = 2245)
10:30 PM: Found Spy Cookie: atlas dmt cookie
10:30 PM: david parrish@atdmt[2].txt (ID = 2253)
10:30 PM: david parrish@atwola[1].txt (ID = 2255)
10:30 PM: Found Spy Cookie: belnk cookie
10:30 PM: david parrish@belnk[1].txt (ID = 2292)
10:30 PM: Found Spy Cookie: bravenet cookie
10:30 PM: david parrish@bravenet[1].txt (ID = 2322)
10:30 PM: Found Spy Cookie: gostats cookie
10:30 PM: david [email protected][2].txt (ID = 2748)
10:30 PM: david parrish@cc214142[1].txt (ID = 2366)
10:30 PM: Found Spy Cookie: ccbill cookie
10:30 PM: david parrish@ccbill[1].txt (ID = 2369)
10:30 PM: Found Spy Cookie: centrport net cookie
10:30 PM: david parrish@centrport[1].txt (ID = 2374)
10:30 PM: Found Spy Cookie: customer cookie
10:30 PM: david parrish@customer[1].txt (ID = 2481)
10:30 PM: Found Spy Cookie: did-it cookie
10:30 PM: david parrish@did-it[1].txt (ID = 2523)
10:30 PM: david [email protected][2].txt (ID = 2293)
10:30 PM: Found Spy Cookie: empnads cookie
10:30 PM: david parrish@empnads[2].txt (ID = 5012)
10:30 PM: david [email protected][1].txt (ID = 2729)
10:30 PM: Found Spy Cookie: fastclick cookie
10:30 PM: david parrish@fastclick[2].txt (ID = 2651)
10:30 PM: Found Spy Cookie: go2net.com cookie
10:30 PM: david parrish@go2net[1].txt (ID = 2730)
10:30 PM: david parrish@go[1].txt (ID = 2728)
10:30 PM: Found Spy Cookie: clickandtrack cookie
10:30 PM: david [email protected][1].txt (ID = 2397)
10:30 PM: Found Spy Cookie: howstuffworks cookie
10:30 PM: david parrish@howstuffworks[1].txt (ID = 2805)
10:30 PM: Found Spy Cookie: screensavers.com cookie
10:30 PM: david [email protected][1].txt (ID = 3298)
10:30 PM: Found Spy Cookie: infospace cookie
10:30 PM: david parrish@infospace[2].txt (ID = 2865)
10:30 PM: Found Spy Cookie: domainsponsor cookie
10:30 PM: david [email protected][1].txt (ID = 2535)
10:30 PM: Found Spy Cookie: mx-targeting cookie
10:30 PM: david [email protected][2].txt (ID = 3024)
10:30 PM: Found Spy Cookie: maxserving cookie
10:30 PM: david parrish@maxserving[1].txt (ID = 2966)
10:30 PM: david [email protected][1].txt (ID = 2652)
10:30 PM: Found Spy Cookie: nextag cookie
10:30 PM: david parrish@nextag[2].txt (ID = 5014)
10:30 PM: Found Spy Cookie: okcounter.com cookie
10:30 PM: david parrish@okcounter[1].txt (ID = 3093)
10:30 PM: Found Spy Cookie: questionmarket cookie
10:30 PM: david parrish@questionmarket[1].txt (ID = 3217)
10:30 PM: Found Spy Cookie: realmedia cookie
10:30 PM: david parrish@realmedia[1].txt (ID = 3235)
10:30 PM: Found Spy Cookie: reunion cookie
10:30 PM: david parrish@reunion[2].txt (ID = 3255)
10:30 PM: Found Spy Cookie: rn11 cookie
10:30 PM: david parrish@rn11[2].txt (ID = 3261)
10:30 PM: david [email protected][1].txt (ID = 2729)
10:30 PM: david [email protected][1].txt (ID = 2729)
10:30 PM: Found Spy Cookie: tvguide cookie
10:30 PM: david [email protected][1].txt (ID = 3600)
10:30 PM: david [email protected][2].txt (ID = 2729)
10:30 PM: david [email protected][2].txt (ID = 2729)
10:30 PM: david [email protected][1].txt (ID = 2729)
10:30 PM: Found Spy Cookie: clicktracks cookie
10:30 PM: david [email protected][2].txt (ID = 2407)
10:30 PM: Found Spy Cookie: reliablestats cookie
10:30 PM: david [email protected][2].txt (ID = 3254)
10:30 PM: Found Spy Cookie: tickle cookie
10:30 PM: david parrish@tickle[1].txt (ID = 3529)
10:30 PM: Found Spy Cookie: trafficmp cookie
10:30 PM: david parrish@trafficmp[2].txt (ID = 3581)
10:30 PM: Found Spy Cookie: tribalfusion cookie
10:30 PM: david parrish@tribalfusion[2].txt (ID = 3589)
10:30 PM: david parrish@tvguide[1].txt (ID = 3599)
10:30 PM: Found Spy Cookie: affiliatefuel.com cookie
10:30 PM: david [email protected][1].txt (ID = 2202)
10:30 PM: david [email protected][1].txt (ID = 3298)
10:30 PM: Found Spy Cookie: xiti cookie
10:30 PM: david parrish@xiti[1].txt (ID = 3717)
10:30 PM: Found Spy Cookie: zedo cookie
10:30 PM: david parrish@zedo[1].txt (ID = 3762)
10:30 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
10:30 PM: Starting File Sweep
10:36 PM: Found Adware: exact cashback/bargain buddy
10:36 PM: a0002157.exe (ID = 50522)
10:38 PM: Found Adware: shopathomeselect
10:38 PM: l8mcrak2.dat (ID = 159521)
10:38 PM: Found Adware: powerscan
10:38 PM: a0009401.exe (ID = 72675)
10:38 PM: Found Adware: ist yoursitebar
10:38 PM: a0009386.dll (ID = 144079)
10:38 PM: Found Adware: surf accuracy
10:38 PM: a0009388.cfg (ID = 115677)
10:38 PM: Found Adware: internetoptimizer
10:38 PM: a0009402.exe (ID = 122872)
10:39 PM: Found Adware: adlogix
10:39 PM: a0010952.exe (ID = 185739)
10:39 PM: Found Adware: dealhelper
10:39 PM: ajmzdak.xml (ID = 57646)
10:39 PM: a0009392.dll (ID = 144079)
10:40 PM: ajmzdau2.xml (ID = 57651)
10:41 PM: Found Adware: upspiral toolbar
10:41 PM: a0014436.exe (ID = 82040)
10:42 PM: ajmzdau3.xml (ID = 57652)
10:42 PM: a0009387.exe (ID = 122872)
10:43 PM: newajmzdak2.xml (ID = 134358)
10:44 PM: newajmzdak1.xml (ID = 134357)
10:45 PM: newajmzdau1.xml (ID = 134360)
10:45 PM: newajmzdau2.xml (ID = 134361)
10:45 PM: newajmzdau.xml (ID = 134362)
10:45 PM: ajmzdau1.xml (ID = 57650)
10:45 PM: ajmzdak2.xml (ID = 57648)
10:46 PM: ajmzdak1.xml (ID = 57647)
10:46 PM: newajmzdak.xml (ID = 134359)
10:47 PM: Found Adware: webhancer
10:47 PM: a0011221.exe (ID = 83849)
10:47 PM: a0011234.exe (ID = 83849)
10:47 PM: ajmzdau.xml (ID = 57649)
10:49 PM: olstb4vb.dat (ID = 121494)
10:52 PM: Found Adware: ist sidefind
10:52 PM: a0003192.dll (ID = 76052)
10:52 PM: Found Adware: bonzi buddy
10:52 PM: bbshortcut.ico (ID = 51620)
10:53 PM: Found Adware: e2g
10:53 PM: a0015404.exe (ID = 188122)
10:53 PM: a0015407.exe (ID = 188217)
10:53 PM: a0015406.dll (ID = 180542)
10:53 PM: a0011225.exe (ID = 125346)
10:53 PM: a0010709.cfg (ID = 162775)
10:53 PM: a0010710.exe (ID = 180158)
10:54 PM: a0028706.exe (ID = 180136)
10:54 PM: a0016045.exe (ID = 180136)
10:54 PM: a0016461.exe (ID = 122872)
10:54 PM: a0016043.cfg (ID = 162775)
10:54 PM: a0016464.exe (ID = 199841)
10:54 PM: a0016044.exe (ID = 193923)
10:54 PM: a0016460.exe (ID = 72675)
10:54 PM: a0016515.exe (ID = 180136)
10:55 PM: jsvdpb.xml (ID = 49280)
10:55 PM: ajmzdadk.xml (ID = 57645)
10:55 PM: newajmzdatime.xml (ID = 163168)
10:55 PM: a0011230.ini (ID = 188794)
10:55 PM: Found Adware: imgiant
10:55 PM: a0012389.inf (ID = 63590)
10:58 PM: Warning: Unhandled Archive Type
10:58 PM: Warning: Cannot create file "C:\WINDOWS\Temp\10SST26.zip\". The filename, directory name, or volume label syntax is incorrect
10:58 PM: Warning: Unhandled Archive Type
10:58 PM: Warning: Unhandled Archive Type
10:58 PM: Warning: Unhandled Archive Type
10:58 PM: Warning: Unhandled Archive Type
10:59 PM: Warning: Unhandled Archive Type
11:06 PM: Warning: Unhandled Archive Type
11:09 PM: Warning: Unhandled Archive Type
11:09 PM: Warning: Unhandled Archive Type
11:11 PM: Warning: Unhandled Archive Type
11:11 PM: Warning: Unhandled Archive Type
11:11 PM: Warning: Unhandled Archive Type
11:11 PM: Found Adware: ieplugin
11:11 PM: 200508140634.zip (ID = 63356)
11:11 PM: Warning: Unhandled Archive Type
11:12 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: Warning: Unhandled Archive Type
11:23 PM: 200511071837.zip (ID = 188119)
11:24 PM: Warning: Unhandled Archive Type
11:25 PM: File Sweep Complete, Elapsed Time: 00:54:51
11:25 PM: Full Sweep has completed. Elapsed time 00:56:43
11:25 PM: Traces Found: 130
11:40 PM: Removal process initiated
11:40 PM: Quarantining All Traces: adlogix
11:40 PM: Quarantining All Traces: bonzi buddy
11:40 PM: Quarantining All Traces: internetoptimizer
11:40 PM: Quarantining All Traces: trojan downloader popuppers
11:40 PM: Quarantining All Traces: dealhelper
11:40 PM: Quarantining All Traces: e2g
11:40 PM: Quarantining All Traces: exact cashback/bargain buddy
11:40 PM: Quarantining All Traces: ieplugin
11:40 PM: Quarantining All Traces: imgiant
11:40 PM: Quarantining All Traces: ist sidefind
11:40 PM: Quarantining All Traces: ist yoursitebar
11:40 PM: Quarantining All Traces: powerscan
11:40 PM: Quarantining All Traces: shopathomeselect
11:40 PM: Quarantining All Traces: surf accuracy
11:40 PM: Quarantining All Traces: upspiral toolbar
11:40 PM: Quarantining All Traces: webhancer
11:40 PM: Quarantining All Traces: winad
11:40 PM: Quarantining All Traces: addynamix cookie
11:40 PM: Quarantining All Traces: adecn cookie
11:40 PM: Quarantining All Traces: adknowledge cookie
11:40 PM: Quarantining All Traces: adlegend cookie
11:40 PM: Quarantining All Traces: adrevolver cookie
11:40 PM: Quarantining All Traces: adultfriendfinder cookie
11:40 PM: Quarantining All Traces: advertising cookie
11:40 PM: Quarantining All Traces: affiliatefuel.com cookie
11:40 PM: Quarantining All Traces: apmebf cookie
11:40 PM: Quarantining All Traces: ask cookie
11:40 PM: Quarantining All Traces: atlas dmt cookie
11:40 PM: Quarantining All Traces: atwola cookie
11:40 PM: Quarantining All Traces: belnk cookie
11:40 PM: Quarantining All Traces: bravenet cookie
11:40 PM: Quarantining All Traces: cc214142 cookie
11:40 PM: Quarantining All Traces: ccbill cookie
11:40 PM: Quarantining All Traces: centrport net cookie
11:40 PM: Quarantining All Traces: clickandtrack cookie
11:40 PM: Quarantining All Traces: clicktracks cookie
11:40 PM: Quarantining All Traces: customer cookie
11:40 PM: Quarantining All Traces: did-it cookie
11:40 PM: Quarantining All Traces: domainsponsor cookie
11:40 PM: Quarantining All Traces: empnads cookie
11:40 PM: Quarantining All Traces: falkag cookie
11:40 PM: Quarantining All Traces: fastclick cookie
11:40 PM: Quarantining All Traces: go.com cookie
11:40 PM: Quarantining All Traces: go2net.com cookie
11:40 PM: Quarantining All Traces: gostats cookie
11:40 PM: Quarantining All Traces: howstuffworks cookie
11:40 PM: Quarantining All Traces: infospace cookie
11:40 PM: Quarantining All Traces: maxserving cookie
11:40 PM: Quarantining All Traces: mx-targeting cookie
11:40 PM: Quarantining All Traces: nextag cookie
11:40 PM: Quarantining All Traces: okcounter.com cookie
11:40 PM: Quarantining All Traces: questionmarket cookie
11:40 PM: Quarantining All Traces: realmedia cookie
11:40 PM: Quarantining All Traces: reliablestats cookie
11:40 PM: Quarantining All Traces: reunion cookie
11:40 PM: Quarantining All Traces: rn11 cookie
11:40 PM: Quarantining All Traces: screensavers.com cookie
11:40 PM: Quarantining All Traces: tickle cookie
11:40 PM: Quarantining All Traces: trafficmp cookie
11:40 PM: Quarantining All Traces: tribalfusion cookie
11:40 PM: Quarantining All Traces: tvguide cookie
11:40 PM: Quarantining All Traces: websponsors cookie
11:40 PM: Quarantining All Traces: xiti cookie
11:40 PM: Quarantining All Traces: zedo cookie
11:40 PM: Removal process completed. Elapsed time 00:00:25
********
10:27 PM: | Start of Session, Friday, December 09, 2005 |
10:27 PM: Spy Sweeper started
10:27 PM: Your spyware definitions have been updated.
10:28 PM: | End of Session, Friday, December 09, 2005 |
  • 0

#11
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Looking much better! How is it running now? I'd like you to reboot the computer normally, then empty SpySweeper's quarantine. Then, give me a fresh HijackThis log please. :)

I am on a family holiday for an early Christmas this weekend, but the hotel has internet access. It may be sometime this evening before I can get back here to check on you, but I WILL get here. :tazz:
  • 0

#12
wizardmon5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
It's running quite well now. I don't recall getting a single pop-under (or anything else, for that matter) today!

Also, don't worry about it. I'll be fine without you for however long you're on vacation. Have fun. =P


Here's the new HiJackThis log:



Logfile of HijackThis v1.99.1
Scan saved at 3:37:02 PM, on 12/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\David Parrish\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zombo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zombo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.c...orms/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\dapiebar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross...m/cabs/A18X.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121152971859
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#13
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Looking great!! Do some surfing, let me know tomorrow how things are running, and if there are any other problems with the machine before I turn you loose with the "all clean" speech! :tazz:
  • 0

#14
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Congratulations! Your log is now clean! :tazz:

Here are some items that you will want to add to your to-do list:

These are some tips to reduce the potential for Spyware/Adware/Virus infection in the future:
I would strongly recommend reviewing and installing the following applications if you don't currently have them running on your system:

Use Anti-Virus Software
It is very important that your computer has Anti-Virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone Anti-Virus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software
It is imperative that you update your Anti-Virus software at least once a week (even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Spyware/Adware Detection and Removal Programs:
Understanding Spyware, Browser Hijackers, and Dialers
  • Ad-Aware SE -- If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Ad-Aware SE:
    How to use Ad-Aware SE to remove Spyware
  • Spybot S&D -- If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Spybot S&D:
    How to use Spybot to remove Spyware
I strongly recommend using both of these programs to catch most spyware/adware.

Prevention Programs:
  • SpywareBlaster -- SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard -- SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad -- IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts File -- The MVPS Hosts File replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar -- Get the free Google Toolbar to help stop pop up windows.
Other Necessary Programs:
  • A More Secure Browser
    Internet Explorer is not the most secure and best browser.
    There are safer and better alternatives available. I recommend using Firefox
Be sure to also keep up with Windows and IE updates.

Windows Security and Critical Updates
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer Security and Critical Updates
http://www.microsoft.com/windows/ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place?

Update all these Programs Regularly:
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.

  • 0
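The HOSTS-file redirection described in the MVPS Hosts File item above, as an added example (not part of the original post and not MVPS code): it parses HOSTS-syntax text, reports whether one exact hostname is sent to the local machine, and lists any name mapped to some other address. The sample entries, function names and the first-match rule are assumptions made for illustration; note that a HOSTS entry matches one exact name only, so a subdomain of a listed site is not covered.

```python
import ipaddress

# Constructed sample in HOSTS syntax; the names are placeholders, not MVPS entries.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   ads.example.com  banner.example.net   # two names on one line
0.0.0.0     Tracker.Example.org
203.0.113.7 update.example.com
not-an-ip   broken.example.com
"""


def parse_hosts(text):
    """Return {hostname: address}. Assumption: the first mapping for a name wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def is_sink(addr):
    """Loopback and 0.0.0.0 never reach the real site."""
    return addr.is_loopback or addr.is_unspecified


def classify(text, hostname):
    """Return 'blocked', 'redirected' or 'not listed' for one exact hostname."""
    addr = parse_hosts(text).get(hostname.lower().rstrip("."))
    if addr is None:
        return "not listed"                      # no wildcard or subdomain matching
    return "blocked" if is_sink(addr) else "redirected"


def redirected_entries(text):
    """Names mapped to an address other than the local machine; worth a review."""
    return {n: str(a) for n, a in parse_hosts(text).items() if not is_sink(a)}


if __name__ == "__main__":
    for host in ("ads.example.com", "cdn.ads.example.com", "update.example.com"):
        print(host, "->", classify(SAMPLE_HOSTS, host))
```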

#15
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





