Question

Backdoor.Trojan using hk.dll...UNABLE to Kill the Beast

Asked by: impressivity

Hi,

I am fixing this computer for a client of mine, and it had quite a few issues. I have updated ALL Windows updates/patches, etc. I have run multiple and multiple scans using at least 5 antivirus programs and 4 or 5 adware/spyware/malware programs. I've removed everything from HJT that was not necessary...and the problem child is apparently not being found.

This PC has Norton Internet Security installed, and every time you press ANY key on the keyboard, it kicks up a "Virus Alert" with the following message:

Norton AntiVirus has detected a virus on your computer.
Details:
Object Name: C:\WINDOWS\hk.dll
Virus Name: Backdoor.Trojan
Action Taken: Unable to repair this file

Then, when you press OK, it comes with this box:
Action Taken: Access to the file was denied.

So, the obvious thing there is...delete the file in Safe Mode. Did that...but upon rebooting...it comes back.

I have done my homework, and there is NO service running that shows hk.dll...HOWEVER, if you look at the components of one of the "SVCHOST" services running, one of the DLLS is HK.DLL!!!!!

I have searched the registry for hk.dll...to no avail. I've also disabled any items in the Add-ons section of IE Programs, just to be sure.

Any thoughts out there? Here's the HJT log file, just so you can see it for yourself.

Thanks in Advance!
Dave S.
dave@impressivity.com



Logfile of HijackThis v1.99.1
Scan saved at 7:51:19 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\1.0.1322.0\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for ¸æË: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124849641953
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Asked on: 2005-08-25 at 05:01:12 (ID 21539633)
Tags: beast
Topic: Windows Network Security
Participating experts: 3
Points: 500
Comments: 19

Answers

by: war1, posted on 2005-08-25 at 08:58:56 (ID: 14753322)

Greetings, impressivity !

Here is a link to the analyzed log

http://hijackthis.de/logfiles/f99095e716e935b9879a183da3e0acc8.html

Look at the items marked "Possibly Nasty" and "Unknown".  If you do not recognize them, have HJT delete them. If this is not your home page, delete it.

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com


Cheers!

by: war1, posted on 2005-08-25 at 09:02:37 (ID: 14753378)

impressivity,

Here is how to remove hk.dll
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.trojan.html


Check for virus and adware

Housecall Online Scan
http://housecall.antivirus.com
or
Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
or
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
or
Ewido
http://www.ewido.net/en/

3. If still no joy, download HijackThis

http://www.hijackthis.de/

Run the program and you will find many entries. Most are OK. Post the log at the Hijackthis link above and click Analyze, Save.  Post a link to the saved list here.

by: impressivity, posted on 2005-08-25 at 09:20:39 (ID: 14753566)

War1,

That does happen to be the home page, so we'll leave that one alone.

Regarding your most recent post, I have already gone through each of those things (literally) before I ever posted this problem.  As I said...I've gone through all the basics and researched this extensively...to no avail.

Thanks,
Dave

by: war1, posted on 2005-08-25 at 09:27:21 (ID: 14753647)

Have you run Ewido?  It sometimes catches adware that the other scanners do not catch.

http://www.ewido.net/en/

by: r-k, posted on 2005-08-25 at 10:13:57 (ID: 14754137)

Here is what you can do to disable that file:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file (hk.dll) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

After reboot the file will be unable to run.

This should give you time to investigate more carefully where it might be starting from.

by: caza13, posted on 2005-08-25 at 14:22:09 (ID: 14756716)

Have you disabled the System Restore function of Windows XP?  It looks like something is restoring the file after it has been deleted.  Here is a link to a download that can delete files while the system is starting:

http://www.diamondcs.com.au/index.php?page=dellater

It is possible that the file will still be restored after it is deleted.

by: impressivity, posted on 2005-08-25 at 19:48:26 (ID: 14758182)

Thanks for all the posts, everyone.

I'll reply to each one separately below.

1.  Yes, I ran Ewido multiple times already, prior to my post...and it found stuff...it just didn't fix this one.

2.  This is definitely a solution that now keeps the file from executing, and therefore, allows me to type without the stupid virus box coming up with each keystroke!
Now what?    :-)

3.  Deleting the file (hk.dll) won't help my situation...and here's why.  I can delete the file in Safe Mode.  However, when rebooted in normal mode, it's back.
I have done some more research on the issue. and this may be of help to someone...I don't know where to go from here:

Using Spybot, I went to the Tools, clicked on the 'Process List' and found that there are several processes using "svchost.exe" (7 to be exact).  There was one that caught my attention...it has 83 threads, while the others have 15 or fewer.  Well, when I click on that one particular svchost, I can see the modules associated with that, and, lo and behold...I see "hk.dll".  NO OTHER Process has hk.dll associated as a module.

Also, there is NO Process running called "hk.dll".  I tried killing that specific svchost process, and it just comes back again.  I hope that helps explain things a little more.

Again...I really appreciate all the efforts here.
Dave

by: r-k, posted on 2005-08-25 at 21:32:35 (ID: 14758519)

I assume that you have removed permissions as I suggested above, and that hk.dll is no longer able to run.

Do not delete the hk.dll file, because it will get recreated, as you already noticed. Just leave it with no permissions. It is harmless that way.

The next step is to see what is launching it. I suggest getting Autoruns from:
 http://www.sysinternals.com/Utilities/Autoruns.html
and running that. Use the "Hide Microsoft Entries" option to reduce the list, then look for anything suspicious. If necessary, save the list to a text file and then cut-and-paste it here.

In addition, can you run "tasklist /svc" from a command window and paste the results here (you can save the results to a text file with a command like "tasklist /svc > temp.txt").

by: impressivity, posted on 2005-08-25 at 21:58:11 (ID: 14758598)

r-k,

Yes, I had removed perms and did NOT kill the file afterwards.

Here is the txt file from the autoruns (I did not find anything suspicious):

===================================================================
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ AcctMgr      Password Manager Controller      Symantec Corporation      c:\program files\norton password manager\acctmgr.exe

+ ccApp      Symantec User Session      Symantec Corporation      c:\program files\common files\symantec shared\ccapp.exe

+ SunJavaUpdateSched      Java(TM) 2 Platform Standard Edition binary      (Not verified) Sun Microsystems, Inc.      c:\program files\java\jre1.5.0_02\bin\jusched.exe

+ Symantec NetDriver Monitor      Symantec Security Drivers Install Monitor      Symantec Corporation      c:\program files\symnetdrv\sndmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup                  

+ HPAiODevice(hp officejet v series) - 1.lnk      HP OfficeJet COM Device Objects      (Not verified) Hewlett-Packard Co.      c:\program files\hewlett-packard\aio\hp officejet v series\bin\hpoant07.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup                  

+ SpywareGuard.lnk      SpywareGuard            c:\program files\spywareguard\sgmain.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run                  

+ SpybotSD TeaTimer      System settings protector      (Not verified) Safer Networking Limited      c:\program files\spybot - search & destroy\teatimer.exe

HKLM\System\CurrentControlSet\Services                  

+ ccEvtMgr      Symantec Event Manager      Symantec Corporation      c:\program files\common files\symantec shared\ccevtmgr.exe

+ ccProxy      Symantec Proxy Service      Symantec Corporation      c:\program files\common files\symantec shared\ccproxy.exe

+ ccSetMgr      Symantec Settings Manager      Symantec Corporation      c:\program files\common files\symantec shared\ccsetmgr.exe

+ ISSVC      Internet Security Service      Symantec Corporation      c:\program files\norton internet security\issvc.exe

+ navapsvc      Handles Norton AntiVirus Auto-Protect events.      Symantec Corporation      c:\program files\norton internet security\norton antivirus\navapsvc.exe

+ SBService      Norton AntiVirus ScripBlocking Service      Symantec Corporation      c:\program files\common files\symantec shared\script blocking\sbserv.exe

+ SNDSrvc      Symantec Network Drivers Service      Symantec Corporation      c:\program files\common files\symantec shared\sndsrvc.exe

+ SPBBCSvc      Symantec SPBBC      Symantec Corporation      c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe

+ Symantec Core LC      Symantec Core LC      Symantec Corporation      c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe

+ SymWSC      Symantec WMI Service      Symantec Corporation      c:\program files\common files\symantec shared\security center\symwsc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks                  

+ spywareguard.dll      SpywareGuard Protection            c:\program files\spywareguard\spywareguard.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ Display Panning CPL Extension                  File not found: deskpan.dll

+ Fusion Cache      Microsoft .NET Runtime Execution Engine      (Not verified) Microsoft Corporation      c:\windows\system32\mscoree.dll

+ ICQ Shell Extension                  c:\program files\icq\icqshext.dll

+ Shell Extensions for RealOne Player      RealPlayer Shell Extensions      (Not verified) RealNetworks, Inc.      c:\program files\real\realplayer\rpshell.dll

+ spywareguard.dll      SpywareGuard Protection            c:\program files\spywareguard\spywareguard.dll

+ Web Folders      Microsoft Web Folders      (Not verified) Microsoft Corporation      c:\program files\common files\microsoft shared\web folders\msonsext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                  

+ CNavExtBho Class      Norton AntiVirusNAVShellExt Module      Symantec Corporation      c:\program files\norton internet security\norton antivirus\navshext.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar                  

+ Norton AntiVirus      Norton AntiVirusNAVShellExt Module      Symantec Corporation      c:\program files\norton internet security\norton antivirus\navshext.dll

+ ycomp5_6_2_0.dll      Yahoo! Toolbar 5.6 for Internet Explorer      (Not verified) Yahoo! Inc.      c:\program files\yahoo!\companion\installs\cpn\ycomp5_6_2_0.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions                  

+ ICQ                  c:\program files\icq\icq.exe

+ MoneySide      MoneySide Controls      (Not verified) Microsoft Corporation      c:\program files\microsoft money\system\mnyside.dll

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls                  

+ DllDirectory                  c:\windows\system32
===================================================================

Here are the results of the tasklist /svc:

===================================================================
Image Name                   PID Services                                    
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     416 N/A                                          
csrss.exe                    472 N/A                                          
winlogon.exe                 496 N/A                                          
services.exe                 540 Eventlog, PlugPlay                          
lsass.exe                    552 PolicyAgent, ProtectedStorage, SamSs        
svchost.exe                  704 DcomLaunch, TermService                      
svchost.exe                  752 RpcSs                                        
svchost.exe                  816 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,    
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, HidServ, lanmanserver,              
                                 lanmanworkstation, Netman, Nla, RasMan,      
                                 Schedule, seclogon, SENS, SharedAccess,      
                                 ShellHWDetection, TapiSrv, Themes, TrkWks,  
                                 Twain16, W32Time, winmgmt, wscsvc, wuauserv,
                                 WZCSVC                                      
svchost.exe                  876 Dnscache                                    
svchost.exe                  960 LmHosts, SSDPSRV, WebClient                  
explorer.exe                1212 N/A                                          
spoolsv.exe                 1272 Spooler                                      
AcctMgr.exe                 1604 N/A                                          
CCAPP.EXE                   1612 N/A                                          
jusched.exe                 1628 N/A                                          
TeaTimer.exe                1664 N/A                                          
sgmain.exe                  1732 N/A                                          
sgbhp.exe                   1784 N/A                                          
CCPROXY.EXE                  136 ccProxy                                      
CCSETMGR.EXE                 200 ccSetMgr                                    
ISSVC.exe                    256 ISSVC                                        
NAVAPSVC.EXE                 336 navapsvc                                    
SNDSrvc.exe                 1120 SNDSrvc                                      
SPBBCSvc.exe                1092 SPBBCSvc                                    
svchost.exe                 1348 stisvc                                      
symlcsvc.exe                1400 Symantec Core LC                            
CCEVTMGR.EXE                1536 ccEvtMgr                                    
fxssvc.exe                  1032 Fax                                          
alg.exe                     3248 ALG                                          
svchost.exe                 3680 HTTPFilter                                  
SpybotSD.exe                4076 N/A                                          
iexplore.exe                 372 N/A                                          
notepad.exe                 2600 N/A                                          
msmsgs.exe                  3372 N/A                                          
cmd.exe                      920 N/A                                          
wmiprvse.exe                 636 N/A                                          
tasklist.exe                4020 N/A                                          
===================================================================

Thanks a Million for the assistance.
Dave

by: r-k, posted on 2005-08-25 at 23:35:55 (ID: 14758871)

Nothing obviously wrong in the above. I have a feeling that hk.dll is starting as a Service. There are three ways to confirm this. You could go Control Panel -> Admin Tools -> Services and right-click on each service -> Properties and see which has hk.dll mentioned in the "path to executable" field. You could also do a search for hk.dll in the Registry. The third way is to go Control Panel -> Admin Tools -> Event Viewer and look in the System log. Around the time of the last reboot you should see some service that failed to start (because you removed permissions from hk.dll).
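A caveat on the "path to executable" check in the post above, and on the `tasklist /svc` output posted earlier: a service that runs inside svchost.exe shows only `svchost.exe -k <group>` as its executable path, so the DLL it actually loads is never visible there. For such services the DLL is named by the `ServiceDll` value under the service's `Parameters` key, and `tasklist /svc` tells you which service names each svchost instance hosts. The script below, an added example that is not code from the thread or from any tool mentioned in it, joins the two listings: it parses the thread's own `tasklist /svc` output (abridged) and a constructed `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` listing, reports which svchost PID should have loaded which DLL, which registered service DLLs have no running host (the situation r-k describes after permissions are removed), and which service DLLs sit outside System32. The service name `ExampleSvc` and its `%SystemRoot%\hk.dll` entry are hypothetical, as is the assumption that `%SystemRoot%` is `C:\WINDOWS`; the thread's registry search found no hk.dll entry, so for that machine the DLL was evidently loaded some other way, and this check only narrows down what each svchost is expected to host.

```python
"""Correlate `tasklist /svc` output with registered service DLLs.

Added example, not code from the thread. TASKLIST_SVC is abridged from the
`tasklist /svc` listing posted above; REG_QUERY_SERVICEDLL is constructed,
and the service name ExampleSvc with its hk.dll entry is hypothetical.
"""
import re

# Abridged from the thread's own `tasklist /svc` output.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  704 DcomLaunch, TermService
svchost.exe                  752 RpcSs
svchost.exe                  816 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, HidServ, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, TapiSrv, Themes, TrkWks,
                                 Twain16, W32Time, winmgmt, wscsvc, wuauserv,
                                 WZCSVC
svchost.exe                  876 Dnscache
svchost.exe                  960 LmHosts, SSDPSRV, WebClient
"""

# Constructed sample in the layout `reg query <key> /s /v ServiceDll` prints.
# ExampleSvc and its hk.dll line are hypothetical; the other three DLL names
# are the genuine ones for those Windows XP services.
REG_QUERY_SERVICEDLL = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcsvc.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\termsrv.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\hk.dll
"""


def _services(field):
    # "N/A" means the process hosts no service at all
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, rejoining wrapped service lists."""
    procs, last = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():  # continuation of the previous process's services
            if last is not None:
                procs[last][1].extend(_services(line))
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), _services(m.group(3)))
    return procs


def parse_servicedll(text):
    """Return {service name lowercased: (service name, raw ServiceDll value)}."""
    out, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # a registry key path line
            key = line.strip()
            continue
        parts = line.split()
        if key and len(parts) >= 3 and parts[0].lower() == "servicedll":
            comps = key.split("\\")
            name = comps[-2] if comps[-1].lower() == "parameters" else comps[-1]
            out[name.lower()] = (name, " ".join(parts[2:]))
    return out


def expand_path(path, system_root):
    # a lambda avoids re.sub treating the backslashes in system_root as escapes
    return re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.IGNORECASE)


def correlate(tasklist_text, reg_text, system_root=r"C:\WINDOWS"):
    """Return (hosted, unhosted, outside): which svchost PID hosts which
    service DLL, registered service DLLs with no running svchost host, and
    service DLLs that live outside System32."""
    procs, dlls = parse_tasklist_svc(tasklist_text), parse_servicedll(reg_text)
    hosted, seen = {}, set()
    for pid, (image, services) in procs.items():
        if image.lower() != "svchost.exe":
            continue
        for svc in services:
            seen.add(svc.lower())
            if svc.lower() in dlls:
                hosted.setdefault(pid, {})[svc] = expand_path(dlls[svc.lower()][1], system_root)
    expanded = {n: expand_path(p, system_root) for n, p in dlls.values()}
    unhosted = {n: p for n, p in expanded.items() if n.lower() not in seen}
    system32 = (system_root + "\\System32\\").lower()
    outside = {n: p for n, p in expanded.items() if not p.lower().startswith(system32)}
    return hosted, unhosted, outside
```

On a real machine the second input comes from `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll > servicedll.txt`, saved next to the `tasklist /svc > temp.txt` file the thread already suggests; `correlate()` then takes the two files' contents. The svchost with the longest service list (PID 816 in the thread's output) is the one expected to carry the most loaded DLLs and threads, which is consistent with the 83-thread instance impressivity observed, but the listing alone cannot prove which instance loaded hk.dll.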

 

by: impressivity, posted on 2005-08-26 at 06:23:26 (ID: 14760608)

1.  I reviewed each of the services that are currently NOT running, and NONE had "hk.dll" listed in the path to executable field.

2.  I searched for kh.dll in the registry...and it's not there anywhere.  I've done that search before, and have never found any occurrence in the registry.

3.  There were no services that failed to start, or at least no Event created for it.

Any other thoughts?
Thanks!  Dave

 

by: impressivity, posted on 2005-08-26 at 06:54:27 (ID: 14760884)

I found that the "Terminal Services" was started, so I disabled that and then had to reboot to stop it.  I was seeing a DCOM error in the event log, and realized that it was related to TS.  I don't want TS on this PC running...and I wonder if that was the back door for that hk.dll, which appeared to be a key logger.

I have to get this pc back to the client...and now that we've disabled that pesky hk.dll, I'll just accept the answer you provided that got the thing stopped.

I sincerely appreciate the assistance...and wish you a great weekend!
Dave

 

by: r-k, posted on 2005-08-26 at 07:35:15 (ID: 14761252)

Interesting. The bad file is disabled, so I suppose you're OK. If you still have time, I would do the following:

(1) Run RootkitRevealer from http://www.sysinternals.com/Utilities/RootkitRevealer.html and see if it finds anything "hidden"

(2) Use the "driverquery" command from a command prompt and see if there is any unusual device driver installed. This list is harder to interpret, so feel free to post it here if not sure.

 

by: impressivity, posted on 2005-08-26 at 07:46:41 (ID: 14761365)

r-k,

Thanks!  Running the RootkitRevealer now.  I don't have driverquery on my pc...where can I find that?  This particular pc has XP Home, and I only see driverquery online referring to XP Pro or newer OS's.

Thanks,
Dave

 

by: r-k, posted on 2005-08-26 at 07:52:55 (ID: 14761426)

I don't have quick access to a Home system, but if you have a Pro system handy, just copy driverquery.exe from C:\WINDOWS\system32 to a floppy disk and put it on the Home system. It should work.

 

by: r-k, posted on 2005-08-26 at 07:56:37 (ID: 14761472)

An alternate way to see device drivers:

Start "Device Manager" from the Control Panel -> System

Then select View -> Show Hidden Devices from the menu. This will add a new folder to the tree called "Non-plug and Play Drivers". Expand that to see the list. You can right-click on any one to see Properties, then "Driver" and "Driver Details" to see which file it's running.

A bit tedious, but hope it helps.

 

by: impressivity, posted on 2005-08-26 at 08:10:33 (ID: 14761607)

Was able to pull the file from an XP Pro machine...thanks.

Here's the output from that driverquery:

Module Name  Display Name           Driver Type   Link Date            
============ ====================== ============= ======================
ACPI         Microsoft ACPI Driver  Kernel        8/4/2004 2:07:35 AM  
ACPIEC       ACPIEC                 Kernel        8/17/2001 4:57:55 PM  
aec          Microsoft Kernel Acous Kernel        2/13/2004 10:20:15 AM
AFD          AFD Networking Support Kernel        8/4/2004 2:14:13 AM  
ALCXWDM      Service for Realtek AC Kernel        6/19/2003 3:30:16 AM  
AsyncMac     RAS Asynchronous Media Kernel        8/4/2004 2:05:02 AM  
atapi        Standard IDE/ESDI Hard Kernel        8/4/2004 1:59:41 AM  
Atmarpc      ATM ARP Client Protoco Kernel        8/4/2004 1:58:29 AM  
audstub      Audio Stub Driver      Kernel        8/17/2001 4:59:40 PM  
Beep         Beep                   Kernel        8/17/2001 4:47:33 PM  
cbidf2k      cbidf2k                Kernel        8/17/2001 4:52:06 PM  
Cdaudio      Cdaudio                Kernel        8/17/2001 4:52:26 PM  
Cdfs         Cdfs                   File System   8/4/2004 2:14:09 AM  
Cdrom        CD-ROM Driver          Kernel        8/4/2004 1:59:52 AM  
Disk         Disk Driver            Kernel        8/4/2004 1:59:53 AM  
dmboot       dmboot                 Kernel        8/4/2004 2:07:13 AM  
dmio         dmio                   Kernel        8/4/2004 2:07:13 AM  
dmload       dmload                 Kernel        8/17/2001 4:58:15 PM  
DMusic       Microsoft Kernel DLS S Kernel        8/4/2004 2:07:37 AM  
dot4         MS IEEE-1284.4 Driver  Kernel        8/4/2004 1:58:28 AM  
Dot4Print    Print Class Driver for Kernel        8/17/2001 4:47:25 PM  
Dot4Scan     Scan Class Driver for  Kernel        8/17/2001 4:47:25 PM  
dot4usb      Dot4USB Filter Dot4USB Kernel        8/17/2001 4:47:24 PM  
drmkaud      Microsoft Kernel DRM A Kernel        8/4/2004 2:07:56 AM  
Fastfat      Fastfat                File System   8/4/2004 2:14:15 AM  
Fdc          Floppy Disk Controller Kernel        8/4/2004 1:59:25 AM  
Fips         Fips                   Kernel        8/17/2001 9:31:49 PM  
Flpydisk     Floppy Disk Driver     Kernel        8/4/2004 1:59:24 AM  
FltMgr       FltMgr                 File System   8/4/2004 2:01:17 AM  
Ftdisk       Volume Manager Driver  Kernel        8/17/2001 4:52:41 PM  
Gpc          Generic Packet Classif Kernel        8/4/2004 2:04:11 AM  
HidUsb       Microsoft HID Class Dr Kernel        8/17/2001 5:02:16 PM  
HSFHWBS2     HSFHWBS2               Kernel        2/13/2002 4:27:28 AM  
HSF_DP       HSF_DP                 Kernel        2/13/2002 4:26:40 AM  
HTTP         HTTP                   Kernel        10/8/2004 7:48:20 PM  
i8042prt     i8042 Keyboard and PS/ Kernel        8/4/2004 2:14:36 AM  
ialm         ialm                   Kernel        4/15/2003 1:39:44 PM  
Imapi        CD-Burning Filter Driv Kernel        8/4/2004 2:00:12 AM  
IntelIde     IntelIde               Kernel        8/4/2004 1:59:40 AM  
intelppm     Intel Processor Driver Kernel        8/4/2004 1:59:19 AM  
ip6fw        IPv6 Windows Firewall  Kernel        8/4/2004 2:00:04 AM  
IpFilterDriv IP Traffic Filter Driv Kernel        8/17/2001 4:55:07 PM  
IpInIp       IP in IP Tunnel Driver Kernel        8/4/2004 2:04:45 AM  
IpNat        IP Network Address Tra Kernel        9/29/2004 6:28:36 PM  
IPSec        IPSEC driver           Kernel        8/4/2004 2:14:27 AM  
IRENUM       IR Enumerator Service  Kernel        8/4/2004 2:00:45 AM  
isapnp       PnP ISA/EISA Bus Drive Kernel        8/17/2001 4:58:01 PM  
Kbdclass     Keyboard Class Driver  Kernel        8/4/2004 1:58:32 AM  
kbdhid       Keyboard HID Driver    Kernel        8/4/2004 1:58:33 AM  
kmixer       Microsoft Kernel Wave  Kernel        8/4/2004 2:07:46 AM  
KSecDD       KSecDD                 Kernel        8/4/2004 1:59:45 AM  
mdmxsdk      mdmxsdk                Kernel        10/22/2001 5:46:24 PM
mnmdd        mnmdd                  Kernel        8/17/2001 4:57:28 PM  
Modem        Modem                  Kernel        8/4/2004 2:08:04 AM  
Mouclass     Mouse Class Driver     Kernel        8/4/2004 1:58:32 AM  
mouhid       Mouse HID Driver       Kernel        8/17/2001 4:47:57 PM  
MountMgr     Mount Point Manager    Kernel        8/4/2004 1:58:29 AM  
MRxDAV       WebDav Client Redirect File System   8/4/2004 2:00:49 AM  
MRxSmb       MRXSMB                 File System   1/18/2005 11:26:50 PM
Msfs         Msfs                   File System   8/4/2004 2:00:37 AM  
MSKSSRV      Microsoft Streaming Se Kernel        8/4/2004 1:58:39 AM  
MSPCLOCK     Microsoft Streaming Cl Kernel        8/4/2004 1:58:38 AM  
MSPQM        Microsoft Streaming Qu Kernel        8/4/2004 1:58:39 AM  
mssmbios     Microsoft System Manag Kernel        8/4/2004 2:07:47 AM  
Mup          Mup                    File System   8/4/2004 2:15:20 AM  
NDIS         NDIS System Driver     Kernel        8/4/2004 2:14:27 AM  
NdisTapi     Remote Access NDIS TAP Kernel        8/17/2001 4:55:29 PM  
Ndisuio      NDIS Usermode I/O Prot Kernel        8/4/2004 2:03:10 AM  
NdisWan      Remote Access NDIS WAN Kernel        8/4/2004 2:14:30 AM  
NDProxy      NDIS Proxy             Kernel        8/17/2001 4:55:30 PM  
NetBIOS      NetBIOS Interface      File System   8/4/2004 2:03:19 AM  
NetBT        NetBT                  Kernel        8/4/2004 2:14:36 AM  
Npfs         Npfs                   File System   8/4/2004 2:00:38 AM  
Ntfs         Ntfs                   File System   8/4/2004 2:15:06 AM  
Null         Null                   Kernel        8/17/2001 4:47:39 PM  
NwlnkFlt     IPX Traffic Filter Dri Kernel        8/17/2001 4:54:05 PM  
NwlnkFwd     IPX Traffic Forwarder  Kernel        8/17/2001 4:54:08 PM  
Parport      Parallel port driver   Kernel        8/4/2004 1:59:04 AM  
PartMgr      Partition Manager      Kernel        8/17/2001 9:32:23 PM  
ParVdm       ParVdm                 Kernel        8/17/2001 4:49:49 PM  
PCI          PCI Bus Driver         Kernel        8/4/2004 2:07:45 AM  
PCIIde       PCIIde                 Kernel        8/17/2001 4:51:49 PM  
Pcmcia       Pcmcia                 Kernel        8/4/2004 2:07:45 AM  
PptpMiniport WAN Miniport (PPTP)    Kernel        8/4/2004 2:14:26 AM  
Processor    Processor Driver       Kernel        8/4/2004 1:59:14 AM  
PSched       QoS Packet Scheduler   Kernel        8/4/2004 2:04:16 AM  
Ptilink      Direct Parallel Link D Kernel        8/17/2001 4:49:53 PM  
RasAcd       Remote Access Auto Con Kernel        8/17/2001 4:55:39 PM  
Rasl2tp      WAN Miniport (L2TP)    Kernel        8/4/2004 2:14:21 AM  
RasPppoe     Remote Access PPPOE Dr Kernel        8/4/2004 2:05:06 AM  
Raspti       Direct Parallel        Kernel        8/17/2001 4:55:32 PM  
Rdbss        Rdbss                  File System   10/27/2004 9:13:57 PM
RDPCDD       RDPCDD                 Kernel        8/17/2001 4:46:56 PM  
RDPWD        RDPWD                  Kernel        6/9/2005 7:52:39 PM  
redbook      Digital CD Audio Playb Kernel        8/4/2004 1:59:34 AM  
rtl8139      Realtek RTL8139/810X F Kernel        8/23/2001 9:03:53 AM  
Secdrv       Secdrv                 Kernel        2/9/2001 11:51:30 AM  
serenum      Serenum Filter Driver  Kernel        8/4/2004 1:59:06 AM  
Serial       Serial port driver     Kernel        8/4/2004 2:15:51 AM  
Sfloppy      Sfloppy                Kernel        8/4/2004 1:59:53 AM  
splitter     Microsoft Kernel Audio Kernel        8/4/2004 2:07:46 AM  
sr           System Restore Filter  File System   8/4/2004 2:06:22 AM  
Srv          Srv                    File System   5/9/2005 8:17:49 PM  
swenum       Software Bus Driver    Kernel        8/4/2004 1:58:41 AM  
swmidi       Microsoft Kernel GS Wa Kernel        8/17/2001 5:00:42 PM  
SYMDNS       SYMDNS                 Kernel        4/5/2005 2:10:54 PM  
SYMFW        SYMFW                  Kernel        4/5/2005 2:11:07 PM  
SYMIDS       SYMIDS                 Kernel        4/5/2005 2:11:16 PM  
SYMNDIS      SYMNDIS                Kernel        4/5/2005 2:11:01 PM  
SYMREDRV     SYMREDRV               Kernel        4/5/2005 2:11:10 PM  
SYMTDI       SYMTDI                 Kernel        4/5/2005 2:10:52 PM  
sysaudio     Microsoft Kernel Syste Kernel        8/4/2004 2:15:54 AM  
Tcpip        TCP/IP Protocol Driver Kernel        5/25/2005 3:04:00 PM  
TDPIPE       TDPIPE                 Kernel        8/4/2004 1:58:53 AM  
TDTCP        TDTCP                  Kernel        8/4/2004 1:58:52 AM  
TermDD       Terminal Device Driver Kernel        8/4/2004 1:58:52 AM  
Udfs         Udfs                   File System   8/4/2004 2:00:27 AM  
Update       Microcode Update Drive Kernel        8/4/2004 1:58:32 AM  
usbccgp      Microsoft USB Generic  Kernel        8/4/2004 2:08:45 AM  
usbehci      Microsoft USB 2.0 Enha Kernel        8/4/2004 2:08:34 AM  
usbhub       USB2 Enabled Hub       Kernel        8/4/2004 2:08:40 AM  
USBSTOR      USB Mass Storage Drive Kernel        8/4/2004 2:08:44 AM  
usbuhci      Microsoft USB Universa Kernel        8/4/2004 2:08:34 AM  
VgaSave      VGA Display Controller Kernel        8/4/2004 2:07:06 AM  
VolSnap      VolSnap                Kernel        8/4/2004 2:00:14 AM  
Wanarp       Remote Access IP ARP D Kernel        8/4/2004 2:04:57 AM  
wdmaud       Microsoft WINMM WDM Au Kernel        8/4/2004 2:15:03 AM  
winachsf     winachsf               Kernel        2/13/2002 4:20:44 AM  
WS2IFSL      Windows Socket 2.0 Non Kernel        8/17/2001 4:55:58 PM  
{6080A529-89 Intel(R) Graphics Plat Kernel        4/15/2003 1:40:51 PM  
{D31A0762-0C Intel(R) Graphics Chip Kernel        4/15/2003 1:40:44 PM  


The other program is still scanning.  So far it found one item in the registry, a data mismatch between Windows API and raw hive data.

Dave
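
One way to make a driverquery listing like the one above quicker to read, added here as an example and not part of the thread: parse the fixed-width table using the ruler line (display names are truncated to the column width and contain spaces, so splitting on whitespace does not work) and group modules by link date. On this machine the stock Windows XP drivers carry one of two build dates, 8/17/2001 (RTM) and 8/4/2004 (SP2); treating those as explained is this example's assumption, not a published list, and what is left is the short list worth checking: vendor drivers (ALCXWDM, HSFHWBS2, the SYM* drivers), post-SP2 hotfixes (Tcpip, MRxSmb, Srv, RDPWD) and anything with no explanation. The rows below are a subset copied from the posted output.

```python
import re
from collections import defaultdict
from typing import Dict, List

# A subset of rows copied from the driverquery listing posted above, in the
# tool's fixed-width layout. driverquery truncates long display names to the
# column width, so the "=" ruler line is the only reliable guide to columns.
DRIVERQUERY = """\
Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
ACPI         Microsoft ACPI Driver  Kernel        8/4/2004 2:07:35 AM
ALCXWDM      Service for Realtek AC Kernel        6/19/2003 3:30:16 AM
audstub      Audio Stub Driver      Kernel        8/17/2001 4:59:40 PM
HSFHWBS2     HSFHWBS2               Kernel        2/13/2002 4:27:28 AM
MRxSmb       MRXSMB                 File System   1/18/2005 11:26:50 PM
RDPWD        RDPWD                  Kernel        6/9/2005 7:52:39 PM
SYMTDI       SYMTDI                 Kernel        4/5/2005 2:10:52 PM
Tcpip        TCP/IP Protocol Driver Kernel        5/25/2005 3:04:00 PM
"""

# Link dates the stock Windows XP drivers in the listing share: the RTM build
# (8/17/2001) and the SP2 build (8/4/2004). Treating these as "explained" is
# this example's assumption, not a Microsoft-published list.
BASELINE_DATES = {"8/17/2001", "8/4/2004"}


def column_spans(ruler: str) -> List[tuple]:
    """Turn the '==== ====' ruler into (start, end) slice bounds per column."""
    return [(m.start(), m.end()) for m in re.finditer(r"=+", ruler)]


def parse_driverquery(text: str) -> List[Dict[str, str]]:
    """Fixed-width driverquery table -> list of {column name: cell} dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    spans = column_spans(ruler)
    names = [header[s:e].strip() for s, e in spans]
    parsed = []
    for row in rows:
        # Earlier columns are fixed width; the last one runs to end of line.
        cells = [row[s:e].strip() for s, e in spans[:-1]]
        cells.append(row[spans[-1][0]:].strip())
        parsed.append(dict(zip(names, cells)))
    return parsed


def triage(drivers: List[Dict[str, str]], baseline=BASELINE_DATES) -> Dict[str, List[str]]:
    """Modules grouped by link date, keeping only dates outside the baseline."""
    by_date: Dict[str, List[str]] = defaultdict(list)
    for d in drivers:
        by_date[d["Link Date"].split()[0]].append(d["Module Name"])
    return {date: mods for date, mods in by_date.items() if date not in baseline}


if __name__ == "__main__":
    for date, mods in sorted(triage(parse_driverquery(DRIVERQUERY)).items()):
        print(f"{date:>10}  {', '.join(mods)}")
```

`driverquery /v` adds each driver's file path to the row and `driverquery /si` reports whether each driver is signed; run the flagged module names through both and check the files' version properties before deciding that any of them belongs.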

 

by: impressivity, posted on 2005-08-26 at 08:17:15 (ID: 14761685)

Ok...here are the details from the driverquery scan...doesn't appear to show anything helpful for my cause.  I'm going to call it quits for now, unless the client reports the problem again later on.  Thanks again for all your help!  Blessings to you.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      8/26/2005 10:40 AM      80 bytes      Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Owner\Cookies\owner@nextstat[2].txt      8/26/2005 10:49 AM      205 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@windowsitpro[2].txt      8/26/2005 10:47 AM      169 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@www.tech-heaven[1].txt      8/26/2005 10:49 AM      91 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Cookies\owner@www.windowsitpro[2].txt      8/26/2005 10:47 AM      160 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\1538139181@Frame1[1]      8/26/2005 10:49 AM      481 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\1729192006@BottomLeft,Right1,Top[1]      8/26/2005 10:48 AM      7.58 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\40936[1].htm      8/26/2005 10:48 AM      96.28 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\al[2].htm      8/26/2005 10:48 AM      0 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\arrow_more_on_gray[1].gif      8/26/2005 10:48 AM      205 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\bottombg[1].gif      8/26/2005 10:49 AM      98 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\broker[1].js      8/26/2005 10:45 AM      24.12 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\buddy[1].gif      8/26/2005 10:49 AM      1000 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\CASBXZQ6.htm      8/26/2005 10:48 AM      6.53 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\ContentRating[1].css      8/26/2005 10:45 AM      965 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\dlogo[1].png      8/26/2005 10:49 AM      2.93 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\donate9[1].gif      8/26/2005 10:49 AM      1.41 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\edit[1].gif      8/26/2005 10:49 AM      914 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\empty[1].gif      8/26/2005 10:47 AM      43 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\events_a[1].gif      8/26/2005 10:47 AM      186 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\footerbg[1].gif      8/26/2005 10:49 AM      171 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\footerleftwave[1].gif      8/26/2005 10:49 AM      1.38 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\framesmenu[2].xml      8/26/2005 10:47 AM      1.91 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\func_010[1].js      8/26/2005 10:47 AM      44.05 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\home_a[1].gif      8/26/2005 10:47 AM      415 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\it_a[1].gif      8/26/2005 10:47 AM      322 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\js[1].aspx      8/26/2005 10:47 AM      3.12 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\leftbottom[1].gif      8/26/2005 10:49 AM      113 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\log_on_button[1].gif      8/26/2005 10:47 AM      263 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\logo[1].gif      8/26/2005 10:45 AM      8.36 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\mainframe[1].htm      8/26/2005 10:45 AM      1.55 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\megaphone[1].gif      8/26/2005 10:48 AM      126 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\members[1].gif      8/26/2005 10:49 AM      995 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\navspacer[1].gif      8/26/2005 10:49 AM      133 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\penton_5F6467[1].gif      8/26/2005 10:47 AM      486 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\postbitedge2[1].gif      8/26/2005 10:49 AM      236 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\Q_21539633[3].htm      8/26/2005 11:10 AM      99.74 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\rtg_print[1].gif      8/26/2005 10:45 AM      574 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\space11[1].gif      8/26/2005 10:49 AM      435 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\tocSync[1].gif      8/26/2005 10:45 AM      848 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\top[1].gif      8/26/2005 10:49 AM      460 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\vb_bullet[1].gif      8/26/2005 10:49 AM      555 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\verification_seal[1].gif      8/26/2005 10:49 AM      2.81 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\warez_monster[1].gif      8/26/2005 10:49 AM      43.06 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\winitpro_euro_link[1].gif      8/26/2005 10:47 AM      238 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0F4ENJTB\winitpro_logo_alt_top[1].gif      8/26/2005 10:47 AM      103 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\10ava[1].gif      8/26/2005 10:49 AM      4.25 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\1884499748@BottomLeft,Right1,Top[1]      8/26/2005 10:49 AM      7.44 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\2-mrs04166_niss_336x280[1].gif      8/26/2005 10:47 AM      8.29 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\40849[1].htm      8/26/2005 10:47 AM      47.00 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\al[2].htm      8/26/2005 10:47 AM      0 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\articles_a[1].gif      8/26/2005 10:47 AM      196 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\blogs_a[1].gif      8/26/2005 10:47 AM      175 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\bottomright[1].gif      8/26/2005 10:49 AM      112 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\calendar[1].gif      8/26/2005 10:49 AM      1009 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\CAOGL976.htm      8/26/2005 10:49 AM      6.40 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\catbg[1].gif      8/26/2005 10:49 AM      542 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\cclogo[1].gif      8/26/2005 10:49 AM      2.02 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\cm[4].gif      8/26/2005 11:08 AM      43 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\combo_1_left[1].jpg      8/26/2005 10:47 AM      31.47 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\combo_1_right[1].jpg      8/26/2005 10:47 AM      19.62 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\emachines[1].htm      8/26/2005 9:55 AM      12.30 KB      Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\emachines[2].htm      8/26/2005 11:08 AM      12.73 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\faq[1].gif      8/26/2005 10:49 AM      995 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\footerrightwave[1].gif      8/26/2005 10:49 AM      1.38 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\FramesMenu[1].js      8/26/2005 10:45 AM      5.83 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\header_background[1].gif      8/26/2005 10:47 AM      58 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\infosearchmedialarge[1].jpg      8/26/2005 10:49 AM      5.99 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\LH_24[1].gif      8/26/2005 10:49 AM      3.79 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\logout9[1].gif      8/26/2005 10:49 AM      1.35 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\mid_shadow[1].gif      8/26/2005 10:47 AM      149 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\pixel[1].gif      8/26/2005 10:47 AM      43 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\ratings[2].htm      8/26/2005 10:47 AM      6.97 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\reply[2].gif      8/26/2005 10:49 AM      1.11 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\rtg_rate[1].gif      8/26/2005 10:45 AM      608 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\search[3].htm      8/26/2005 10:45 AM      6.12 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\search[4].htm      8/26/2005 10:47 AM      16.91 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\sendpm[1].gif      8/26/2005 10:49 AM      991 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\SmartNav[1].js      8/26/2005 10:45 AM      9.21 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\submit[1].gif      8/26/2005 10:48 AM      441 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\symantec_wpbnr[1].gif      8/26/2005 10:48 AM      6.04 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\tf-advanced[1].jpg      8/26/2005 10:49 AM      9.98 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\tocNext[1].gif      8/26/2005 10:45 AM      865 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\top20_header_open[1].gif      8/26/2005 10:48 AM      1.06 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\topbg[1].gif      8/26/2005 10:49 AM      97 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\topleft[1].gif      8/26/2005 10:49 AM      113 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\winnetmag[1].css      8/26/2005 10:47 AM      15.71 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45IV2L4N\xml_on_white[1].gif      8/26/2005 10:48 AM      377 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\0[2].gif      8/26/2005 10:49 AM      43 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\1696900438@Frame1[1]      8/26/2005 10:47 AM      481 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\arrow_px_up[1].gif      8/26/2005 10:45 AM      53 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\bluepost_on_white[1].gif      8/26/2005 10:48 AM      515 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\button_printer[1].gif      8/26/2005 10:48 AM      93 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\CA9SW79H.htm      8/26/2005 10:49 AM      5.59 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\CACDQFSL.swf      8/26/2005 10:49 AM      21.12 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\common[1].js      8/26/2005 10:47 AM      4.35 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\donate1[1].gif      8/26/2005 10:49 AM      1.04 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\driverquery[1].htm      8/26/2005 10:45 AM      11.36 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\driverquery[2].htm      8/26/2005 10:47 AM      2.68 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\find[1].gif      8/26/2005 10:49 AM      981 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\footernavbg[1].gif      8/26/2005 10:49 AM      97 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\front[3].htm      8/26/2005 10:48 AM      6.50 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\go_gray[1].gif      8/26/2005 10:47 AM      479 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\header_art[1].gif      8/26/2005 10:47 AM      1.08 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\indexLogoPerson_03[1].gif      8/26/2005 11:08 AM      15.75 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\js[1].aspx      8/26/2005 10:47 AM      3.12 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\login[1].htm      8/26/2005 10:49 AM      12.85 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\navi_arrow[1].gif      8/26/2005 10:47 AM      56 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\next[1].gif      8/26/2005 10:49 AM      63 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\pixel[2].gif      8/26/2005 10:47 AM      43 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\Postini_Banner_Ad[1].gif      8/26/2005 10:47 AM      24.06 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\prev[1].gif      8/26/2005 10:49 AM      62 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\profile[1].gif      8/26/2005 10:49 AM      987 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\quicksearch[1].htm      8/26/2005 10:45 AM      4.82 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\quote[1].gif      8/26/2005 10:49 AM      903 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\register[1].gif      8/26/2005 10:49 AM      1009 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\Roadblock[1].jpg      8/26/2005 10:47 AM      51.98 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\RootkitRevealer[1].htm      8/26/2005 10:43 AM      21.26 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\rtg_email[1].gif      8/26/2005 10:45 AM      1010 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\search_red[1].gif      8/26/2005 10:47 AM      433 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\shop9[1].gif      8/26/2005 10:49 AM      1.34 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\showthread[1].htm      8/26/2005 10:49 AM      56.87 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\tech-careers[1].jpg      8/26/2005 10:49 AM      10.24 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\tech-forums[1].jpg      8/26/2005 10:49 AM      4.87 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\tocHide[1].gif      8/26/2005 10:45 AM      843 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\topics_a[1].gif      8/26/2005 10:47 AM      187 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\vbulletin[1].gif      8/26/2005 10:49 AM      539 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\windows_issues[1].gif      8/26/2005 10:48 AM      6.63 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\winitpro_logo_home_alt[1].gif      8/26/2005 10:47 AM      2.99 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\0stars[1].gif      8/26/2005 10:49 AM      239 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\1442995703@BottomLeft,Right1,Top[1]      8/26/2005 10:47 AM      1.34 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\archive9[1].gif      8/26/2005 10:49 AM      947 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\button_email[1].gif      8/26/2005 10:48 AM      73 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\CAFY2DFN.swf      8/26/2005 10:48 AM      21.12 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\CAGLU7QB.htm      8/26/2005 10:47 AM      6.38 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\copyright[1].gif      8/26/2005 10:49 AM      757 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\default[1].htm      8/26/2005 10:43 AM      5.08 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\diskeeper_wpbnr[1].gif      8/26/2005 10:49 AM      8.06 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\email_Windows[1].gif      8/26/2005 10:48 AM      1.01 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\forums_a[1].gif      8/26/2005 10:47 AM      192 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\front[4].htm      8/26/2005 10:47 AM      6.14 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\front[5].htm      8/26/2005 10:48 AM      249 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\go[1].gif      8/26/2005 10:49 AM      727 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\google[1].htm      8/26/2005 10:45 AM      3.74 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\hbx[1].js      8/26/2005 10:47 AM      13.40 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\header_spacer[1].gif      8/26/2005 10:47 AM      1.08 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\home1[1].gif      8/26/2005 10:49 AM      991 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\home[2].gif      8/26/2005 10:49 AM      985 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\index[1].htm      8/26/2005 10:47 AM      53.39 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\indexLogoTL_03[1].gif      8/26/2005 11:08 AM      8.33 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\infobg[1].gif      8/26/2005 10:49 AM      574 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\logging_js[1].htm      8/26/2005 10:49 AM      2.94 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\masthead[1].htm      8/26/2005 10:45 AM      4.89 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\ms_masthead_ltr[1].gif      8/26/2005 10:45 AM      947 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\mymsgs[1].png      8/26/2005 10:49 AM      282 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\navbg[1].gif      8/26/2005 10:49 AM      107 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\newthread[1].gif      8/26/2005 10:49 AM      1.11 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\orangefooterline[1].gif      8/26/2005 10:49 AM      52 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\publications_a[1].gif      8/26/2005 10:47 AM      234 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\RootkitRevealer[1].htm      8/26/2005 10:39 AM      21.26 KB      Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\rtg_save[1].gif      8/26/2005 10:45 AM      567 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\search[1].gif      8/26/2005 10:49 AM      990 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\search[4].htm      8/26/2005 10:45 AM      16.87 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\search[5].htm      8/26/2005 10:49 AM      16.85 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\showtoc[1].gif      8/26/2005 10:45 AM      368 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\SmartNav[1].htm      8/26/2005 10:45 AM      15 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\subscribe_button[1].gif      8/26/2005 10:47 AM      981 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\tocPrevious[1].gif      8/26/2005 10:45 AM      868 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\top_shadow[1].gif      8/26/2005 10:47 AM      149 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\topright[1].gif      8/26/2005 10:49 AM      114 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\wsp[1].gif      8/26/2005 10:49 AM      1.75 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\xml_lt_gray[1].gif      8/26/2005 10:47 AM      395 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Recent\driverquery.txt.lnk      8/26/2005 11:07 AM      430 bytes      Hidden from Windows API.
C:\Documents and Settings\Owner\Recent\Local Disk (C).lnk      8/26/2005 11:07 AM      293 bytes      Hidden from Windows API.
C:\driverquery.txt      8/26/2005 11:07 AM      9.61 KB      Hidden from Windows API.
C:\WINDOWS\Prefetch\DRIVERQUERY.EXE-1CDAF90F.pf      8/26/2005 11:07 AM      37.72 KB      Hidden from Windows API.
C:\WINDOWS\system32\driverquery.exe      8/26/2005 11:03 AM      57.00 KB      Hidden from Windows API.
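The discrepancies listed above are the shape RootkitRevealer reports when a file changes between its Windows-API pass and its raw-disk pass: browser cache, Prefetch and Recent entries all stamped inside the scan window. The Python below is an added example, not part of the thread and not RootkitRevealer's own code. It parses the four-column report and sorts each line into "scan-time artifact" (inside the scan window and in a directory Windows rewrites constantly) or one of two "review" buckets for a human to look at. The sample report is constructed: its first six lines are modelled on entries quoted above, the final `.sys` line is invented only to exercise the pre-existing branch. The scan window, the list of churn directories and the verdict labels are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in RootkitRevealer's four-column layout
# (path, timestamp, size, discrepancy). Lines 1-6 are modelled on entries
# quoted in the thread; the last line is invented for the example only.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9LQKD3I8\RootkitRevealer[1].htm      8/26/2005 10:43 AM      21.26 KB      Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KD2F8PQJ\RootkitRevealer[1].htm      8/26/2005 10:39 AM      21.26 KB      Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Recent\driverquery.txt.lnk      8/26/2005 11:07 AM      430 bytes      Hidden from Windows API.
C:\driverquery.txt      8/26/2005 11:07 AM      9.61 KB      Hidden from Windows API.
C:\WINDOWS\Prefetch\DRIVERQUERY.EXE-1CDAF90F.pf      8/26/2005 11:07 AM      37.72 KB      Hidden from Windows API.
C:\WINDOWS\system32\driverquery.exe      8/26/2005 11:03 AM      57.00 KB      Hidden from Windows API.
C:\WINDOWS\system32\drivers\example_hidden.sys      8/20/2005 09:00 PM      12.00 KB      Hidden from Windows API.
"""

# Assumed scan window for the sample (first and last timestamps in the report,
# padded by a few minutes); set it from the real scan's start/end in practice.
SCAN_START = datetime(2005, 8, 26, 10, 35)
SCAN_END = datetime(2005, 8, 26, 11, 10)

# Locations Windows and the browser rewrite continuously. A discrepancy here,
# timestamped inside the scan window, is almost always the file appearing or
# disappearing between the two passes rather than something hiding it.
# (Assumed list; extend it for the host being examined.)
CHURN_DIRS = (
    "\\temporary internet files\\",
    "\\prefetch\\",
    "\\recent\\",
    "\\local settings\\temp\\",
)

# Columns are tab-separated in the real report; a pasted copy often shows
# the tabs as runs of spaces, so accept either.
FIELD_SPLIT = re.compile(r"\t|\s{2,}")


def parse_report(text):
    """Yield (path, timestamp, size, discrepancy) for each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = FIELD_SPLIT.split(line)
        if len(fields) != 4:
            raise ValueError("unexpected report layout: %r" % line)
        path, stamp, size, discrepancy = fields
        yield path, datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"), size, discrepancy


def classify(path, stamp, scan_start, scan_end):
    """Map one discrepancy to a verdict; 'review' verdicts need a human."""
    during_scan = scan_start <= stamp <= scan_end
    in_churn_dir = any(d in path.lower() for d in CHURN_DIRS)
    if during_scan and in_churn_dir:
        return "scan-time artifact"
    if during_scan:
        # Created while the scan ran but outside the churn directories:
        # usually the analyst's own activity (e.g. redirected driverquery
        # output), but confirm that before dismissing it.
        return "review: created during scan"
    # Hidden from the API and older than the scan: the only class here that
    # looks like deliberate hiding rather than timing.
    return "review: pre-existing"


def triage(report_text, scan_start, scan_end):
    """Return {verdict: [path, ...]} with the review buckets listed first."""
    buckets = {
        "review: pre-existing": [],
        "review: created during scan": [],
        "scan-time artifact": [],
    }
    for path, stamp, _size, _discrepancy in parse_report(report_text):
        buckets[classify(path, stamp, scan_start, scan_end)].append(path)
    return buckets


if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_REPORT, SCAN_START, SCAN_END).items():
        print(verdict)
        for p in paths:
            print("    " + p)
```

Run it against a saved RootkitRevealer report (paste the report text in place of the sample) with the scan's real start and end times; only the two "review" buckets need attention, and anything in "review: pre-existing" should be checked from outside the running OS, since the API view is exactly what a rootkit would be filtering.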

 

by: r-k, posted on 2005-08-26 at 08:22:43, ID: 14761739

Yes, I agree. There is no Rootkit. I also scanned the driverquery results, and nothing bad there either.

I think it's safe to use the system unless the user reports any new symptoms.

You might do a quick "netstat -ab" command to make sure no network ports are open that shouldn't be.

Good luck.
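To make the `netstat -ab` check above repeatable, the Python below (an added example, not from the thread or from any tool it mentions) parses netstat's groups of socket line, component chain and `[executable]`, compares every listening socket against a baseline of ports the host is expected to expose, and flags any module in a socket's component chain that is loaded from outside `system32`. That second check targets the pattern the question describes: a DLL sitting inside a svchost instance that none of the scanners attribute to a service. The sample output, the baseline port set, the PIDs and the file name `notexpected.dll` are all constructed for the example and assert nothing about the actual machine.

```python
from collections import namedtuple

# Constructed sample in the shape "netstat -ab" prints on Windows XP SP2:
# a socket line, then the component chain (indented paths), then the owning
# executable in square brackets. Ports, PIDs and notexpected.dll are invented.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1220
  C:\WINDOWS\system32\WS2_32.dll
  C:\WINDOWS\notexpected.dll
  [svchost.exe]

  TCP    192.168.1.5:1044       10.0.0.1:80            ESTABLISHED     1580
  [iexplore.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# Assumed baseline: listeners a default XP SP2 workstation exposes.
# Replace with the known-good baseline of the host being checked.
EXPECTED_LISTENERS = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 137), ("UDP", 138), ("UDP", 445),
}
SYSTEM32 = "\\windows\\system32\\"

Socket = namedtuple("Socket", "proto local foreign state pid components exe")
Finding = namedtuple("Finding", "socket reasons")


def parse_netstat(text):
    """Group each socket line with the component paths and [exe] after it."""
    sockets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active", "Proto")):
            continue
        fields = line.split()
        if fields[0] in ("TCP", "UDP"):
            if fields[0] == "TCP":
                proto, local, foreign, state, pid = fields
            else:                       # UDP lines have no State column
                proto, local, foreign, pid = fields
                state = ""
            current = Socket(proto, local, foreign, state, int(pid), [], None)
            sockets.append(current)
        elif line.startswith("[") and line.endswith("]") and current is not None:
            current = current._replace(exe=line[1:-1])
            sockets[-1] = current
        elif current is not None:
            current.components.append(line)   # a module in the call chain
    return sockets


def port_of(addr):
    """Port number from 'host:port' (also works for '[::]:port')."""
    return int(addr.rsplit(":", 1)[1])


def review(text):
    """Attach review reasons to every socket; an empty list means 'nothing odd'."""
    findings = []
    for s in parse_netstat(text):
        reasons = []
        is_listener = s.proto == "UDP" or s.state == "LISTENING"
        if is_listener and (s.proto, port_of(s.local)) not in EXPECTED_LISTENERS:
            reasons.append("listener not in baseline")
        for comp in s.components:
            if SYSTEM32 not in comp.lower():
                reasons.append("module outside system32: " + comp)
        findings.append(Finding(s, reasons))
    return findings


def flagged(text):
    """Only the sockets that carry at least one reason."""
    return [f for f in review(text) if f.reasons]


if __name__ == "__main__":
    for f in flagged(SAMPLE_NETSTAT):
        s = f.socket
        print("%s %s pid=%d [%s]" % (s.proto, s.local, s.pid, s.exe))
        for r in f.reasons:
            print("    " + r)
```

Redirect `netstat -ab` to a file, paste its contents in place of the sample, and run the script; a listener outside the baseline whose chain includes a module outside `system32` is the combination worth pulling the file for. Note that `-b` only reports what the socket's owning process says about itself, so a result of "nothing flagged" is a sanity check, not proof.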
