Spyware, Viruses, & Security forum

General discussion

Questionable email

by 1Chris / July 31, 2010 1:14 PM PDT

I got an email in my Yahoo! account with subject: Notice of Copyright Infringement: ID... It has my full name and address, which is highly unusual. Goes on to say that AT&T forwarded it to me on behalf of NBC Universal, because my account is supposedly distributing copyrighted music and movies. I don't nor have I ever done anything remotely like this.

From the way it's worded, I can't quite tell if this is legit or not. Is this kind of thing being circulated, in other words is this spam?

It's been suggested to run Malwarebytes - which I did, full scan for 1 hr 29 min - zero (0) infected files found.

I'm not sure what to do about this.

I Would Believe That This
by tobeach / July 31, 2010 3:23 PM PDT
In reply to: Questionable email

is a scam blackmail attempt & coming from NBC is more than a little suspicious as NBC (the TV Network) wouldn't hold copyrights to anything beyond its own shows. DO NOT REPLY!!! Believe me, IF it was a legit RIAA thing their lawyers would be sending by registered messenger with personal service!!
You can thank the RIAA & film companies for enabling these scammers to be effective in their extortion games.

Safely store a copy for future reference being sure to get a header & transit info in the properties & details sections. These will help security services chase down the sender.

You MAY report this to Yahoo security & if you like to the FBI (if you're in the U.S.).

Here's a link to Google search showing numerous variations:
http://www.google.com/search?q=copyright+infringement+%2Bfake+notices+of+action&start=0&start=0&ie=utf-8&oe=utf-8&client=mozilla&rls=org.mozilla:en-US:unofficial

Likely the work of the Russian Business network or one of their sub-groups & usually they're after CCard info via payment you ok.

Hope this puts your mind at rest.
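The "header & transit info" mentioned in the post above can be read out of a saved copy of the message. The following is an added example, not part of the original thread; the sample message, its hosts and its addresses are constructed (reserved example domains and documentation IP ranges), and `transit_summary` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (NOT the email discussed in the thread).
SAMPLE_EML = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])\n"
    "\tby inbox.recipient.example with ESMTP id abc123;\n"
    "\tSat, 31 Jul 2010 12:58:02 -0700\n"
    "Received: from unknown (HELO mailer.example.net) (203.0.113.77)\n"
    "\tby mx.recipient.example with SMTP; Sat, 31 Jul 2010 12:58:01 -0700\n"
    "Authentication-Results: mx.recipient.example; spf=fail "
    "smtp.mailfrom=mailer.example.net; dkim=none\n"
    'From: "Copyright Notices" <complaints@isp.example.com>\n'
    "To: user@recipient.example\n"
    "Subject: Notice of Copyright Infringement\n"
    "Date: Sat, 31 Jul 2010 12:57:59 -0700\n"
    "\n"
    "Body omitted.\n"
)


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def transit_summary(raw_message):
    """Summarise who handed the message to whom, and what the receiver checked."""
    msg = message_from_string(raw_message)

    # Each relay prepends its own Received line, so the header order is
    # newest first. Only the lines written by your own provider are
    # trustworthy; anything below them could have been typed in by the sender.
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # undo header folding
        sender = re.search(r"\bfrom\s+(\S+)", flat)
        receiver = re.search(r"\bby\s+(\S+)", flat)
        ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", flat)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "ip": ip.group(1) if ip else None,
        })
    hops.reverse()  # oldest hop first, i.e. in transit order

    # Results the receiving provider recorded for SPF / DKIM / DMARC.
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                       msg.get("Authentication-Results", ""), flags=re.I)
    auth = {k.lower(): v.lower() for k, v in found}

    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))

    flags = []
    # A mismatch is a prompt to look closer, not proof of forgery:
    # legitimate bulk senders often use a separate bounce domain.
    if from_dom and rp_dom and from_dom != rp_dom:
        flags.append("from/return-path domain mismatch")
    flags += [f"{k}={v}" for k, v in sorted(auth.items())
              if v in ("fail", "softfail")]

    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "hops": hops,
        "auth": auth,
        "flags": flags,
    }


if __name__ == "__main__":
    summary = transit_summary(SAMPLE_EML)
    for n, hop in enumerate(summary["hops"], 1):
        print(n, hop)
    print(summary["auth"], summary["flags"])
```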

P.S. Are You Using Wireless
by tobeach / July 31, 2010 3:43 PM PDT

type connections for the internet? If so, is it strongly protected by at least WPA2 or better encryption? In other words, could someone be piggy-backing on the connection & downloading??

I think NBC does or did have ownership of Universal Studios (movies) so there IS a slight chance it's legit (if I'm right) but there have been scams of this type in the last year or two.

The complaint/notice should name SPECIFIC TITLE(S) of what you are accused of copying. IF there IS title, check IF NBC/Universal does in fact hold rights to the title. Often crooks forget about that little detail!! Good luck!

I would just delete it and forget about it. . If it
by roddy32 / July 31, 2010 10:45 PM PDT
In reply to: Questionable email

were true you would have cops at your door instead of an e-mail.

This was sent to all my sub accounts also
by 1Chris / August 1, 2010 11:39 AM PDT
In reply to: Questionable email

I just noticed this was sent to all my sub accounts also, apparently from complaintresponse@abuse-att.net. It mentions that Infringing Filename: Sin Nombre [SPANISH] Xvid + (ENG SUB).
I've never watched much less distributed a Spanish movie with English subtitles.
Malwarebytes came up with nothing - zero. But Superantispyware came up with 118.
I dunno.

The Sin Nombre Is Spanish For
by tobeach / August 1, 2010 3:01 PM PDT

without name (no name).

The SAS result may be interesting. Likely most are tracking cookies BUT there could be some nasties hiding in there.
Open SAS Main page, click preferences> the logs and please copy & paste the last log entry (w/118) for us to peruse.
Have you told SAS to fix all found yet? Did it say successfully completed or say some could not be removed? I'll check back tomorrow night for reply. Thanks!!

SAS log
by 1Chris / August 1, 2010 3:29 PM PDT

Si, yo puedo leer un poco

Far as I can tell, all look like tracking cookies, but a few more eyes could help.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/01/2010 at 05:43 PM

Application Version : 4.33.1000

Core Rules Database Version : 5299
Trace Rules Database Version: 3111

Scan type : Complete Scan
Total Scan Time : 00:45:27

Memory items scanned : 768
Memory threats detected : 0
Registry items scanned : 8732
Registry threats detected : 0
File items scanned : 38195
File threats detected : 118

Adware.Tracking Cookie

Adware.Flash Tracking Cookie
C:\Users\Chris\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FYLPKJMX\MEDIA.KING5.COM
C:\Users\Chris\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FYLPKJMX\MEDIA.MTVNSERVICES.COM
C:\Users\Chris\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FYLPKJMX\MSNBCMEDIA.MSN.COM
C:\Users\Chris\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FYLPKJMX\SECURE-US.IMRWORLDWIDE.COM
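A triage pass over a scan log in the format pasted above, separating tracking-cookie hits from registry and program-file hits that point to installed software. This is an added example, not part of the original thread and not SUPERAntiSpyware's own tooling; the sample log, the category `Adware.ExampleToolbar`, its all-zero CLSID and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log above (not a real scan result).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Generated 01/01/2010 at 10:00 AM

Memory threats detected : 0
Registry threats detected : 3
File threats detected : 4

Adware.Tracking Cookie
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\user@tracker-one[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\user@tracker-two[2].txt

Adware.Flash Tracking Cookie
C:\Users\User\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ABCDEFGH\MEDIA.EXAMPLE.COM

Adware.ExampleToolbar (Low Risk)
HKCR\CLSID\{00000000-0000-0000-0000-000000000000}
HKCR\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{00000000-0000-0000-0000-000000000000}
C:\PROGRAM FILES\EXAMPLETOOLBAR\BIN\HOST.DLL
"""

STAT = re.compile(r"^(\w+) threats detected\s*:\s*(\d+)$")
ITEM = re.compile(r"^(?:HK[A-Z]+\\|[A-Za-z]:\\)")  # registry key or drive path


def classify(item):
    """Label one detected item as 'registry', 'cookie' or 'file'."""
    upper = item.upper()
    if upper.startswith("HK"):
        return "registry"
    if "\\COOKIES\\" in upper or "#SHAREDOBJECTS" in upper:
        return "cookie"
    return "file"


def triage(log_text):
    """Group detections by category and flag the ones that are not just cookies."""
    reported, categories = {}, {}
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        for ln in lines:
            m = STAT.match(ln)
            if m:  # e.g. "File threats detected : 4"
                reported[m.group(1).lower()] = int(m.group(2))
        # A detection block is a category name followed only by item lines.
        if (len(lines) >= 2 and not ITEM.match(lines[0])
                and all(ITEM.match(ln) for ln in lines[1:])):
            counts = categories.setdefault(lines[0], Counter())
            counts.update(classify(ln) for ln in lines[1:])

    registry_total = sum(c["registry"] for c in categories.values())
    # Cookie files are counted by the scanner under "File threats detected".
    file_total = sum(c["cookie"] + c["file"] for c in categories.values())
    return {
        "reported": reported,
        "categories": {name: dict(c) for name, c in categories.items()},
        # Registry keys or program files mean something was installed.
        "needs_review": [n for n, c in categories.items()
                         if c["registry"] or c["file"]],
        # False suggests the pasted log is truncated or edited.
        "counts_match": (reported.get("registry") == registry_total
                         and reported.get("file") == file_total),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, counts in result["categories"].items():
        print(f"{name}: {counts}")
    print("needs review:", result["needs_review"])
    print("counts match header:", result["counts_match"])
```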

You're Right, Awful Lot
by tobeach / August 1, 2010 4:20 PM PDT
In reply to: SAS log

of cookies, way over the top to my eyes! Good clean out can only help!
Let SAS fix/remove.

My XP PRO Has under 10 because I use Mozilla to browse & the cookie mgr allows me to set ALL but the most important few to "session only" clearing them after leaving net.
WARNING: Some cookies LIE claiming session but remain even after CCleaner SLIM run. When I find these they go to the block list "may NOT set cookies".

Free CCleaner (get SLIM version at bottom of page):
http://www.piriform.com/ccleaner/builds

ALSO, IF using Mozilla, you can get Free add-on called "NoScript" for Firefox which will prevent running of java scripts automatically until you give individual permission as needed.
A good first line of defense when browsing.

COOKIES: The ONE that caught my eye in particular was:

"C:\Users\Chris\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\FYLPKJMX\>>>MS NBC MEDIA<<<.MSN.COM !!!

By going to the Macromedia site you can remove existing cookies & adjust/set parameters to limit or *prevent* placement of stored cookies in Flash player!! Suggest this is a GOOD idea!! To do so visit:

For Flash Settings Mgr ONLINE:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

Good Luck!! Sandy

SAS log on my son's computer
by 1Chris / August 2, 2010 11:33 AM PDT

Thanks Sandy,

I ran SAS on my son's machine, if anyone wants to take a gander and decipher any of this.
It's been a nightmare trying to contact AT&T. I got referred on the phone to 3 different depts. today. I sent an email last week and a rep got back to me today - with almost the same wording as the first - no help whatsoever. Sorry, I'm kinda freaked out now.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/01/2010 at 11:10 PM

Application Version : 4.26.1000

Core Rules Database Version : 5299
Trace Rules Database Version: 3111

Scan type : Complete Scan
Total Scan Time : 01:02:42

Memory items scanned : 462
Memory threats detected : 0
Registry items scanned : 4022
Registry threats detected : 281
File items scanned : 13093
File threats detected : 6

Adware.HotBar/SpamBlockerUtility (Low Risk)

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@media.licenseacquisition[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hotbar[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.licenseacquisition[1].txt

Adware.Zango/ShoppingReport
HKCR\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid32
HKCR\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib
HKCR\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib#Version
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubClsid
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubClsid32
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib#Version
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib#Version
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\ProxyStubClsid
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\ProxyStubClsid32
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\TypeLib
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\TypeLib#Version
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\ProxyStubClsid
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\ProxyStubClsid32
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\TypeLib
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\TypeLib#Version
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubClsid
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubClsid32
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib#Version
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib#Version

Trace.Known Threat Sources
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4T978UYH\content.licenseacquisition[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SGOIXG57\yikers_tyra_proves_theyre_real[1].wmv

well There's Good News & Bad...
by tobeach / August 2, 2010 4:49 PM PDT

The good news is that all the listed sources are located in "Temporary Internet Files\Content.IE5...", so even a CCleaner run should remove those, but since SAS is there already let it Fix all found.

Advice is pretty much the same as previous. Specific to this machine report:

"Hotbar" anything can only be trouble & has caused problems in various variations as long as I can recall.

Yours seems to be in conjunction w/ Outlook/Outlook Express/Mail.
Possible SAS may not remove and you may have to un-install via Control Panel > Add/Delete programs as Spam Blocker. Dump ALL HOTBAR items.
Note some Hotbar are plug-ins/add-ons to Internet Explorer; be sure those are gone to prevent re-infection.
A safer bet would be the "Mailwasher" Program.

Given the amount of registry items, after SAS does its bit, I would get Free Malwarebytes MBAM.exe from: http://www.malwarebytes.org/
Download, update & run & let fix all found during a FULL scan. No one program will get everything. Both SAS & MBAM update daily.
IF either reports a "rootkit" found, let us know in next post.
P.S. Whose Anti-Virus are in use on BOTH machines (curious)?

Once BOTH are reporting all clean, I would run a System File Check (SFC) to fix any possibly corrupted system files. You don't mention OS's so below direction is for XP machines. If Vista or Win7 see this:
http://support.microsoft.com/kb/929833

All require log on as user w/admin rights or as admin in Vista/W7.

How to SFC (in XP)

Left click on My Computer(open)
Right click on "C" or your OS drive if another letter.
Left click Properties and then click Tools Tab.
Left click on "Error Checking"> Check Now.
Left click to enter check mark in UPPER of 2 boxes offered (Auto Fix SF).

(If you want to check disk & try repair of bad blocks on HD check BOTH boxes)(will take much longer maybe 2 hours depending on system size).

Left click on "Start".
Computer will have to reboot to begin repairs. OK pop-up. Manually reboot.
Just leave alone (you're locked out anyway) 'til process finished.
*************
At SOME point when all is clean & working WELL, you'll want to dump restore points so no attempted re-install/reinstatement of previous problems can show up by error.

I'm rather concerned that so many items are in ADMIN account! Often these are in a "user" account. This may be a result of browsing while logged in as "Administrator" allowing anything to be downloaded & installed.

General suggestion is to surf as "User w/ reduced privileges" to prevent drive by assaults etc. IF sure he wants to download & install, better to bookmark/Favorites and then return w/Admin priv. to that site only for the purpose. ALWAYS right click scan ANY download w/ A/V &/or A/S programs BEFORE opening it!

I admit I'm guilty of this myself..but I'm a paranoid surfer NOT using IE to surf & with alt protections in place.

Please post back with successes or any problems that arise for further help by myself or others as needs be. Thanks! G' Luck! Sandy Happy
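The three things the post above reads off the scan log (file traces confined to the browser cache, the volume of registry items, and findings under the Administrator profile) can be pulled out of a SUPERAntiSpyware text log mechanically. This is an added example, not part of the original post; the sample log is constructed, its GUIDs are placeholders, and the heading-then-items layout is assumed from the log quoted in this thread.

```python
import re

# Constructed sample in the layout of the SUPERAntiSpyware log quoted in this
# thread. The GUIDs are placeholders; the two file paths are the ones shown above.
SAMPLE_LOG = r"""
Adware.HotBar/SpamBlockerUtility (Low Risk)
HKCR\Interface\{00000000-0000-0000-0000-000000000001}
HKCR\Interface\{00000000-0000-0000-0000-000000000001}\ProxyStubClsid32
HKCR\Interface\{00000000-0000-0000-0000-000000000001}\TypeLib#Version
HKCR\Interface\{00000000-0000-0000-0000-000000000002}
HKCR\Interface\{00000000-0000-0000-0000-000000000002}\TypeLib

Trace.Known Threat Sources
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4T978UYH\content.licenseacquisition[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SGOIXG57\yikers_tyra_proves_theyre_real[1].wmv
"""

REG_PREFIXES = ("HKCR\\", "HKLM\\", "HKCU\\", "HKU\\")
CACHE_MARKER = "\\temporary internet files\\"
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\", re.I)
GUID_KEY_RE = re.compile(r"^(.*?\\\{[0-9A-Fa-f-]{36}\})")


def kind(line):
    """Classify a log line; None means it is a section heading, not an item."""
    if line.startswith(REG_PREFIXES):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", line):
        return "cache_file" if CACHE_MARKER in line.lower() else "file"
    return None


def parse_sas_log(text):
    """Return {heading: [items]} in the order the headings appear."""
    findings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if kind(line) is None:
            current = findings.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return findings


def registry_roots(items):
    """Collapse subkeys and #values onto the GUID-level key they hang off."""
    roots = []
    for item in items:
        m = GUID_KEY_RE.match(item)
        root = m.group(1) if m else item.split("#")[0]
        if root not in roots:
            roots.append(root)
    return roots


def summarize(findings):
    """Per heading: item counts, distinct registry roots, affected profiles."""
    report = {}
    for heading, items in findings.items():
        reg = [i for i in items if kind(i) == "registry"]
        files = [i for i in items if kind(i) != "registry"]
        report[heading] = {
            "registry_items": len(reg),
            "registry_roots": len(registry_roots(reg)),
            "cache_files": sum(kind(f) == "cache_file" for f in files),
            "other_files": sum(kind(f) == "file" for f in files),
            "profiles": sorted({m.group(1) for m in map(PROFILE_RE.match, files) if m}),
        }
    return report


if __name__ == "__main__":
    for heading, row in summarize(parse_sas_log(SAMPLE_LOG)).items():
        print(heading, row)
```

A heading whose file items are all `cache_files` is one that clearing the browser cache removes; anything counted under `other_files` or `registry_items` needs the scanner's own removal.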

I don't understand much of this yet
by 1Chris / August 3, 2010 5:39 AM PDT

This is getting very tiring. Anyway...

What is hotbar? I don't see it anywhere. A search for *hotbar turns up nothing.
Sorry, thought I mentioned my son's computer is an old Windows 2000 Dell. I'm running Avast on this (my Vista machine) and PC Tools has been on this Dell. I tried many times for days to get an update for this and less than halfway through it says, "error downloading one or more files". I downloaded Avast, and when I ran the exe file, something comes up written in what looks like Greek, Russian or Bulgarian. So I uninstalled PC Tools and downloaded it again. Same weird characters come up on PC Tools interface. Now I notice when I mouse over the systray clock - the date is in this strange format too.
I'll try to address these other issues when I can understand them and have some time.

Re: Your Sons Computer (W2000)
by tobeach / August 3, 2010 4:03 PM PDT

After Checking Home Sites for Avast! & PC Tools, I believe the basic problem may be that neither PC Tools Int. Security Nor their Spyware Doctor w/ A/V support Straight Win 2000 or even w/ Sp4. Logical that an install would mess up lots of things.

From the Avast! Site:
"The supported operating systems for avast! Free Antivirus 5.0 and avast! Pro Antivirus 5.0 are Microsoft Windows 2000 Professional Service Pack 4, Microsoft Windows XP Service Pack 2 or higher (any Edition, 32-bit or 64-bit), Microsoft Windows Vista..."

http://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=455#idt_01

From Avast Forums:

"Plain Win2000 SP4 is not enough. You need install additionally Rollup1. With Rollup1 installed you probably should repeat avast5 installation."

Personally, I have run into the same problem since mid-2010 with NONE of the well known FREE A/Vs supporting my old XP SP1 all are SP2 & up only!

The ONLY one I could find & I have been using for about 1/2 year is Free version of Rising A/V 2010 with "cloud" protection (I have NOT checked the box for the cloud myself as I'm not sure about the whole idea). The rest is quite extensive & has VB100 pass rating for 2010 version. Not well known here but big in Asia & Australia.
http://www.freerav.com/
http://support.rising-global.com/index.php? (for future reference)


Some paid like Norton claim Win2000 support but I don't know how high
Service Packs are needed.

The "Hotbar" was found on your sons computer as Spam Blocker by SAS:
"Adware.HotBar/SpamBlockerUtility (Low Risk)" (I rate as not in my trusted group ever!). Same for "Adware.Zango/ShoppingReport" found!
Have you had SAS fix what it found? (Before trying to install/update PCT/Avast?)

At this point, perhaps your BEST bet on this machine (W2000) is to system restore back to before PCT/Avast screw up w/ weird language.

NOTE:Check in Control Panel> Regional & Language options Icon to reset
to English/US English & correct time zone IF they're altered still.

Run SAS & Fix all found. Reboot & Run SAS once more and if 2nd scan shows NO problems in report, DISCONNECT from Net, Un-install PC Tools & reboot & Run SFC in that order.

Then on YOUR computer (because son's will have NO Protection) visit RAV Free link, if you like what you see, download & save their free A/V install .exe (65.7 MB) on to a CD/DVD or Flash thumb drive & then transfer to son's machine and install. Then make net available for updating it.

At same time (if you haven't yet), also download & save MBAM.exe to same CD/Flash drive to have available for final check.
http://www.malwarebytes.org/


Hopefully his machine should now be usable?? Let us know. Thanks! S

How's YOUR machine doing??
Did SAS report all fixed?? If Not post the latest log to see what's left to do. Also a scan w/ MBAM.exe can only help.

Although Very Hard to find about now, patience & a nerve settler are a virtue!! :^O Keep up the good work as heaven is closer than you think (hopefully)!! Grin
Good Luck! Cool Sandy

Ran some online scanners
by 1Chris / August 4, 2010 12:12 PM PDT

Thanks Sandy,

I did an online scan with Trend Micro Housecall which found sai1C2.exe. It said it was spyware and the threat was ADW ZWANG3. It 'fixed' it, whatever that means.

I've been running another online scan with Panda Active Scan 2; after 9 hours it found 2 infected files and 88 'vulnerabilities'. Then it wanted me to buy it!
I took what it found and uploaded them to virustotal, but I really can't make heads or tails of the report.
I uploaded a screenshot of those Greek looking characters to a couple other forums. Is it possible to do that here?

I'll check out your suggestions.

Program removal
by 1Chris / August 4, 2010 12:17 PM PDT

There was a program on that machine when I got it that a good friend with a special router called xiao bang shou. Some references to some of the files associated with it are listed in the Panda and virustotal results. I'm trying to figure out how to uninstall this thing. It's got a few folders with many files. It's not listed in add/remove programs in ctl panel. I wonder if I can just delete them.

It Needs To Be Removed.
by Carol~ Moderator / August 4, 2010 1:12 PM PDT
In reply to: Program removal

Chris..

I saw your screenshot. The software used by the previous owner, to send prerecorded messages through a special router needs to be removed! It may be the cause of some of your problems. Before trying to delete the files manually, try using the (free) Revo Uninstaller utility. If you don't see the program listed in the main window, check to see if it's there in "Advanced mode". Advance / Hunter mode will allow you to see more programs. Hopefully, you'll see it there.

If there's anything left of, PC Tool's Spyware Doctor, I would remove that too. I would strongly suggest installing CCleaner. Download the "Slim Version", which comes without the (unnecessary) toolbar. It's the last build on the list.

Have you let SUPERAntiSpyware and Malwarebytes' Anti-Malware remove whatever it found? If not, please do.

And lastly. Call 1-866-618-7991 to find out what the email was about. Listen to the recorded message. From there.. I would not do anything. As Roddy noted, I'm sure they will make a point of getting in touch with you, if they need to.

Let us know how you make out..
Carol

An Added Note Regarding The AT&T Email..
by Carol~ Moderator / August 4, 2010 1:38 PM PDT

Chris..

I suggested you call the number, I included in my last post. The recorded message is going to tell you to get in touch with the company referenced in AT&T's email. In your case NBC Universal. I presume their email was similar to this. Or this.

As long as you aren't using "copyrighted content that might be occurring via file sharing software, services or networks", you have nothing to worry about. However, I would still suggest you follow the steps they offer, to prevent any need for further communication in the future.

Best of luck..
Carol

Doesn't show up in revouninstaller
by 1Chris / August 4, 2010 1:48 PM PDT

I clicked on Hunter mode - and revouninstaller disappeared.

Did You Click on Advanced?
by Carol~ Moderator / August 4, 2010 2:44 PM PDT
In reply to: Program removal

Chris..

Did you get as far as clicking on Advanced? Where you were given the opportunity to look for it? Or are you saying it disappeared before that point? If Revo didn't find it, please try CCleaner before trying to delete it manually.

And as I asked before, did you have SAS and MBAM clean whatever it found?

I mean NO disrespect, but are you sure you know what your son is downloading? Look at the last entry in his SAS log. I'm not sure it means very much, but it might.

In the meantime, please let us know if SAS and MBAM report you clean.

Carol

Yep
by 1Chris / August 4, 2010 3:12 PM PDT

I don't see an 'advanced' option, but Hunter mode is supposed to remove the window and put a target on the desktop. I tried dragging and dropping, turning it into the burning fire thing and bringing all the zip and exe files from that program with no results. It says no installation files found.

Is there any other way to uninstall this or shall I just delete the files and folders. Btw, when I put the names of the files, folders etc. in the Search box in revouninstall it didn't find anything - when I was looking at them in another window.

I did let SAS and MBM clean what they found.

What is the phone # you listed to?

Re: Yep
by Carol~ Moderator / August 4, 2010 3:57 PM PDT

The number for AT&T, which I included in this post is 1-866-618-7991. As I noted, you will get a recording telling you to get in touch with the company referenced in the email. In your case NBC Universal. If you follow the steps in the email, it should prevent you from having to do anything further.

I realized something after I suggested Revo. If you're using your son's 2000, I don't think you'll be able to make use of it. Or at least, according to their system requirements. If you were able to install it, and you couldn't find it in Advanced mode, then Revo wasn't able to find the files. Have a look at this guide, and also this.

I was in the middle of creating a post, when I saw yours. I was going to tell you, I thought the best alternative might be to make use of the forum, you already posted at. They analyze HijackThis logs. Additionally, they make use of specialized tools, which we generally don't utilize here. Tools which are capable of looking deep into your system.

With that said, if all your scans are now coming up clean, and you're not having any problems otherwise, there may not be a need for it. At the very least, continue with the help you're receiving at the malware removal forum. It's your choice to make.

Carol

Email turns out to be legit
by 1Chris / August 6, 2010 5:15 AM PDT
In reply to: Questionable email

Been playing phone tag with AT&T network security.

Anyway, to continue this long drawn out thread...revouninstall did get rid of quite a few temp files, etc.
About the hotbar issue...I found one dll file with that name. how can I deal with others that may be on the computer.

This may be related...I dunno. Now when my son tries to play videos on that machine - which he's been doing for over a year with no probs, youtube says that he's gotta download and install flashplayer - which he's done three times. youtube keeps coming back with 'you gotta download flashplayer'.

btw, can I delete some of my irrelevant posts on this thread to make it less unwieldy?

Hotbar, Adobe, Etc.
by Carol~ Moderator / August 6, 2010 9:18 AM PDT

Chris..

'About the hotbar issue...I found one dll file with that name. how can I deal with others that may be on the computer.'

In case you weren't aware of it, Spam Utility Blocker, is what SUPERAntiSpyware flagged as "Hotbar". You stated SAS (and MBAM) reported you clean. There shouldn't be any Hotbar files left, at this point. If there are any leftover Spam Utility Blocker files, and you wish to search for them, some are listed here.

Please be careful where you download Flash Player from. I always go directly to Adobe. The current version is 10,1,53,64.

To test which version you have:
http://www.adobe.com/software/flash/about/

Have your son (or you, if that's the case) use the Flash Player Uninstaller to remove whichever version is on the machine.
http://kb2.adobe.com/cps/141/tn_14157.html

Download the (manual) installer to your desktop and run it from there.

- The direct download for Internet Explorer:
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe

- The direct download for Firefox, Opera, etc:
http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

Chris, I would gladly delete whichever posts you feel to be irrelevant. Unfortunately, if one post is removed, all those below it will automatically be removed. That won't leave very much. Sad If it makes you feel any better, I don't think any of your posts were "irrelevant".

Best of luck..
Carol

Still can't install security software yet
by 1Chris / August 6, 2010 11:48 AM PDT
In reply to: Hotbar, Adobe, Etc.

Thanks Carol Happy

I was surprised that revouninstaller came up with all these 'junk files' that I thought Ccleaner would have taken care of.

I checked all regional settings - all set to US English, but I sometimes get this Greek looking stuff.

Still can't get any security software on here. There was previously F-secure on there but I uninstalled it. There's still an F-secure "Automatic update agent" that shows up in the systray - even after I 'removed' it in revouninstaller - twice. Could that be causing any problems?

Looks As Though You Have Bits & Pieces of 3 A/V's
by Carol~ Moderator / August 6, 2010 3:49 PM PDT

Chris..

I was trying to simplify things, when I first answered your post. It seems to be getting more complicated, as we go along. I really don't know what to suggest at this point.

In your post at the malware removal forum, you included a screenshot of PC Tool's "Spyware Doctor and AntiVirus", which looks to be a Greek (or Russian) version.

You stated when you tried to run Avast's setup, it too had "strange characters". You felt it was Greek or Russian. Now you're saying F-Secure was previously installed. If the Automatic Update Agent (FSAUA) is in the system tray, then parts of it are still installed. The update agent (fsaua.exe) might (or might not) be running. If it is, it needs to be disabled.

I presume you know, ONLY one A/V is recommended. It could be causing part of the problem.

I don't know where you got the computer from. Or why it had "xiao bang shou" installed to 'send prerecorded messages through a special router'. What I DO know is, this is all above my head. And beyond my understanding. Sad

The language difference may be as simple as a setting change. Or as complex as wiping the system clean. I don't know enough to tell what needs to be done.

If you don't get additional help here, I can only recommend you continue at the malware removal forum. It may wind up not being a malware problem. But if they look at the logs, they may be able to see where the files are, which need removing.

I wish I could be of more help, but I don't know what else to tell you.

Carol
