BasicScanner This scanner scans bytes from harddisk Securitytool for finding files with certain byte contents Written by RJHM van den Bergh All rights reserved june 2008 Distribution allowed in unchanged form Please visit my site http://www.comweb.nl for updates Suggestion are welcome sales@comweb.nl Error (D:\.\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (The process cannot access the file because it is being used by another process)) on D:\.\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Error (D:\.\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (The process cannot access the file because it is being used by another process)) on D:\.\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Error (D:\.\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\840 (The process cannot access the file because it is being used by another process)) on D:\.\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\840 Error (D:\.\Documents and Settings\Administrator\ntuser.dat.LOG (The process cannot access the file because it is being used by another process)) on D:\.\Documents and Settings\Administrator\ntuser.dat.LOG Error (D:\.\WINNT\system32\config\DEFAULT.LOG (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\system32\config\DEFAULT.LOG Error (D:\.\WINNT\system32\config\SAM (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\system32\config\SAM Error (D:\.\WINNT\system32\config\SAM.LOG (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\system32\config\SAM.LOG Error (D:\.\WINNT\system32\config\SECURITY (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\system32\config\SECURITY Error (D:\.\WINNT\system32\config\SECURITY.LOG (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\system32\config\SECURITY.LOG Error (D:\.\WINNT\system32\config\SOFTWARE.LOG (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\system32\config\SOFTWARE.LOG MATCH D:\.\WINNT\system32\WinNt32.dll Error (D:\.\WINNT\Temp\ZLT074f3.TMP (The process cannot access the file because it is being used by another process)) on D:\.\WINNT\Temp\ZLT074f3.TMP --------------------- Conclusie: File D:\.\WINNT\system32\WinNt32.dll is 10240 bytes Max file Size was set at 30000 bytes There is searched for three bytes in sequence. The values are 208,66,195 when signbit is set at value +128 When signbit is set at -128 then values are -48,66,-61 Hexadecimal this is D042C3 (IP address we where looking for was 208.66.195.) Number of guesses possible in the file is 10240-3+1=10238 Change that all guesses are wrong (3 byte sequence) = (256^3-1)/(256^3) Change that all quesses go wrong ( (256^3-1)/(256^3) )^10238 Change that the one of the guesses is correct = 1-( (256^3-1)/(256^3) )^10238 That is about 0,061% very small change that this is a coinsident.