win32.agent.pz will not go away!!!! Help!



PeteMI
2007-11-11, 23:53
Spybot has identified win32.agent.pz but can't get rid of it.



Here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:38 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = God is watching you!! What are you watching?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA6886] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6864] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5784] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4895] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189260770296
O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader45.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = csxt.csx.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = csxt.csx.com
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 9610 bytes


I have to put the KOS log on a separate post.

PeteMI
2007-11-12, 00:00
And the KOS Log:

KASPERSKY ONLINE SCANNER REPORT
Sunday, November 11, 2007 5:38:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/11/2007
Kaspersky Anti-Virus database records: 456397


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 144413
Number of viruses found 12
Number of infected objects 125
Number of suspicious objects 0
Duration of the scan process 01:56:19

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/ipv6monl.dll Infected: Trojan-Spy.Win32.BZub.bs skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: infected - 1 skipped

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\37\3e36ace5-2788f73e/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\37\3e36ace5-2788f73e/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\37\3e36ace5-2788f73e ZIP: infected - 2 skipped

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\7713e8e7-478576e8/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\7713e8e7-478576e8/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\7713e8e7-478576e8 ZIP: infected - 2 skipped

C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\HP_Owner\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\HP_Owner\~tmp0374.exe Infected: Trojan-Spy.Win32.Goldun.lw skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Data\master.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Data\mastlog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Data\model.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Data\modellog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Data\tempdb.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\Data\templog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME\LOG\ERRORLOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Have to split this again!!!!!

PeteMI
2007-11-12, 00:01
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP668\A0069540.exe Infected: Trojan-Spy.Win32.Zbot.r skipped

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP673\A0070751.exe Infected: Trojan-Spy.Win32.Zbot.r skipped

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP680\A0072084.exe Infected: Trojan-PSW.Win32.Zbot.z skipped

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP691\A0072395.exe Infected: Trojan-Spy.Win32.Zbot.bk skipped

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP711\change.log Object is locked skipped

C:\U.exe Infected: Trojan-PSW.Win32.Zbot.z skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\file.exe Infected: Trojan-Spy.Win32.BZub.hj skipped

C:\WINDOWS\installer2.9.55.exe Infected: Trojan-Spy.Win32.BZub.hj skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{0E30364E-0973-40BC-87A7-DF2F7D0728CD}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\hook.dll Infected: Trojan-Spy.Win32.Agent.ol skipped

C:\WINDOWS\system32\ip6mony.dll Infected: Trojan-Spy.Win32.BZub.dv skipped

C:\WINDOWS\system32\ip6monz.dll Infected: Trojan-Spy.Win32.BZub.hj skipped

C:\WINDOWS\system32\ipv6monk.dll Infected: Trojan-Spy.Win32.BZub.bs skipped

C:\WINDOWS\system32\msn.exe Infected: Trojan-Spy.Win32.BZub.dh skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\1.tmp Infected: Trojan-Spy.Win32.Zbot.bk skipped

C:\WINDOWS\Temp\18B.tmp Infected: Trojan-PSW.Win32.Zbot.z skipped

C:\WINDOWS\Temp\2.tmp Infected: Trojan-Spy.Win32.Zbot.bg skipped

C:\WINDOWS\Temp\Perflib_Perfdata_5b0.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\I386\Apps\APP22387\src\HPSummer2005.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped

D:\I386\Apps\APP22387\src\HPSummer2005.exe WiseSFX: infected - 1 skipped

D:\I386\Apps\APP22387\src\HPSummer2005.exe WiseSFX Dropper: infected - 1 skipped

Scan process completed.



If you need anything else let me know. Thanks, PeteMI

pskelley
2007-11-12, 15:39
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am sorry to be the bearer of bad news, but you have a very bad trojan here: C:\WINDOWS\system32\ntos.
Here is some information:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-040208-5335-99&tabid=2

It reads PStore to steal saved passwords on the compromised computer. I would review all of the Symantec information.

http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.Small.lu&threatid=70959

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks

PeteMI
2007-11-13, 04:52
Reformatting is probably the easiest course for me but one question; my computer didn't come with disks. All the restore software is loaded on the D: drive. (I think it is just a partition of the C: drive.) Do these trojans infect that too? Also, will photos stored on the computer be infected? Thanks, PeteMI

pskelley
2007-11-13, 13:23
"my computer didn't come with disks."
Who did you purchase that from? What would they do if your hard drive went?
This information should answer most questions.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Thanks

http://www.malwarecomplaints.info/

PeteMI
2007-11-13, 21:30
I bought the computer from Staples. I guess it's supposed to be convenient to not have to use disks to reload your software...until something like this happens! Oh well, a couple of the links you gave indicated that if the restore software is in a hard drive partition (like mine), that the methods given wouldn't work so I'll hunt around the web to see if reformatting is even an option, seeing that the trojan may have infected that part too. Thanks for your help though, at least now I know what I am dealing with and have secured my passwords!

pskelley
2007-11-13, 21:48
Thanks for that feedback, I bought a Compaq at Office Depot years ago, but at least it came with a restore disk. I restored it a year or so ago and it is like a new computer. I rarely take it out of the garage anymore, just a quick spin around the net on an occasional sunny Sunday. Good luck finding what you need, here is information that might help you avoid this situation.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.