spykat
2009-10-25, 03:36
Dear Forum,
It appears that I have been invaded by multiple trojans, droppers, etc.
I first noticed something was wrong when I booted up, and just as the Windows screen was coming on, it would reboot..over and over.
I got out my Windows 2000 (yeah, I know) install CD and used the "Rescue" console. This allowed me to at least boot up completely.
Soon, however, my Avast antivirus popped up with a virus warning.
Ran Avast in Safe Mode -- quarantined suspect files then rebooted.
Still infected.
In succession, in Safe Mode, ran: Spybot S&D, Malwarebytes Anti-malware, a-squared Free, and SuperAntiSpyware. While MANY malware items were discovered and deleted/quarantined, they seemed to come back upon the next boot-up.
Other observances:
* Avast notified me of a possible infection of SVCHOST.exe. I was afraid to delete or quarantine it, however.
I have three occurrences of this file on my system:
C:\WINNT: 1,141 KB, altered 10/22/2009 11:39 AM
C:\WINNT\system32: 7 KB, altered 12/07/1999 5:00 AM
C:\WINNT\system32\dllcache: 27 KB, altered 12/07/1999 5:00 AM
The first, larger, recently altered one gives me some concern.
* 9129837.exe in Task Manager; can't be killed.
* Upon running CCleaner: there are usually entries in the C:\WINNT\TEMP directory that either can't be removed, or replicate themselves instantly. While not always the same files, here are the latest two:
C:\WINNT\TEMP\mta13187.dll
C:\WINNT\TEMP\nea3F.tmp
I have also seen a.tmp, b.tmp, etc. in this location.
* Attempting to open some programs will bring up a "Windows Installer" window. Presumably, these programs, having been on my computer for some time, are already fully installed. Not sure if this is malware related, or another problem (ugh).
* Some internet sites "Can Not be found" -- specifically antivirus sites, and even the "Windows Update" site. Being blocked by some nasty trojan perhaps?
OK, now for some data.
Here is my HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:03 PM, on 10/24/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\GhostWall\ghostwall.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\TEMP\VRT16.tmp
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\WINNT\svchust.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\lsm32.sys
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\drivers\smss.exe
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\RICK\Application Data\Mozilla\Profiles\default\tq59upyp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\Msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Use webcow on this Page - C:\Program Files\WebCow\wcie.iemenu.htm
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Use webcow on this &Selection - C:\Program Files\WebCow\wcie.iemenu2.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: www.bayareascene.net
O15 - Trusted Zone: http://www.bayareascene.net
O15 - Trusted Zone: *.calhawaiianhoa.org
O15 - Trusted Zone: *.disqus.com
O15 - Trusted Zone: googleads.g.doubleclick.net
O15 - Trusted Zone: www.fremontasbaseball.com
O15 - Trusted Zone: www.goodwillsv.org
O15 - Trusted Zone: www.hotornot.com
O15 - Trusted Zone: www.lincolnavenuewillowglen.com
O15 - Trusted Zone: *.linkshare.com
O15 - Trusted Zone: *.linksynergy.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.rickshrum.com
O15 - Trusted Zone: *.sanjosecellphones.com
O15 - Trusted Zone: www.staples.com
O15 - Trusted Zone: *.viator.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmod11 - C:\WINNT\SYSTEM32\pmod11.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Express Accounts (ExpressAccountsService) - Unknown owner - C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe (file missing)
O23 - Service: Express Invoice (ExpressInvoiceService) - NCH Software - C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINNT\system32\hidserv.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINNT\svchust.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINNT\System32\TuneUpDefragService.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)
--
End of file - 8929 bytes
---
Here is my Spybot S&D Log:
--- Search result list ---
Smitfraud-C.gp: [SBI $8E7F06B8] Executable (File, fixed)
C:\WINNT\svchost.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Nurech: [SBI $38173BA2] Autorun settings (ttool) (Registry value, fixed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool
Nurech: [SBI $38173BA2] Program file (File, fixed)
C:\WINNT\9129837.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
PWS.Small.bs: [SBI $077B7AD9] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData\k1
PWS.Small.bs: [SBI $2C56291A] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData\k2
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa
Win32.Agent.xml: [SBI $164F72E4] Library (File, fixed)
C:\WINNT\system32\msxm192z.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINNT\system32\winlogon.exe
Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINNT\system32\winlogon.exe
Win32.Agent.wiw: [SBI $9148C432] Executable (File, fixed)
C:\WINNT\system32\wmdtc.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.Clicker.sv: [SBI $BD306ECD] Executable (File, fixed)
C:\WINNT\svchust.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.Fakealert.ttam: [SBI $098F8609] File (File, fixed)
C:\WINNT\fonts\services.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)
Common Dialogs: History (303 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
MS Office 9.0: Recently used files (92 files) (Directory, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Microsoft\Office\Recent\
Log: Activity: COM+.log (Backup file, nothing done)
C:\WINNT\COM+.log
Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINNT\SchedLgU.Txt
Log: Activity: imsins.log (Backup file, nothing done)
C:\WINNT\imsins.log
Log: Activity: mmdet.log (Backup file, nothing done)
C:\WINNT\mmdet.log
Log: Activity: ModemDet.txt (Backup file, nothing done)
C:\WINNT\ModemDet.txt
Log: Activity: Sti_Trace.log (Backup file, nothing done)
C:\WINNT\Sti_Trace.log
Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINNT\ntbtlog.txt
Log: Install: Active Setup Log.txt (Backup file, nothing done)
C:\WINNT\Active Setup Log.txt
Log: Install: comsetup.log (Backup file, nothing done)
C:\WINNT\comsetup.log
Log: Install: iis5.log (Backup file, nothing done)
C:\WINNT\iis5.log
Log: Install: ocgen.log (Backup file, nothing done)
C:\WINNT\ocgen.log
Log: Install: ockodak.log (Backup file, nothing done)
C:\WINNT\ockodak.log
Log: Install: setupact.log (Backup file, nothing done)
C:\WINNT\setupact.log
Log: Install: setupapi.log (Backup file, nothing done)
C:\WINNT\setupapi.log
Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINNT\wmsetup.log
Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\mofcomp.log
Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemcore.log
Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemprox.log
Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemsnmp.log
Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\winmgmt.log
Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wmiadap.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wmiprov.log
Adobe Save For Web 3.0: [SBI $2B778709] Last save folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Adobe\Save For Web 3.0\Preferences\SaveDir\tlfd
Ahead Nero Burning Rom: [SBI $0D846EDB] Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation
Ahead Nero Burning Rom: [SBI $DE353278] Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir
Ahead Nero Burning Rom: [SBI $F3FD92E9] Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir
Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastISODir
Ahead Nero Burning Rom: [SBI $505FB952] Last Audio directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastAudioDir
Ahead Nero Burning Rom: [SBI $0A02AC84] Last MP3 directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastMP3Dir
Animation Shop 3: [SBI $C2450D13] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\JASC\Animation Shop 3\Recent File List
Animation Shop 3: [SBI $B6CA019A] Recent browse folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\Browser\BrowseDir
Animation Shop 3: [SBI $A8A257E6] Recent image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir
Animation Shop 3: [SBI $9FDEFC61] Recent save as folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir
Gabest Media Player Classic: [SBI $E81D76E1] Last captured file (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Gabest\Media Player Classic\Capture\FileName
HTTrack Website Copier: [SBI $93C02757] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\DefaultValues\BasePath
HTTrack Website Copier: [SBI $FB31D252] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\Recent File List
Internet Explorer: [SBI $1E8157BE] Typed URL list (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\TypedURLs
Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Internet Explorer\TypedURLs
Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Download Directory
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $D5C3373A] AutoComplete data (79 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\IntelliForms\SPW
IZArc: [SBI $06AB5057] Last open folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\AppCurrentDir
IZArc: [SBI $95F8E74A] Last add folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\LastAddFolder
IZArc: [SBI $D6CA3E99] Archives history (4 files) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\History
IZArc: [SBI $03C34D02] Extract folder history (5 files) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\Recent\cbExtractPath
Adobe FlashPlayer Cookies: [SBI $065CE2DC] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\bin.clearspring.com\clearspring.sol
Properties.size=61
Properties.md5=4C01C594CBB72B1C7E7FC56020033557
Properties.filedate=1256249068
Properties.filedatetext=2009-10-22 15:04:28
Adobe FlashPlayer Cookies: [SBI $065CE2DC] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\udn.specificclick.net\fug.sol
Properties.size=33
Properties.md5=E7B0D4B4CDD1420BACDDC9C15B48B39A
Properties.filedate=1256271012
Properties.filedatetext=2009-10-22 21:10:12
Adobe FlashPlayer Cookies: [SBI $E17C7B50] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\cdn4.specificclick.net\img\gu.sol
Properties.size=69
Properties.md5=E6CE2F0368784EA918B1CAA4794C291B
Properties.filedate=1256306443
Properties.filedatetext=2009-10-23 07:00:42
Macromedia FreeHand MX: [SBI $51D93363] Last import folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Macromedia\FreeHand\11\Dialogs\ImportDirectory
MS Management Console: [SBI $ECD50EAD] Recent command list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Microsoft Management Console\Recent File List
MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir
MS Media Player: [SBI $3B9B7B9A] Last CD record path (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath
MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
MS ClipArt Gallery 9.0: [SBI $6804DCA8] Used cliparts (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription
MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Office 9.0: [SBI $4F7FBCC4] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents
MS Office 9.0: [SBI $DE9A4E33] Access recent file (21 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Access\Settings
MS Office 9.0 (Word): [SBI $EC31BB71] Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Word\Data\Settings
MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Excel\Recent Files
MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\PowerPoint\Recent File List
MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Fax\UserInfo\LastCountryID
MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Fax\UserInfo\LastCountryID
MS Frontpage: [SBI $A45AF00A] Recent page list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
MS Windows Backup 5.0: [SBI $9CE336F6] Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Hardware\Logical Disk File
MS Windows Backup 5.0: [SBI $E1E8C3AC] Backup logs history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Log Files
MS Wordpad: [SBI $4C02334D] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
PowerBullet: [SBI $B01E3628] Last saved project (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\DDD\Powerbullet\LastSavedPath
Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Windows.OpenWith: [SBI $414F7591] Open with list - .$$$ extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.$$$\OpenWithList
Windows.OpenWith: [SBI $B2FD6109] Open with list - .3DS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3DS\OpenWithList
Windows.OpenWith: [SBI $1563C37F] Open with list - .ADR extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADR\OpenWithList
Windows.OpenWith: [SBI $F6D91293] Open with list - .AI extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList
Windows.OpenWith: [SBI $6D23ED53] Open with list - .APF extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.APF\OpenWithList
Windows.OpenWith: [SBI $77FE82E7] Open with list - .AS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AS\OpenWithList
Windows.OpenWith: [SBI $16E309E0] Open with list - .ASF extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList
Windows.OpenWith: [SBI $6CBE8CD7] Open with list - .ASP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASP\OpenWithList
Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList
Windows.OpenWith: [SBI $50F69B2B] Open with list - .AU extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList
Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: [SBI $DCEE25EC] Open with list - .BAK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList
Windows.OpenWith: [SBI $691C1B44] Open with list - .BIN extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList
Windows.OpenWith: [SBI $9B660711] Open with list - .BK1 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BK1\OpenWithList
Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [SBI $C92C6763] Open with list - .BUP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList
Windows.OpenWith: [SBI $3A7F8A99] Open with list - .BZ2 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BZ2\OpenWithList
Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList
Windows.OpenWith: [SBI $9E8D5C8A] Open with list - .CDA extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList
Windows.OpenWith: [SBI $4414E448] Open with list - .CGI extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CGI\OpenWithList
Windows.OpenWith: [SBI $B6B2B96E] Open with list - .CHM extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList
Windows.OpenWith: [SBI $56EC999C] Open with list - .CNT extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CNT\OpenWithList
Windows.OpenWith: [SBI $37C65299] Open with list - .CSH extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSH\OpenWithList
Windows.OpenWith: [SBI $A59774C7] Open with list - .CSM extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSM\OpenWithList
Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList
Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList
Windows.OpenWith: [SBI $ECC28BDF] Open with list - .CSV extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList
Windows Explorer: [SBI $7308A845] Run history (27 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $AA0766B5] Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (5 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (40 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (16 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (4090 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (99 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $B7EBA926] Last visited history (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $41E7A1E4] Computer search history #2 (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU
Windows Explorer: [SBI $2F2F664E] Text in files search history (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
Windows Explorer: [SBI $9B519012] File search history (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Cookie: [SBI $49804B54] Cookie (1) (Cookie, nothing done)
History: [SBI $49804B54] History (17) (History, nothing done)
Cookie: [SBI $49804B54] Cookie (561) (Cookie, nothing done)
Cookie: [SBI $49804B54] Cookie (2897) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2005-06-27 unins000.exe (51.41.0.0)
2009-03-11 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-10-08 Includes\Adware.sbi (*)
2009-10-20 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-10-14 Includes\Dialer.sbi (*)
2009-10-13 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-13 Includes\HijackersC.sbi (*)
2009-10-20 Includes\Keyloggers.sbi (*)
2009-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-10-13 Includes\Malware.sbi (*)
2009-10-21 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-20 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-10-20 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-10-13 Includes\Spyware.sbi (*)
2009-10-20 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti (*)
2009-10-06 Includes\Trojans.sbi (*)
2009-10-21 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
---
Here are the results of 2 SUPERAntiSpyware scans:
1)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/22/2009 at 03:21 AM
Application Version : 4.29.1002
Core Rules Database Version : 4144
Trace Rules Database Version: 2075
Scan type : Custom Scan
Total Scan Time : 00:05:37
Memory items scanned : 341
Memory threats detected : 2
Registry items scanned : 7439
Registry threats detected : 1
File items scanned : 3
File threats detected : 2
Trojan.Agent/Gen-WIWOW64
C:\WINNT\SYSTEM32\WMDTC.EXE
C:\WINNT\SYSTEM32\WMDTC.EXE
Trojan.Downloader-Gen/Win
C:\WINNT\9129837.EXE
C:\WINNT\9129837.EXE
[ttool] C:\WINNT\9129837.EXE
--
2)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/22/2009 at 11:24 AM
Application Version : 4.29.1002
Core Rules Database Version : 4144
Trace Rules Database Version: 2075
Scan type : Complete Scan
Total Scan Time : 01:44:33
Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 7472
Registry threats detected : 6
File items scanned : 32160
File threats detected : 7
Trojan.Dropper/Sys-NV
HKLM\System\ControlSet001\Services\Nwsapagent
C:\WINNT\SYSTEM32\NWSAPV32.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_Nwsapagent
HKLM\System\ControlSet002\Services\Nwsapagent
HKLM\System\ControlSet002\Enum\Root\LEGACY_Nwsapagent
HKLM\System\CurrentControlSet\Services\Nwsapagent
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Nwsapagent
C:\WINNT\SYSTEM32\IPRIPV32.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Default User.WINNT\Cookies\system@content.yieldmanager[1].txt
Trojan.Agent/Gen-NumTemp
C:\WINNT\SYSTEM32\9.TMP
Trojan.Agent/Gen-Dropper[Temp]
C:\WINNT\SYSTEM32\C.TMP
Trojan.Agent/Gen-Pher[ProQuota]
C:\WINNT\SYSTEM32\DLLCACHE\PROQUOTA.EXE
Trojan.Dropper/Win-NV
C:\WINNT\SV1.EXE
---
If useful, and you are familiar with this, here are the results of a "Rooter" malware finder scan:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 2000 . (5.0.2195) Service Pack 4
[32_bits] - x86 Family 15 Model 2 Stepping 4, GenuineIntel
.
Error OpenService (wscsvc) : 1060
[SharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.3 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:111 Go - Free:51 Go )
D:\ [Fixed-NTFS] .. ( Total:19 Go - Free:7 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 18:23.50
Path : C:\Rooter$\Rooter.exe
User : Rick ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (8)
______ \SystemRoot\System32\smss.exe (152)
______ \??\C:\WINNT\system32\csrss.exe (176)
______ \??\C:\WINNT\system32\winlogon.exe (200)
______ C:\WINNT\system32\services.exe (228)
______ C:\WINNT\system32\lsass.exe (240)
______ C:\WINNT\system32\svchost.exe (396)
______ C:\WINNT\system32\spoolsv.exe (424)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (484)
______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (504)
______ C:\WINNT\System32\svchost.exe (536)
______ C:\Program Files\IObit\IObit Security 360\IS360srv.exe (556)
______ C:\WINNT\system32\MSTask.exe (620)
______ C:\WINNT\system32\stisvc.exe (764)
______ C:\Program Files\UPHClean\uphclean.exe (812)
______ C:\WINNT\Explorer.exe (944)
______ C:\Program Files\Analog Devices\SoundMAX\Smtray.exe (1004)
______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (1012)
______ C:\Program Files\GhostWall\ghostwall.exe (1028)
______ C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe (1052)
______ C:\Program Files\IObit\IObit Security 360\IS360tray.exe (1060)
______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (828)
______ C:\WINNT\system32\cmd.exe (1348)
______ C:\WINNT\system32\cmd.exe (1356)
______ C:\WINNT\system32\cmd.exe (1364)
______ C:\WINNT\system32\cmd.exe (1380)
______ C:\WINNT\system32\cmd.exe (1392)
______ C:\WINNT\TEMP\VRT16.tmp (1320)
______ C:\WINNT\system32\svchost.exe (1300)
______ C:\WINNT\system32\svchost.exe (1548)
______ C:\WINNT\svchost.exe (1316)
______ C:\WINNT\svchust.exe (1768)
______ C:\Program Files\Mozilla Firefox\firefox.exe (1648)
______ C:\Program Files\IObit\IObit Security 360\is360.exe (1920)
______ C:\WINNT\System32\svchost.exe (1804)
______ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (1756)
______ C:\WINNT\notepad.exe (2272)
______ C:\WINNT\System32\lsm32.sys (2284)
______ C:\Program Files\Internet Explorer\iexplore.exe (2236)
______ C:\Rooter$\Rooter.exe (2160)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
----------------------\\ Scheduled Tasks
.
C:\WINNT\Tasks\AppleSoftwareUpdate.job
C:\WINNT\Tasks\desktop.ini
C:\WINNT\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\WINNT\System32\fhhkj.bak1
C:\WINNT\System32\fhhkj.bak2
C:\WINNT\System32\fhhkj.tmp
C:\WINNT\System32\fhhkj.bak1
C:\WINNT\System32\fhhkj.bak2
C:\WINNT\System32\fhhkj.tmp
==> Vundo <==
.
C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 18:24.05
.
C:\Rooter$\Rooter_7.txt - (24/10/2009 | 18:24.05).c
---
Here are the scan findings from Root Repeal:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/23 18:11
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBE6D5000 Size: 86016 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xEB5E5000 Size: 4096 File Visible: No Signed: -
Status: -
Name: RecAgent.sys
Image Path: RecAgent.sys
Address: 0xEB418000 Size: 16384 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINNT\System32\drivers\rootrepeal.sys
Address: 0xBCFE6000 Size: 49152 File Visible: No Signed: -
Status: -
Name: uphcleanhlp.sys
Image Path: C:\WINNT\System32\Drivers\uphcleanhlp.sys
Address: 0xBD366000 Size: 12288 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Rick.PROJECT-X.000\My Documents\MAXX-8~1.TIF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.
==EOF==
---
I should also note that at one point my system lost track of where notepad.exe was located. I heard reference to the QAZ Trojan causing this, although I did not find any references to the registry entries recounted on this page:
http://www.pchell.com/virus/qaz.shtml
---
I am running a PC with 1 Gig of RAM, on Windows 2000, Service Pack 4.
Please inform me of any other information you need.
I realize I have provided a lot of information, but hopefully it will assist you in diagnosing this thing.
While I realize I am not alone in this boat, if I were to lose my system, I would be in big trouble.
Any help would be kindly appreciated.
Thanks,
Rick
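As an added example for the thread (not code from the post, nor from Rooter, HijackThis or any other tool named in it), here is a Python script that performs the check a responder would do first on that process list: find images that carry a core Windows binary's name but run from the wrong directory (C:\WINNT\svchost.exe instead of C:\WINNT\system32), names one character away from a real system binary (svchust.exe), and "processes" whose image is not an .exe at all (VRT16.tmp, lsm32.sys). The sample lines are copied from the Rooter process list above; the whitelist of where Windows 2000 keeps its core binaries and the flagging rules are assumptions made for this example, not a product's signatures.

```python
"""Triage a Rooter-style process list for masqueraded Windows system binaries.

Added example, not code from the post or from any tool mentioned there.
The whitelist and the flagging rules are assumptions for this example.
"""
import ntpath
import re

# One Rooter process line, e.g.  "______ C:\WINNT\svchust.exe (1768)"
ROOTER_LINE = re.compile(r"^(?:Locked|_+)\s+(?P<image>.+?)\s+\((?P<pid>\d+)\)$")

# Assumed whitelist: core NT binaries and the directory, relative to
# %SystemRoot%, they belong in. Windows 2000 keeps all of these in System32
# except Explorer, which lives in %SystemRoot% itself (C:\WINNT on this box).
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}

# Constructed sample: a subset of the Rooter process list posted above.
SAMPLE_ROOTER_OUTPUT = r"""
Locked [System Process] (0)
______ System (8)
______ \SystemRoot\System32\smss.exe (152)
______ \??\C:\WINNT\system32\csrss.exe (176)
______ C:\WINNT\system32\services.exe (228)
______ C:\WINNT\system32\svchost.exe (396)
______ C:\WINNT\Explorer.exe (944)
______ C:\WINNT\system32\cmd.exe (1348)
______ C:\WINNT\TEMP\VRT16.tmp (1320)
______ C:\WINNT\svchost.exe (1316)
______ C:\WINNT\svchust.exe (1768)
______ C:\WINNT\notepad.exe (2272)
______ C:\WINNT\System32\lsm32.sys (2284)
______ C:\Rooter$\Rooter.exe (2160)
"""


def parse_rooter_line(line):
    """Return (image, pid) for one Rooter process line, or None for anything else."""
    m = ROOTER_LINE.match(line.strip())
    return (m.group("image"), int(m.group("pid"))) if m else None


def normalize(image, system_root):
    """Map NT-style paths (\\??\\C:\\..., \\SystemRoot\\...) to a lower-case Win32 path."""
    if image.startswith("\\??\\"):
        image = image[4:]
    if image.lower().startswith("\\systemroot\\"):
        image = system_root + image[len("\\SystemRoot"):]
    return image.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes (svchust.exe)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_image(image, system_root="C:\\WINNT"):
    """Reasons this process image deserves a closer look (empty list = nothing odd)."""
    path = normalize(image, system_root)
    directory, name = ntpath.split(path)
    reasons = []
    if not name.endswith(".exe"):
        reasons.append("process image is not an .exe")
    if "\\temp\\" in directory + "\\":
        reasons.append("runs from a TEMP directory")
    if name in EXPECTED_DIR:
        expected = ntpath.join(system_root.lower(), EXPECTED_DIR[name]).rstrip("\\")
        if directory != expected:
            reasons.append(f"system binary name outside {expected}")
    else:
        for known in EXPECTED_DIR:
            if edit_distance(name, known) == 1:
                reasons.append(f"look-alike of {known}")
    return reasons


def triage_rooter(lines, system_root="C:\\WINNT"):
    """Parse Rooter process lines and return the suspicious ones with their reasons."""
    flagged = []
    for line in lines:
        parsed = parse_rooter_line(line)
        if parsed is None:
            continue
        image, pid = parsed
        if "\\" not in image:  # "System" / "[System Process]": kernel pseudo-processes
            continue
        reasons = triage_image(image, system_root)
        if reasons:
            flagged.append({"pid": pid, "image": image, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_rooter(SAMPLE_ROOTER_OUTPUT.splitlines()):
        print(f"PID {hit['pid']:>5}  {hit['image']}")
        for reason in hit["reasons"]:
            print(f"            - {reason}")
```

Run as-is it prints four hits (PIDs 1320, 1316, 1768 and 2284) and leaves the genuine System32 copies of svchost.exe, smss.exe and csrss.exe alone. The name-and-directory check is deliberately strict: a file called svchost.exe is only acceptable in exactly one place, which is the whole point of the masquerade the post is seeing. Each flagged path is a candidate to hash and submit, not proof of infection on its own.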
Properties.md5=E7B0D4B4CDD1420BACDDC9C15B48B39A
Properties.filedate=1256271012
Properties.filedatetext=2009-10-22 21:10:12
Adobe FlashPlayer Cookies: [SBI $E17C7B50] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\cdn4.specificclick.net\img\gu.sol
Properties.size=69
Properties.md5=E6CE2F0368784EA918B1CAA4794C291B
Properties.filedate=1256306443
Properties.filedatetext=2009-10-23 07:00:42
Macromedia FreeHand MX: [SBI $51D93363] Last import folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Macromedia\FreeHand\11\Dialogs\ImportDirectory
MS Management Console: [SBI $ECD50EAD] Recent command list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Microsoft Management Console\Recent File List
MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir
MS Media Player: [SBI $3B9B7B9A] Last CD record path (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath
MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
MS ClipArt Gallery 9.0: [SBI $6804DCA8] Used cliparts (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription
MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name
MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id
MS Office 9.0: [SBI $4F7FBCC4] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents
MS Office 9.0: [SBI $DE9A4E33] Access recent file (21 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Access\Settings
MS Office 9.0 (Word): [SBI $EC31BB71] Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Word\Data\Settings
MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Excel\Recent Files
MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\PowerPoint\Recent File List
MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Fax\UserInfo\LastCountryID
MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Fax\UserInfo\LastCountryID
MS Frontpage: [SBI $A45AF00A] Recent page list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
MS Windows Backup 5.0: [SBI $9CE336F6] Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Hardware\Logical Disk File
MS Windows Backup 5.0: [SBI $E1E8C3AC] Backup logs history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Log Files
MS Wordpad: [SBI $4C02334D] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
PowerBullet: [SBI $B01E3628] Last saved project (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\DDD\Powerbullet\LastSavedPath
Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Windows.OpenWith: [SBI $414F7591] Open with list - .$$$ extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.$$$\OpenWithList
Windows.OpenWith: [SBI $B2FD6109] Open with list - .3DS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3DS\OpenWithList
Windows.OpenWith: [SBI $1563C37F] Open with list - .ADR extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADR\OpenWithList
Windows.OpenWith: [SBI $F6D91293] Open with list - .AI extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList
Windows.OpenWith: [SBI $6D23ED53] Open with list - .APF extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.APF\OpenWithList
Windows.OpenWith: [SBI $77FE82E7] Open with list - .AS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AS\OpenWithList
Windows.OpenWith: [SBI $16E309E0] Open with list - .ASF extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList
Windows.OpenWith: [SBI $6CBE8CD7] Open with list - .ASP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASP\OpenWithList
Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList
Windows.OpenWith: [SBI $50F69B2B] Open with list - .AU extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList
Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: [SBI $DCEE25EC] Open with list - .BAK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList
Windows.OpenWith: [SBI $691C1B44] Open with list - .BIN extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList
Windows.OpenWith: [SBI $9B660711] Open with list - .BK1 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BK1\OpenWithList
Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [SBI $C92C6763] Open with list - .BUP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList
Windows.OpenWith: [SBI $3A7F8A99] Open with list - .BZ2 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BZ2\OpenWithList
Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList
Windows.OpenWith: [SBI $9E8D5C8A] Open with list - .CDA extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList
Windows.OpenWith: [SBI $4414E448] Open with list - .CGI extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CGI\OpenWithList
Windows.OpenWith: [SBI $B6B2B96E] Open with list - .CHM extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList
Windows.OpenWith: [SBI $56EC999C] Open with list - .CNT extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CNT\OpenWithList
Windows.OpenWith: [SBI $37C65299] Open with list - .CSH extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSH\OpenWithList
Windows.OpenWith: [SBI $A59774C7] Open with list - .CSM extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSM\OpenWithList
Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList
Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList
Windows.OpenWith: [SBI $ECC28BDF] Open with list - .CSV extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList
Windows Explorer: [SBI $7308A845] Run history (27 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $AA0766B5] Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (5 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (40 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (16 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (4090 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (99 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $B7EBA926] Last visited history (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $41E7A1E4] Computer search history #2 (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU
Windows Explorer: [SBI $2F2F664E] Text in files search history (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
Windows Explorer: [SBI $9B519012] File search history (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Cookie: [SBI $49804B54] Cookie (1) (Cookie, nothing done)
History: [SBI $49804B54] History (17) (History, nothing done)
Cookie: [SBI $49804B54] Cookie (561) (Cookie, nothing done)
Cookie: [SBI $49804B54] Cookie (2897) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2005-06-27 unins000.exe (51.41.0.0)
2009-03-11 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-10-08 Includes\Adware.sbi (*)
2009-10-20 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-10-14 Includes\Dialer.sbi (*)
2009-10-13 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-13 Includes\HijackersC.sbi (*)
2009-10-20 Includes\Keyloggers.sbi (*)
2009-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-10-13 Includes\Malware.sbi (*)
2009-10-21 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-20 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-10-20 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-10-13 Includes\Spyware.sbi (*)
2009-10-20 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti (*)
2009-10-06 Includes\Trojans.sbi (*)
2009-10-21 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
---
Here are the results of 2 SUPERAntiSpyware scans:
1)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/22/2009 at 03:21 AM
Application Version : 4.29.1002
Core Rules Database Version : 4144
Trace Rules Database Version: 2075
Scan type : Custom Scan
Total Scan Time : 00:05:37
Memory items scanned : 341
Memory threats detected : 2
Registry items scanned : 7439
Registry threats detected : 1
File items scanned : 3
File threats detected : 2
Trojan.Agent/Gen-WIWOW64
C:\WINNT\SYSTEM32\WMDTC.EXE
C:\WINNT\SYSTEM32\WMDTC.EXE
Trojan.Downloader-Gen/Win
C:\WINNT\9129837.EXE
C:\WINNT\9129837.EXE
[ttool] C:\WINNT\9129837.EXE
--
2)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/22/2009 at 11:24 AM
Application Version : 4.29.1002
Core Rules Database Version : 4144
Trace Rules Database Version: 2075
Scan type : Complete Scan
Total Scan Time : 01:44:33
Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 7472
Registry threats detected : 6
File items scanned : 32160
File threats detected : 7
Trojan.Dropper/Sys-NV
HKLM\System\ControlSet001\Services\Nwsapagent
C:\WINNT\SYSTEM32\NWSAPV32.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_Nwsapagent
HKLM\System\ControlSet002\Services\Nwsapagent
HKLM\System\ControlSet002\Enum\Root\LEGACY_Nwsapagent
HKLM\System\CurrentControlSet\Services\Nwsapagent
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Nwsapagent
C:\WINNT\SYSTEM32\IPRIPV32.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Default User.WINNT\Cookies\system@content.yieldmanager[1].txt
Trojan.Agent/Gen-NumTemp
C:\WINNT\SYSTEM32\9.TMP
Trojan.Agent/Gen-Dropper[Temp]
C:\WINNT\SYSTEM32\C.TMP
Trojan.Agent/Gen-Pher[ProQuota]
C:\WINNT\SYSTEM32\DLLCACHE\PROQUOTA.EXE
Trojan.Dropper/Win-NV
C:\WINNT\SV1.EXE
---
If useful, and you are familiar with this, here are the results of a "Rooter" malware finder scan:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 2000 . (5.0.2195) Service Pack 4
[32_bits] - x86 Family 15 Model 2 Stepping 4, GenuineIntel
.
Error OpenService (wscsvc) : 1060
[SharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.3 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:111 Go - Free:51 Go )
D:\ [Fixed-NTFS] .. ( Total:19 Go - Free:7 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 18:23.50
Path : C:\Rooter$\Rooter.exe
User : Rick ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (8)
______ \SystemRoot\System32\smss.exe (152)
______ \??\C:\WINNT\system32\csrss.exe (176)
______ \??\C:\WINNT\system32\winlogon.exe (200)
______ C:\WINNT\system32\services.exe (228)
______ C:\WINNT\system32\lsass.exe (240)
______ C:\WINNT\system32\svchost.exe (396)
______ C:\WINNT\system32\spoolsv.exe (424)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (484)
______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (504)
______ C:\WINNT\System32\svchost.exe (536)
______ C:\Program Files\IObit\IObit Security 360\IS360srv.exe (556)
______ C:\WINNT\system32\MSTask.exe (620)
______ C:\WINNT\system32\stisvc.exe (764)
______ C:\Program Files\UPHClean\uphclean.exe (812)
______ C:\WINNT\Explorer.exe (944)
______ C:\Program Files\Analog Devices\SoundMAX\Smtray.exe (1004)
______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (1012)
______ C:\Program Files\GhostWall\ghostwall.exe (1028)
______ C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe (1052)
______ C:\Program Files\IObit\IObit Security 360\IS360tray.exe (1060)
______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (828)
______ C:\WINNT\system32\cmd.exe (1348)
______ C:\WINNT\system32\cmd.exe (1356)
______ C:\WINNT\system32\cmd.exe (1364)
______ C:\WINNT\system32\cmd.exe (1380)
______ C:\WINNT\system32\cmd.exe (1392)
______ C:\WINNT\TEMP\VRT16.tmp (1320)
______ C:\WINNT\system32\svchost.exe (1300)
______ C:\WINNT\system32\svchost.exe (1548)
______ C:\WINNT\svchost.exe (1316)
______ C:\WINNT\svchust.exe (1768)
______ C:\Program Files\Mozilla Firefox\firefox.exe (1648)
______ C:\Program Files\IObit\IObit Security 360\is360.exe (1920)
______ C:\WINNT\System32\svchost.exe (1804)
______ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (1756)
______ C:\WINNT\notepad.exe (2272)
______ C:\WINNT\System32\lsm32.sys (2284)
______ C:\Program Files\Internet Explorer\iexplore.exe (2236)
______ C:\Rooter$\Rooter.exe (2160)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
----------------------\\ Scheduled Tasks
.
C:\WINNT\Tasks\AppleSoftwareUpdate.job
C:\WINNT\Tasks\desktop.ini
C:\WINNT\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\WINNT\System32\fhhkj.bak1
C:\WINNT\System32\fhhkj.bak2
C:\WINNT\System32\fhhkj.tmp
C:\WINNT\System32\fhhkj.bak1
C:\WINNT\System32\fhhkj.bak2
C:\WINNT\System32\fhhkj.tmp
==> Vundo <==
.
C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 18:24.05
.
C:\Rooter$\Rooter_7.txt - (24/10/2009 | 18:24.05).c
---
Here are the scan findings from Root Repeal:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/23 18:11
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBE6D5000 Size: 86016 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xEB5E5000 Size: 4096 File Visible: No Signed: -
Status: -
Name: RecAgent.sys
Image Path: RecAgent.sys
Address: 0xEB418000 Size: 16384 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINNT\System32\drivers\rootrepeal.sys
Address: 0xBCFE6000 Size: 49152 File Visible: No Signed: -
Status: -
Name: uphcleanhlp.sys
Image Path: C:\WINNT\System32\Drivers\uphcleanhlp.sys
Address: 0xBD366000 Size: 12288 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Rick.PROJECT-X.000\My Documents\MAXX-8~1.TIF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.
==EOF==
---
Should also note, at one point, my system lost track of where notepad.exe was located. I heard reference to the QAZ Trojan causing this, although I did not find any references to any registry entries, as recounted on this page:
http://www.pchell.com/virus/qaz.shtml
---
I am running a PC with 1 Gig of RAM, on Windows 2000, Service Pack 4.
Please inform me of any other information you need.
I realize I have provided a lot of information, but hopefully, it will assist you in diagnosing this thing.
While I realize I am not alone in this boat, if I were to lose my system, I would be in big trouble.
Any help would be kindly appreciated.
Thanks,
Rick