
Trojan: Please Help



spykat
2009-10-25, 03:36
Dear Forum,

It appears that I have been invaded by multiple trojans, droppers, etc.
I first noticed something was wrong when I booted up, and just as the Windows screen was coming on, it would reboot... over and over.
I got out my Windows 2000 (yeah, I know) install CD and used the "Rescue" console. This allowed me to at least boot up completely.

Soon, however, my Avast antivirus popped up with a virus warning.
Ran Avast in Safe Mode -- quarantined suspect files then rebooted.
Still infected.
In succession, in Safe Mode, I ran: Spybot S&D, Malwarebytes Anti-Malware, a-squared Free, and SuperAntiSpyware. While MANY malware items were discovered and deleted/quarantined, they seemed to come back upon the next boot-up.

Other observances:

* Avast notified me of a possible infection of SVCHOST.exe.
I was afraid to delete or quarantine it however.
I have three occurrences of this file on my system:
C:\WINNT: 1,141 kb, altered 10/22/2009 11:39AM
C:\WINNT\system32: 7 kb, altered 12/07/1999 5:00AM
C:\WINNT\system32\dllcache: 27 kb, altered 12/07/1999 5:00AM
The first, larger, recently altered one gives me some concern.

* 9129837.exe in Task Manager; can't be killed.

* Upon running CCleaner:
There are usually entries in the
C:\WINNT\TEMP directory that either can't be removed, or replicate themselves instantly.
While not always the same files, here are the latest two:
C:\WINNT\TEMP\mta13187.dll
C:\WINNT\TEMP\nea3F.tmp
I have also seen a.tmp, b.tmp, etc in this location.

* Attempting to open some programs will bring up a "Windows Installer" window. Presumably, these programs, having been on my computer for some time, are already fully installed. Not sure if this is malware related, or another problem (ugh).

* Some internet sites "Can Not be found" -- specifically antivirus sites, and even the "Windows Update" site. Being blocked by some nasty trojan perhaps?

OK, now for some data.
Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:03 PM, on 10/24/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\GhostWall\ghostwall.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\TEMP\VRT16.tmp
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\WINNT\svchust.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\lsm32.sys
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\drivers\smss.exe
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\RICK\Application Data\Mozilla\Profiles\default\tq59upyp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\Msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Use webcow on this Page - C:\Program Files\WebCow\wcie.iemenu.htm
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Use webcow on this &Selection - C:\Program Files\WebCow\wcie.iemenu2.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: www.bayareascene.net
O15 - Trusted Zone: http://www.bayareascene.net
O15 - Trusted Zone: *.calhawaiianhoa.org
O15 - Trusted Zone: *.disqus.com
O15 - Trusted Zone: googleads.g.doubleclick.net
O15 - Trusted Zone: www.fremontasbaseball.com
O15 - Trusted Zone: www.goodwillsv.org
O15 - Trusted Zone: www.hotornot.com
O15 - Trusted Zone: www.lincolnavenuewillowglen.com
O15 - Trusted Zone: *.linkshare.com
O15 - Trusted Zone: *.linksynergy.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.rickshrum.com
O15 - Trusted Zone: *.sanjosecellphones.com
O15 - Trusted Zone: www.staples.com
O15 - Trusted Zone: *.viator.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmod11 - C:\WINNT\SYSTEM32\pmod11.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Express Accounts (ExpressAccountsService) - Unknown owner - C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe (file missing)
O23 - Service: Express Invoice (ExpressInvoiceService) - NCH Software - C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINNT\system32\hidserv.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINNT\svchust.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINNT\System32\TuneUpDefragService.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)

--
End of file - 8929 bytes
---
Here is my Spybot S&D Log:


--- Search result list ---
Smitfraud-C.gp: [SBI $8E7F06B8] Executable (File, fixed)
C:\WINNT\svchost.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Nurech: [SBI $38173BA2] Autorun settings (ttool) (Registry value, fixed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool

Nurech: [SBI $38173BA2] Program file (File, fixed)
C:\WINNT\9129837.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

PWS.Small.bs: [SBI $077B7AD9] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData\k1

PWS.Small.bs: [SBI $2C56291A] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData\k2

Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa

Win32.Agent.xml: [SBI $164F72E4] Library (File, fixed)
C:\WINNT\system32\msxm192z.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINNT\system32\winlogon.exe

Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINNT\system32\winlogon.exe

Win32.Agent.wiw: [SBI $9148C432] Executable (File, fixed)
C:\WINNT\system32\wmdtc.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.Clicker.sv: [SBI $BD306ECD] Executable (File, fixed)
C:\WINNT\svchust.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Win32.Fakealert.ttam: [SBI $098F8609] File (File, fixed)
C:\WINNT\fonts\services.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


Common Dialogs: History (303 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: Recently used files (92 files) (Directory, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Microsoft\Office\Recent\

Log: Activity: COM+.log (Backup file, nothing done)
C:\WINNT\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINNT\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINNT\imsins.log

Log: Activity: mmdet.log (Backup file, nothing done)
C:\WINNT\mmdet.log

Log: Activity: ModemDet.txt (Backup file, nothing done)
C:\WINNT\ModemDet.txt

Log: Activity: Sti_Trace.log (Backup file, nothing done)
C:\WINNT\Sti_Trace.log

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINNT\ntbtlog.txt

Log: Install: Active Setup Log.txt (Backup file, nothing done)
C:\WINNT\Active Setup Log.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINNT\comsetup.log

Log: Install: iis5.log (Backup file, nothing done)
C:\WINNT\iis5.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINNT\ocgen.log

Log: Install: ockodak.log (Backup file, nothing done)
C:\WINNT\ockodak.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINNT\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINNT\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINNT\wmsetup.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemsnmp.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wmiprov.log

Adobe Save For Web 3.0: [SBI $2B778709] Last save folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Adobe\Save For Web 3.0\Preferences\SaveDir\tlfd

Ahead Nero Burning Rom: [SBI $0D846EDB] Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation

Ahead Nero Burning Rom: [SBI $DE353278] Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir

Ahead Nero Burning Rom: [SBI $F3FD92E9] Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir

Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastISODir

Ahead Nero Burning Rom: [SBI $505FB952] Last Audio directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastAudioDir

Ahead Nero Burning Rom: [SBI $0A02AC84] Last MP3 directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastMP3Dir

Animation Shop 3: [SBI $C2450D13] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\JASC\Animation Shop 3\Recent File List

Animation Shop 3: [SBI $B6CA019A] Recent browse folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\Browser\BrowseDir

Animation Shop 3: [SBI $A8A257E6] Recent image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir

Animation Shop 3: [SBI $9FDEFC61] Recent save as folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir

Gabest Media Player Classic: [SBI $E81D76E1] Last captured file (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Gabest\Media Player Classic\Capture\FileName

HTTrack Website Copier: [SBI $93C02757] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\DefaultValues\BasePath

HTTrack Website Copier: [SBI $FB31D252] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\Recent File List

Internet Explorer: [SBI $1E8157BE] Typed URL list (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Download Directory

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $D5C3373A] AutoComplete data (79 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\IntelliForms\SPW

IZArc: [SBI $06AB5057] Last open folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\AppCurrentDir

IZArc: [SBI $95F8E74A] Last add folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\LastAddFolder

IZArc: [SBI $D6CA3E99] Archives history (4 files) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\History

IZArc: [SBI $03C34D02] Extract folder history (5 files) (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\Recent\cbExtractPath

Adobe FlashPlayer Cookies: [SBI $065CE2DC] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\bin.clearspring.com\clearspring.sol
Properties.size=61
Properties.md5=4C01C594CBB72B1C7E7FC56020033557
Properties.filedate=1256249068
Properties.filedatetext=2009-10-22 15:04:28

Adobe FlashPlayer Cookies: [SBI $065CE2DC] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\udn.specificclick.net\fug.sol
Properties.size=33
Properties.md5=E7B0D4B4CDD1420BACDDC9C15B48B39A
Properties.filedate=1256271012
Properties.filedatetext=2009-10-22 21:10:12

Adobe FlashPlayer Cookies: [SBI $E17C7B50] Text file () (File, nothing done)
C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\cdn4.specificclick.net\img\gu.sol
Properties.size=69
Properties.md5=E6CE2F0368784EA918B1CAA4794C291B
Properties.filedate=1256306443
Properties.filedatetext=2009-10-23 07:00:42

Macromedia FreeHand MX: [SBI $51D93363] Last import folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Macromedia\FreeHand\11\Dialogs\ImportDirectory

MS Management Console: [SBI $ECD50EAD] Recent command list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir

MS Media Player: [SBI $3B9B7B9A] Last CD record path (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS ClipArt Gallery 9.0: [SBI $6804DCA8] Used cliparts (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Office 9.0: [SBI $4F7FBCC4] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: [SBI $DE9A4E33] Access recent file (21 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0 (Word): [SBI $EC31BB71] Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Excel\Recent Files

MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\PowerPoint\Recent File List

MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Fax\UserInfo\LastCountryID

MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Fax\UserInfo\LastCountryID

MS Frontpage: [SBI $A45AF00A] Recent page list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

MS Windows Backup 5.0: [SBI $9CE336F6] Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Hardware\Logical Disk File

MS Windows Backup 5.0: [SBI $E1E8C3AC] Backup logs history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Log Files

MS Wordpad: [SBI $4C02334D] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

PowerBullet: [SBI $B01E3628] Last saved project (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\DDD\Powerbullet\LastSavedPath

Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows.OpenWith: [SBI $414F7591] Open with list - .$$$ extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.$$$\OpenWithList

Windows.OpenWith: [SBI $B2FD6109] Open with list - .3DS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3DS\OpenWithList

Windows.OpenWith: [SBI $1563C37F] Open with list - .ADR extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADR\OpenWithList

Windows.OpenWith: [SBI $F6D91293] Open with list - .AI extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

Windows.OpenWith: [SBI $6D23ED53] Open with list - .APF extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.APF\OpenWithList

Windows.OpenWith: [SBI $77FE82E7] Open with list - .AS extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AS\OpenWithList

Windows.OpenWith: [SBI $16E309E0] Open with list - .ASF extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

Windows.OpenWith: [SBI $6CBE8CD7] Open with list - .ASP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASP\OpenWithList

Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: [SBI $50F69B2B] Open with list - .AU extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: [SBI $DCEE25EC] Open with list - .BAK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

Windows.OpenWith: [SBI $691C1B44] Open with list - .BIN extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: [SBI $9B660711] Open with list - .BK1 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BK1\OpenWithList

Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: [SBI $C92C6763] Open with list - .BUP extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: [SBI $3A7F8A99] Open with list - .BZ2 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BZ2\OpenWithList

Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

Windows.OpenWith: [SBI $9E8D5C8A] Open with list - .CDA extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: [SBI $4414E448] Open with list - .CGI extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CGI\OpenWithList

Windows.OpenWith: [SBI $B6B2B96E] Open with list - .CHM extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

Windows.OpenWith: [SBI $56EC999C] Open with list - .CNT extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CNT\OpenWithList

Windows.OpenWith: [SBI $37C65299] Open with list - .CSH extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSH\OpenWithList

Windows.OpenWith: [SBI $A59774C7] Open with list - .CSM extension (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSM\OpenWithList

Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: [SBI $ECC28BDF] Open with list - .CSV extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows Explorer: [SBI $7308A845] Run history (27 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $AA0766B5] Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (5 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (40 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (16 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (4090 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (99 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $41E7A1E4] Computer search history #2 (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU

Windows Explorer: [SBI $2F2F664E] Text in files search history (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU

Windows Explorer: [SBI $9B519012] File search history (25 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: [SBI $49804B54] Cookie (1) (Cookie, nothing done)


History: [SBI $49804B54] History (17) (History, nothing done)


Cookie: [SBI $49804B54] Cookie (561) (Cookie, nothing done)


Cookie: [SBI $49804B54] Cookie (2897) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2005-06-27 unins000.exe (51.41.0.0)
2009-03-11 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-10-08 Includes\Adware.sbi (*)
2009-10-20 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-10-14 Includes\Dialer.sbi (*)
2009-10-13 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-13 Includes\HijackersC.sbi (*)
2009-10-20 Includes\Keyloggers.sbi (*)
2009-10-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-10-13 Includes\Malware.sbi (*)
2009-10-21 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-20 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-10-20 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-10-13 Includes\Spyware.sbi (*)
2009-10-20 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti (*)
2009-10-06 Includes\Trojans.sbi (*)
2009-10-21 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
---
Here are the results of 2 SUPERAntiSpyware scans:
1)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/22/2009 at 03:21 AM

Application Version : 4.29.1002

Core Rules Database Version : 4144
Trace Rules Database Version: 2075

Scan type : Custom Scan
Total Scan Time : 00:05:37

Memory items scanned : 341
Memory threats detected : 2
Registry items scanned : 7439
Registry threats detected : 1
File items scanned : 3
File threats detected : 2

Trojan.Agent/Gen-WIWOW64
C:\WINNT\SYSTEM32\WMDTC.EXE
C:\WINNT\SYSTEM32\WMDTC.EXE

Trojan.Downloader-Gen/Win
C:\WINNT\9129837.EXE
C:\WINNT\9129837.EXE
[ttool] C:\WINNT\9129837.EXE
--
2)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/22/2009 at 11:24 AM

Application Version : 4.29.1002

Core Rules Database Version : 4144
Trace Rules Database Version: 2075

Scan type : Complete Scan
Total Scan Time : 01:44:33

Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 7472
Registry threats detected : 6
File items scanned : 32160
File threats detected : 7

Trojan.Dropper/Sys-NV
HKLM\System\ControlSet001\Services\Nwsapagent
C:\WINNT\SYSTEM32\NWSAPV32.DLL
HKLM\System\ControlSet001\Enum\Root\LEGACY_Nwsapagent
HKLM\System\ControlSet002\Services\Nwsapagent
HKLM\System\ControlSet002\Enum\Root\LEGACY_Nwsapagent
HKLM\System\CurrentControlSet\Services\Nwsapagent
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Nwsapagent
C:\WINNT\SYSTEM32\IPRIPV32.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Default User.WINNT\Cookies\system@content.yieldmanager[1].txt

Trojan.Agent/Gen-NumTemp
C:\WINNT\SYSTEM32\9.TMP

Trojan.Agent/Gen-Dropper[Temp]
C:\WINNT\SYSTEM32\C.TMP

Trojan.Agent/Gen-Pher[ProQuota]
C:\WINNT\SYSTEM32\DLLCACHE\PROQUOTA.EXE

Trojan.Dropper/Win-NV
C:\WINNT\SV1.EXE
---
If useful, and you are familiar with this, here are the results of a "Rooter" malware finder scan:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 2000 . (5.0.2195) Service Pack 4
[32_bits] - x86 Family 15 Model 2 Stepping 4, GenuineIntel
.
Error OpenService (wscsvc) : 1060
[SharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.3 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:111 Go - Free:51 Go )
D:\ [Fixed-NTFS] .. ( Total:19 Go - Free:7 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 18:23.50
Path : C:\Rooter$\Rooter.exe
User : Rick ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (8)
______ \SystemRoot\System32\smss.exe (152)
______ \??\C:\WINNT\system32\csrss.exe (176)
______ \??\C:\WINNT\system32\winlogon.exe (200)
______ C:\WINNT\system32\services.exe (228)
______ C:\WINNT\system32\lsass.exe (240)
______ C:\WINNT\system32\svchost.exe (396)
______ C:\WINNT\system32\spoolsv.exe (424)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (484)
______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (504)
______ C:\WINNT\System32\svchost.exe (536)
______ C:\Program Files\IObit\IObit Security 360\IS360srv.exe (556)
______ C:\WINNT\system32\MSTask.exe (620)
______ C:\WINNT\system32\stisvc.exe (764)
______ C:\Program Files\UPHClean\uphclean.exe (812)
______ C:\WINNT\Explorer.exe (944)
______ C:\Program Files\Analog Devices\SoundMAX\Smtray.exe (1004)
______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (1012)
______ C:\Program Files\GhostWall\ghostwall.exe (1028)
______ C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe (1052)
______ C:\Program Files\IObit\IObit Security 360\IS360tray.exe (1060)
______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (828)
______ C:\WINNT\system32\cmd.exe (1348)
______ C:\WINNT\system32\cmd.exe (1356)
______ C:\WINNT\system32\cmd.exe (1364)
______ C:\WINNT\system32\cmd.exe (1380)
______ C:\WINNT\system32\cmd.exe (1392)
______ C:\WINNT\TEMP\VRT16.tmp (1320)
______ C:\WINNT\system32\svchost.exe (1300)
______ C:\WINNT\system32\svchost.exe (1548)
______ C:\WINNT\svchost.exe (1316)
______ C:\WINNT\svchust.exe (1768)
______ C:\Program Files\Mozilla Firefox\firefox.exe (1648)
______ C:\Program Files\IObit\IObit Security 360\is360.exe (1920)
______ C:\WINNT\System32\svchost.exe (1804)
______ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (1756)
______ C:\WINNT\notepad.exe (2272)
______ C:\WINNT\System32\lsm32.sys (2284)
______ C:\Program Files\Internet Explorer\iexplore.exe (2236)
______ C:\Rooter$\Rooter.exe (2160)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
----------------------\\ Scheduled Tasks
.
C:\WINNT\Tasks\AppleSoftwareUpdate.job
C:\WINNT\Tasks\desktop.ini
C:\WINNT\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\WINNT\System32\fhhkj.bak1
C:\WINNT\System32\fhhkj.bak2
C:\WINNT\System32\fhhkj.tmp
C:\WINNT\System32\fhhkj.bak1
C:\WINNT\System32\fhhkj.bak2
C:\WINNT\System32\fhhkj.tmp
==> Vundo <==
.
C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 18:24.05
.
C:\Rooter$\Rooter_7.txt - (24/10/2009 | 18:24.05).c
---
Here are the scan findings from RootRepeal:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/23 18:11
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBE6D5000 Size: 86016 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xEB5E5000 Size: 4096 File Visible: No Signed: -
Status: -

Name: RecAgent.sys
Image Path: RecAgent.sys
Address: 0xEB418000 Size: 16384 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\System32\drivers\rootrepeal.sys
Address: 0xBCFE6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINNT\System32\Drivers\uphcleanhlp.sys
Address: 0xBD366000 Size: 12288 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Rick.PROJECT-X.000\My Documents\MAXX-8~1.TIF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

==EOF==

---
Should also note, at one point, my system lost track of where notepad.exe was located. I heard reference to the QAZ Trojan causing this, although I did not find any references to any registry entries, as recounted on this page:
http://www.pchell.com/virus/qaz.shtml

---
I am running a PC with 1 Gig of RAM, on Windows 2000, Service Pack 4.
Please inform me of any other information you need.

I realize I have provided a lot of information, but hopefully, it will assist you in diagnosing this thing.

While I realize I am not alone in this boat, if I were to lose my system, I would be in big trouble.

Any help would be kindly appreciated.

Thanks,
Rick

spykat
2009-10-25, 03:50
Ran IObit Security 360 and it found a bunch of nasties.
I eliminated them, but fully expect their return.

Here is the IObit log:
IObit Security 360

OS:Windows 2000
Version:1.0.1.30
Define Version:1251
Time Elapsed:00:05:02
Objects Scanned:59139
Threats Found:27

|Name|Type|Description|ID|
Hijack.Userinit, Registry Data, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value=Userinit, 6-877
Mal/Gen.Downloader, File, C:\WINNT\sv1.exe, 4-506
Trojan-spy.Win32/Agent, File, C:\WINNT\System32\BtwSrv.dll, 4-507
Backdoor.Trojan, File, C:\WINNT\System32\lsm32.sys, 4-508
Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BtwSrv, 4-510
Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV, 4-511
Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Net_Login, 4-514
Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NET_LOGIN, 4-515
Trojan-spy.Win32/Agent, File, C:\WINNT\isvchost.exe, 4-1052
Mal/Gen.Downloader, File, C:\WINNT\svchust.exe, 4-1338
Trojan-spy.Win32/Agent, File, C:\WINNT\System32\certstore.dat, 4-8144
Backdoor.Trojan, File, C:\WINNT\System32\FInstall.sys, 4-10002
Trojan-spy.Win32/Agent, File, C:\WINNT\System32\msxm192z.dll, 4-13377
Trojan-spy.Win32/Agent, File, C:\WINNT\svchost.exe, 4-22308
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=BuildW, 4-28329
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=FirstInstallFlag, 4-28330
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=i, 4-28332
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=uid, 4-28337
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=Ulrn, 4-28338
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=Update, 4-28339
Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=UpdateNew, 4-28340
Mal/Gen.Downloader, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin, 4-35121
Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=mBt, 4-36448
Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=udfa, 4-36554
Backdoor.Trojan, File, C:\WINNT\System32\opeia.exe, 4-36737
Backdoor.Trojan, File, C:\WINNT\System32\FastNetSrv.exe, 4-36752
Backdoor.Trojan, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV, 4-36753
---
Here is the Updated HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:22 PM, on 10/24/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\GhostWall\ghostwall.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\TEMP\VRT16.tmp
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=Userinit.exe
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\RICK\Application Data\Mozilla\Profiles\default\tq59upyp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\Msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O4 - S-1-5-21-583907252-573735546-839522115-1000 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User '?')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Use webcow on this Page - C:\Program Files\WebCow\wcie.iemenu.htm
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Use webcow on this &Selection - C:\Program Files\WebCow\wcie.iemenu2.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O15 - Trusted Zone: www.adultdvdtalk.com
O15 - Trusted Zone: www.asiangirlsandwhiteguys.com
O15 - Trusted Zone: www.bayareascene.net
O15 - Trusted Zone: http://www.bayareascene.net
O15 - Trusted Zone: *.calhawaiianhoa.org
O15 - Trusted Zone: *.disqus.com
O15 - Trusted Zone: googleads.g.doubleclick.net
O15 - Trusted Zone: www.fremontasbaseball.com
O15 - Trusted Zone: www.goodwillsv.org
O15 - Trusted Zone: www.hotornot.com
O15 - Trusted Zone: www.lincolnavenuewillowglen.com
O15 - Trusted Zone: *.linkshare.com
O15 - Trusted Zone: *.linksynergy.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.rickshrum.com
O15 - Trusted Zone: *.sanjosecellphones.com
O15 - Trusted Zone: www.staples.com
O15 - Trusted Zone: *.viator.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmod11 - C:\WINNT\SYSTEM32\pmod11.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Express Accounts (ExpressAccountsService) - Unknown owner - C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe (file missing)
O23 - Service: Express Invoice (ExpressInvoiceService) - NCH Software - C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINNT\system32\hidserv.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINNT\System32\TuneUpDefragService.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)

--
End of file - 8719 bytes
---

tashi
2009-10-25, 04:19
Hello spykat :welcome:


Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count.

Please provide only the one log until a helper responds, thanks.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Please start a new topic providing the HJT log only, with a link back to this thread. :)

Best regards.

spykat
2009-10-25, 04:26
Hi Tashi!
Thanks so very much for your fast assistance! :thanks:
I am in quite a bind here.

I will name the new thread "Spykat's HJT Log"

Rick

tashi
2009-10-25, 07:52
New topic: http://forums.spybot.info/showthread.php?t=52843

Renamed Trojan (and other Infections)

:)