Results 1 to 5 of 5

Thread: Trojan: Please Help

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    9

    Unhappy Trojan: Please Help

    Dear Forum,

    It appears that I have been invaded by multiple trojans, droppers, etc.
    I first noticed something was wrong when I booted up, and just as the Windows screen was coming on, it would reboot..over and over.
    I got out my Windows 2000 (yeah, I know) install CD and used the "Rescue" console. This allowed me to at least boot up completely.

    Soon, however, my Avast antivirus popped up with a virus warning.
    Ran Avast in Safe Mode -- quarantined suspect files then rebooted.
    Still infected.
    In succession,in Safe Mode ran: Spybot S&D, Malwarebytes Anti-malware, a-squared Free, and SuperAntiSpyware. While MANY malware items were discovered and deleted/quarantined, they seemed to come back upon the next boot-up.

    Other observances:

    * Avast notified me of a possible infection of SVCHOST.exe.
    I was afraid to delete or quarantine it however.
    I have three occurrences of this file on my system:
    C:\WINNT: 1,141 kb, altered 10/22/2009 11:39AM
    C:\WINNT\system32: 7 kb altered 12/07/1999 5:00AM
    C:\WINNT\system32\dllcache: 27 kb altered 12/07/1999 5:00AM
    The first, larger, recently altered one gives me some concern.

    * 9129837.exe in Task Manager; can't be killed.

    * Upon running CCleaner:
    There are usually entries in the
    C:\WINNT\TEMP directory that either can't be removed, or replicate themselves instantly.
    While not always the same files, here are the latest two:
    C:\WINNT\TEMP\mta13187.dll
    C:\WINNT\TEMP\nea3F.tmp
    I have also seen a.tmp, b.tmp, etc in this location.

    * Attempting to open some programs will bring up a "Windows Installer" window. Presumably, these programs, having been on my computer for some time are already fully installed. Not sure if this is malware related, or another problem (ugh).

    * Some internet sites "Can Not be found" -- specifically antivirus sites, and even the "Windows Update" site. Being blocked my some nasty trojan perhaps?

    OK, now for some data.
    Here is my HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:15:03 PM, on 10/24/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\GhostWall\ghostwall.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\IObit\IObit Security 360\IS360tray.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\TEMP\VRT16.tmp
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\svchost.exe
    C:\WINNT\svchust.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\IObit\IObit Security 360\is360.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINNT\System32\lsm32.sys
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\drivers\smss.exe
    N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\RICK\Application Data\Mozilla\Profiles\default\tq59upyp.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\Msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Use webcow on this Page - C:\Program Files\WebCow\wcie.iemenu.htm
    O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Use webcow on this &Selection - C:\Program Files\WebCow\wcie.iemenu2.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
    O15 - Trusted Zone: www.bayareascene.net
    O15 - Trusted Zone: http://www.bayareascene.net
    O15 - Trusted Zone: *.calhawaiianhoa.org
    O15 - Trusted Zone: *.disqus.com
    O15 - Trusted Zone: googleads.g.doubleclick.net
    O15 - Trusted Zone: www.fremontasbaseball.com
    O15 - Trusted Zone: www.goodwillsv.org
    O15 - Trusted Zone: www.hotornot.com
    O15 - Trusted Zone: www.lincolnavenuewillowglen.com
    O15 - Trusted Zone: *.linkshare.com
    O15 - Trusted Zone: *.linksynergy.com
    O15 - Trusted Zone: http://www.pandasoftware.com
    O15 - Trusted Zone: http://www.rickshrum.com
    O15 - Trusted Zone: *.sanjosecellphones.com
    O15 - Trusted Zone: www.staples.com
    O15 - Trusted Zone: *.viator.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmod11 - C:\WINNT\SYSTEM32\pmod11.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Express Accounts (ExpressAccountsService) - Unknown owner - C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe (file missing)
    O23 - Service: Express Invoice (ExpressInvoiceService) - NCH Software - C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe
    O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINNT\system32\hidserv.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
    O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINNT\svchost.exe
    O23 - Service: Net_Login - Unknown owner - C:\WINNT\svchust.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINNT\System32\TuneUpDefragService.exe
    O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)

    --
    End of file - 8929 bytes
    ---
    Here is my Spybot S&D Log:


    --- Search result list ---
    Smitfraud-C.gp: [SBI $8E7F06B8] Executable (File, fixed)
    C:\WINNT\svchost.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Nurech: [SBI $38173BA2] Autorun settings (ttool) (Registry value, fixed)
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool

    Nurech: [SBI $38173BA2] Program file (File, fixed)
    C:\WINNT\9129837.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    PWS.Small.bs: [SBI $077B7AD9] Settings (Registry value, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\InetData\k1

    PWS.Small.bs: [SBI $2C56291A] Settings (Registry value, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\InetData\k2

    Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa

    Win32.Agent.xml: [SBI $164F72E4] Library (File, fixed)
    C:\WINNT\system32\msxm192z.dll
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINNT\system32\winlogon.exe

    Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINNT\system32\winlogon.exe

    Win32.Agent.wiw: [SBI $9148C432] Executable (File, fixed)
    C:\WINNT\system32\wmdtc.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Win32.Clicker.sv: [SBI $BD306ECD] Executable (File, fixed)
    C:\WINNT\svchust.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Win32.Fakealert.ttam: [SBI $098F8609] File (File, fixed)
    C:\WINNT\fonts\services.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    LinkSynergy: Tracking cookie (Firefox: Rick (default)) (Cookie, nothing done)


    Common Dialogs: History (303 files) (Registry key, nothing done)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    MS Office 9.0: Recently used files (92 files) (Directory, nothing done)
    C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Microsoft\Office\Recent\

    Log: Activity: COM+.log (Backup file, nothing done)
    C:\WINNT\COM+.log

    Log: Activity: SchedLgU.Txt (Backup file, nothing done)
    C:\WINNT\SchedLgU.Txt

    Log: Activity: imsins.log (Backup file, nothing done)
    C:\WINNT\imsins.log

    Log: Activity: mmdet.log (Backup file, nothing done)
    C:\WINNT\mmdet.log

    Log: Activity: ModemDet.txt (Backup file, nothing done)
    C:\WINNT\ModemDet.txt

    Log: Activity: Sti_Trace.log (Backup file, nothing done)
    C:\WINNT\Sti_Trace.log

    Log: Activity: ntbtlog.txt (Backup file, nothing done)
    C:\WINNT\ntbtlog.txt

    Log: Install: Active Setup Log.txt (Backup file, nothing done)
    C:\WINNT\Active Setup Log.txt

    Log: Install: comsetup.log (Backup file, nothing done)
    C:\WINNT\comsetup.log

    Log: Install: iis5.log (Backup file, nothing done)
    C:\WINNT\iis5.log

    Log: Install: ocgen.log (Backup file, nothing done)
    C:\WINNT\ocgen.log

    Log: Install: ockodak.log (Backup file, nothing done)
    C:\WINNT\ockodak.log

    Log: Install: setupact.log (Backup file, nothing done)
    C:\WINNT\setupact.log

    Log: Install: setupapi.log (Backup file, nothing done)
    C:\WINNT\setupapi.log

    Log: Install: wmsetup.log (Backup file, nothing done)
    C:\WINNT\wmsetup.log

    Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\mofcomp.log

    Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\wbemcore.log

    Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\wbemprox.log

    Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\wbemsnmp.log

    Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\winmgmt.log

    Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\wmiadap.log

    Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
    C:\WINNT\System32\wbem\logs\wmiprov.log

    Adobe Save For Web 3.0: [SBI $2B778709] Last save folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Adobe\Save For Web 3.0\Preferences\SaveDir\tlfd

    Ahead Nero Burning Rom: [SBI $0D846EDB] Compilation directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation

    Ahead Nero Burning Rom: [SBI $DE353278] Browser directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir

    Ahead Nero Burning Rom: [SBI $F3FD92E9] Working directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir

    Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastISODir

    Ahead Nero Burning Rom: [SBI $505FB952] Last Audio directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastAudioDir

    Ahead Nero Burning Rom: [SBI $0A02AC84] Last MP3 directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\ahead\Nero - Burning Rom\General\OFDLastMP3Dir

    Animation Shop 3: [SBI $C2450D13] Recent file list (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\JASC\Animation Shop 3\Recent File List

    Animation Shop 3: [SBI $B6CA019A] Recent browse folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\Browser\BrowseDir

    Animation Shop 3: [SBI $A8A257E6] Recent image folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir

    Animation Shop 3: [SBI $9FDEFC61] Recent save as folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir

    Gabest Media Player Classic: [SBI $E81D76E1] Last captured file (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Gabest\Media Player Classic\Capture\FileName

    HTTrack Website Copier: [SBI $93C02757] Last used folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\DefaultValues\BasePath

    HTTrack Website Copier: [SBI $FB31D252] Recent file list (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\Recent File List

    Internet Explorer: [SBI $1E8157BE] Typed URL list (25 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\TypedURLs

    Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Internet Explorer\TypedURLs

    Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Download Directory

    Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

    Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

    Internet Explorer: [SBI $D5C3373A] AutoComplete data (79 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\IntelliForms\SPW

    IZArc: [SBI $06AB5057] Last open folder (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\AppCurrentDir

    IZArc: [SBI $95F8E74A] Last add folder (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\LastAddFolder

    IZArc: [SBI $D6CA3E99] Archives history (4 files) (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\History

    IZArc: [SBI $03C34D02] Extract folder history (5 files) (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\IZSoftware\IZArc\Recent\cbExtractPath

    Adobe FlashPlayer Cookies: [SBI $065CE2DC] Text file () (File, nothing done)
    C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\bin.clearspring.com\clearspring.sol
    Properties.size=61
    Properties.md5=4C01C594CBB72B1C7E7FC56020033557
    Properties.filedate=1256249068
    Properties.filedatetext=2009-10-22 15:04:28

    Adobe FlashPlayer Cookies: [SBI $065CE2DC] Text file () (File, nothing done)
    C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\udn.specificclick.net\fug.sol
    Properties.size=33
    Properties.md5=E7B0D4B4CDD1420BACDDC9C15B48B39A
    Properties.filedate=1256271012
    Properties.filedatetext=2009-10-22 21:10:12

    Adobe FlashPlayer Cookies: [SBI $E17C7B50] Text file () (File, nothing done)
    C:\Documents and Settings\Rick.PROJECT-X.000\Application Data\Macromedia\Flash Player\#SharedObjects\73RBQQ63\cdn4.specificclick.net\img\gu.sol
    Properties.size=69
    Properties.md5=E6CE2F0368784EA918B1CAA4794C291B
    Properties.filedate=1256306443
    Properties.filedatetext=2009-10-23 07:00:42

    Macromedia FreeHand MX: [SBI $51D93363] Last import folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Macromedia\FreeHand\11\Dialogs\ImportDirectory

    MS Management Console: [SBI $ECD50EAD] Recent command list (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Microsoft Management Console\Recent File List

    MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir

    MS Media Player: [SBI $3B9B7B9A] Last CD record path (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath

    MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

    MS ClipArt Gallery 9.0: [SBI $6804DCA8] Used cliparts (7 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription

    MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

    MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

    MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

    MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

    MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

    MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

    MS Office 9.0: [SBI $4F7FBCC4] Internet history (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

    MS Office 9.0: [SBI $DE9A4E33] Access recent file (21 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Access\Settings

    MS Office 9.0 (Word): [SBI $EC31BB71] Recently used file list (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Word\Data\Settings

    MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\Excel\Recent Files

    MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Office\9.0\PowerPoint\Recent File List

    MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Fax\UserInfo\LastCountryID

    MS Fax: [SBI $F2D1A0E8] Last country ID (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Fax\UserInfo\LastCountryID

    MS Frontpage: [SBI $A45AF00A] Recent page list (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List

    MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

    MS Windows Backup 5.0: [SBI $9CE336F6] Last created backup set (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Hardware\Logical Disk File

    MS Windows Backup 5.0: [SBI $E1E8C3AC] Backup logs history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Ntbackup\Log Files

    MS Wordpad: [SBI $4C02334D] Recent file list (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

    PowerBullet: [SBI $B01E3628] Last saved project (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\DDD\Powerbullet\LastSavedPath

    Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

    Windows.OpenWith: [SBI $414F7591] Open with list - .$$$ extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.$$$\OpenWithList

    Windows.OpenWith: [SBI $B2FD6109] Open with list - .3DS extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3DS\OpenWithList

    Windows.OpenWith: [SBI $1563C37F] Open with list - .ADR extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADR\OpenWithList

    Windows.OpenWith: [SBI $F6D91293] Open with list - .AI extension (3 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

    Windows.OpenWith: [SBI $6D23ED53] Open with list - .APF extension (3 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.APF\OpenWithList

    Windows.OpenWith: [SBI $77FE82E7] Open with list - .AS extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AS\OpenWithList

    Windows.OpenWith: [SBI $16E309E0] Open with list - .ASF extension (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

    Windows.OpenWith: [SBI $6CBE8CD7] Open with list - .ASP extension (6 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASP\OpenWithList

    Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (3 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

    Windows.OpenWith: [SBI $50F69B2B] Open with list - .AU extension (3 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

    Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (11 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

    Windows.OpenWith: [SBI $DCEE25EC] Open with list - .BAK extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

    Windows.OpenWith: [SBI $691C1B44] Open with list - .BIN extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

    Windows.OpenWith: [SBI $9B660711] Open with list - .BK1 extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BK1\OpenWithList

    Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (11 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

    Windows.OpenWith: [SBI $C92C6763] Open with list - .BUP extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

    Windows.OpenWith: [SBI $3A7F8A99] Open with list - .BZ2 extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BZ2\OpenWithList

    Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (3 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

    Windows.OpenWith: [SBI $9E8D5C8A] Open with list - .CDA extension (7 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

    Windows.OpenWith: [SBI $4414E448] Open with list - .CGI extension (5 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CGI\OpenWithList

    Windows.OpenWith: [SBI $B6B2B96E] Open with list - .CHM extension (4 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

    Windows.OpenWith: [SBI $56EC999C] Open with list - .CNT extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CNT\OpenWithList

    Windows.OpenWith: [SBI $37C65299] Open with list - .CSH extension (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSH\OpenWithList

    Windows.OpenWith: [SBI $A59774C7] Open with list - .CSM extension (5 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSM\OpenWithList

    Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (2 files) (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

    Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (10 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

    Windows.OpenWith: [SBI $ECC28BDF] Open with list - .CSV extension (11 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

    Windows Explorer: [SBI $7308A845] Run history (27 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

    Windows Explorer: [SBI $AA0766B5] Stream history (201 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

    Windows Explorer: [SBI $2026AFB6] User Assistant history IE (5 files) (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Windows Explorer: [SBI $2026AFB6] User Assistant history IE (40 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Windows Explorer: [SBI $6107D172] User Assistant history files (16 files) (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: [SBI $6107D172] User Assistant history files (4090 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: [SBI $6107D172] User Assistant history files (99 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: [SBI $B7EBA926] Last visited history (26 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    Windows Explorer: [SBI $41E7A1E4] Computer search history #2 (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU

    Windows Explorer: [SBI $2F2F664E] Text in files search history (25 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU

    Windows Explorer: [SBI $9B519012] File search history (25 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU

    Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

    Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

    Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-583907252-573735546-839522115-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

    Cookie: [SBI $49804B54] Cookie (1) (Cookie, nothing done)


    History: [SBI $49804B54] History (17) (History, nothing done)


    Cookie: [SBI $49804B54] Cookie (561) (Cookie, nothing done)


    Cookie: [SBI $49804B54] Cookie (2897) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2008-08-14 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2005-06-27 unins000.exe (51.41.0.0)
    2009-03-11 unins001.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-07-28 advcheck.dll (1.6.3.17)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2009-10-08 Includes\Adware.sbi (*)
    2009-10-20 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-10-14 Includes\Dialer.sbi (*)
    2009-10-13 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2009-10-13 Includes\HijackersC.sbi (*)
    2009-10-20 Includes\Keyloggers.sbi (*)
    2009-10-20 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2009-10-13 Includes\Malware.sbi (*)
    2009-10-21 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2009-10-20 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-10-20 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-10-13 Includes\Spyware.sbi (*)
    2009-10-20 Includes\SpywareC.sbi (*)
    2009-06-08 Includes\Tracks.uti (*)
    2009-10-06 Includes\Trojans.sbi (*)
    2009-10-21 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    ---
    Here are the results on 2 SUPERAntiSpyware Scans:
    1)
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/22/2009 at 03:21 AM

    Application Version : 4.29.1002

    Core Rules Database Version : 4144
    Trace Rules Database Version: 2075

    Scan type : Custom Scan
    Total Scan Time : 00:05:37

    Memory items scanned : 341
    Memory threats detected : 2
    Registry items scanned : 7439
    Registry threats detected : 1
    File items scanned : 3
    File threats detected : 2

    Trojan.Agent/Gen-WIWOW64
    C:\WINNT\SYSTEM32\WMDTC.EXE
    C:\WINNT\SYSTEM32\WMDTC.EXE

    Trojan.Downloader-Gen/Win
    C:\WINNT\9129837.EXE
    C:\WINNT\9129837.EXE
    [ttool] C:\WINNT\9129837.EXE
    --
    2)
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/22/2009 at 11:24 AM

    Application Version : 4.29.1002

    Core Rules Database Version : 4144
    Trace Rules Database Version: 2075

    Scan type : Complete Scan
    Total Scan Time : 01:44:33

    Memory items scanned : 205
    Memory threats detected : 0
    Registry items scanned : 7472
    Registry threats detected : 6
    File items scanned : 32160
    File threats detected : 7

    Trojan.Dropper/Sys-NV
    HKLM\System\ControlSet001\Services\Nwsapagent
    C:\WINNT\SYSTEM32\NWSAPV32.DLL
    HKLM\System\ControlSet001\Enum\Root\LEGACY_Nwsapagent
    HKLM\System\ControlSet002\Services\Nwsapagent
    HKLM\System\ControlSet002\Enum\Root\LEGACY_Nwsapagent
    HKLM\System\CurrentControlSet\Services\Nwsapagent
    HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Nwsapagent
    C:\WINNT\SYSTEM32\IPRIPV32.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\Default User.WINNT\Cookies\system@content.yieldmanager[1].txt

    Trojan.Agent/Gen-NumTemp
    C:\WINNT\SYSTEM32\9.TMP

    Trojan.Agent/Gen-Dropper[Temp]
    C:\WINNT\SYSTEM32\C.TMP

    Trojan.Agent/Gen-Pher[ProQuota]
    C:\WINNT\SYSTEM32\DLLCACHE\PROQUOTA.EXE

    Trojan.Dropper/Win-NV
    C:\WINNT\SV1.EXE
    ---
    If useful, and you are familiar with this, here are the results of a "Rooter" malware finder scan:

    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows 2000 . (5.0.2195) Service Pack 4
    [32_bits] - x86 Family 15 Model 2 Stepping 4, GenuineIntel
    .
    Error OpenService (wscsvc) : 1060
    [SharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !
    .
    Internet Explorer 6.0.2800.1106
    Mozilla Firefox 3.5.3 (en-US)
    .
    A:\ [Removable]
    C:\ [Fixed-NTFS] .. ( Total:111 Go - Free:51 Go )
    D:\ [Fixed-NTFS] .. ( Total:19 Go - Free:7 Go )
    E:\ [CD_Rom]
    F:\ [CD_Rom]
    .
    Scan : 18:23.50
    Path : C:\Rooter$\Rooter.exe
    User : Rick ( Administrator -> YES )
    .
    ----------------------\\ Processes
    .
    Locked [System Process] (0)
    ______ System (8)
    ______ \SystemRoot\System32\smss.exe (152)
    ______ \??\C:\WINNT\system32\csrss.exe (176)
    ______ \??\C:\WINNT\system32\winlogon.exe (200)
    ______ C:\WINNT\system32\services.exe (228)
    ______ C:\WINNT\system32\lsass.exe (240)
    ______ C:\WINNT\system32\svchost.exe (396)
    ______ C:\WINNT\system32\spoolsv.exe (424)
    ______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (484)
    ______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (504)
    ______ C:\WINNT\System32\svchost.exe (536)
    ______ C:\Program Files\IObit\IObit Security 360\IS360srv.exe (556)
    ______ C:\WINNT\system32\MSTask.exe (620)
    ______ C:\WINNT\system32\stisvc.exe (764)
    ______ C:\Program Files\UPHClean\uphclean.exe (812)
    ______ C:\WINNT\Explorer.exe (944)
    ______ C:\Program Files\Analog Devices\SoundMAX\Smtray.exe (1004)
    ______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (1012)
    ______ C:\Program Files\GhostWall\ghostwall.exe (1028)
    ______ C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe (1052)
    ______ C:\Program Files\IObit\IObit Security 360\IS360tray.exe (1060)
    ______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (828)
    ______ C:\WINNT\system32\cmd.exe (1348)
    ______ C:\WINNT\system32\cmd.exe (1356)
    ______ C:\WINNT\system32\cmd.exe (1364)
    ______ C:\WINNT\system32\cmd.exe (1380)
    ______ C:\WINNT\system32\cmd.exe (1392)
    ______ C:\WINNT\TEMP\VRT16.tmp (1320)
    ______ C:\WINNT\system32\svchost.exe (1300)
    ______ C:\WINNT\system32\svchost.exe (1548)
    ______ C:\WINNT\svchost.exe (1316)
    ______ C:\WINNT\svchust.exe (1768)
    ______ C:\Program Files\Mozilla Firefox\firefox.exe (1648)
    ______ C:\Program Files\IObit\IObit Security 360\is360.exe (1920)
    ______ C:\WINNT\System32\svchost.exe (1804)
    ______ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (1756)
    ______ C:\WINNT\notepad.exe (2272)
    ______ C:\WINNT\System32\lsm32.sys (2284)
    ______ C:\Program Files\Internet Explorer\iexplore.exe (2236)
    ______ C:\Rooter$\Rooter.exe (2160)
    .
    ----------------------\\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    ----------------------\\ Scheduled Tasks
    .
    C:\WINNT\Tasks\AppleSoftwareUpdate.job
    C:\WINNT\Tasks\desktop.ini
    C:\WINNT\Tasks\SA.DAT
    .
    ----------------------\\ Registry
    .
    .
    ----------------------\\ Files & Folders
    .
    C:\WINNT\System32\fhhkj.bak1
    C:\WINNT\System32\fhhkj.bak2
    C:\WINNT\System32\fhhkj.tmp
    C:\WINNT\System32\fhhkj.bak1
    C:\WINNT\System32\fhhkj.bak2
    C:\WINNT\System32\fhhkj.tmp
    ==> Vundo <==
    .
    C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
    C:\DOCUME~1\RICKPR~1.000\My Documents\Downloads\Metadata\_crack_ ppt2flash pro 4.1 1 by CLONECD (Unreleased).zip.xml
    ==> Cracks & Keygens <==
    .
    ----------------------\\ Scan completed at 18:24.05
    .
    C:\Rooter$\Rooter_7.txt - (24/10/2009 | 18:24.05).c
    ---
    Here is the scan findings from Root Repeal:
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/10/23 18:11
    Program Version: Version 1.3.5.0
    Windows Version: Windows 2000 SP4
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
    Address: 0xBE6D5000 Size: 86016 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
    Address: 0xEB5E5000 Size: 4096 File Visible: No Signed: -
    Status: -

    Name: RecAgent.sys
    Image Path: RecAgent.sys
    Address: 0xEB418000 Size: 16384 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINNT\System32\drivers\rootrepeal.sys
    Address: 0xBCFE6000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: uphcleanhlp.sys
    Image Path: C:\WINNT\System32\Drivers\uphcleanhlp.sys
    Address: 0xBD366000 Size: 12288 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Documents and Settings\Rick.PROJECT-X.000\My Documents\MAXX-8~1.TIF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    Status: Visible to the Windows API, but not on disk.

    ==EOF==

    ---
    Should also note, at one point, my system lost track of where notepad.exe was located. I heard reference to the QAZ Trojan causing this, altho I did not find any references to any registry entries, as recounted on this page:
    http://www.pchell.com/virus/qaz.shtml

    ---
    I am running a PC with 1 Gig of RAM, on Windows 2000, Service Pack 4.
    Please inform me of any other information you need.

    I realize I have provided a lot of information, but hopefully, it will assist you in diagnosing this thing.

    While I realize I am not alone in this boat, if I were to lose my system, I would be in big trouble.

    Any help would be kindly appreciated.

    Thanks,
    Rick

  2. #2
    Junior Member
    Join Date
    Oct 2009
    Posts
    9

    Default More Data for the Above

    Ran IObit Security 360 and it found a bunch of nasties.
    I eliminated them, but fully expect their return.

    Here is the IObit log:
    IObit Security 360

    OS:Windows 2000
    Version:1.0.1.30
    Define Version:1251
    Time Elapsed:00:05:02
    Objects Scanned:59139
    Threats Found:27

    |Name|Type|Description|ID|
    Hijack.Userinit, Registry Data, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value=Userinit, 6-877
    Mal/Gen.Downloader, File, C:\WINNT\sv1.exe, 4-506
    Trojan-spy.Win32/Agent, File, C:\WINNT\System32\BtwSrv.dll, 4-507
    Backdoor.Trojan, File, C:\WINNT\System32\lsm32.sys, 4-508
    Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BtwSrv, 4-510
    Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV, 4-511
    Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Net_Login, 4-514
    Trojan-spy.Win32/Agent, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NET_LOGIN, 4-515
    Trojan-spy.Win32/Agent, File, C:\WINNT\isvchost.exe, 4-1052
    Mal/Gen.Downloader, File, C:\WINNT\svchust.exe, 4-1338
    Trojan-spy.Win32/Agent, File, C:\WINNT\System32\certstore.dat, 4-8144
    Backdoor.Trojan, File, C:\WINNT\System32\FInstall.sys, 4-10002
    Trojan-spy.Win32/Agent, File, C:\WINNT\System32\msxm192z.dll, 4-13377
    Trojan-spy.Win32/Agent, File, C:\WINNT\svchost.exe, 4-22308
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=BuildW, 4-28329
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=FirstInstallFlag, 4-28330
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=i, 4-28332
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=uid, 4-28337
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=Ulrn, 4-28338
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=Update, 4-28339
    Mal/Gen.Trace, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=UpdateNew, 4-28340
    Mal/Gen.Downloader, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogin, 4-35121
    Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=mBt, 4-36448
    Backdoor.Trojan, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM Value=udfa, 4-36554
    Backdoor.Trojan, File, C:\WINNT\System32\opeia.exe, 4-36737
    Backdoor.Trojan, File, C:\WINNT\System32\FastNetSrv.exe, 4-36752
    Backdoor.Trojan, Registry Key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV, 4-36753
    ---
    Here is the Updated HiJackThis Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:51:22 PM, on 10/24/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\GhostWall\ghostwall.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\IObit\IObit Security 360\IS360tray.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\TEMP\VRT16.tmp
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\IObit\IObit Security 360\is360.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=Userinit.exe
    N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\RICK\Application Data\Mozilla\Profiles\default\tq59upyp.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\Msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
    O4 - S-1-5-21-583907252-573735546-839522115-1000 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User '?')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Use webcow on this Page - C:\Program Files\WebCow\wcie.iemenu.htm
    O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Use webcow on this &Selection - C:\Program Files\WebCow\wcie.iemenu2.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
    O15 - Trusted Zone: www.adultdvdtalk.com
    O15 - Trusted Zone: www.asiangirlsandwhiteguys.com
    O15 - Trusted Zone: www.bayareascene.net
    O15 - Trusted Zone: http://www.bayareascene.net
    O15 - Trusted Zone: *.calhawaiianhoa.org
    O15 - Trusted Zone: *.disqus.com
    O15 - Trusted Zone: googleads.g.doubleclick.net
    O15 - Trusted Zone: www.fremontasbaseball.com
    O15 - Trusted Zone: www.goodwillsv.org
    O15 - Trusted Zone: www.hotornot.com
    O15 - Trusted Zone: www.lincolnavenuewillowglen.com
    O15 - Trusted Zone: *.linkshare.com
    O15 - Trusted Zone: *.linksynergy.com
    O15 - Trusted Zone: http://www.pandasoftware.com
    O15 - Trusted Zone: http://www.rickshrum.com
    O15 - Trusted Zone: *.sanjosecellphones.com
    O15 - Trusted Zone: www.staples.com
    O15 - Trusted Zone: *.viator.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmod11 - C:\WINNT\SYSTEM32\pmod11.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Express Accounts (ExpressAccountsService) - Unknown owner - C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe (file missing)
    O23 - Service: Express Invoice (ExpressInvoiceService) - NCH Software - C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe
    O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINNT\system32\hidserv.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINNT\System32\TuneUpDefragService.exe
    O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)

    --
    End of file - 8719 bytes
    ---

  3. #3
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello spykat

    Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count.
    Please provide only the one log until a helper responds, thanks.
    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)


    Please start a new topic providing the HJT log only, with a link back to this thread.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    Oct 2009
    Posts
    9

    Default

    Hi Tashi!
    Thanks so very much for your fast assistance!
    I am in quite a bind here.

    I will name the new thread "Spykat's HJT Log"

    Rick

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    New topic: http://forums.spybot.info/showthread.php?t=52843

    Renamed Trojan (and other Infections)


    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •