Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 14th, 2010, 7:19 pm

I am going to include 3 logs in this post. It will contain the HIGHJACK THIS log, Avira Log and Malwarebytes log. Please, help me take care of this. This is the only computer I have. Thank you. :)


-HIGH JACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:37 PM, on 3/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.zugo.com/?cfg=2-76-0-hPyW

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
O1 - Hosts: 193.169.12.8 nosd.info
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: flvdirect - {8a05acfe-999b-bd40-c2aa-108023127b52} - C:\WINDOWS\system32\4N0omMK-.dll (file missing)
O2 - BHO: Internet Explorer Plugin - {8BFD4136-BF8E-4136-A6BF-62A538A82934} - bzhcwcio2.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7222 bytes







-AVIRA LOG:

Avira AntiVir Personal
Report file date: Sunday, March 14, 2010 01:42

Scanning for 1849583 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MONIKA

Version information:
BUILD.DAT : 9.0.0.419 21701 Bytes 1/22/2010 18:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 04:43:22
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 04:43:32
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 04:43:37
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 04:43:43
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 04:43:43
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 04:43:43
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 04:43:43
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 04:43:43
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 04:43:44
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 04:43:44
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 04:43:44
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 04:43:44
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 04:43:46
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 04:43:47
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 04:43:48
VBASE016.VDF : 7.10.5.45 2048 Bytes 3/11/2010 04:43:48
VBASE017.VDF : 7.10.5.46 2048 Bytes 3/11/2010 04:43:48
VBASE018.VDF : 7.10.5.47 2048 Bytes 3/11/2010 04:43:48
VBASE019.VDF : 7.10.5.48 2048 Bytes 3/11/2010 04:43:49
VBASE020.VDF : 7.10.5.49 2048 Bytes 3/11/2010 04:43:49
VBASE021.VDF : 7.10.5.50 2048 Bytes 3/11/2010 04:43:49
VBASE022.VDF : 7.10.5.51 2048 Bytes 3/11/2010 04:43:49
VBASE023.VDF : 7.10.5.52 2048 Bytes 3/11/2010 04:43:49
VBASE024.VDF : 7.10.5.53 2048 Bytes 3/11/2010 04:43:50
VBASE025.VDF : 7.10.5.54 2048 Bytes 3/11/2010 04:43:50
VBASE026.VDF : 7.10.5.55 2048 Bytes 3/11/2010 04:43:50
VBASE027.VDF : 7.10.5.56 2048 Bytes 3/11/2010 04:43:50
VBASE028.VDF : 7.10.5.57 2048 Bytes 3/11/2010 04:43:50
VBASE029.VDF : 7.10.5.58 2048 Bytes 3/11/2010 04:43:51
VBASE030.VDF : 7.10.5.59 2048 Bytes 3/11/2010 04:43:51
VBASE031.VDF : 7.10.5.66 92672 Bytes 3/12/2010 04:43:51
Engineversion : 8.2.1.180
AEVDF.DLL : 8.1.1.3 106868 Bytes 3/13/2010 04:44:06
AESCRIPT.DLL : 8.1.3.17 1032570 Bytes 3/13/2010 04:44:05
AESCN.DLL : 8.1.5.0 127347 Bytes 3/13/2010 04:44:03
AESBX.DLL : 8.1.2.0 254323 Bytes 3/13/2010 04:44:07
AERDL.DLL : 8.1.4.2 479602 Bytes 3/13/2010 04:44:03
AEPACK.DLL : 8.2.1.0 426356 Bytes 3/13/2010 04:44:01
AEOFFICE.DLL : 8.1.0.39 196987 Bytes 3/13/2010 04:44:00
AEHEUR.DLL : 8.1.1.7 2326902 Bytes 3/13/2010 04:44:00
AEHELP.DLL : 8.1.10.1 237942 Bytes 3/13/2010 04:43:56
AEGEN.DLL : 8.1.2.0 373107 Bytes 3/13/2010 04:43:54
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26
AECORE.DLL : 8.1.12.2 188790 Bytes 3/13/2010 04:43:53
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 3/13/2010 04:44:08
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,

Start of the scan: Sunday, March 14, 2010 01:42

Starting search for hidden objects.
'70321' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'WISPTIS.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'aim.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'BackWeb-137903.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
37 processes with 37 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '74' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\KIM\Local Settings\Temporary Internet Files\Content.IE5\0OGMK98S\version[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\hp\recovery\wizard\fscommand\RunLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP272\A0163069.dll
[DETECTION] Contains recognition pattern of the ADSPY/eZula.TS adware or spyware
C:\WINDOWS\system32\bzhcwcio2.dll
[DETECTION] Contains recognition pattern of the WORM/Ambler.A.24 worm
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4c0915fd.qua'!
C:\Documents and Settings\KIM\Local Settings\Temporary Internet Files\Content.IE5\0OGMK98S\version[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4c0f15fa.qua'!
C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4c0d1605.qua'!
C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4c021608.qua'!
C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4c1015fb.qua'!
C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4be015ea.qua'!
C:\hp\recovery\wizard\fscommand\RunLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4c0b160b.qua'!
C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4c10160f.qua'!
C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe
[DETECTION] Is the TR/Spy.Agent.beaf Trojan
[NOTE] The file was moved to '4c1715ff.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP272\A0163069.dll
[DETECTION] Contains recognition pattern of the ADSPY/eZula.TS adware or spyware
[NOTE] The file was moved to '4bce15c6.qua'!
C:\WINDOWS\system32\bzhcwcio2.dll
[DETECTION] Contains recognition pattern of the WORM/Ambler.A.24 worm
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4c051612.qua'!


End of the scan: Sunday, March 14, 2010 11:58
Used time: 4:58:04 Hour(s)

The scan has been done completely.

8618 Scanned directories
463958 Files were scanned
10 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
463945 Files not concerned
19484 Archives were scanned
3 Warnings
13 Notes
70321 Objects were scanned with rootkit scan
0 Hidden objects were found




-MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/14/2010 6:52:02 PM
mbam-log-2010-03-14 (18-52-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 249930
Time elapsed: 2 hour(s), 40 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ef34404a-747c-81d8-843a-d938e181273d} (Adware.BHO.FL) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\flv direct player (Adware.BHO.FL) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FLV Direct Player (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Button (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\ComboBox (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Menu (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window (Adware.BHO.FL) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\downloading.swf (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\dskinliteu.dll (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\FLVPlayer.exe (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\player.dat (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\preload.swf (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\uninstall.exe (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin.xml (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Button\button_default.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Button\button_disable.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Button\button_down.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Button\button_hot.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Button\button_normal.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\combobox_buttonDown.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\combobox_buttonHot.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\combobox_buttonNor.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\edit_back.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Menu\menubg.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuItem_arrow.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuItem_check.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuitem_select.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuItem_seperator.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_close_down.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_close_hot.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_close_nor.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_max_down.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_max_hot.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_max_nor.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_min_down.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_min_hot.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_min_nor.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_restore_down.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_restore_hot.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_restore_nor.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\BottomBorder.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\downarrow.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\LeftBorder.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\Logo.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\main.ico (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\RightBorder.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
C:\Program Files\FLV Direct Player\SkinDirectFLV\skin\Window\TitlePattern.bmp (Adware.BHO.FL) -> Quarantined and deleted successfully.
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm
Advertisement
Register to Remove

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby MWR 3 day Mod » March 17th, 2010, 11:32 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 18th, 2010, 6:37 pm

Hi and welcome to the MR forums.

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


========================================


I'm afraid I have unpleasant news for you.

There is evidence of an infection on your computer that is a Password Stealer. It allows outsiders to monitor your Internet activity and private information and send the stolen data to a remote attacker.

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Limit the internet use of the computer untill it is clean.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being: Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection.

Please read this for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Should you have any questions please feel free to ask.

=======================================

With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:
FrostWire
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.


  • Click on Start > Control Panel and double click on Add/Remove Programs.
  • Locate FrostWire and click on the Change/Remove button to uninstall it.
  • Close Add/Remove Programs and Control Panel when done.



random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several post to get the logs posted.)
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 21st, 2010, 12:10 am

Please, I need more time. I am sorry. May I please have another day or so to do all of this?
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 21st, 2010, 7:19 am

Ok, I'll leave the topic open another day or so.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 24th, 2010, 1:52 pm

Okay, I appreciate your patience. :)
I haven't been able to do everything since I have been out of town. It looks like one of my family members ran scans from different programs on the computer. Should I send you another scan of my High Jack log in case the stats of my computer changed?

I'm sorry, I don't really know much about computers.
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 24th, 2010, 2:02 pm

Hi

Siin0137 wrote:It looks like one of my family members ran scans from different programs on the computer.
Can you ask people to refrain from running any scans or trying any fixes whilst i attempt to clean this PC.

Should I send you another scan of my High Jack log in case the stats of my computer changed?
No, follow the instructions in my first reply to you.

I'm sorry, I don't really know much about computers.
That's ok, I'll hopefully make the instructions easy to follow. If you're not sure - ask.

Can you try to reply in good time from now on - I was just about to close the topic.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 24th, 2010, 2:11 pm

Okay got it! :)

I figured I had something with a Password stealer since my passwords were changed almost everyday on websites that I use constantly.

I went into my Add or remove programs and Frostwire is not there. How do I remove it when it's not even visible??

Here is the LOG.TXT from the RSIT scan. Unfortunately the INFO.TEXT did not minimize nor did it show up at all.


LOG.TXT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by michaelgonzales at 2010-03-24 13:04:57
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 46 GB (65%) free of 71 GB
Total RAM: 503 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:11 PM, on 3/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\michaelgonzales\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\michaelgonzales.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
O1 - Hosts: 193.169.12.8 nosd.info
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8251 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\ParetoLogic Registration.job
C:\WINDOWS\tasks\ParetoLogic Update Version2.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{93A0AE64-BC12-451B-8A51-70307FB3DE89}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-18 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-18 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll [2003-09-03 98304]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-11-02 126976]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"AutoTKit"=C:\hp\bin\AUTOTKIT.EXE [2003-06-18 53248]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]
"VTTimer"=VTTimer.exe []
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]
"Sunkist2k"=C:\Program Files\Multimedia Card Reader\shwicon2k.exe [2003-08-14 139264]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-11-02 155648]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-11-19 623960]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-07-08 236016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-02-18 2012912]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\michaelgonzales\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-11-02 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe"="C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\FlashGet\FlashGet.exe"="C:\Program Files\FlashGet\FlashGet.exe:*:Enabled:Flashget"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-03-15 18:12:24 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Simply Super Software
2010-03-15 17:41:15 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-15 17:40:38 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-15 17:40:38 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\SUPERAntiSpyware.com
2010-03-15 17:39:55 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-03-15 00:12:15 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Roxio
2010-03-15 00:02:26 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\InstallShield
2010-03-15 00:02:24 ----D---- C:\Documents and Settings\All Users\Application Data\InstallShield
2010-03-15 00:02:14 ----D---- C:\Documents and Settings\All Users\Application Data\Sonic
2010-03-14 23:56:26 ----D---- C:\Program Files\Common Files\Sonic Shared
2010-03-14 23:56:25 ----D---- C:\Program Files\Roxio
2010-03-14 23:56:25 ----D---- C:\Documents and Settings\All Users\Application Data\Roxio
2010-03-14 23:28:07 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Research In Motion
2010-03-14 23:19:51 ----D---- C:\Documents and Settings\All Users\Application Data\Research In Motion
2010-03-14 23:18:55 ----D---- C:\Program Files\Common Files\Research In Motion
2010-03-14 23:18:50 ----D---- C:\Program Files\Research In Motion
2010-03-14 21:08:59 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\DriverCure
2010-03-14 21:08:51 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2010-03-14 21:08:51 ----D---- C:\Documents and Settings\All Users\Application Data\DriverCure
2010-03-14 21:08:48 ----D---- C:\Program Files\ParetoLogic
2010-03-14 20:30:46 ----D---- C:\Program Files\Microsoft Silverlight
2010-03-14 20:30:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971513$
2010-03-14 20:30:07 ----HDC---- C:\WINDOWS\$NtUninstallbasecsp$
2010-03-14 20:18:37 ----HDC---- C:\WINDOWS\$NtUninstallKB963093$
2010-03-14 20:18:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2010-03-14 20:09:13 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Windows Search
2010-03-14 20:07:18 ----A---- C:\WINDOWS\system32\igfxres.dll
2010-03-14 19:53:44 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Windows Desktop Search
2010-03-14 19:53:00 ----D---- C:\WINDOWS\system32\GroupPolicy
2010-03-14 19:53:00 ----D---- C:\Program Files\Windows Desktop Search
2010-03-14 19:52:41 ----HDC---- C:\WINDOWS\$NtUninstallKB940157$
2010-03-14 19:52:35 ----HDC---- C:\WINDOWS\$NtUninstallKB915800-v4$
2010-03-14 19:51:16 ----N---- C:\WINDOWS\system32\spmsg.dll
2010-03-14 01:36:34 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Malwarebytes
2010-03-13 01:14:48 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-03-13 01:14:19 ----A---- C:\WINDOWS\system32\javaws.exe
2010-03-13 01:14:19 ----A---- C:\WINDOWS\system32\javaw.exe
2010-03-13 01:14:19 ----A---- C:\WINDOWS\system32\java.exe
2010-03-12 23:38:32 ----D---- C:\Program Files\Avira
2010-03-12 23:38:32 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-03-11 02:40:12 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-04 00:37:18 ----D---- C:\Program Files\Paint.NET
2010-02-27 18:29:28 ----D---- C:\Program Files\Common Files\DivX Shared
2010-02-27 01:59:07 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\acccore
2010-02-27 01:58:27 ----D---- C:\Documents and Settings\All Users\Application Data\AIM
2010-02-27 01:58:06 ----D---- C:\Program Files\AIM
2010-02-25 03:00:50 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$

======List of files/folders modified in the last 1 months======

2010-03-24 12:58:21 ----D---- C:\Program Files
2010-03-24 12:58:20 ----D---- C:\WINDOWS\system32
2010-03-24 12:58:02 ----D---- C:\WINDOWS\Prefetch
2010-03-24 12:58:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-24 12:56:51 ----D---- C:\WINDOWS\Temp
2010-03-24 10:59:06 ----D---- C:\Program Files\Mozilla Firefox
2010-03-24 10:58:04 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-22 18:51:32 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-03-22 18:51:32 ----D---- C:\WINDOWS\system32\drivers
2010-03-22 02:21:45 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-20 22:10:39 ----HD---- C:\WINDOWS\inf
2010-03-15 17:41:03 ----SHD---- C:\WINDOWS\Installer
2010-03-15 17:40:57 ----SHD---- C:\Config.Msi
2010-03-15 17:39:55 ----D---- C:\Program Files\Common Files
2010-03-15 00:09:10 ----D---- C:\WINDOWS
2010-03-15 00:02:20 ----D---- C:\WINDOWS\WinSxS
2010-03-14 23:59:12 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-14 23:58:36 ----D---- C:\Program Files\Common Files\Roxio Shared
2010-03-14 23:58:14 ----RSD---- C:\WINDOWS\Fonts
2010-03-14 23:56:25 ----D---- C:\Program Files\Common Files\InstallShield
2010-03-14 23:55:06 ----D---- C:\temp
2010-03-14 23:34:46 ----SD---- C:\WINDOWS\Tasks
2010-03-14 23:22:03 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-03-14 21:52:40 ----D---- C:\WINDOWS\Microsoft.NET
2010-03-14 21:52:27 ----RSD---- C:\WINDOWS\assembly
2010-03-14 21:03:11 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-03-14 20:52:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-14 20:51:28 ----D---- C:\WINDOWS\security
2010-03-14 20:40:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-14 20:32:04 ----D---- C:\Program Files\Internet Explorer
2010-03-14 20:32:01 ----D---- C:\WINDOWS\ie8updates
2010-03-14 20:31:06 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-14 20:30:31 ----A---- C:\WINDOWS\imsins.BAK
2010-03-14 20:20:29 ----D---- C:\WINDOWS\system32\CatRoot
2010-03-14 20:17:57 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2010-03-14 20:17:30 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2010-03-14 20:06:34 ----D---- C:\Program Files\WinRAR
2010-03-14 19:53:04 ----D---- C:\WINDOWS\system32\en-us
2010-03-14 19:53:00 ----D---- C:\WINDOWS\system32\wbem
2010-03-14 19:50:50 ----A---- C:\WINDOWS\win.ini
2010-03-14 19:50:32 ----D---- C:\Program Files\Windows Media Player
2010-03-14 19:50:24 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2010-03-14 19:48:58 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2010-03-14 19:48:07 ----D---- C:\WINDOWS\system32\LogFiles
2010-03-14 18:53:42 ----HDC---- C:\WINDOWS\$NtUninstallKB944338$
2010-03-14 13:32:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-13 01:14:46 ----D---- C:\Program Files\Common Files\Java
2010-03-13 01:14:09 ----D---- C:\Program Files\Java
2010-03-13 01:09:47 ----D---- C:\Documents and Settings\All Users\Application Data\Toolbar4
2010-03-13 00:09:28 ----A---- C:\YServer.txt
2010-03-13 00:08:23 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-03-13 00:03:00 ----D---- C:\Program Files\SpywareBlaster
2010-03-12 23:24:51 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2010-03-12 23:24:50 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\AVGTOOLBAR
2010-03-11 02:41:31 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-03-11 02:40:18 ----D---- C:\Program Files\Movie Maker
2010-03-02 00:30:12 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-27 18:35:27 ----D---- C:\Program Files\DivX
2010-02-27 01:58:00 ----D---- C:\Program Files\Common Files\AOL

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2003-04-11 10624]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2010-03-13 56816]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-11-02 773565]
R3 IntelS51;Intel(R) 536EP Modem; C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 1903338]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-03 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2009-03-25 130432]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S2 nvcap;nVidia WDM Video Capture (universal); C:\WINDOWS\System32\DRIVERS\nvcap.sys [2003-07-30 126348]
S2 NVXBAR;nVidia WDM A/V Crossbar; C:\WINDOWS\System32\DRIVERS\NVxbar.sys [2003-07-30 13006]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 EraserUtilDrvI9;EraserUtilDrvI9; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2004-08-04 166912]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-05-06 394752]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2003-08-11 265344]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-09-29 13088]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-08-19 77824]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-12-06 362992]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2009-07-08 313840]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2009-07-08 170480]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-12-06 88560]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2009-07-08 1108464]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 25th, 2010, 1:59 pm

Hi



SystemLook

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield (Do Not include CODE:)
    Code: Select all
    :folderfind
    *FrostWire*
    *BitTorrent* 

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



CKScanner
Download CKScanner from here
  • Important - Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


In your next reply:
  1. CKScanner.txt
  2. SystemLook.txt
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 25th, 2010, 8:09 pm

Here are both scans:

CKSCANNER.TXT:


CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\conquer 2.0\c3\effect\firecracker-single\1.c3
c:\program files\conquer 2.0\c3\effect\firecracker-single\2.c3
c:\program files\conquer 2.0\c3\effect\firecracker-single\3.c3
c:\program files\conquer 2.0\c3\effect\firecracker-single\4.c3
c:\program files\conquer 2.0\c3\effect\firecracker2\1.c3
c:\program files\conquer 2.0\c3\effect\firecracker2\2.c3
c:\program files\conquer 2.0\c3\effect\firecracker2\3.c3
c:\program files\conquer 2.0\c3\effect\firecracker2\4.c3
c:\program files\conquer 2.0\c3\effect\firecracker2\5.c3
c:\program files\conquer 2.0\c3\effect\firecracker2\6.c3
scanner sequence 3.DF.11
----- EOF -----




SYSTEMLOOK.TXT:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:56 on 25/03/2010 by michaelgonzales (Administrator - Elevation successful)

========== folderfind ==========

Searching for "*FrostWire*"
C:\Documents and Settings\michaelgonzales\Application Data\FrostWire d----- [21:27 06/01/2009]
C:\Documents and Settings\michaelgonzales\Application Data\FrostWire\themes\frostwirePro_theme d----- [21:27 06/01/2009]

Searching for "*BitTorrent* "
No folders found.

-=End Of File=-
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 25th, 2010, 8:39 pm

Hi


TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.




ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 27th, 2010, 11:32 am

Hello there. :)

I ran the TCF program you asked of me and also ran the other two scans as well. I know I got the Malwarebytes' log correct but I wasn't so sure about the ESET log. If it is an incorrect log and it wasn't the one you wanted, please show me how to locate it on my computer.
Thank you. :)


-MALWAREBYTES' LOG:


Malwarebytes' Anti-Malware 1.44
Database version: 3920
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2010 11:17:08 AM
mbam-log-2010-03-27 (11-17-08).txt

Scan type: Quick Scan
Objects scanned: 158291
Time elapsed: 25 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\FLV Direct Player (Adware.FLVPlayer) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\FLV Direct Player\FLV Direct Player.lnk (Adware.FLVPlayer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\FLV Direct Player\Uninstall FLV Direct Player.lnk (Adware.FLVPlayer) -> Quarantined and deleted successfully.


-ESET LOG:


C:\Program Files\BackWeb\BackWeb Client\6.2.3.66\Program\runner.exe probably a variant of Win32/Agent trojan
C:\Program Files\Mozilla Firefox\extensions\{f51de81d-2be8-a8c0-7dc3-278b8ad0a263}\components\_5MWBE4XeQV6.dll a variant of Win32/Adware.Primawega.AA application
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent trojan
Operating memory multiple threats
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 28th, 2010, 2:47 pm

Hi

Sorry for the slight delay, I attended a function away from home overnight.



Check a file
  • Go to VirusTotal or Jotti's
    C:\Program Files\Mozilla Firefox\extensions\{f51de81d-2be8-a8c0-7dc3-278b8ad0a263}\components\_5MWBE4XeQV6.dll
  • Copy/Paste the path and filename above into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File has already been analyzed, click Reanalyze file Now.
    • File has been scanned before(Jotti), click Scan again.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.



    Fix HijackThis entries
    • Run HijackThis
    • Click on the do a system scan only button
    • Put a check beside all of the items listed below (if present):

        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        O1 - Hosts: 193.169.12.8 nosd.info
        O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    • Close all open windows and browsers/email etc...
    • Click on the Fix Checked button
    • When completed close the application.

    REBOOT



    Re-run - RSIT (Random's System Information Tool)
    You should still have this program on your desktop.

    • Double click on RSIT.exe to run it.
    • Click Continue at the disclaimer screen.
      RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (it will be maximized)
    • Please post ONLY the "log.txt", file contents in your next reply.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby Siin0137 » March 28th, 2010, 6:32 pm

Hello! :) It's okay, I actually think that you reply faster than other people who have tried helping me lol.

Any who, I did what you asked pertaining to Virus Total, Highjack This and RSIT.

I scanned the Virus Total but no other window popped up to show me results. After it scanned, it just showed "Additional Information" and under that was a lot of writing that I do not seem to understand lol. I will post it in this response just in case if that is what you wanted anyway. If I am wrong, please let me know. :)

-Here is the Virus Total information that I copied and pasted off of the same window:

Additional information
File size: 1351680 bytes
MD5...: 244a0f1d8528fd54275662747707833a
SHA1..: 861c8c28d9b99ff363b6531c1ccc90c099f1f6c8
SHA256: f5f68e18320b52131a625964ff37a03a50c00df5134e540126966b86585ea437
ssdeep: 24576:4/DjIXE79z42lz5CL/dy5cClrCc6BJ916JGhyxwNMzI1fjO4OHtROTOPE2
tsgHi5:+d8iiTcwgHneDql29
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xf6081
timedatestamp.....: 0x4b625e72 (Fri Jan 29 04:05:06 2010)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10ea5c 0x10f000 6.59 c72d98c274242bd7555fba484cc2437c
.rdata 0x110000 0x1cafb 0x1d000 4.82 e6fcfe31bea1fb1496fb063a19925882
.data 0x12d000 0x5c4c 0x1000 5.33 4120cb01cdeea4e5a2505e8fea41901a
.reloc 0x133000 0x1bb66 0x1c000 6.07 d9d96ec2666c22f7d073f16e4316ef4c

( 7 imports )
> KERNEL32.dll: InterlockedIncrement, InterlockedDecrement, GetProcAddress, LoadLibraryA, DeleteCriticalSection, DisableThreadLibraryCalls, LoadLibraryW, MultiByteToWideChar, WideCharToMultiByte
> USER32.dll: ShowWindow, SetWindowLongW, IsWindowVisible, IsWindow, SendMessageW
> xpcom.dll: NS_StringGetData, NS_StringContainerInit, NS_StringContainerFinish, NS_Alloc, NS_StringContainerInit2, NS_GetComponentManager, NS_CStringSetData, NS_CStringContainerInit, NS_Free, NS_CStringGetData, NS_CStringContainerFinish, NS_GetServiceManager
> nspr4.dll: PR_AtomicIncrement, PR_AtomicDecrement
> MSVCP60.dll: _peek@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEHXZ, _get@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEHXZ, __8std@@YA_NABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@0@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV_$allocator@D@1@@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __C@_1___Nullstr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@CAPBGXZ@4GB, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __1_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@XZ, _assign@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, _npos@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@2IB, _assign@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@PBGI@Z, __Copy@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXI@Z, __Tidy@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEX_N@Z, __Xlen@std@@YAXXZ, _max_size@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, __Eos@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXI@Z, __Grow@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAE_NI_N@Z, __Mstd@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, __8std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBG@Z, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, __Split@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXXZ, __Xran@std@@YAXXZ, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@0@Z, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@PBG@Z, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBGABV10@@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@PBGI@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@PBGABV_$allocator@G@1@@Z, _substr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBE_AV12@II@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __1_Lockit@std@@QAE@XZ, __0_Lockit@std@@QAE@XZ, __Refcnt@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEAAEPBG@Z, _find_first_of@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@ABV01@@Z, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIPBGI@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IG@Z, __1locale@std@@QAE@XZ, _find@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, __Global@_Locimp@locale@std@@0PAV123@A, __Init@locale@std@@CAPAV_Locimp@12@XZ, _do_narrow@_$ctype@G@std@@MBEDGD@Z, _do_narrow@_$ctype@G@std@@MBEPBGPBG0DPAD@Z, _do_widen@_$ctype@G@std@@MBEGD@Z, _do_widen@_$ctype@G@std@@MBEPBDPBD0PAG@Z, _do_toupper@_$ctype@G@std@@MBEGG@Z, _do_toupper@_$ctype@G@std@@MBEPBGPAGPBG@Z, _do_tolower@_$ctype@G@std@@MBEGG@Z, _do_tolower@_$ctype@G@std@@MBEPBGPAGPBG@Z, _do_scan_not@_$ctype@G@std@@MBEPBGFPBG0@Z, _do_scan_is@_$ctype@G@std@@MBEPBGFPBG0@Z, _do_is@_$ctype@G@std@@MBE_NFG@Z, _do_is@_$ctype@G@std@@MBEPBGPBG0PAF@Z, __0bad_cast@std@@QAE@ABV01@@Z, __1bad_cast@std@@UAE@XZ, __1ctype_base@std@@UAE@XZ, __1facet@locale@std@@UAE@XZ, ___7bad_cast@std@@6B@, __1_Locinfo@std@@QAE@XZ, _Getctype, __0_Locinfo@std@@QAE@PBD@Z, ___7_$ctype@G@std@@6B@, ___7ctype_base@std@@6B@, ___7facet@locale@std@@6B@, __Iscloc@locale@std@@QBE_NXZ, __Getfacet@locale@std@@QBEPBVfacet@12@I_N@Z, __Id_cnt@id@locale@std@@0HA, _id@_$ctype@G@std@@2V0locale@2@A, __1_$ctype@G@std@@UAE@XZ, _erase@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@II@Z, __9std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, __8std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, _find_last_of@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, ___D_$basic_ifstream@DU_$char_traits@D@std@@@std@@QAEXXZ, __1_$basic_istream@DU_$char_traits@D@std@@@std@@UAE@XZ, __1ios_base@std@@UAE@XZ, __1_$basic_ifstream@DU_$char_traits@D@std@@@std@@UAE@XZ, __1_$basic_ios@DU_$char_traits@D@std@@@std@@UAE@XZ, ___7_$basic_istream@DU_$char_traits@D@std@@@std@@6B@, __1_$basic_filebuf@DU_$char_traits@D@std@@@std@@UAE@XZ, _setstate@_$basic_ios@DU_$char_traits@D@std@@@std@@QAEXH_N@Z, _open@_$basic_filebuf@DU_$char_traits@D@std@@@std@@QAEPAV12@PBDH@Z, ___7_$basic_ifstream@DU_$char_traits@D@std@@@std@@6B@, __0_$basic_filebuf@DU_$char_traits@D@std@@@std@@QAE@PAU_iobuf@@@Z, __0_$basic_istream@DU_$char_traits@D@std@@@std@@QAE@PAV_$basic_streambuf@DU_$char_traits@D@std@@@1@_N@Z, ___7_$basic_ios@DU_$char_traits@D@std@@@std@@6B@, __0ios_base@std@@IAE@XZ, ___8_$basic_ifstream@DU_$char_traits@D@std@@@std@@7B@, __9std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBG@Z, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@ABV_$allocator@G@1@@Z, __0logic_error@std@@QAE@ABV01@@Z, __0out_of_range@std@@QAE@ABV01@@Z, __1out_of_range@std@@UAE@XZ, __1logic_error@std@@UAE@XZ, ___7out_of_range@std@@6B@, ___7logic_error@std@@6B@, __Copy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ID@Z, __Split@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXXZ, _erase@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@II@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@DABV10@@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@PBDABV10@@Z, _substr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBE_AV12@II@Z, __0runtime_error@std@@QAE@ABV01@@Z, __1runtime_error@std@@UAE@XZ, ___7runtime_error@std@@6B@, __8std@@YA_NPBGABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@@Z, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIABV12@II@Z, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIABV12@@Z, _assign@_$char_traits@G@std@@SAXAAGABG@Z, __Nullstr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@CAPBGXZ, _copy@_$char_traits@G@std@@SAPAGPAGPBGI@Z, _capacity@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, _c_str@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEPBGXZ, _size@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, _find@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIABV12@I@Z, __0out_of_range@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBDABV_$allocator@D@1@@Z, __0logic_error@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, __Freeze@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXXZ, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@ABV10@PBD@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@ABV10@0@Z, _find@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEIPBDII@Z, ___D_$basic_ofstream@GU_$char_traits@G@std@@@std@@QAEXXZ, __1_$basic_ostream@GU_$char_traits@G@std@@@std@@UAE@XZ, ___D_$basic_ifstream@GU_$char_traits@G@std@@@std@@QAEXXZ, __1_$basic_istream@GU_$char_traits@G@std@@@std@@UAE@XZ, __1_$basic_streambuf@GU_$char_traits@G@std@@@std@@UAE@XZ, __Init@_$basic_filebuf@GU_$char_traits@G@std@@@std@@IAEXPAU_iobuf@@W4_Initfl@12@@Z, ___7_$basic_filebuf@GU_$char_traits@G@std@@@std@@6B@, __6std@@YAAAV_$basic_ostream@GU_$char_traits@G@std@@@0@AAV10@PBG@Z, __6std@@YAAAV_$basic_ostream@GU_$char_traits@G@std@@@0@AAV10@ABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@@Z, ___7_$basic_ostream@GU_$char_traits@G@std@@@std@@6B@, ___7_$basic_ofstream@GU_$char_traits@G@std@@@std@@6B@, __0_$basic_ostream@GU_$char_traits@G@std@@@std@@QAE@PAV_$basic_streambuf@GU_$char_traits@G@std@@@1@_N1@Z, ___8_$basic_ofstream@GU_$char_traits@G@std@@@std@@7B@, __1_$basic_ios@GU_$char_traits@G@std@@@std@@UAE@XZ, ___7_$basic_istream@GU_$char_traits@G@std@@@std@@6B@, __1_$basic_filebuf@GU_$char_traits@G@std@@@std@@UAE@XZ, _getline@std@@YAAAV_$basic_istream@GU_$char_traits@G@std@@@1@AAV21@AAV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@1@@Z, _setstate@_$basic_ios@GU_$char_traits@G@std@@@std@@QAEXH_N@Z, _open@_$basic_filebuf@GU_$char_traits@G@std@@@std@@QAEPAV12@PBDH@Z, ___7_$basic_ifstream@GU_$char_traits@G@std@@@std@@6B@, __0_$basic_filebuf@GU_$char_traits@G@std@@@std@@QAE@PAU_iobuf@@@Z, __0_$basic_istream@GU_$char_traits@G@std@@@std@@QAE@PAV_$basic_streambuf@GU_$char_traits@G@std@@@1@_N@Z, ___7_$basic_ios@GU_$char_traits@G@std@@@std@@6B@, ___8_$basic_ifstream@GU_$char_traits@G@std@@@std@@7B@, _close@_$basic_filebuf@GU_$char_traits@G@std@@@std@@QAEPAV12@XZ, __1_$basic_ofstream@GU_$char_traits@G@std@@@std@@UAE@XZ, __1_$basic_streambuf@DU_$char_traits@D@std@@@std@@UAE@XZ, _close@_$basic_filebuf@DU_$char_traits@D@std@@@std@@QAEPAV12@XZ, ___7_$basic_filebuf@DU_$char_traits@D@std@@@std@@6B@, _getline@std@@YAAAV_$basic_istream@DU_$char_traits@D@std@@@1@AAV21@AAV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, __0Init@ios_base@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __0_Winit@std@@QAE@XZ, __1_Winit@std@@QAE@XZ, _seekg@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@V_$fpos@H@2@@Z, __0runtime_error@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, _tellg@_$basic_istream@DU_$char_traits@D@std@@@std@@QAE_AV_$fpos@H@2@XZ, _seekg@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z, __0_$basic_ios@DU_$char_traits@D@std@@@std@@IAE@XZ, _what@logic_error@std@@UBEPBDXZ, __Fpz@std@@3_JB, _read@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@PADH@Z, _max_size@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEIXZ, ___D_$basic_ofstream@DU_$char_traits@D@std@@@std@@QAEXXZ, __1_$basic_ostream@DU_$char_traits@D@std@@@std@@UAE@XZ, _write@_$basic_ostream@DU_$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z, ___7_$basic_ostream@DU_$char_traits@D@std@@@std@@6B@, ___7_$basic_ofstream@DU_$char_traits@D@std@@@std@@6B@, __0_$basic_ostream@DU_$char_traits@D@std@@@std@@QAE@PAV_$basic_streambuf@DU_$char_traits@D@std@@@1@_N1@Z, ___8_$basic_ofstream@DU_$char_traits@D@std@@@std@@7B@, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@G@Z
> MSVCRT.dll: _wstat, fwrite, _fdopen, _terminate@@YAXXZ, _except_handler3, __1type_info@@UAE@XZ, _adjust_fdiv, malloc, _initterm, _onexit, __dllonexit, __2@YAPAXI@Z, __CxxFrameHandler, wcslen, time, _purecall, strcpy, strlen, memcpy, _ltow, _ultow, wcstol, _errno, wcstoul, atof, swprintf, __0exception@@QAE@ABV0@@Z, __1exception@@UAE@XZ, __0exception@@QAE@ABQBD@Z, _CxxThrowException, fclose, _wfopen, rand, _ftol, wcsftime, localtime, gmtime, memmove, __set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z, _beginthreadex, difftime, wcscpy, memchr, isalnum, tolower, fopen, _snprintf, fprintf, fread, ftell, fseek, fputc, isalpha, isspace, strncmp, strchr, free
> OLEAUT32.dll: -, -, -

( 1 exports )
NSGetModule
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned






-RSIT LOG.TXT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by michaelgonzales at 2010-03-28 18:24:14
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 47 GB (67%) free of 71 GB
Total RAM: 503 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:26 PM, on 3/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\michaelgonzales\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\michaelgonzales.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8142 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\ParetoLogic Registration.job
C:\WINDOWS\tasks\ParetoLogic Update Version2.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{93A0AE64-BC12-451B-8A51-70307FB3DE89}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-18 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-18 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll [2003-09-03 98304]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-11-02 126976]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"AutoTKit"=C:\hp\bin\AUTOTKIT.EXE [2003-06-18 53248]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]
"VTTimer"=VTTimer.exe []
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]
"Sunkist2k"=C:\Program Files\Multimedia Card Reader\shwicon2k.exe [2003-08-14 139264]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-11-02 155648]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-11-19 623960]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2009-07-08 236016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2008-10-24 206112]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-02-18 2012912]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\michaelgonzales\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-11-02 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe"="C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\FlashGet\FlashGet.exe"="C:\Program Files\FlashGet\FlashGet.exe:*:Enabled:Flashget"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-03-27 01:16:23 ----D---- C:\Program Files\ESET
2010-03-24 15:00:50 ----D---- C:\Program Files\Common Files\Software Update Utility
2010-03-15 18:12:24 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Simply Super Software
2010-03-15 17:41:15 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-15 17:40:38 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-15 17:40:38 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\SUPERAntiSpyware.com
2010-03-15 17:39:55 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-03-15 00:12:15 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Roxio
2010-03-15 00:02:26 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\InstallShield
2010-03-15 00:02:24 ----D---- C:\Documents and Settings\All Users\Application Data\InstallShield
2010-03-15 00:02:14 ----D---- C:\Documents and Settings\All Users\Application Data\Sonic
2010-03-14 23:56:26 ----D---- C:\Program Files\Common Files\Sonic Shared
2010-03-14 23:56:25 ----D---- C:\Program Files\Roxio
2010-03-14 23:56:25 ----D---- C:\Documents and Settings\All Users\Application Data\Roxio
2010-03-14 23:28:07 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Research In Motion
2010-03-14 23:19:51 ----D---- C:\Documents and Settings\All Users\Application Data\Research In Motion
2010-03-14 23:18:55 ----D---- C:\Program Files\Common Files\Research In Motion
2010-03-14 23:18:50 ----D---- C:\Program Files\Research In Motion
2010-03-14 21:08:59 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\DriverCure
2010-03-14 21:08:51 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2010-03-14 21:08:51 ----D---- C:\Documents and Settings\All Users\Application Data\DriverCure
2010-03-14 21:08:48 ----D---- C:\Program Files\ParetoLogic
2010-03-14 20:30:46 ----D---- C:\Program Files\Microsoft Silverlight
2010-03-14 20:30:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971513$
2010-03-14 20:30:07 ----HDC---- C:\WINDOWS\$NtUninstallbasecsp$
2010-03-14 20:18:37 ----HDC---- C:\WINDOWS\$NtUninstallKB963093$
2010-03-14 20:18:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2010-03-14 20:09:13 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Windows Search
2010-03-14 20:07:18 ----A---- C:\WINDOWS\system32\igfxres.dll
2010-03-14 19:53:44 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Windows Desktop Search
2010-03-14 19:53:00 ----D---- C:\WINDOWS\system32\GroupPolicy
2010-03-14 19:53:00 ----D---- C:\Program Files\Windows Desktop Search
2010-03-14 19:52:41 ----HDC---- C:\WINDOWS\$NtUninstallKB940157$
2010-03-14 19:52:35 ----HDC---- C:\WINDOWS\$NtUninstallKB915800-v4$
2010-03-14 19:51:16 ----N---- C:\WINDOWS\system32\spmsg.dll
2010-03-14 01:36:34 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\Malwarebytes
2010-03-13 01:14:48 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-03-13 01:14:19 ----A---- C:\WINDOWS\system32\javaws.exe
2010-03-13 01:14:19 ----A---- C:\WINDOWS\system32\javaw.exe
2010-03-13 01:14:19 ----A---- C:\WINDOWS\system32\java.exe
2010-03-12 23:38:32 ----D---- C:\Program Files\Avira
2010-03-12 23:38:32 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-03-11 02:40:12 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-04 00:37:18 ----D---- C:\Program Files\Paint.NET

======List of files/folders modified in the last 1 months======

2010-03-28 18:24:06 ----D---- C:\WINDOWS\Prefetch
2010-03-28 18:22:04 ----D---- C:\WINDOWS\Temp
2010-03-28 18:21:56 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-28 18:18:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-27 11:23:42 ----D---- C:\Program Files\Mozilla Firefox
2010-03-27 11:19:46 ----D---- C:\WINDOWS\system32\drivers
2010-03-27 11:18:00 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-03-27 01:16:23 ----D---- C:\Program Files
2010-03-27 00:57:30 ----D---- C:\WINDOWS\system32
2010-03-27 00:57:30 ----D---- C:\WINDOWS
2010-03-24 15:01:10 ----D---- C:\Program Files\AIM
2010-03-24 15:00:50 ----D---- C:\Program Files\Common Files
2010-03-22 18:51:32 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-03-22 02:21:45 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-20 22:10:39 ----HD---- C:\WINDOWS\inf
2010-03-15 17:41:03 ----SHD---- C:\WINDOWS\Installer
2010-03-15 17:40:57 ----SHD---- C:\Config.Msi
2010-03-15 00:02:20 ----D---- C:\WINDOWS\WinSxS
2010-03-14 23:59:12 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-14 23:58:36 ----D---- C:\Program Files\Common Files\Roxio Shared
2010-03-14 23:58:14 ----RSD---- C:\WINDOWS\Fonts
2010-03-14 23:56:25 ----D---- C:\Program Files\Common Files\InstallShield
2010-03-14 23:55:06 ----D---- C:\temp
2010-03-14 23:34:46 ----SD---- C:\WINDOWS\Tasks
2010-03-14 23:22:03 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-03-14 21:52:40 ----D---- C:\WINDOWS\Microsoft.NET
2010-03-14 21:52:27 ----RSD---- C:\WINDOWS\assembly
2010-03-14 21:03:11 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-03-14 20:52:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-14 20:51:28 ----D---- C:\WINDOWS\security
2010-03-14 20:40:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-14 20:32:06 ----A---- C:\WINDOWS\imsins.BAK
2010-03-14 20:32:04 ----D---- C:\Program Files\Internet Explorer
2010-03-14 20:32:01 ----D---- C:\WINDOWS\ie8updates
2010-03-14 20:31:06 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-14 20:20:29 ----D---- C:\WINDOWS\system32\CatRoot
2010-03-14 20:17:57 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2010-03-14 20:17:30 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2010-03-14 20:06:34 ----D---- C:\Program Files\WinRAR
2010-03-14 19:53:04 ----D---- C:\WINDOWS\system32\en-us
2010-03-14 19:53:00 ----D---- C:\WINDOWS\system32\wbem
2010-03-14 19:50:50 ----A---- C:\WINDOWS\win.ini
2010-03-14 19:50:32 ----D---- C:\Program Files\Windows Media Player
2010-03-14 19:50:24 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2010-03-14 19:48:58 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2010-03-14 19:48:07 ----D---- C:\WINDOWS\system32\LogFiles
2010-03-14 18:53:42 ----HDC---- C:\WINDOWS\$NtUninstallKB944338$
2010-03-14 13:32:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-13 01:14:46 ----D---- C:\Program Files\Common Files\Java
2010-03-13 01:14:09 ----D---- C:\Program Files\Java
2010-03-13 01:09:47 ----D---- C:\Documents and Settings\All Users\Application Data\Toolbar4
2010-03-13 00:09:28 ----A---- C:\YServer.txt
2010-03-13 00:08:23 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-03-13 00:03:00 ----D---- C:\Program Files\SpywareBlaster
2010-03-12 23:24:51 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2010-03-12 23:24:50 ----D---- C:\Documents and Settings\michaelgonzales\Application Data\AVGTOOLBAR
2010-03-11 02:41:31 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-03-11 02:40:18 ----D---- C:\Program Files\Movie Maker
2010-03-02 00:30:12 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2003-04-11 10624]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2010-03-13 56816]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-11-02 773565]
R3 IntelS51;Intel(R) 536EP Modem; C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 1903338]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-03 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2009-03-25 130432]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S2 nvcap;nVidia WDM Video Capture (universal); C:\WINDOWS\System32\DRIVERS\nvcap.sys [2003-07-30 126348]
S2 NVXBAR;nVidia WDM A/V Crossbar; C:\WINDOWS\System32\DRIVERS\NVxbar.sys [2003-07-30 13006]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 EraserUtilDrvI9;EraserUtilDrvI9; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2004-08-04 166912]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-05-06 394752]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2003-08-11 265344]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-09-29 13088]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-08-19 77824]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-12-06 362992]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2009-07-08 313840]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2009-07-08 170480]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-12-06 88560]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2009-07-08 1108464]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
Siin0137
Active Member
 
Posts: 13
Joined: January 20th, 2010, 8:15 pm

Re: I have a WORM/AMBLER.A.24 and a TRtrojan, PLEASE HELP!!!

Unread postby melboy » March 29th, 2010, 9:09 am

Hi

I needed to see what the other scanners detected it as (if anything). Not to worry though, I've an Idea of what it is now.


Uninstall list

Please post an Uninstall list.

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location, such as your Desktop By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.


In your next reply.

1. Uninstall list.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 295 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware