Win32tr.er.agent (WindowsTrojanDownloaderAgent) - Need Help

Post by akirakaneda » August 4th, 2009, 2:02 pm

Hello...working on a church computer that was donated...Ad-Aware and other programs keep finding Win32.TrojanDownloader.Agent, but nothing seems to be able to remove it. It has also locked me out of editing the registry and the task manager. While I can use other programs to get into regedit and the task manager, upon restart everything's still locked out. Thanks for your help in advance...here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:39 PM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\orvodx.exe
C:\WINDOWS\TEMP\winyerbpd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wintdvfpc.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\windjqlr.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\owqy.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winofubrc.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winmppiea.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winrkbblv.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxpuhno.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\qsshvn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7965 bytes
akirakaneda
Active Member
Posts: 7
Joined: August 4th, 2009, 1:56 pm

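The HijackThis log above and the RSIT log posted later in this thread show the same three indicator classes: dozens of randomly named executables running from the user's %Temp% and from C:\WINDOWS\TEMP, an O7 policy line disabling regedit (the RSIT registry dump additionally shows DisableTaskMgr and DisableRegistryTools), and Windows Firewall exceptions all described as "ipsec" that whitelist files in %Temp% and on drive E:. The following Python script is an added example for readers triaging such logs; it is not a MalwareRemoval.com tool and not part of any post in this thread. It parses trimmed excerpts of the two logs (embedded inline) and flags each class. The regular expressions, function names, the list of temp directories and the heuristic that anything outside C:\ or %windir% is a non-system drive are assumptions of this example, not HijackThis or RSIT conventions.

```python
"""Triage helper for HijackThis (HJT) and RSIT logs. Added example; not a MalwareRemoval.com tool."""
import re

# Locations a properly installed program should never be running from (assumed list for this example).
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\TEMP|AppData\\Local\\Temp)\\", re.IGNORECASE)
HJT_ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")            # e.g. "O7 - HKCU\...\System, DisableRegedit=1"
POLICY_LINE_RE = re.compile(r'^"(Disable\w+)"=(\d+)$')            # e.g. '"DisableTaskMgr"=1' in the RSIT dump
# RSIT dumps the XP firewall AuthorizedApplications list as '"<path>"="<path>:*:<Enabled|Disabled>:<name>"'
FW_LINE_RE = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):\*:(?P<state>\w+):(?P<name>.*)"$')

def parse_hjt(text):
    """Split an HJT log into its 'Running processes' list and its tagged entries (R0, O2, O4 ...)."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False                      # first blank line ends the process list
        else:
            m = HJT_ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries

def temp_executables(paths):
    """Binaries living in a temp directory: the randomly named win*.exe files in this thread's logs."""
    return [p for p in paths if TEMP_DIR_RE.search(p)]

def policy_restrictions(entries):
    """O7 lines: Policies\\System values that lock the user out of regedit / Task Manager."""
    found = []
    for tag, rest in entries:
        m = re.search(r",\s*(\w+)=(\d+)", rest) if tag == "O7" else None
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def registry_policy_locks(reg_text):
    """Same check against the RSIT registry dump, which lists values the O7 line omitted (DisableTaskMgr here)."""
    found, in_policy_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        m = POLICY_LINE_RE.match(line)
        if line.startswith("["):                  # a new registry key header
            in_policy_key = line.lower().endswith("policies\\system]")
        elif in_policy_key and m:
            found.append((m.group(1), int(m.group(2))))
    return found

def firewall_exceptions(reg_text):
    """All firewall AuthorizedApplications entries in the dump, as dicts with path / state / name."""
    return [m.groupdict() for m in (FW_LINE_RE.match(l.strip()) for l in reg_text.splitlines()) if m]

def suspicious_exceptions(rules):
    """Enabled exceptions for binaries in temp dirs or off the system drive (assumed to be C:\\ or %windir%)."""
    flagged = []
    for r in rules:
        on_system_drive = r["path"].lower().startswith(("c:\\", "%windir%"))
        if r["state"].lower() == "enabled" and (TEMP_DIR_RE.search(r["path"]) or not on_system_drive):
            flagged.append(r["path"])
    return flagged

def triage(hjt_text, rsit_reg_text):
    """One report a helper can skim; policy locks from both logs are merged and sorted. Flags only, removes nothing."""
    processes, entries = parse_hjt(hjt_text)
    locks = sorted(set(policy_restrictions(entries) + registry_policy_locks(rsit_reg_text)))
    return {
        "temp_processes": temp_executables(processes),
        "policy_locks": locks,
        "firewall_holes": suspicious_exceptions(firewall_exceptions(rsit_reg_text)),
    }

# Trimmed excerpts of the logs posted in this thread (the real logs run to hundreds of lines).
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\orvodx.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wintdvfpc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

SAMPLE_RSIT_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"E:\nwnq.pif"="E:\nwnq.pif:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lrlu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lrlu.exe:*:Enabled:ipsec"
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HJT, SAMPLE_RSIT_REG))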
Post by Dakeyras » August 7th, 2009, 4:37 pm

Hi :)

Hello...working on a church computer that was donated
Could you elaborate on this, please? Do you mean you are a member of the parish trying to fix this computer, and/or an IT tech trying to fix it, etc.?

Also, there appears to be no anti-virus application installed/active; are you aware of this?

Please answer these few queries of mine before we proceed any further, thank you.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Post by akirakaneda » August 7th, 2009, 4:54 pm

I am the pastor of the church. The computer has been used as the "secretary's computer" for some time...since we don't have a secretary at the moment, that means that the person gracious enough to make up the bulletin each week uses it. ;) It was donated a couple of years ago by a parishioner who I think may have come across the trojan as part of a screensaver program that I found and removed. I've cleaned off a variety of computers in the past for folks at seminary, etc. and never had a virus or trojan that stubbornly refused to come off the computer as this one has.

I am aware that there is no anti-virus software on the computer. The computer was here before I arrived.

Thanks...

Post by Dakeyras » August 8th, 2009, 5:20 am

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi akirakaneda and welcome to Malware Removal :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Thank you for answering my queries; your reply is quite acceptable to me, and you are welcome!

Security Application Advice:

The computer currently has several security applications active in system memory simultaneously. This actually lessens online protection and will cause a system conflict.

I propose we uninstall three of them and deactivate one other, as otherwise this will also hinder the actual malware removal process.

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Ad-Aware
Trojan Remover
Windows Defender


To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Disable Spybot S&D TeaTimer's Registry Guard:

This is so it does not interfere with the malware removal process, you may re-enable this when I give the all clear.

  • If you have version 1.5 or 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System tray should now be colorless.
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  • Click on Mode > Advanced Mode. When it prompts you, click Yes.
  • On the left hand side, click on Tools.
  • Check this box if it is not yet ticked: Resident.
  • You will notice that Resident is now added under Tools. Click on Resident.
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  • Exit Spybot Search & Destroy.
  • Restart your computer for the changes to take effect.

Note: The above must be completed before proceeding any further!

Very Important!:

You appear to have no anti-virus software installed and running. This is a very unsafe practice when accessing the internet and most likely the cause of your malware problems. Please download just one of the two free anti-virus programs listed below:


Install >> Update >> Carry out a complete scan. Have it fix anything it finds.

Scan with RSIT:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    Make sure that RSIT.exe is on your Desktop before running the application!
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now? Any further symptoms and/or problems encountered?
  • Both RSIT logs. <-- Post them individually please, i.e. one log per post/reply.

Post by akirakaneda » August 10th, 2009, 2:38 pm

Posting a brief update...I was unable to get Spybot to load up at all, and the icon in the lower right hand corner has never appeared. I therefore removed it along with the three programs you requested. The first anti-virus program would not start its installation program, and Avast's website was down yesterday so I could not download it. I will be back tomorrow to attempt another installation of the anti-virus software and will be back with you shortly. Thank you for your help!

Post by Dakeyras » August 10th, 2009, 3:53 pm

Hi :)

OK, thanks for the update and you are welcome!

If there is still a problem installing an anti-virus application, leave off doing so for the time being and just inform me in your next reply.

Post both the RSIT logs and keep the computer offline as much as possible, if not completely so. Then transfer the logs to, say, a USB stick and post them from another computer if available.

Post by akirakaneda » August 11th, 2009, 9:31 am

I couldn't get either anti-virus program to install when I downloaded them, just as an FYI. Here is the first log, log.txt, from RSIT.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Barbra O'Mara at 2009-08-11 09:28:30
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (48%) free of 38 GB
Total RAM: 351 MB (23% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:55 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winntdu.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvtmlvu.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winhjto.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winqkorw.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winseites.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\iawhqc.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jmoyxk.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\bwmsd.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\yytpyu.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wghi.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\ctsdf.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winpcbgy.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wincmnv.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\gubycq.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\yqruwa.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingrfad.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingxmls.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winjhth.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyngon.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winrlmyk.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\poty.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wineuejan.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\slxgs.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winjweu.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winsrjnck.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wfrirb.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvbne.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winryidei.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvyyglo.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\fjjbhk.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxspqg.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\upaglq.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winnrcsl.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\ucxqox.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winukeado.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\bvpnkp.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\juwj.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wdenmr.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tjlsh.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\hsuy.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winmmjxd.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxjlok.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winqyito.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winryrm.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winudrpw.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winavkjbu.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jght.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winuoltt.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wtqqc.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lpqyhl.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winnyslxt.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\gmnls.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyskaa.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyebks.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\prcji.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winrmkc.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wrvdea.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winjnnyuf.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winlgopw.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\myno.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wvbcpj.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\imrux.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\xywica.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\fcickg.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\windewj.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lpcbp.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxnndk.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wincornlf.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxbwrp.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\xifwaf.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winskqrl.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\windoyohf.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winqaogo.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winlgcq.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxqqfwc.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winlqbm.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winpwrfim.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winuofr.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\kjafr.exe
C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfkven.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Barbra O'Mara\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Barbra O'Mara.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 10645 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-23 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-07-15 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-28 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-06-28 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-06-28 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-23 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd []
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-02-09 134656]
"PCTVOICE"=C:\WINDOWS\system32\pctspk.exe [2002-07-09 167936]
"Motive SmartBridge"=C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe [2003-12-10 380928]
"PRISMSVR.EXE"=C:\WINDOWS\system32\PRISMSVR.EXE /APPLY []
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 128568]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-06-28 230808]
"cwcptray"=C:\Program Files\ContentWatch\Internet Protection\cwtray.exe [2009-04-25 422208]
""= []
"HPUsageTracking"=C:\Program Files\HP\HP UT\bin\hppusg.exe [2008-05-07 110592]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1768960]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2005-08-18 380928]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-01-24 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Monitor]
C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe [2003-06-18 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE [2008-04-13 1768960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
C:\WINDOWS\system32\pctspk.exe [2002-07-09 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
C:\WINDOWS\System32\keyhook.exe [2004-02-27 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe [2002-07-12 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2004-02-09 134656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-24 103424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\QV\QVLIB2\QVLIB.EXE"="C:\QV\QVLIB2\QVLIB.EXE:*:Enabled:QVLIB MFC Application. The QuickVerse Library is a STEP-compatible program used to enhance Bible study and general research."
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\nwnq.pif"="E:\nwnq.pif:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lrlu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lrlu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\erfan.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\erfan.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winieomv.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winieomv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tsenw.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tsenw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tbwsgn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tbwsgn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tmjl.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\tmjl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jalri.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jalri.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\badga.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\badga.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\axqwo.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\axqwo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winygqalg.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winygqalg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winwndexf.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winwndexf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingcmawq.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingcmawq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mrtj.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mrtj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\kfevt.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\kfevt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\juee.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\juee.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winimynpc.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winimynpc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\fgqmrk.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\fgqmrk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jeuiag.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jeuiag.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\doakdv.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\doakdv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingyql.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingyql.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lpoe.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\lpoe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\eteva.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\eteva.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfkqnps.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfkqnps.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winftpk.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winftpk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jqmo.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jqmo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wincfhuny.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wincfhuny.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxeskfj.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxeskfj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mgbm.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mgbm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\windaxrn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\windaxrn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\nnvw.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\nnvw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\rxncq.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\rxncq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\bfnhqn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\bfnhqn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winaldn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winaldn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\vhfrhp.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\vhfrhp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winwcpqjn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winwcpqjn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winkjxdvi.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winkjxdvi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wjyyi.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wjyyi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winburnr.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winburnr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\qcxua.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\qcxua.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winobicfn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winobicfn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winofqm.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winofqm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingdtdj.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingdtdj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvsdn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvsdn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\hsjv.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\hsjv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfltxng.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfltxng.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\xfcgcu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\xfcgcu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\nwia.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\nwia.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyxnr.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyxnr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\skorm.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\skorm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\vgexms.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\vgexms.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winhndupg.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winhndupg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvevmfl.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvevmfl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jfyh.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jfyh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxpnvko.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winxpnvko.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\hjaqnm.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\hjaqnm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\prnmdl.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\prnmdl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\diqh.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\diqh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mwuesg.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mwuesg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winferdb.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winferdb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\snly.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\snly.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winmqbm.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winmqbm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\uabkh.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\uabkh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mfla.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\mfla.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winilgk.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winilgk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\emlk.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\emlk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winkpnbk.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winkpnbk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winsoei.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winsoei.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\ajulb.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\ajulb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingawo.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wingawo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winpkci.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winpkci.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvbppot.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winvbppot.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winymmwfr.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winymmwfr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\kjnqtn.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\kjnqtn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winlogxtb.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winlogxtb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winqitri.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winqitri.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\looajr.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\looajr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winctrmtt.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winctrmtt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\erncu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\erncu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfrkxj.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winfrkxj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winanphsb.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winanphsb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winwvhwyx.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winwvhwyx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\axqmu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\axqmu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winnkplkb.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winnkplkb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winieumo.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winieumo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyrequ.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winyrequ.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winillsu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winillsu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winibcbq.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winibcbq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jyflde.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\jyflde.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\viilgh.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\viilgh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winpbtolu.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winpbtolu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winiqndfv.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\winiqndfv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wincmcepg.exe"="C:\DOCUME~1\BARBRA~1\LOCALS~1\Temp\wincmcepg.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a82e7f8-d1b7-11db-b084-00115b4491db}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{592d2d72-70ca-11de-b21e-00115b4491db}]
shell\autopLAy\command - E:\pvpdh.cmd
shell\AutoRun\command - E:\pvpdh.cmd
shell\explorE\command - E:\pvpdh.cmd
shell\OpEn\command - E:\pvpdh.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ea42cca-3529-11da-af28-00115b4491db}]
shell\aUtOplAY\command - E:\nwnq.pif
shell\AutoRun\command - E:\nwnq.pif
shell\eXploRe\command - E:\nwnq.pif
shell\opeN\command - E:\nwnq.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a43310ea-d552-11db-b08a-00115b4491db}]
shell\AutoRun\command - E:\LaunchU3.exe


======File associations======

.reg - edit -
.reg - open - regedit.exe %1

======List of files/folders created in the last 1 months======

2009-08-11 09:28:30 ----D---- C:\rsit
2009-07-31 14:17:11 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2009-07-31 14:17:03 ----D---- C:\Program Files\Security Task Manager
2009-07-31 14:06:38 ----D---- C:\Program Files\Trend Micro
2009-07-31 11:58:43 ----AH---- C:\aaw7boot.cmd
2009-07-30 15:21:50 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-30 15:20:28 ----D---- C:\Program Files\Trojan Remover
2009-07-29 19:52:41 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-07-29 19:51:12 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-07-29 19:40:42 ----D---- C:\WINDOWS\ie8updates
2009-07-29 19:38:27 ----HDC---- C:\WINDOWS\ie8
2009-07-29 16:41:47 ----RA---- C:\WINDOWS\system32\HP2030SM.EXE
2009-07-29 16:41:47 ----A---- C:\WINDOWS\system32\zjbig.dll
2009-07-29 16:41:47 ----A---- C:\WINDOWS\system32\hpsfs.dll
2009-07-29 16:41:47 ----A---- C:\WINDOWS\system32\HPMCoSetup.dll
2009-07-29 16:41:47 ----A---- C:\WINDOWS\system32\HP2030LM.DLL
2009-07-29 16:39:37 ----D---- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2009-07-29 16:33:19 ----RA---- C:\WINDOWS\atprs.exe
2009-07-29 16:26:28 ----SHD---- C:\WINDOWS\ftpcache
2009-07-17 12:03:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-17 12:03:42 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-17 12:01:02 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

======List of files/folders modified in the last 1 months======

2009-08-11 09:28:22 ----D---- C:\WINDOWS\Prefetch
2009-08-11 09:25:00 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-11 09:23:11 ----D---- C:\Program Files\Mozilla Firefox
2009-08-09 08:53:46 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-09 08:52:32 ----D---- C:\WINDOWS\Temp
2009-08-09 08:52:29 ----D---- C:\WINDOWS\system32\drivers
2009-08-09 08:52:21 ----A---- C:\WINDOWS\ModemLog_HSP56 MR.txt
2009-08-09 08:51:51 ----RD---- C:\Program Files
2009-08-09 08:51:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-09 08:45:25 ----HD---- C:\Config.Msi
2009-08-09 08:43:05 ----SHD---- C:\WINDOWS\Installer
2009-08-09 08:42:43 ----SD---- C:\WINDOWS\Tasks
2009-08-09 08:42:43 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-09 08:42:43 ----HD---- C:\WINDOWS\inf
2009-08-09 08:30:49 ----D---- C:\WINDOWS\system32
2009-07-29 20:07:04 ----D---- C:\WINDOWS
2009-07-29 19:55:30 ----D---- C:\WINDOWS\system32\en-US
2009-07-29 19:55:30 ----D---- C:\WINDOWS\Media
2009-07-29 19:55:30 ----D---- C:\WINDOWS\Help
2009-07-29 19:55:30 ----D---- C:\Program Files\Internet Explorer
2009-07-29 19:51:06 ----D---- C:\WINDOWS\WinSxS
2009-07-29 19:41:49 ----D---- C:\WINDOWS\ie7updates
2009-07-29 19:41:18 ----A---- C:\WINDOWS\imsins.BAK
2009-07-29 19:40:57 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-29 17:40:53 ----RSD---- C:\WINDOWS\assembly
2009-07-29 17:40:53 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-29 17:17:24 ----D---- C:\WINDOWS\Registration
2009-07-29 16:39:37 ----D---- C:\Program Files\HP
2009-07-29 16:39:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-29 16:33:15 ----D---- C:\Documents and Settings\All Users\Application Data\HP
2009-07-21 10:04:49 ----D---- C:\Documents and Settings\Barbra O'Mara\Application Data\Image Zone Express
2009-07-19 18:48:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 09:18:59 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-14 19:03:34 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2004-02-26 11648]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2004-04-13 15781]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2003-03-31 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2003-03-31 55936]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-11 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-02-18 610988]
R3 dac970nt;dac970nt; \??\C:\WINDOWS\system32\drivers\.sys []
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 Ptserial;W2K Pctel Serial Device Driver; C:\WINDOWS\System32\DRIVERS\ptserial.sys [2002-07-08 131676]
R3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2004-02-26 436608]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2002-07-10 32256]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2005-05-12 1332544]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-10-20 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-10-20 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-20 21568]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WINFLASH;WINFLASH; \??\I:\BIOS WinFlash\AWARD-WINFLASH\WinFlash.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 CwAltaService20;ContentWatch; C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [2009-04-25 1288512]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-06-28 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-28 256496]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 158768]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-11 573440]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 101888]

-----------------EOF-----------------
akirakaneda
Active Member
 
Posts: 7
Joined: August 4th, 2009, 1:56 pm

Re: Win32tr.er.agent (WindowsTrojanDownloaderAgent) - Need Help

Unread postby akirakaneda » August 11th, 2009, 9:34 am

Here is the log from info.txt:

info.txt logfile of random's system information tool 1.06 2009-08-11 09:29:06

======Uninstall list======

-->C:\Program Files\SBC LightSpeed Self Support Tool\CustomUninstall.exe SBC
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2Wire Wireless Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\Setup.exe" -l0x9 -L0x9
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Art Explosion Christian Greeting Card Factory-->MsiExec.exe /X{AA6DB661-37A2-49DA-A6A6-06962600887C}
ClickArt 50,000-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58009112-76DC-49EE-A04A-2593BBA6E826}\setup.exe" -l0x9 anything
C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP LaserJet P2030 Series-->C:\Program Files\HP\HP LaserJet P2030 Series\UnInstall.exe
HP Officejet All-In-One Series-->C:\Program Files\HP\Digital Imaging\{2D0DF835-98AB-487e-8514-0E0941F728C4}\setup\hpzscr01.exe -datfile hpwscr10.dat
HP Photosmart Essential-->MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HPSSupply-->MsiExec.exe /X{7902E313-FF0F-4493-ACB1-A8147B78DCD0}
HSP56 MR Drivers-->ptuninst.exe
IC Card Reader Driver v1.9e2-->C:\WINDOWS\iun6002.exe "C:\Program Files\IC\Card Reader Driver v1.9e2\irunin.ini"
Internet Explorer Q903235-->C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MrvlUsgTracking-->MsiExec.exe /I{A82D052A-0806-42DF-80CD-1730A1AC0ED3}
Nero Media Player-->C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Net Nanny Parental Controls 6.0-->"C:\Program Files\ContentWatch\Internet Protection\ContentProtect\Home\unins000.exe"
OCR Software by I.R.I.S 7.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Task Manager 1.7h-->C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SiS 900 PCI Fast Ethernet Adapter Driver-->C:\Progra~1\SiSLan\Uninst.exe
SiS VGA Utilities-->Rundll32 SiSInst.dll,Uninstall VGA,r,0
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Connect-->msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect-->MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 9 Hotfix [See KB885492 for more information]-->C:\WINDOWS\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\common\YINSTH~1.DLL

=====HijackThis Backups=====

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 [2009-07-31]
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 [2009-07-31]

======System event log======

Computer Name: SECRETARY
Event Code: 3004
Message:
Record Number: 32476
Source Name: WinDefend
Time Written: 20090806225508.000000-240
Event Type: warning
User:

Computer Name: SECRETARY
Event Code: 3004
Message:
Record Number: 32475
Source Name: WinDefend
Time Written: 20090806225455.000000-240
Event Type: warning
User:

Computer Name: SECRETARY
Event Code: 3004
Message:
Record Number: 32474
Source Name: WinDefend
Time Written: 20090806225449.000000-240
Event Type: warning
User:

Computer Name: SECRETARY
Event Code: 3004
Message:
Record Number: 32473
Source Name: WinDefend
Time Written: 20090806225348.000000-240
Event Type: warning
User:

Computer Name: SECRETARY
Event Code: 3004
Message:
Record Number: 32469
Source Name: WinDefend
Time Written: 20090806222443.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: SECRETARY
Event Code: 1517
Message: Windows saved user SECRETARY\Barbra O'Mara registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1997
Source Name: Userenv
Time Written: 20070201094304.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SECRETARY
Event Code: 1517
Message: Windows saved user SECRETARY\Barbra O'Mara registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1995
Source Name: Userenv
Time Written: 20070201091505.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SECRETARY
Event Code: 1517
Message: Windows saved user SECRETARY\Barbra O'Mara registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1992
Source Name: Userenv
Time Written: 20070201090405.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CBW-DIPLOMAT
Event Code: 1517
Message: Windows saved user CBW-DIPLOMAT\Barbra O'Mara registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1990
Source Name: Userenv
Time Written: 20070201085633.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CBW-DIPLOMAT
Event Code: 1517
Message: Windows saved user CBW-DIPLOMAT\Volunteer registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1974
Source Name: Userenv
Time Written: 20070105141242.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CWALTAHOME"=C:\Program Files\ContentWatch

-----------------EOF-----------------
akirakaneda
Active Member
 
Posts: 7
Joined: August 4th, 2009, 1:56 pm

Re: Win32tr.er.agent (WindowsTrojanDownloaderAgent) - Need Help

Unread postby Dakeyras » August 11th, 2009, 3:34 pm

Hi,

I have bad news, I'm afraid :(

This is a badly infected machine. It has multiple Backdoor Trojan Droppers, Backdoor Trojans and evidence of Rootkit activity.

OK, since we are dealing with the aforementioned infection(s), I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Any attempt to clean this machine may prove to be a futile endeavor, and I can't guarantee that it will be at all secure afterwards, or function in a correct manner again.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.

Next:

The mount points of this machine are also compromised with Backdoor Trojan Droppers, so any USB drives that may have been connected to this machine are in turn possibly compromised, and/or any computers they have been attached to.

If you have any, I advise that you do not connect them to any other machine for the time being; I can provide instructions on how to first disinfect them, then format them in a safe manner.
Dakeyras
MRU Honors Graduate

Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Win32tr.er.agent (WindowsTrojanDownloaderAgent) - Need Help

Unread postby akirakaneda » August 11th, 2009, 4:00 pm

Thanks for your help. Sadly, I had this feeling when I could not get my normal tools to work. I've disinfected many machines and never found one as thoroughly compromised as this one to where I was stymied. Thankfully, there are no saved financial documents on the machine. At this point, our best option is simply to reformat. So here are my questions before we simply reinstall and start over:

1. Is there any chance of files outside of executables being infected? There are some old documents on this machine that should be burned to a disc before we wipe the system, but they are all Excel and Word documents - no executables. Any danger in doing so? If so, is there a way to clean them?

2. Are USB devices outside of drives/sticks potentially affected (i.e. printers)?

3. I know that USB sticks have been used with this machine. How do we go about cleaning and formatting them?

Thanks again for your help...
akirakaneda
Active Member
 
Posts: 7
Joined: August 4th, 2009, 1:56 pm

Re: Win32tr.er.agent (WindowsTrojanDownloaderAgent) - Need Help

Unread postby Dakeyras » August 11th, 2009, 5:16 pm

Hi :)

Thanks for your help. Sadly, I had this feeling when I could not get my normal tools to work. I've disinfected many machines and never found one as thoroughly compromised as this one to where I was stymied. Thankfully, there are no saved financial documents on the machine. At this point, our best option is simply to reformat. So here are my questions before we simply reinstall and start over:
You're welcome and I will gladly answer your questions.

1. Is there any chance of files outside of executables being infected? There are some old documents on this machine that should be burned to a disc before we wipe the system, but they are all Excel and Word documents - no executables. Any danger in doing so? If so, is there a way to clean them?
I have detected no evidence of file-infector type malware, so it should be safe to do so.

2. Are USB devices outside of drives/sticks potentially affected (i.e. printers)?
No, such devices as mentioned will not be at risk.

3. I know that USB sticks have been used with this machine. How do we go about cleaning and formatting them?
Via a known safe machine, carry out the following.

Flash Disinfector:

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in. <-- repeat this process as many times as required.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Now, even though the USB drive(s) are disinfected and the hidden protection file is in place, it would be prudent to format each drive as follows:

Double-click on My Computer >> right-click on the drive icon letter designated for the USB drive and select Format...

Type in a Volume label name if you so wish >> Start >> follow the prompts.

Then re-run Flash Disinfector. This might seem a tad long-winded, but at least you will be sure the USB drives are no longer a threat, with less chance of them becoming compromised in the future.

Thanks again for your help...
As mentioned prior you are very welcome. I have some further advice below on what to do after the format.

Reformat and Reinstallation Advice:

  • Use an Anti Virus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend to use:
    • Antivir PersonalEditionClassic
      • Free anti-virus software for Windows.
      • Detects and removes more than 50,000 viruses. Free support.
    • avast! 4 Home Edition
        • Anti-virus program for Windows.
        • The home edition is freeware for noncommercial users.
    • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
      Here are some free Firewalls which I recommend to use:
      (Use only one, and disable your Windows Firewall)
    Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!
  • Keep your system updated - Microsoft releases patches for Windows and other products regularly:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Malwarebytes' Anti-Malware - Download it from here
    The tutorial on how to use MBAM is located here
  • Install WinPatrol - Download it from here
    You can find information about how WinPatrol works here
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here
    The tutorial on how to use Spyware Blaster is located here
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and the potential for your computer becoming infected again will reduce dramatically. Any questions, feel free to ask, OK!
Dakeyras
MRU Honors Graduate

Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
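
Two items in the post above can be verified rather than taken on trust: whether the Internet Explorer Custom Level entries actually ended up at Prompt/Disable, and whether each USB stick carries the protective autorun.inf folder rather than a real autorun.inf file. The script below is an added example written for this page; it is not part of Flash_Disinfector, HijackThis or any MalwareRemoval.com tool. It assumes Windows PowerShell 2.0 or later, that the registry value names 1001, 1004, 1201, 1800, 1804 and 1607 under zone 3 are the Internet-zone actions Microsoft documents for those Custom Level entries, and that it is run on the reinstalled (or another known clean) machine with the USB sticks attached. It only reads; it changes nothing.

```powershell
# Added example for this thread (not a MalwareRemoval.com or Flash_Disinfector tool):
# a read-only audit of two items from the advice above.
# Assumptions: Windows PowerShell 2.0 or later; IE zone action ids 1001/1004/1201/
# 1800/1804/1607 under zone 3 (Internet) as documented by Microsoft; run after the
# reinstall or on a known clean machine with the USB sticks plugged in.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE zone action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Get-ZoneActionLabel([int]$Value) {
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown($Value)" }
    }
}

function Test-IeInternetZone {
    # One row per setting: what the Custom Level dialog currently holds versus the
    # value the list above asks for. A value absent from the registry means IE is
    # using its built-in default for that action.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    foreach ($r in $Recommended) {
        $current = $null
        if ($props -ne $null -and $props.PSObject.Properties[$r.Id] -ne $null) {
            $current = [int]$props.($r.Id)
        }
        New-Object PSObject -Property @{
            Setting     = $r.Name
            Current     = $(if ($current -eq $null) { 'not set (IE default)' } else { Get-ZoneActionLabel $current })
            Recommended = Get-ZoneActionLabel $r.Want
            OK          = ($current -eq $r.Want)
        }
    }
}

function Test-RemovableDriveAutorun {
    # DriveType 2 = removable disk (USB sticks). For each one, report the state of
    # autorun.inf in the root: absent, a real file (the mount-point infection in this
    # thread relies on one, so inspect it before trusting the drive), or a folder
    # (the placeholder Flash_Disinfector leaves so a file of that name cannot be
    # created later).
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $path  = $_.DeviceID + '\autorun.inf'
        $state = 'absent'
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force   # -Force: the placeholder is hidden
            if ($item.PSIsContainer) { $state = 'placeholder folder (protective)' }
            else                     { $state = 'FILE present - inspect before use' }
        }
        New-Object PSObject -Property @{ Drive = $_.DeviceID; AutorunInf = $state }
    }
}

Test-IeInternetZone        | Format-Table Setting, Current, Recommended, OK -AutoSize
Test-RemovableDriveAutorun | Format-Table Drive, AutorunInf -AutoSize
```

Any row with OK = False in the first table is a Custom Level entry that still needs changing by hand as described in the list; any drive reporting a real autorun.inf file has not been through the Flash Disinfector and format steps, or has picked one up again since.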

Re: Win32tr.er.agent (WindowsTrojanDownloaderAgent) - Need Help

Unread postby NonSuch » August 14th, 2009, 4:04 am

As this issue will be resolved with a reformat, this topic is now closed.

You can help support this site from this link:
Donations For Malware Removal
NonSuch
Administrator

Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California