Author Topic: AdvancedVirusRemover  (Read 10633 times)

JimW (Guest)
AdvancedVirusRemover
« on: December 07, 2009, 08:03:40 PM »
I have an HP Pavilion a510e running Windows XP Home Edition, V. 2002, SP2, AMD Athlon XP 2800+ at 2.08GHz, 448 MB RAM.
Avast has located Win32:Trojan-gen in many locations; Malwarebytes has located Trojan_Vundo in several locations. Both programs have shown all infections quarantined and cleaned, but at every boot I get pop-ups from AdvancedVirusRemover and the message that Task Manager has been disabled by the administrator.
I have searched enough to figure out how to re-enable Task Manager, shut down all the pop-ups and AVR, and remove the exe from the registry, but at the next boot it starts all over again.
Here is the HijackThis log after boot-up:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:32 AM, on 12/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\CalendarPal\CalendarPal.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/wind/portal/index.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [wcmdmgr] "C:\WINDOWS\wt\updater\wcmdmgrl.exe" -launch
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [CalendarPal] C:\Program Files\CalendarPal\CalendarPal.exe -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229982742853
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229982699869
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5422/mcfscan.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/installers/ALLTELControls.cab
O18 - Filter hijack: text/html - {fc8f03c1-486f-4588-9775-8b394376bc52} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\nemarato.dll mavozebu.dll 
O20 - Winlogon Notify: ljJcCSjJ - ljJcCSjJ.dll (file missing)
O21 - SSODL: ubtlbr - {A9C6B173-6578-4F2C-A862-529BFEF54649} - (no file)
O21 - SSODL: guzolenof - {e4f0da8b-f914-45d8-ae80-64a8f30cf159} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {e4f0da8b-f914-45d8-ae80-64a8f30cf159} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7492 bytes
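The manual triage that polonus does further down this thread (flag the UserInit value, AppInit_DLLs, orphaned "(no file)" entries, and a Run value named after its own file) can be scripted. The Python below is an added example, not code from the thread or from HijackThis: it runs offline over a constructed subset of the log lines posted above. The allowlist, the rule wording and the System32 restriction on the numeric-suffix rule are assumptions; the same-name rule is noisy on its own (ctfmon.exe is a legitimate Windows autostart whose value name equals its file name), which is why the allowlist exists.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted above, with a few
# benign lines left in so that the rules have something to pass as well as flag.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O18 - Filter hijack: text/html - {fc8f03c1-486f-4588-9775-8b394376bc52} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\nemarato.dll mavozebu.dll
O20 - Winlogon Notify: ljJcCSjJ - ljJcCSjJ.dll (file missing)
O21 - SSODL: ubtlbr - {A9C6B173-6578-4F2C-A862-529BFEF54649} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {e4f0da8b-f914-45d8-ae80-64a8f30cf159} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# What Winlogon should run at logon on XP; HijackThis only lists F2 when it differs.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Autostart values whose name legitimately equals the file name (assumption: extend
# for your own baseline). Without this, ctfmon.exe trips the same-name rule.
SAME_NAME_ALLOWLIST = {"ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    entry: str
    reason: str


def _exe_basename(cmd: str) -> str:
    """Return the lower-cased file name of the command an O4 entry launches."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd)  # drop HJT's "(User 'SYSTEM')" suffix
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_hjt(log_text: str) -> list[Finding]:
    """Apply the four hand-triage rules from the thread to each HijackThis line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != EXPECTED_USERINIT:
                findings.append(Finding(line, "UserInit hijack: Winlogon runs this instead of userinit.exe"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(Finding(line, "AppInit_DLLs set: these DLLs load into every process that maps user32.dll"))
        elif "(no file)" in line or "(file missing)" in line:
            findings.append(Finding(line, "orphaned entry: target missing, safe to remove"))
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            exe = _exe_basename(m.group("cmd"))
            if m.group("name").strip().lower() == exe and exe not in SAME_NAME_ALLOWLIST:
                findings.append(Finding(line, "Run value named after its own file: common trojan pattern"))
            elif re.search(r"\d{2,}\.exe$", exe) and "\\system32\\" in m.group("cmd").lower():
                findings.append(Finding(line, "numeric-suffixed executable autostarting from System32"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}")
```

On the full log above this flags exactly the entries polonus lists for fixing, plus the orphaned Yahoo! Toolbar URLSearchHook; everything avast, Java and the printer driver start stays clean. Feed it a real log with `triage_hjt(open("hijackthis.log").read())`.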

Pondus
Re: AdvancedVirusRemover
« Reply #1 on: December 07, 2009, 08:13:36 PM »
Is it this one?

Remove Advanced Virus Remover (Removal Instructions)
http://www.bleepingcomputer.com/virus-removal/remove-advanced-virus-remover

Can you post the Malwarebytes scan log?


polonus
Re: AdvancedVirusRemover
« Reply #3 on: December 07, 2009, 09:25:31 PM »
Hi JimW,

Considering your HJT logfile, I propose the following items to be cleansed using HJT,
and I also give a survey of your system tasks.

A new version of the service pack is available - SP3
You apparently have no software firewall active....

Fix   C:\WINDOWS\system32\winupdate86.exe
Nasty (1.6 / 5.00) Re: http://www.superantispyware.com/malwarefiles/WINUPDATE86.EXE.html
http://htlogs.com/what-is-winupdate86-exe-how-to-remove-winupdate86-exe/

Fix   F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
Nasty (2.66 / 5.00)

Fix   O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
Extremely nasty
It seems that the name of this program is the same as the name of the file.
In most cases this is the result of trojans.
To be sure, you should check this file.

Fix   O18 - Filter hijack: text/html - {fc8f03c1-486f-4588-9775-8b394376bc52} - (no file)

Fix   O20 - AppInit_DLLs: c:\windows\system32\nemarato.dll mavozebu.dll
Removal example here: http://forum.kaspersky.com/index.php?showtopic=114319

O20 - Winlogon Notify: ljJcCSjJ - ljJcCSjJ.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

Fix   O21 - SSODL: ubtlbr - {A9C6B173-6578-4F2C-A862-529BFEF54649} - (no file)

Fix   O21 - SSODL: guzolenof - {e4f0da8b-f914-45d8-ae80-64a8f30cf159} - (no file)

Fix   O22 - SharedTaskScheduler: kupuhivus - {e4f0da8b-f914-45d8-ae80-64a8f30cf159} - (no file)

Survey of active tasks

smss.exe - System task - Session Manager Subsystem
csrss.exe - System task - Microsoft Client/Server Runtime Server Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe (5 instances) - System task - Microsoft Service Host Process
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
spoolsv.exe - System task - Microsoft Printer Spooler Service
svchost.exe - System task - Microsoft Service Host Process
IS360srv.exe - Virusscan - IObit Security 360, a CONTROVERSIAL ANTI-MALWARE PROGRAM; better use MBAM, whose code they stole
jqs.exe - Background task - Java Quick Starter Service
svchost.exe - System task - Microsoft Service Host Process
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
alg.exe - System task - Application Layer Gateway Service
Explorer.EXE - System task - Microsoft Windows Explorer
winupdate86.exe - Unknown task - Malware, see above for instructions
EKIJ5000MUI.exe - Driver - KODAK AiO Printer Driver
WDBtnMgr.exe - Background task - WD Button Manager
ashDisp.exe - Virusscan - Avast AntiVirus
IS360tray.exe - Background task - IObit Security 360, see earlier remarks
CalendarPal.exe - Unknown task
ctfmon.exe - System task - Alternative User Input Services
HijackThis.exe - Application - HijackThis
wmiprvse.exe - System task - Microsoft Windows Management Instrumentation


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

JimW (Guest)
Re: AdvancedVirusRemover
« Reply #4 on: December 07, 2009, 09:45:24 PM »
I have always used Malwarebytes, but this infection has disabled it, saying "file path not found", and will not let me reinstall it. I can only run Malwarebytes from a USB stick, which works, but I can't update it before running it. I'm running a scan now and will post the log when done. I only tried IObit when Malwarebytes was blocked, but T/Y for the info about it; I will get rid of it. The link you sent is where I found, in my earlier searches, how to delete the keys in the registry and remove the files, but everything still shows back up on reboot. I am running a firewall on my Belkin router.
« Last Edit: December 07, 2009, 09:47:57 PM by JimW »

essexboy
Re: AdvancedVirusRemover
« Reply #5 on: December 07, 2009, 09:50:05 PM »
Hi, let's have a look to see what is on your system and see if I can find the respawner.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
    • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

JimW (Guest)
Re: AdvancedVirusRemover
« Reply #6 on: December 07, 2009, 10:26:22 PM »
I can't get anything to paste under custom scan.


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

12/7/2009 2:59:28 PM
mbam-log-2009-12-07 (14-59-04).txt

Scan type: Quick Scan
Objects scanned: 106799
Time elapsed: 10 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It appears I'm thinning things out: Vundo didn't show up this time!
« Last Edit: December 07, 2009, 10:31:17 PM by JimW »
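Malwarebytes reports each policy tamper above as a "Bad: (1) Good: (0)" data item and, in this run, took no action on any of them. The Python below is an added example, not Malwarebytes code or anything posted in the thread: it parses that block and emits a .reg file that sets each value back to the reported Good value, which is what "Remove Selected" would do for these items. It runs offline on a constructed three-line excerpt of the log; the assumption that every listed value is a DWORD or a string is marked in the code. The caveat this thread itself illustrates: resetting DisableTaskMgr is only worth doing once the loader (winupdate86.exe and its UserInit hook) is gone, because it re-applies the policy at every boot. Import the file with `regedit /s` from an administrator account, and remember that HKEY_CURRENT_USER entries land in the profile of whoever runs the import.

```python
from __future__ import annotations

import re

# Constructed sample: three of the "Registry Data Items Infected" lines from the
# Malwarebytes log posted above, plus the section header that follows the block.
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# key = hive plus subkey path (greedy, so it stops at the last backslash),
# value = the value name, then MBAM's detection label, Bad/Good data and action.
DATA_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+)\\(?P<value>[^\\]+) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)


def parse_data_items(log_text: str) -> list[dict[str, str]]:
    """Return the parsed entries of the 'Registry Data Items Infected' section only."""
    items: list[dict[str, str]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):              # every MBAM section header ends this way
            in_section = line.startswith("Registry Data Items")
            continue
        if in_section and (m := DATA_ITEM_RE.match(line)):
            items.append(m.groupdict())
    return items


def _reg_data(good: str) -> str:
    # MBAM prints numeric policy values as "(1)"/"(0)". Assumption: a numeric Good
    # value is REG_DWORD and anything else is REG_SZ; check with regedit if unsure.
    return f"dword:{int(good):08x}" if good.isdigit() else '"' + good.replace("\\", "\\\\") + '"'


def build_undo_reg(items: list[dict[str, str]]) -> str:
    """Group the entries by key and render a REGEDIT 5.00 file restoring the Good values."""
    by_key: dict[str, list[tuple[str, str]]] = {}
    for it in items:
        by_key.setdefault(it["key"], []).append((it["value"], it["good"]))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"={_reg_data(good)}' for name, good in values)
        lines.append("")
    return "\n".join(lines)


def write_reg(path: str, text: str) -> None:
    """regedit expects a 5.00 file as UTF-16 with a BOM and CRLF line endings."""
    with open(path, "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(text)


if __name__ == "__main__":
    reg = build_undo_reg(parse_data_items(MBAM_SAMPLE))
    print(reg)
    write_reg("mbam-undo.reg", reg)
```

Deleting a policy value (`"DisableTaskMgr"=-` in .reg syntax) is an equally valid restore for the Policies\ keys, since the default is for the value to be absent; the script writes 0 because that is what the log reports as Good.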

essexboy
Re: AdvancedVirusRemover
« Reply #7 on: December 07, 2009, 10:42:46 PM »
Are you unable to use copy and paste?

Run without the additional scans.

JimW (Guest)
Re: AdvancedVirusRemover
« Reply #8 on: December 07, 2009, 10:48:23 PM »
I can right-click, highlight and copy, but then I don't have the paste option; I have tried on 2 different computers. OK, the scan is running now w/o additional scans.

essexboy
Re: AdvancedVirusRemover
« Reply #9 on: December 07, 2009, 10:54:48 PM »
Ah, Ctrl+V will paste.

JimW (Guest)
Re: AdvancedVirusRemover
« Reply #10 on: December 07, 2009, 11:01:31 PM »
OK, I have a log file. I tried using Ctrl-V but still nothing shows in the list under custom scans. Will try to post the log now.

http://www.mediafire.com/?gqjy5m5zuxm

http://www.mediafire.com/file/gqjy5m5zuxm/OTS.Txt
« Last Edit: December 07, 2009, 11:09:28 PM by JimW »

JimW (Guest)
Re: AdvancedVirusRemover
« Reply #11 on: December 07, 2009, 11:13:58 PM »
It seems it has mutated again; when I go to Task Manager to end the task to try and stop the warning window, it restarts the AdvancedVirusRemover program!!

essexboy
Re: AdvancedVirusRemover
« Reply #12 on: December 07, 2009, 11:28:22 PM »
Yep, I can see it all.

You will need to do this in safe mode so that you are able to copy and paste. If you are unable to do that then go straight to step 2.

Start OTS. Copy/paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button. OK, the fix is too large for the forum, so I have attached it as a text file: download this to your desktop, then open the text file and copy/paste the entire contents into the fix section.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

STEP 2

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

JimW (Guest)
Re: AdvancedVirusRemover
« Reply #13 on: December 07, 2009, 11:42:53 PM »
As per one of your previous posts I was using HJT to repair the listed items and, using your link, downloaded SuperAntiSpyware; it is running now. Should I let it finish or go ahead & use ComboFix now instead?

essexboy
Re: AdvancedVirusRemover
« Reply #14 on: December 07, 2009, 11:50:25 PM »
Yes, as here is a small sample of the files that needed to be deleted:

NY ->  pateregu -> C:\WINDOWS\System32\pateregu
NY ->  6334.exe -> C:\WINDOWS\System32\6334.exe
NY ->  18467.exe -> C:\WINDOWS\System32\18467.exe
NY ->  41.exe -> C:\WINDOWS\System32\41.exe
NY ->  AVR10.exe -> C:\WINDOWS\System32\AVR10.exe
NY ->  winhelper86.dll -> C:\WINDOWS\System32\winhelper86.dll
NY ->  vxpoalfu.job -> C:\WINDOWS\tasks\vxpoalfu.job
NY ->  btvkokmo.job -> C:\WINDOWS\tasks\btvkokmo.job
NY ->  5705.exe -> C:\WINDOWS\System32\5705.exe
NY ->  24464.exe -> C:\WINDOWS\System32\24464.exe
NY ->  26962.exe -> C:\WINDOWS\System32\26962.exe
NY ->  29358.exe -> C:\WINDOWS\System32\29358.exe
NY ->  11478.exe -> C:\WINDOWS\System32\11478.exe
NY ->  15724.exe -> C:\WINDOWS\System32\15724.exe
NY ->  19169.exe -> C:\WINDOWS\System32\19169.exe
NY ->  26500.exe -> C:\WINDOWS\System32\26500.exe
NY ->  14771.exe -> C:\WINDOWS\System32\14771.exe
NY ->  21726.exe -> C:\WINDOWS\System32\21726.exe
NY ->  5447.exe -> C:\WINDOWS\System32\5447.exe
NY ->  19895.exe -> C:\WINDOWS\System32\19895.exe
NY ->  19718.exe -> C:\WINDOWS\System32\19718.exe
NY ->  18716.exe -> C:\WINDOWS\System32\18716.exe
NY ->  17421.exe -> C:\WINDOWS\System32\17421.exe
NY ->  12382.exe -> C:\WINDOWS\System32\12382.exe

Plus about 20 others and various login registry keys. So I would highly recommend that you run ComboFix, as it is a great deal stronger than SAS.
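The OTS excerpt above is the dropper's file-side footprint: a burst of numeric-named executables in System32 and two random-named .job files in the Tasks folder. The Python below is an added example, not code from the thread or from OTS. It sweeps a directory tree for those two naming patterns and also clusters files by modification time, because a dropper that writes its payload in one go leaves a group of files with near-identical timestamps, something a patched-over-years System32 does not. The fixture tree, the two name patterns and the 120-second window are assumptions; the sweep is a heuristic, not a verdict, and on a box like this one it should be run from a clean boot (WinPE or a slaved disk), since a live rootkit can hide its files from the running OS.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)  # 6334.exe, 18467.exe, 41.exe ...
RANDOM_JOB = re.compile(r"^[a-z]{8}\.job$")              # vxpoalfu.job, btvkokmo.job


def name_hits(system32: Path, tasks: Path) -> dict[str, list[str]]:
    """Files whose names match the two dropper patterns seen in the OTS excerpt."""
    hits: dict[str, list[str]] = {"numeric_exe": [], "random_job": []}
    for p in sorted(system32.iterdir()):
        if p.is_file() and NUMERIC_EXE.match(p.name):
            hits["numeric_exe"].append(p.name)
    for p in sorted(tasks.iterdir()):
        if p.is_file() and RANDOM_JOB.match(p.name):
            hits["random_job"].append(p.name)
    return hits


def mtime_clusters(directory: Path, window_s: int = 120, min_size: int = 3) -> list[list[str]]:
    """Group files whose modification time sits within window_s of the previous file.

    A dropper writing its payload in one burst leaves a cluster; files that arrived
    through normal patching are spread over months and never form one."""
    files = sorted((p.stat().st_mtime, p.name) for p in directory.iterdir() if p.is_file())
    clusters: list[list[str]] = []
    current: list[tuple[float, str]] = []
    for mtime, name in files:
        if current and mtime - current[-1][0] > window_s:
            if len(current) >= min_size:
                clusters.append([n for _, n in current])
            current = []
        current.append((mtime, name))
    if len(current) >= min_size:
        clusters.append([n for _, n in current])
    return clusters


def build_demo_tree() -> tuple[Path, Path]:
    """Constructed fixture (assumption): a fake System32 and Tasks folder carrying a few
    of the names from the OTS excerpt next to some long-standing Windows files."""
    root = Path(tempfile.mkdtemp(prefix="avr_demo_"))
    system32, tasks = root / "WINDOWS" / "System32", root / "WINDOWS" / "tasks"
    system32.mkdir(parents=True)
    tasks.mkdir(parents=True)
    burst = 1260000000.0  # arbitrary epoch seconds, December 2009
    for i, name in enumerate(["6334.exe", "18467.exe", "41.exe", "AVR10.exe", "winhelper86.dll"]):
        f = system32 / name
        f.write_bytes(b"MZ demo")
        os.utime(f, (burst + i, burst + i))  # written seconds apart, as a dropper would
    for name, age_days in [("kernel32.dll", 400), ("ctfmon.exe", 400), ("user32.dll", 390)]:
        f = system32 / name
        f.write_bytes(b"MZ demo")
        os.utime(f, (burst - age_days * 86400, burst - age_days * 86400))
    for name in ["vxpoalfu.job", "btvkokmo.job", "GoogleUpdate.job"]:
        (tasks / name).write_bytes(b"job")
    return system32, tasks


if __name__ == "__main__":
    s32, tasks = build_demo_tree()
    print(name_hits(s32, tasks))
    print(mtime_clusters(s32))
```

Against a real disk, call `name_hits(Path(r"C:\WINDOWS\System32"), Path(r"C:\WINDOWS\Tasks"))` and `mtime_clusters(Path(r"C:\WINDOWS\System32"))`; the timestamp clustering is what catches the files with plausible names (AVR10.exe, winhelper86.dll) that the name rules miss, and it works the same on any folder a dropper favours, such as %TEMP% or the user profile.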