Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hiloti + Google hijack


  • This topic is locked This topic is locked
53 replies to this topic

#1 DaveGK

DaveGK

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 08 December 2009 - 11:11 PM

I'm usually pretty good with computers, but this bugger's super nasty.

My OS is Windows XP. Clicking on links from Google search results takes me to fake security software webpages or advertisements
Detected Hiloti GenA using Microsoft's online scanner
Cannot boot into safe mode -- computer just reboots if I try
Have attempted removal of the malware but doubt I got more than a piece of it. I zapped some dll files using malware scanners, but it doesn't seem to have been enough. I also zapped a fake ATI driver.

Here's the DDS log. RootRepeal appeared to hang up when doing the scan for the report. Is that normal? When doing the RootRepeal scan, my mouse cursor took minutes to respond. I eventually gave up.

SmitfraudFix running in normal mode Doing something temporarily made it so I could boot into safe mode so after I post these logs I will see if I can get back into safe mode. Maybe then I'll be able to get a RootRepeal log. After that, I'll let VundoFix run overnight.

Update: Maybe it was picking "Last known good configuration" and then rebooting after Windows started that let me get into Safe Mode, but it's not letting me into Safe Mode now. It's hanging at "mup.sys"

------------------------------------------------



DDS (Ver_09-12-01.01) - NTFSx86
Run by David at 21:53:35.75 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.509 [GMT -5:00]


============== Running Processes ===============

C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
svchost.exe
C:WINDOWSsystem32brsvc01a.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32brss01a.exe
C:Program FilesCreativeShared FilesCTAudSvc.exe
C:WINDOWSExplorer.EXE
C:Program FilesCreativeSBAudigy2Surround MixerCTSysVol.exe
C:Program FilesJavajre1.5.0_03binjusched.exe
C:Program FilesCyberLinkPowerDVDPDVDServ.exe
C:Program FilesItivaItiva Media AcceleratorItivaMediaAccelerator.exe
C:Program FilesAdobeReader 9.0ReaderReader_sl.exe
C:Program FilesCreativeShared FilesModule LoaderDLLML.exe
C:WINDOWSCTHELPER.EXE
C:Program FilesCreativeSound Blaster X-FiVolume PanelVolPanlu.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
svchost.exe
C:Program FilesAsk & Record ToolbarFLVSrvc.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticMOM.EXE
C:WINDOWSsystem32CTXFIHLP.EXE
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesLogitechMouseWaresystemem_exec.exe
C:Program FilesSiber SystemsAI RoboFormRoboTaskBarIcon.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesSqueezeCenterSqueezeTray.exe
C:Program FilesWindows Desktop SearchWindowsSearch.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesExecutive SoftwareDiskeeperDkService.exe
C:NVIDIANetworkAccessManagerApache GroupApache2binapache.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:NVIDIANetworkAccessManagerApache GroupApache2binapache.exe
C:NVIDIANetworkAccessManagerbinnSvcIp.exe
C:NVIDIANetworkAccessManagerbinnSvcLog.exe
C:WINDOWSsystem32PSIService.exe
C:PROGRA~1SQUEEZ~1serverBinMSWIN3~1mysqld.exe
C:WINDOWSSystem32MsPMSPSv.exe
C:WINDOWSsystem32SearchIndexer.exe
C:WINDOWSsystem32wscntfy.exe
C:Program FilesiPodbiniPodService.exe
C:WINDOWSSYSTEM32CTXFISPI.EXE
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsDavidDesktopsecurdds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:program filesrealrealplayerrpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:program filessiber systemsai roboformroboform.dll
BHO: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:program filesask.comGenericAskToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:program filessiber systemsai roboformroboform.dll
TB: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:program filesask.comGenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:program filesmessengermsmsgs.exe" /background
uRun: [RoboForm] "c:program filessiber systemsai roboformRoboTaskBarIcon.exe"
mRun: [CTSysVol] c:program filescreativesbaudigy2surround mixerCTSysVol.exe
mRun: [UpdReg] c:windowsUpdReg.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SunJavaUpdateSched] c:program filesjavajre1.5.0_03binjusched.exe
mRun: [RemoteControl] "c:program filescyberlinkpowerdvdPDVDServ.exe"
mRun: [Itiva Media Accelerator] c:program filesitivaitiva media acceleratorItivaMediaAccelerator.exe
mRun: [StartCCC] "c:program filesati technologiesati.acecore-staticCLIStart.exe"
mRun: [pdfFactory Pro Dispatcher v3] "c:windowssystem32spooldriversw32x863fppdis3a.exe" /source=HKLM
mRun: [AppleSyncNotifier] c:program filescommon filesapplemobile device supportbinAppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 9.0readerReader_sl.exe"
mRun: [AudioDrvEmulator] "c:program filescreativeshared filesmodule loaderdllml.exe" -1 audiodrvemulator "c:program filescreativeshared filesmodule loaderaudio emulatorAudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [VolPanel] "c:program filescreativesound blaster x-fivolume panelVolPanlu.exe" /r
mRun: [Ad-Watch] c:program fileslavasoftad-awareAAWTray.exe
mRun: [TkBellExe] "c:program filescommon filesrealupdate_obrealsched.exe" -osboot
mRun: [Ask and Record FLV Service] "c:program filesask & record toolbarFLVSrvc.exe" /run
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
StartupFolder: c:docume~1alluse~1startm~1programsstartupmicros~1.lnk - c:program filesmicrosoft officeoffice10OSA.EXE
StartupFolder: c:docume~1alluse~1startm~1programsstartupsqueez~1.lnk - c:program filessqueezecenterSqueezeTray.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupwindow~1.lnk - c:program fileswindows desktop searchWindowsSearch.exe
IE: Add to AD Black List - c:program filesavant browserAddToADBlackList.htm
IE: Block All Images from the Same Server - c:program filesavant browserAddAllToADBlackList.htm
IE: Customize Menu - file://c:program filessiber systemsai roboformRoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:progra~1micros~2office10EXCEL.EXE/3000
IE: Fill Forms - file://c:program filessiber systemsai roboformRoboFormComFillForms.html
IE: Highlight - c:program filesavant browserHighlight.htm
IE: Open All Links in This Page... - c:program filesavant browserOpenAllLinks.htm
IE: RoboForm Toolbar - file://c:program filessiber systemsai roboformRoboFormComShowToolbar.html
IE: Save Forms - file://c:program filessiber systemsai roboformRoboFormComSavePass.html
IE: Search - c:program filesavant browserSearch.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:program filessiber systemsai roboformRoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:program filessiber systemsai roboformRoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:program filessiber systemsai roboformRoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:program filesjavajre1.5.0_03binnpjpi150_03.dll
Trusted Zone: aol.comfree
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235106934859
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15108/CTPID.cab
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:program fileswindows desktop searchMSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1davidapplic~1mozillafirefoxprofilesxxum8275.default
FF - component: c:program filesrealrealplayerbrowserrecordcomponentsnprpbrowserrecordplugin.dll
FF - component: c:program filessiber systemsai roboformfirefoxcomponentsrfproxy_31.dll
FF - plugin: c:documents and settingsdavidapplication datamove networkspluginsnpqmp071500000347.dll
FF - plugin: c:documents and settingsdavidapplication datamove networkspluginsnpqmp071701000008.dll
FF - plugin: c:program filesitivaitiva media acceleratornpima.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPJava11.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPJava12.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPJava13.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPJava14.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPJava32.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPJPI150_03.dll
FF - plugin: c:program filesjavajre1.5.0_03binNPOJI610.dll
FF - plugin: c:program filesviewpointviewpoint media playernpViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: XULRunner: {BED0E1A5-B034-4DC3-85A7-412AE528D9FE} - c:documents and settingsdavidlocal settingsapplication data{BED0E1A5-B034-4DC3-85A7-412AE528D9FE}

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2009-11-3 64288]
R0 pavboot;pavboot;c:windowssystem32driverspavboot.sys [2008-11-29 28544]
R3 CT20XUT.SYS;CT20XUT.SYS;c:windowssystem32driversCT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:windowssystem32driversCTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:windowssystem32driversCTHWIUT.sys [2008-10-8 72728]
R3 dmxfire;DMX6fire WDM Audio;c:windowssystem32driversdmx6fire.sys [2003-8-29 148724]
R3 dmxsens;dmxsens;c:windowssystem32driversdmxsens.sys [2003-7-22 403968]
S3 CT20XUT;CT20XUT;c:windowssystem32driversCT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:windowssystem32driversCTEXFIFX.sys [2008-10-8 1324056]
S3 ctgame;Game Port;c:windowssystem32driversCTGAME.SYS [2002-12-29 12160]
S3 CTHWIUT;CTHWIUT;c:windowssystem32driversCTHWIUT.sys [2008-10-8 72728]

=============== Created Last 30 ================

2009-12-09 01:05:38 327 ----a-w- C:Start_.cmd
2009-12-08 23:06:18 0 d-----w- C:VundoFix Backups
2009-12-08 14:29:26 4298 ----a-w- c:windowssystem32tmp.reg
2009-12-08 13:48:10 54016 ----a-w- c:windowssystem32driversiakf.sys
2009-12-08 09:54:17 0 d-----w- c:docume~1davidapplic~1Malwarebytes
2009-12-08 09:54:14 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2009-12-08 09:54:12 19160 ----a-w- c:windowssystem32driversmbam.sys
2009-12-08 09:54:12 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2009-12-08 09:54:12 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2009-12-08 09:12:20 0 d-sha-r- C:cmdcons
2009-12-08 09:11:06 98816 ----a-w- c:windowssed.exe
2009-12-08 09:11:06 77312 ----a-w- c:windowsMBR.exe
2009-12-08 09:11:06 260608 ----a-w- c:windowsPEV.exe
2009-12-08 09:11:06 161792 ----a-w- c:windowsSWREG.exe
2009-12-06 00:34:04 120 ----a-w- c:windowsCzedur.dat
2009-12-06 00:34:04 0 ----a-w- c:windowsXzofujoyexamec.bin
2009-11-14 05:02:49 0 d-----w- c:program filesWinDirStat

==================== Find3M ====================

2009-11-29 03:06:46 20712 ----a-w- c:docume~1davidapplic~1GDIPFONTCACHEV1.DAT
2009-11-04 00:09:27 93360 ----a-w- c:windowssystem32driversSBREDrv.sys
2009-11-04 00:08:14 15880 ----a-w- c:windowssystem32lsdelete.exe
2009-09-25 16:41:26 856064 ----a-w- c:windowssystem32divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:windowssystem32divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:windowssystem32divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:windowssystem32divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:windowssystem32divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:windowssystem32DivX.dll
2003-12-18 17:33:46 20102 ----a-w- c:program filesReadme.txt
2003-09-03 13:46:54 10960 ----a-w- c:program filesEULA.txt
2009-06-01 06:36:26 168 --sh--r- c:windowssystem32C875C4C38F.sys
2009-06-01 06:36:29 2828 --sha-w- c:windowssystem32KGyGaAvL.sys

============= FINISH: 21:56:05.76 ===============

Looks like getting back into safe mode is going to be a bit harder this time.

MOD EDIT: note that I ran "chkdsk c: /f" and can now get into Safe Mode.
I also merged this into one post~~~boopme


MOM.EXE had 99% CPU utilization. Ctrl-Alt-Deleted it. VundoFix ran quickly after that but didn't find any infection.

Installed ESET NOD32 Antivirus 4 Trial. Found 6 Infiltrations and damaged jar archives.
Log (filtered out informative entries):

C:pagefile.sys - error opening [4]
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jaradcontroller.jar-1d98b267-1801f14a.zip » ZIP » META-INF/ - archive damaged
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-1bc53eac-4c04d3c4.zip » ZIP » myf/y/AppletX.class - probably a variant of Win32/Agent trojan
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-1bc53eac-4c04d3c4.zip » ZIP » myf/y/LoaderX.class - probably a variant of Win32/Agent trojan
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-1bc53eac-4c04d3c4.zip » ZIP » myf/y/PayloadX.class - probably a variant of Win32/Agent trojan
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-37c6641f-63c69ed3.zip » ZIP » myf/y/AppletX.class - probably a variant of Win32/Agent trojan
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-37c6641f-63c69ed3.zip » ZIP » myf/y/LoaderX.class - probably a variant of Win32/Agent trojan
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-37c6641f-63c69ed3.zip » ZIP » myf/y/PayloadX.class - probably a variant of Win32/Agent trojan

C:Documents and SettingsDavidMy DocumentsDownloadsmbam-setup.exe » INNO » files.info - file is not an archive
C:Program FilesCorelCorel Paint Shop Pro Photo X2Python LibrariesLibtesttesttar.tar » TAR » test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/ - archive damaged
C:Program FilesCorelCorel Paint Shop Pro Photo X2 - Installation FilesData1.cab » CAB » testtar.tar.0160FC08_F3D9_4869_9D41_C611C16F42D5 » TAR » test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/ - archive damaged
C:Program Filesfoobar2000uninstall.exe » NSIS - archive damaged - the file could not be extracted.
C:WINDOWSatmoUn.exe » NSIS - bad archive
C:WINDOWSsystem32ActiveScanpskavs.dll - probably a variant of Win32/Agent trojan - cleaned by deleting - quarantined [1]
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-1bc53eac-4c04d3c4.zip » ZIP » myf/y/AppletX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-1bc53eac-4c04d3c4.zip » ZIP » myf/y/LoaderX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-1bc53eac-4c04d3c4.zip » ZIP » myf/y/PayloadX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-37c6641f-63c69ed3.zip » ZIP » myf/y/AppletX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-37c6641f-63c69ed3.zip » ZIP » myf/y/LoaderX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
C:Documents and SettingsDavidApplication DataSunJavaDeploymentcachejavapiv1.0jarsdfg.jar-37c6641f-63c69ed3.zip » ZIP » myf/y/PayloadX.class - probably a variant of Win32/Agent trojan - was a part of the deleted object


Deleted six adcontroller.jar-1d... files ( 3 .zip and 3 .idx) from the Java Deployment cache

RootRepeal and my system still become unresponsive when I try to do the scan for the RootRepeal report. I also still have the Google hijack problem.

Attached Files


Edited by boopme, 11 December 2009 - 10:26 AM.


BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 20 December 2009 - 08:02 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks

unite.jpg


#3 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 22 December 2009 - 12:22 AM

Thanks for offering to help. My computer's still infected, but in the morning, I'm leaving to visit relatives over the holidays. I won't be back until Jan. 2.

Can the staff leave this thread unlocked, or can I PM someone to have it unlocked when I get back?

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 22 December 2009 - 04:54 PM

I will leave this topic open for you :(

If it does get closed, then just PM me.

unite.jpg


#5 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 03 January 2010 - 04:25 PM

Thanks for keeping this topic open.


I've tried running OTL with Windows in normal mode.

OTL doesn't seem to be able to get past "Scanning Session Manager AppCertDlls key..."

I checked Task Manager, and services.exe is taking 70-80% of my CPU with OTL taking the rest of the CPU time.

I've tried renaming OTL and rerunning the scan with the same result.

How long is OTL supposed to take "Scanning Session Manager AppCertDlls key"?

ETA: I started a new OTL scan. It's been running for over thirty minutes now, and it's still on that step.

Edited by DaveGK, 03 January 2010 - 04:57 PM.


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 03 January 2010 - 05:03 PM

Hi,

OTL should not take that long, I have dealt with a few people who have had the same issue recently, we will run another scanner instead.
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

unite.jpg


#7 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 04 January 2010 - 01:36 AM

^ You weren't kidding about closing all applications and disconnecting from the Internet. After the scan had finished running, I made the mistake of trying to connect to the Internet to check if there were any special instructions for saving the log file. I got a BSOD. I ran the scan again, and here's the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-04 01:27:48
Windows 5.1.2600 Service Pack 3
Running: d3klvzsl.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\fxtdypod.sys


---- System - GMER 1.0.15 ----

SSDT 854AE8A0 ZwAssignProcessToJobObject
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75CC87E]
SSDT 854ADCB0 ZwOpenProcess
SSDT 854AE0D0 ZwOpenThread
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75CCBFE]
SSDT 854AE6D0 ZwSuspendProcess
SSDT 854AE4F0 ZwSuspendThread
SSDT 854ADEE0 ZwTerminateProcess
SSDT 854AE310 ZwTerminateThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:384] 854AC930

---- EOF - GMER 1.0.15 ----

Edited by DaveGK, 04 January 2010 - 02:51 AM.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 04 January 2010 - 04:25 PM

Can you tell me what problems you are still currently having?

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Then please post back here with the following logs:
  • MBAM log
  • log.txt
  • info.txt
Thanks

unite.jpg


#9 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 05 January 2010 - 01:08 AM

Google links are still often being redirected to ads, including sites for fake malware cleaners. Also, even when I type the url, sometimes a new tab will open and go to one of the ads.

I updated Java before running the scans you asked for.

=============================

Malwarebytes' Anti-Malware 1.43
Database version: 3495
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/5/2010 12:50:28 AM
mbam-log-2010-01-05 (00-50-28).txt

Scan type: Quick Scan
Objects scanned: 117808
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===============================================

Logfile of random's system information tool 1.06 (written by random/random)
Run by David at 2010-01-05 00:51:59
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (15%) free of 71 GB
Total RAM: 1023 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:52:02, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SqueezeCenter\SqueezeTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\SQUEEZ~1\server\SQUEEZ~1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\David\Desktop\RSIT.exe
C:\Program Files\trend micro\David.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235106934859
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

--
End of file - 12267 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-27 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2009-07-18 5960520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Ask && Record Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-06-04 1144712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-05 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-05 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2009-07-18 5960520]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask && Record Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-06-04 1144712]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"=C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe [2002-10-29 49152]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-07-15 32768]
"Itiva Media Accelerator"=C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe [2008-06-04 4994288]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"pdfFactory Pro Dispatcher v3"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe [2008-03-05 516096]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-08-13 177440]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"AudioDrvEmulator"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-11-04 49152]
"CTHelper"=C:\WINDOWS\CTHELPER.EXE [2006-05-23 17920]
"VolPanel"=C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe [2008-08-06 233576]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-11-20 788880]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-27 198160]
"Ask and Record FLV Service"=C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe [2009-03-09 156672]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2009-06-03 25600]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 141600]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-09-29 2054360]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2010-01-05 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"RoboForm"=C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2009-07-18 160592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe [2007-10-30 16200]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
SqueezeCenter Tray Tool.lnk - C:\Program Files\SqueezeCenter\SqueezeTray.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-01-09 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\Documents and Settings\David\Desktop\utorrent.exe"="C:\Documents and Settings\David\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe"="C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe:*:Enabled:Itiva Media Accelerator"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - edit -
.js - open - "C:\Program Files\UltraEdit\uedit32.exe" "%1"

======List of files/folders created in the last 1 months======

2010-01-05 00:51:59 ----D---- C:\rsit
2010-01-05 00:25:35 ----D---- C:\Program Files\Sun
2010-01-05 00:25:27 ----A---- C:\WINDOWS\system32\javaws.exe
2010-01-05 00:25:27 ----A---- C:\WINDOWS\system32\javaw.exe
2010-01-05 00:25:27 ----A---- C:\WINDOWS\system32\java.exe
2010-01-05 00:25:27 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-01-04 22:57:32 ----D---- C:\Program Files\trend micro
2009-12-11 22:20:30 ----SHD---- C:\RECYCLER
2009-12-11 01:50:44 ----D---- C:\WINDOWS\BDOSCAN8
2009-12-11 01:31:53 ----D---- C:\WINDOWS\temp
2009-12-09 01:42:35 ----D---- C:\Program Files\ESET
2009-12-09 01:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2009-12-08 20:44:14 ----A---- C:\WINDOWS\ntbtlog.txt
2009-12-08 18:06:18 ----A---- C:\VundoFix.txt
2009-12-08 09:29:26 ----A---- C:\WINDOWS\system32\tmp.txt
2009-12-08 09:29:14 ----A---- C:\rapport.txt
2009-12-08 04:54:17 ----D---- C:\Documents and Settings\David\Application Data\Malwarebytes
2009-12-08 04:54:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-08 04:54:12 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-08 04:12:28 ----A---- C:\Boot.bak
2009-12-08 04:12:20 ----RASHD---- C:\cmdcons
2009-12-08 04:11:06 ----A---- C:\WINDOWS\zip.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\SWSC.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\SWREG.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\sed.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\PEV.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\NIRCMD.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\MBR.exe
2009-12-08 04:11:06 ----A---- C:\WINDOWS\grep.exe
2009-12-08 04:10:51 ----D---- C:\WINDOWS\ERDNT

======List of files/folders modified in the last 1 months======

2010-01-05 00:51:35 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-05 00:40:09 ----D---- C:\Program Files\Mozilla Firefox
2010-01-05 00:34:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-05 00:25:50 ----SHD---- C:\WINDOWS\Installer
2010-01-05 00:25:50 ----D---- C:\Config.Msi
2010-01-05 00:25:35 ----RD---- C:\Program Files
2010-01-05 00:25:27 ----D---- C:\WINDOWS\system32
2010-01-05 00:25:13 ----D---- C:\Program Files\Java
2010-01-05 00:08:04 ----D---- C:\WINDOWS\system32\Restore
2010-01-04 23:51:05 ----D---- C:\WINDOWS\Prefetch
2010-01-04 23:28:25 ----D---- C:\Program Files\Common Files
2010-01-04 23:12:53 ----D---- C:\WINDOWS
2010-01-04 22:54:26 ----HD---- C:\WINDOWS\inf
2010-01-04 22:54:26 ----D---- C:\Program Files\Windows Live Safety Center
2010-01-04 22:33:52 ----SHD---- C:\System Volume Information
2010-01-04 22:26:59 ----D---- C:\WINDOWS\system32\drivers
2010-01-04 01:35:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-04 00:25:05 ----SD---- C:\WINDOWS\Tasks
2010-01-03 18:48:50 ----D---- C:\Documents and Settings\David\Application Data\Empire Download Manager
2009-12-16 00:40:16 ----D---- C:\Documents and Settings\David\Application Data\uTorrent
2009-12-11 01:51:05 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-12-11 01:25:44 ----A---- C:\WINDOWS\system.ini
2009-12-11 01:15:19 ----D---- C:\WINDOWS\AppPatch
2009-12-09 02:43:15 ----D---- C:\WINDOWS\system32\ActiveScan
2009-12-08 04:43:00 ----D---- C:\Documents and Settings\David\Application Data\foobar2000
2009-12-08 04:12:28 ----RASH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-09-29 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-09-29 96408]
R2 BrPar;BrPar; C:\WINDOWS\System32\drivers\BrPar.sys [2000-07-24 19537]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-09-29 116008]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-01-10 2846720]
R3 CT20XUT.SYS;CT20XUT.SYS; C:\WINDOWS\System32\drivers\CT20XUT.SYS [2009-06-04 171032]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2009-06-04 511000]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2009-06-04 526232]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS; C:\WINDOWS\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS; C:\WINDOWS\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2009-06-04 14360]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2009-06-04 158744]
R3 dmxfire;DMX6fire WDM Audio; C:\WINDOWS\system32\drivers\dmx6fire.sys [2003-08-29 148724]
R3 dmxsens;dmxsens; C:\WINDOWS\system32\drivers\dmxsens.sys [2003-07-22 403968]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2009-06-04 95768]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2009-06-04 1177624]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16); C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2004-06-16 806464]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-12-17 37887]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2004-01-28 33280]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2004-05-17 12928]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2009-06-04 130072]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 catchme;catchme; \??\C:\r5432cf\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CT20XUT;CT20XUT; C:\WINDOWS\system32\drivers\CT20XUT.SYS [2009-06-04 171032]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\System32\drivers\ctdvda2k.sys [2009-06-04 347080]
S3 CTEXFIFX;CTEXFIFX; C:\WINDOWS\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
S3 ctgame;Game Port; C:\WINDOWS\System32\DRIVERS\ctgame.sys [2002-12-29 12160]
S3 CTHWIUT;CTHWIUT; C:\WINDOWS\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 rr;rr; \??\C:\WINDOWS\system32\drivers\rr.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-01-09 512000]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2003-08-27 57344]
R2 CTAudSvcService;Creative Audio Service; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2009-02-23 307200]
R2 Diskeeper;Diskeeper; C:\Program Files\Executive Software\Diskeeper\DkService.exe [2004-01-06 327792]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-29 735960]
R2 ForcewareWebInterface;Forceware Web Interface; C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2004-02-28 20548]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-05 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
R2 nSvcIp;ForceWare IP service; C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe [2004-05-17 106557]
R2 nSvcLog;ForceWare user log service; C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe [2004-05-17 53313]
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2007-06-05 177704]
R2 SqueezeMySQL;SqueezeMySQL; C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2009-06-15 4149248]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-10-28 545568]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-01-09 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-03-18 79360]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-09-29 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-11-20 1184912]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-11 483328]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


===============================================

info.txt logfile of random's system information tool 1.06 2010-01-05 00:52:04

======Uninstall list======

-->"C:\Program Files\Creative\SBAudigy2\Program\SETUP.EXE" /S /U /W
-->"C:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF5F498-7FB5-11D6-9963-00A0C92C4EC3}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF5F498-7FB5-11D6-9963-00A0C92C4EC3}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2670895A-4E6C-4450-B868-7B7DB80A3357}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{888347B3-AEC5-4BB5-8BAB-781D72A57C73}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC3D3A93-C433-4329-AC3A-7EFC52A332C2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC3D3A93-C433-4329-AC3A-7EFC52A332C2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3C64B-2A22-48C5-857B-E952D7BE64F5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3C64B-2A22-48C5-857B-E952D7BE64F5}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FBFF2411-D066-4D24-BCE0-893086009E1B}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FBFF2411-D066-4D24-BCE0-893086009E1B}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FCCDA302-32D9-4AE7-A094-4BE677554F26}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DMark06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Application Support-->MsiExec.exe /I{B607C354-CD79-4D22-86D1-92DC94153F42}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASF-AVI-RM-WMV Repair 1.82-->"C:\Program Files\ASF-AVI-RM-WMV Repair\unins000.exe"
Ask & Record Toolbar 4.01 -->"C:\WINDOWS\Ask & Record Toolbar\uninstall.exe" "/U:C:\Program Files\Ask & Record Toolbar\Uninstall\uninstall.xml"
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI AVIVO Codecs-->MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Parental Control & Encoder-->MsiExec.exe /I{9862B19F-4CAD-4EED-920F-2F378D84393F}
ATI Problem Report Wizard-->MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
Avant Browser (remove only)-->"C:\Program Files\Avant Browser\uninst.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CARA Room Acoustics 2.2 PLUS (English)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7339915-EA7C-11D6-927A-0000B458CE25}\setup.exe" -l0x9
Chessmaster 10th Edition-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E9AE9A91-AB45-4321-87BD-AD34855D944F}
ClearType Tuning Control Panel Applet-->MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
CmdHere Powertoy For Windows XP-->MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
Company of Heroes-->MsiExec.exe /X{BA801B94-C28D-46EE-B806-E1E021A3D519}
Corel Paint Shop Pro Photo X2-->MsiExec.exe /X{64E72FB1-2343-4977-B4A8-262CD53D0BD3}
Creative Audio Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative Console Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{888347B3-AEC5-4BB5-8BAB-781D72A57C73}\setup.exe" -l0x9 /remove
Creative Software AutoUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\setup.exe" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative WaveStudio 7-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2670895A-4E6C-4450-B868-7B7DB80A3357}\setup.exe" -l0x9 /remove
Diskeeper Professional Edition-->MsiExec.exe /X{AA67205C-3E80-4062-9198-253A059DEE38}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DMX 6fire 24/96 ControlPanel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A33D692-8679-4142-94C7-0BB784B9B3A3}\Setup.exe" -l0x9
Garmin Communicator Plugin-->MsiExec.exe /X{86B879A5-927E-4536-B5FC-17CA96B60078}
Garmin USB Drivers-->MsiExec.exe /X{B1102A25-3AA3-446B-AA0F-A699B07A02FD}
Garmin WebUpdater-->MsiExec.exe /X{E0783143-EAE2-4047-A8D6-E155523C594C}
GEAR driver installer for x86 and x64-->MsiExec.exe /I{2C9A62F0-D1B3-4E2C-A7D9-24F38FF2A379}
Hauppauge WinTV Scheduler-->C:\PROGRA~1\WinTV\SCHEDU~1\UNWISE.EXE C:\PROGRA~1\WinTV\SCHEDU~1\INSTALL.LOG
Hauppauge WinTV2000-->C:\PROGRA~1\WinTV\UNTV32.EXE C:\PROGRA~1\WinTV\WINTV2K.LOG
Hauppauge WinTV-PVR II PCI Drivers-->C:\PROGRA~1\WinTV\UNpvr48.EXE C:\PROGRA~1\WinTV\pvr48xxx.LOG
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Homeworld2-->C:\Program Files\Sierra\Homeworld2\uninstall.exe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
InterVideo FilterSDK for Hauppauge-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2227E1FA-01F5-483C-AB0E-2A308E900B3D}\setup.exe" REMOVEALL
Itiva Media Accelerator-->C:\Program Files\Itiva\Itiva Media Accelerator\uninst.exe
iTunes-->MsiExec.exe /I{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}
Java DB 10.4.2.1-->MsiExec.exe /X{926C96FB-9D0A-4504-8000-C6D3A4A3118E}
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Java™ SE Development Kit 6 Update 17-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160170}
Logitech MouseWare 9.79.1 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual Studio .NET Professional 2003 - English-->"C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Professional 2003 - English\setup.exe" /MaintMode
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
MobileMe Control Panel-->MsiExec.exe /I{3AC54383-31D1-4907-961B-B12CBB1D0AE8}
Mozilla Firefox (3.5.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NCH Tone Generator Uninstall-->C:\Program Files\NCH Swift Sound\ToneGen\uninst.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenAL-->"C:\Program Files\OpenAL\OALInst.exe" /U
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Panda ActiveScan-->C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
pdfFactory Pro-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst3.exe /uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Soltek Hardware Monitor-->MsiExec.exe /I{7DDB3F86-E1E5-11D7-A04D-0050FCB66B41}
Sound Blaster Audigy 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E82BF103-904F-49C0-B77F-6EC110B71E87}\SETUP.EXE" -l0x9
Sound Blaster X-Fi-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x9 /remove
SoundFont Bank Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove
SpeechRedist-->MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
SqueezeCenter 7.3.3-->"C:\Program Files\SqueezeCenter\unins000.exe"
Stardock Central-->C:\PROGRA~1\Stardock\SDCENT~1\UNWISE.EXE C:\PROGRA~1\Stardock\SDCENT~1\INSTALL.LOG
UltraEdit-32-->"C:\Program Files\UltraEdit\Uninstall.exe" "C:\Program Files\UltraEdit\ueinstall.log"
Unreal Tournament 2004-->C:\UT2004\System\Setup.exe uninstall "UT2004"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VanDyke Software SecureCRT 4.1-->C:\PROGRA~1\SECURE~1\UNINSTAL.EXE C:\PROGRA~1\SECURE~1\INSTALL.LOG
VanDyke Software SecureFX 2.2-->C:\PROGRA~1\SecureFX\UNINSTAL.EXE C:\PROGRA~1\SecureFX\INSTALL.LOG
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Volume Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FCCDA302-32D9-4AE7-A094-4BE677554F26}\setup.exe" -l0x9 /remove
WD Diagnostics-->MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)-->rundll32.exe C:\PROGRA~1\DIFX\15B7F172FC21855D\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\grmnusb.inf
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Connect-->msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect-->MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows PowerShell™ 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
X-Win32 6.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E914FD2E-6D90-4E49-A778-C44CF7978F10}\Setup.exe" -l0x9

======Security center information======

AV: ESET NOD32 Antivirus 4.0 (disabled)

======System event log======

Computer Name: ZIGGY
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 78187
Source Name: Tcpip
Time Written: 20090305012022.000000-300
Event Type: warning
User:

Computer Name: ZIGGY
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 78160
Source Name: W32Time
Time Written: 20090303124300.000000-300
Event Type: warning
User:

Computer Name: ZIGGY
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 78157
Source Name: Tcpip
Time Written: 20090303044745.000000-300
Event Type: warning
User:

Computer Name: ZIGGY
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 78156
Source Name: Tcpip
Time Written: 20090303041853.000000-300
Event Type: warning
User:

Computer Name: ZIGGY
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 78155
Source Name: Tcpip
Time Written: 20090303034508.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: ZIGGY
Event Code: 1517
Message: Windows saved user ZIGGY\David registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5512
Source Name: Userenv
Time Written: 20070320021814.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZIGGY
Event Code: 1517
Message: Windows saved user ZIGGY\David registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5503
Source Name: Userenv
Time Written: 20070320014724.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZIGGY
Event Code: 1517
Message: Windows saved user ZIGGY\David registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5494
Source Name: Userenv
Time Written: 20070320003329.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZIGGY
Event Code: 1517
Message: Windows saved user ZIGGY\David registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5489
Source Name: Userenv
Time Written: 20070319214513.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZIGGY
Event Code: 1517
Message: Windows saved user ZIGGY\David registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5472
Source Name: Userenv
Time Written: 20070319003921.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\UltraEdit;C:\Program Files\Executive Software\Diskeeper;C:\Program Files\SecureCRT;C:\PROGRA~1\SecureFX;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\DivX Shared;C:\WINDOWS\system32\WindowsPowerShell\v1.0;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"INCLUDE"=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
"LIB"=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
"VS71COMNTOOLS"=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 05 January 2010 - 01:19 AM

Ok I think I see what's causing your redirects, we will deal with that now. I see that you have run combofix back in December if you still have the log it produced please post it in your next reply.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

unite.jpg


#11 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 05 January 2010 - 02:19 AM

^ I don't think I have the ComboFix log anymore. I deleted ComboFix since I still had the Google hijack after running it. I just did the default run. I remember ComboFix deleted/quarantined a bunch of tmp files and the possibly fake ATI driver file. I'm thinking that may be what caused MOM.exe to start taking up 100% of my CPU time after Windows starts up. For the time being, I'm just Ctrl-Alt-Deleting MOM.exe. I'll uninstall and reinstall the ATI drivers after I'm sure I don't have to run ComboFix again.

I ran the GooredFix and so far I haven't had any Google redirect problems.

==============================

GooredFix by jpshortstuff (02.01.10.1)
Log created at 01:46 on 05/01/2010 (David)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [09:44 19/01/2008]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [05:25 05/01/2010]

C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\xxum8275.default\extensions\
toolbar@ask.com [03:53 03/08/2009]
{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} [20:50 14/11/2009]
{20a82645-c095-46ed-80e3-08825760534b} [15:05 03/10/2009]
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [04:02 27/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [05:30 20/02/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [03:31 28/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [05:25 05/01/2010]

-=E.O.F=-

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 05 January 2010 - 02:25 AM

Well I didn't see what I was expecting to in the GooredFix log but we will see, were these redirects happening in IE, Firefox or both?

Please post a new DDS log.

unite.jpg


#13 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 05 January 2010 - 02:43 AM

^ I was about to edit by earlier post to say I spoke too soon; however, you had already posted. A Google link just got redirected to a site that was trying to get me to install its spyware removal.

I'll download and run the latest version of dds. Here's the log.
==========================================================


DDS (Ver_09-12-01.01) - NTFSx86
Run by David at 2:33:06.96 on Tue 01/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.315 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SqueezeCenter\SqueezeTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SQUEEZ~1\server\SQUEEZ~1.EXE
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Ask && Record Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Itiva Media Accelerator] c:\program files\itiva\itiva media accelerator\ItivaMediaAccelerator.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\squeez~1.lnk - c:\program files\squeezecenter\SqueezeTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to AD Black List - c:\program files\avant browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\avant browser\AddAllToADBlackList.htm
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Highlight - c:\program files\avant browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\avant browser\OpenAllLinks.htm
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Search - c:\program files\avant browser\Search.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235106934859
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15108/CTPID.cab
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\xxum8275.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\david\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\david\application data\move networks\plugins\npqmp071701000008.dll
FF - plugin: c:\program files\itiva\itiva media accelerator\npima.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-3 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-29 28544]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-29 96408]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [2003-8-29 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [2003-7-22 403968]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-3-18 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1324056]
S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [2002-12-29 12160]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 72728]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 rr;rr;\??\c:\windows\system32\drivers\rr.sys --> c:\windows\system32\drivers\rr.sys [?]

=============== Created Last 30 ================

2010-01-05 05:25:35 0 d-----w- c:\program files\Sun
2010-01-05 05:25:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-05 05:25:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 03:57:32 0 d-----w- c:\program files\trend micro
2009-12-09 06:42:35 0 d-----w- c:\program files\ESET
2009-12-08 09:54:17 0 d-----w- c:\docume~1\david\applic~1\Malwarebytes
2009-12-08 09:54:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 09:54:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 09:54:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 09:54:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 09:12:20 0 d-sha-r- C:\cmdcons
2009-12-08 09:11:06 98816 ----a-w- c:\windows\sed.exe
2009-12-08 09:11:06 77312 ----a-w- c:\windows\MBR.exe
2009-12-08 09:11:06 261632 ----a-w- c:\windows\PEV.exe
2009-12-08 09:11:06 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-01-04 05:46:57 79360 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-11-29 03:06:46 20712 ----a-w- c:\docume~1\david\applic~1\GDIPFONTCACHEV1.DAT
2009-11-04 00:08:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2003-12-18 17:33:46 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 13:46:54 10960 ----a-w- c:\program files\EULA.txt
2009-06-01 06:36:26 168 --sh--r- c:\windows\system32\C875C4C38F.sys
2009-06-01 06:36:29 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 2:34:25.20 ===============

--------------------------------------------------------------------------------------------------------

Other log file is attached

Attached Files



#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 AM

Posted 05 January 2010 - 02:54 AM

What about my question? Also can you PM me the link to a site you get redirected too.

were are these redirects happening in IE, Firefox or both?


unite.jpg


#15 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 05 January 2010 - 03:07 AM

The redirects happen with both Firefox and IE. The ads seem sensitive to the keywords used in the Google search. Also, some of the ads seem targeted to a medium-size city near where I live.

Next time I get a link advertising fake spyware removal software, I'll post it PM it to you. Is it safe to click 'Cancel' or the 'x' button when the dialog box prompting to install the fake spyware removal software pops up? I've been Ctrl-Alt-Deleting the browser when that happens.

I'll PM you a link to a site I get redirected to.

Edited by DaveGK, 05 January 2010 - 03:11 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users