nebuler.bho keeps starting my iexplore (Resolved)



loplo
2009-08-19, 21:21
Hi,

I think nebuler.bho is having fun in my PC.
I have 2x iexplore processes running in the background after each pc startup.

LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:36 PM, on 8/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\ANYCOM\BLUEUS~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.ro
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ro
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.ro
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [iKeyWorks] C:\Program Files\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249894611781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249894578875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AAD2E-AF4D-47D2-A756-8BCF4600DCEF}: NameServer = 192.168.178.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca19ad329a73a0) (gupdate1ca19ad329a73a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11539 bytes

Thanks in advance.
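As an added example (not code from this post, from HijackThis or from the forum), a small Python parser for the log format above: it turns the "Running processes" list and the tagged R/O entries into records and pulls out the items a helper reads first. The sample lines copy entries from the log above, plus one clearly labelled constructed Temp-folder autorun line so the location check has something to fire on; the "trusted roots" list and the check names are assumptions of this example, not a verdict on anything in the log.

```python
"""Structured triage of a HijackThis v2 log (added example, not HijackThis code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: real lines from the log above plus one constructed
# "[constructed]" autorun entry pointing at a Temp folder.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\user\Local Settings\Temp\sample.exe
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
"""


@dataclass
class Entry:
    """One tagged log line. clsid/path stay empty when the line carries none."""
    section: str
    body: str
    clsid: str = ""
    path: str = ""


ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First drive-letter path ending in a loadable image, quotes stripped.
PATH_RE = re.compile(r'(?i)"?([A-Z]:\\[^"]*?\.(?:exe|dll|scr|cpl))"?')

# Assumed baseline for this XP box; anything outside is only "look here first".
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text: str) -> tuple[list[str], list[Entry]]:
    """Split a HijackThis log into the process list and the tagged entries."""
    procs: list[str] = []
    entries: list[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process block
                in_procs = False
            else:
                procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(section, body,
                             clsid.group(0) if clsid else "",
                             path.group(1) if path else ""))
    return procs, entries


def triage(procs: list[str], entries: list[Entry]) -> dict[str, list[str]]:
    """Return review items keyed by check name. These are reading aids, not verdicts."""
    findings: dict[str, list[str]] = {"duplicate_process": [], "unknown_owner": [],
                                      "appinit_dll": [], "odd_location": []}
    # Repeated images are not suspicious by themselves: IE8 runs a frame process
    # plus one per tab, so two IEXPLORE.EXE is the expected baseline (see the reply below).
    for image, n in Counter(p.rsplit("\\", 1)[-1].lower() for p in procs).items():
        if n > 1:
            findings["duplicate_process"].append(f"{image} x{n}")
    for e in entries:
        if e.section == "O23" and "Unknown owner" in e.body:
            findings["unknown_owner"].append(e.path or e.body)
        if e.section == "O20" and "AppInit_DLLs" in e.body:
            # AppInit_DLLs is loaded into every process that links user32: always read it.
            findings["appinit_dll"].append(e.body)
        if e.path and not e.path.lower().startswith(TRUSTED_ROOTS):
            findings["odd_location"].append(f"{e.section}: {e.path}")
    return findings


if __name__ == "__main__":
    for check, items in triage(*parse_hjt(SAMPLE_LOG)).items():
        print(check, items)
```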

katana
2009-08-22, 13:23
Please note that all instructions given are customised for this computer only;
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


I have 2x iexplore processes running in the background after each pc startup.
This is normal for IE8
http://www.winhelponline.com/blog/multiple-instances-of-iexploreexe-run-when-using-internet-explorer-8/

Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )



Please Download GMER to your desktop

Download GMER (http://www.gmer.net/gmer.zip) and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.

loplo
2009-08-23, 00:56
Thanks for helping me.
I'm sending the 3 logs.
1. info.txt
info.txt logfile of random's system information tool 1.06 2009-08-22 14:08:17

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7761-000000000004}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
aerosoft's - AES-Base&&AirportPack - FS2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{20A96613-3802-436C-842E-653C62FABA0D}\Setup.exe" -uninst
aerosoft's - Approaching Innsbruck 2004-->"C:\Program Files\InstallShield Installation Information\{555C7DA8-8A43-4A5B-A5FB-137C07AA81D0}\setup.exe" -runfromtemp -l0x0009 -removeonly
aerosoft's - Budapest 2007 - FS2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0976C02C-0F73-447D-9657-5318C0C45A05}\Setup.exe" -uninst
aerosoft's - German Airports 2 - Cologne-Bonn - FS2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{46464A5D-7D14-41E3-9C26-E3C186F37D84}\Setup.exe" -uninst
aerosoft's - German Airports 3 - Bremen-->"C:\Program Files\InstallShield Installation Information\{9A0906C7-D472-4C22-8D12-11D6AB2819E4}\setup.exe" -runfromtemp -l0x0009 -removeonly
aerosoft's - German Airports 4 - FS2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{674D3526-6B4F-468A-9802-1130A39B1562}\Setup.exe" -uninst
aerosoft's - Mega Airport Frankfurt - FS2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4E22434-1BCE-4C91-A1E4-FC352DFD4B3B}\Setup.exe" -uninst
ANYCOM USB-200/250 Bluetooth Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
Brother MFL-Pro Suite-->"C:\Program Files\InstallShield Installation Information\{46E1B1F2-A279-4356-9B17-029F9CC72EAE}\Setup.exe" -runfromtemp -l0x0009 Brunin03.dll -removeonly
BS.Player PRO-->"C:\Program Files\Webteh\BSplayerPro\uninstall.exe"
Budapest Scenery Visual Update 2009 FS9 only-->D:\Games\Flight Simulator 9\Uninstall.exe
CDBurnerXP-->"C:\Program Files\CDBurnerXP\unins000.exe"
CLOUD9 Amsterdam 1.04-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2874FFC3-24DA-4BE7-B122-0573CED08A98}\Setup.exe" -l0x9
CLOUD9 Bergen FS9 1.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{33EB5D57-E4AB-4282-8E3A-277719688055}\Setup.exe" -l0x9
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DU Meter-->"C:\Program Files\DU Meter\unins000.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FLIQLO Screen Saver-->C:\WINDOWS\system32\FLIQLO.scr /u
Foxit PDF Editor-->C:\Program Files\Foxit Software\PDF Editor\uninstall.exe
FS Real Time v1.83-->C:\WINDOWS\iun6002.exe "C:\Program Files\FS Real Time\irunin.ini"
FSacars-->MsiExec.exe /I{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}
FSD Porter\FS 2004-->D:\Games\Flight Simulator 9\Uninstal FSD Porter.exe
FSDreamTeam Geneva FS9 1.1-->"D:\Games\Flight Simulator 9\unins002.exe"
FSDreamTeam JFK FS9 1.0.2-->"D:\Games\Flight Simulator 9\unins000.exe"
FSDreamTeam Ohare9 1.1.1-->"D:\Games\Flight Simulator 9\unins001.exe"
FSDreamTeam Zurich9 1.3.1-->"D:\Games\Flight Simulator 9\unins003.exe"
Google Chrome-->"C:\Program Files\Google\Chrome\Application\2.0.172.39\Installer\setup.exe" --uninstall --system-level
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
iKeyWorks 7.80-->C:\Program Files\A4Tech\Keyboard\Uninst32.exe
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
IvAe v1.0.4 (b322)-->"C:\Program Files\IVAO\IvAe\unins000.exe"
IvAp v1.3.8 (b2150)-->"C:\Program Files\IVAO\IvAp\unins000.exe"
JeppView / JeppView FliteDeck-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E0D150E-E486-4D20-BB7F-E091032C34D9}\setup.exe" -l0x9 AnyText
K-Lite Codec Pack 5.0.5 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft .NET Framework 2.0 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - DEU\install.exe
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 German Language Pack-->C:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0 German Language Pack\setup.exe
Microsoft .NET Framework 3.0 German Language Pack-->MsiExec.exe /X{F2A7F421-1679-48D5-B918-96999014ED53}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Flight Simulator 2004 A Century of Flight-->"D:\Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWudf01007$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Mobiola Web Camera for S60 3.0-->"C:\Program Files\Mobiola Web Camera for S60\unins000.exe"
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nokia Connectivity Cable Driver-->MsiExec.exe /I{52D02A2B-03D2-4E34-A358-DC5D951FD296}
Nokia PC Suite-->C:\Documents and Settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web[1].exe
Nokia PC Suite-->MsiExec.exe /I{3D39E775-DDDA-4327-B747-0BDC5F191331}
Nokia Software Updater-->MsiExec.exe /X{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PC Connectivity Solution-->MsiExec.exe /I{0C973594-7DDF-4BD0-84ED-3517F7622037}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PerfectDisk 10 Professional-->MsiExec.exe /I{7B738CD9-D107-48C7-8E65-2E6639A39C8D}
Philips PSC703 Support Files-->hduninst.exe
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PMDG 747-400 FS9 Update V1R12 (Unifies to FSX)-->C:\Program Files\InstallShield Installation Information\{304DAE83-906F-4005-BA09-2870349ABD14}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDG MD-11 FS9-->C:\Program Files\InstallShield Installation Information\{8BA8CE06-0C92-4A44-9924-2614DCD77F20}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDG_747-400_Sound_Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2758F387-D016-4725-9D03-AB039364DF3D}\setup.exe" -l0x9 -removeonly
PMDG747_400 Queen of the Skies-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97679567-0095-464E-B5F2-E218A1CF3421}\setup.exe" -l0x9 -removeonly
PMDG747_400F-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{164360E5-0AAD-48AD-8A36-3F8A859FAB6F}\setup.exe" -l0x9 -removeonly
PMDGMD11_FS9_GE_AA-->C:\Program Files\InstallShield Installation Information\{FA805C9A-03D4-4063-8725-7BB5D28751C7}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_AY2-->C:\Program Files\InstallShield Installation Information\{BBDA88D0-F718-4A4D-B3B2-50C82AD10E73}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_AZ-->C:\Program Files\InstallShield Installation Information\{1F937185-7C14-433D-A146-CE4A9A6AF1A9}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_CO-->C:\Program Files\InstallShield Installation Information\{5E0D5668-3AEF-470F-8269-0654DFB560FD}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_JJ-->C:\Program Files\InstallShield Installation Information\{462B1442-63C0-470B-8DED-E88D0EA615D5}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_KL1-->C:\Program Files\InstallShield Installation Information\{782CEE74-72A5-4244-8339-11AE07034213}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_LH-->C:\Program Files\InstallShield Installation Information\{6F405865-2269-40E7-9D45-7832DB75CE29}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_MD-->C:\Program Files\InstallShield Installation Information\{0D4DC13B-42AA-4574-AB2F-E0C36DF134FE}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_NZ-->C:\Program Files\InstallShield Installation Information\{F5F6B3A7-76EF-4AEE-8094-A3091884DF5D}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_OA-->C:\Program Files\InstallShield Installation Information\{B693A214-9D42-4059-A02A-44658D071AB9}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_TW-->C:\Program Files\InstallShield Installation Information\{321963F8-A9E2-44E0-AF5C-70C437C52C55}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_US-->C:\Program Files\InstallShield Installation Information\{95F02600-7C2C-40A4-BCC5-A1B92A9255AD}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GE_VS-->C:\Program Files\InstallShield Installation Information\{0E18F59F-1AB5-468D-AC9A-CBB40088C24D}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GEF_AZF2_A-->C:\Program Files\InstallShield Installation Information\{F8211534-CB0D-4352-AAED-1DA9B87688C9}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GEF_BRF2-->C:\Program Files\InstallShield Installation Information\{5FE64BB8-F6A2-41E8-820B-3063AF83D16F}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GEF_LHF1-->C:\Program Files\InstallShield Installation Information\{4E415661-FC7B-4E76-BB20-D147858096BC}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_GEF_LHF2-->C:\Program Files\InstallShield Installation Information\{0173F42A-DED4-4BAA-A8B2-295749882DC9}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_AC-->C:\Program Files\InstallShield Installation Information\{9AF793F9-9298-4CD0-A1CB-363F4877E3D4}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_BA-->C:\Program Files\InstallShield Installation Information\{3E45440B-8D5C-4FCA-9ECB-0B784CA62043}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_CI-->C:\Program Files\InstallShield Installation Information\{49B4706D-AB9D-44CB-AD30-4EDF6771168F}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_DL2-->C:\Program Files\InstallShield Installation Information\{EA11861A-FD68-4108-AE34-A5F5E7FCEBA8}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_DL3-->C:\Program Files\InstallShield Installation Information\{C79F979B-5556-4D8D-B8D3-9ED0FD7030D0}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_JL-->C:\Program Files\InstallShield Installation Information\{469E49E7-E1C4-4B4B-AD9D-4A613F309306}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_LT-->C:\Program Files\InstallShield Installation Information\{60FF2A02-EAEB-40EC-8CEC-A3D585800FC9}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_QF-->C:\Program Files\InstallShield Installation Information\{076F3CEA-BB9D-463A-A459-9480AC65888D}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_RG-->C:\Program Files\InstallShield Installation Information\{73929F70-F701-4B82-B2C8-B2F4EC9A36F1}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_RG2-->C:\Program Files\InstallShield Installation Information\{64F96B40-0669-4AAF-BDF4-4CF37F5764AC}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_SR2-->C:\Program Files\InstallShield Installation Information\{7FFA464F-EA14-4F95-A5F0-9B935DDD8879}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_UA3-->C:\Program Files\InstallShield Installation Information\{27D89681-2A44-4760-944D-0215C2017760}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_WO2-->C:\Program Files\InstallShield Installation Information\{CC36AF54-41D5-4174-8F70-AB522ABB3058}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PW_ZB-->C:\Program Files\InstallShield Installation Information\{11CB2445-87D5-4B07-AFCB-2175D844F8ED}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PWF_5XF-->C:\Program Files\InstallShield Installation Information\{86E0DB41-C3BE-41E1-ABA9-523B191FC5B2}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PWF_BAF1-->C:\Program Files\InstallShield Installation Information\{6E2D5029-36B8-4D9D-BC93-DEE08B11F6F6}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PWF_FXF-->C:\Program Files\InstallShield Installation Information\{A981F05D-AFD4-4E7C-B4DB-FF6EE33F8DCE}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PWF_MPF1-->C:\Program Files\InstallShield Installation Information\{A86F82A9-D501-4657-95FB-AFD54F41BA51}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PWF_MPF2-->C:\Program Files\InstallShield Installation Information\{8D82B66C-2215-48D5-95E6-E1D5ECA2DD52}\setup.exe -runfromtemp -l0x0009 -removeonly
PMDGMD11_FS9_PWF_WOF-->C:\Program Files\InstallShield Installation Information\{FCEBDFA6-EED5-4B0B-8187-46AC14F96E57}\setup.exe -runfromtemp -l0x0009 -removeonly
Reality XP Flight Line Wx500-->"D:\Games\Flight Simulator 9\RealityXP\Flight Line Wx500\unins000.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 1.0.1-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Nokia Modem (06/01/2009 4.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_C08496D7A0050438DFE13C55799AE2D4157A8E7A\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_9C48E34C57B7D4AAE5FFF5FB9B476B538394FD30\nokbtmdm.inf
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)-->C:\PROGRA~1\DIFX\B4723E9A0713E5B1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_A3B3916E5D8138F59EE218321B27B044D3B18294\pccsmcfd.inf
Windows Presentation Foundation Language Pack (DEU)-->MsiExec.exe /X{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation DE Language Pack-->MsiExec.exe /I{7228FD8C-3B9E-4204-AE36-8A466107685B}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

=====HijackThis Backups=====

O2 - BHO: D - {25D71C4A-EB55-3904-920D-69740475501D} - C:\WINDOWS\system32\xwr59365.dll [2009-08-15]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank [2009-08-15]

======Security center information======

AV: ESET Smart Security 4.0
FW: ESET Personal firewall

======System event log======

Computer Name: WONDERMACHINE
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0019155A28BF. The IP address being used is 169.254.164.115.

Record Number: 719
Source Name: Dhcp
Time Written: 20090812130930.000000+120
Event Type: warning
User:

Computer Name: WONDERMACHINE
Event Code: 20
Message: Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Record Number: 686
Source Name: Print
Time Written: 20090812093217.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: WONDERMACHINE
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0019155A28BF. The IP address being used is 169.254.164.115.

Record Number: 681
Source Name: Dhcp
Time Written: 20090812092408.000000+120
Event Type: warning
User:

Computer Name: WONDERMACHINE
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0019155A28BF. The IP address being used is 169.254.164.115.

Record Number: 635
Source Name: Dhcp
Time Written: 20090812082506.000000+120
Event Type: warning
User:

Computer Name: WONDERMACHINE
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0019155A28BF. The IP address being used is 169.254.164.115.

Record Number: 592
Source Name: Dhcp
Time Written: 20090811123113.000000+120
Event Type: warning
User:

=====Application event log=====

Computer Name: WONDERMACHINE
Event Code: 2002
Message: The MOF file created for the Outlook service could not be loaded. The
error code returned by the MOF Compiler is contained in the Record Data.
Before the performance counters of this service can be collected by WMI
the MOF file will need to be loaded manually. Contact the vendor of this
service for additional information.

Record Number: 164
Source Name: LoadPerf
Time Written: 20090812093857.000000+120
Event Type: warning
User:

Computer Name: WONDERMACHINE
Event Code: 63
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 162
Source Name: WinMgmt
Time Written: 20090812093103.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: WONDERMACHINE
Event Code: 1000
Message: Faulting application skype.exe, version 4.1.0.141, faulting module skype.exe, version 4.1.0.141, fault address 0x00811f2b.

Record Number: 154
Source Name: Application Error
Time Written: 20090812085116.000000+120
Event Type: error
User:

Computer Name: WONDERMACHINE
Event Code: 1000
Message: Faulting application skype.exe, version 4.1.0.141, faulting module skype.exe, version 4.1.0.141, fault address 0x00811f2b.

Record Number: 153
Source Name: Application Error
Time Written: 20090812085025.000000+120
Event Type: error
User:

Computer Name: WONDERMACHINE
Event Code: 1517
Message: Windows saved user WONDERMACHINE\loplo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 144
Source Name: Userenv
Time Written: 20090811225537.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

loplo
2009-08-23, 00:59
2. log.txt is too large to paste here, which is why I'm trying to attach it.
3. GMER log:
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-22 23:49:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8658D630 ZwAssignProcessToJobObject
SSDT spmg.sys ZwCreateKey [0xF748E0E0]
SSDT spmg.sys ZwEnumerateKey [0xF74ACCA2]
SSDT spmg.sys ZwEnumerateValueKey [0xF74AD030]
SSDT spmg.sys ZwOpenKey [0xF748E0C0]
SSDT 8658CA60 ZwOpenProcess
SSDT 8658CE80 ZwOpenThread
SSDT spmg.sys ZwQueryKey [0xF74AD108]
SSDT spmg.sys ZwQueryValueKey [0xF74ACF88]
SSDT spmg.sys ZwSetValueKey [0xF74AD19A]
SSDT 8658D460 ZwSuspendProcess
SSDT 8658D280 ZwSuspendThread
SSDT 8658CC90 ZwTerminateProcess
SSDT 8658D0B0 ZwTerminateThread

INT 0x62 ? 86F6DBF8
INT 0x63 ? 86C95BF8
INT 0x63 ? 86C95BF8
INT 0x63 ? 86C95BF8
INT 0x63 ? 86C95BF8
INT 0x63 ? 86C95BF8
INT 0x82 ? 86F6DBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 24C 804E28A8 2 Bytes [80, CE]
.text ntoskrnl.exe!_abnormal_termination + 24F 804E28AB 1 Byte [86]
.text ntoskrnl.exe!_abnormal_termination + 450 804E2AAC 2 Bytes [90, CC] {NOP ; INT 3 }
.text ntoskrnl.exe!_abnormal_termination + 453 804E2AAF 5 Bytes [86, B0, D0, 58, 86]
? spmg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6C398AC 5 Bytes JMP 86C951D8
.text adg6m049.SYS F6B49386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text adg6m049.SYS F6B493AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text adg6m049.SYS F6B493C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text adg6m049.SYS F6B493C9 1 Byte [2E]
.text adg6m049.SYS F6B493C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[384] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86FDC2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74BFC4C] spmg.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74BFCA0] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F748F040] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F748F13C] spmg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F748F0BE] spmg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F748F7FC] spmg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F748F6D2] spmg.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86C952D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F749F048] spmg.sys
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlInitUnicodeString] C483FFFF
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!swprintf] 0FC08520
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeSetEvent] 0001B185
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 46B70F00
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoGetConfigurationInformation] F44D8B48
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] C1815753
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmFreeMappingAddress] 00002590
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 467C8D51
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 76F0E84A
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmUnmapIoSpace] D88BFFFF
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 8504C483
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IofCompleteRequest] 5F0A75DB
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 5B08438D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IofCallDriver] 5DE58B5E
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 259068C3
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 006A0000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoConnectInterrupt] 88DCE853
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoDetachDevice] 558DFFFF
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeWaitForSingleObject] 90838DF8
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeInitializeEvent] 52000025
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeCancelTimer] 03895750
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] FFF363E8
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlInitAnsiString] 0C458AFF
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 8B104D8B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoQueueWorkItem] 43881855
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmMapIoSpace] 1C458B08
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0F544389
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoReportDetectedDevice] 89FF45B6
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoReportResourceForDetection] 4D8B0C4B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 50538920
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!NlsMbCodePageTag] 8924558B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!PoRequestPowerIrp] 5389584B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 0A43885C
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 0646B60F
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!sprintf] A818C483
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 8D7F743F
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ObfDereferenceObject] 001A8C8B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] E0835100
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 7E8D503F
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ZwClose] C9E85728
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 0F0000D2
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 8D0646B6
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 001B8093
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!PoStartNextPowerIrp] E0835200
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoCreateDevice] E857503F
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 0000ECC4
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 026B938D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlQueryRegistryValues] C6830000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ZwOpenKey] 0008B908
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlFreeUnicodeString] FA8B0000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoStartTimer] 758BA5F3
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeInitializeTimer] 064E8A08
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoInitializeTimer] 883FE180
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeInitializeDpc] 0002688B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeInitializeSpinLock] 06468A00
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoInitializeIrp] 8306E8C0
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ZwCreateKey] 023C18C4
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 02698388
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 19750000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ZwSetValueKey] 028C838D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeInsertQueueDpc] 52500000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00C253E8
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoStartPacket] 08C48300
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 0575C085
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] EB08708D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoFreeMdl] 074E8A54
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmUnlockPages] 026A8B88
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 83660000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 7601487E
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 4AC68305
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmUnmapReservedMapping] F63302EB
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeSynchronizeExecution] 5614558B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoStartNextPacket] 75E85352
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeBugCheckEx] 8BFFFFF4
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0CC483F0
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeSetTimer] 2075F685
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!_allmul] 050C7D80
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmProbeAndLockPages] 0092850F
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!_except_handler3] 458B0000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!PoSetPowerState] E85350F8
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] FFFFF848
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 8408C483
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] BE7875C0
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!_aulldiv] 00000008
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!strstr] F346E853
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!_strupr] C483FFFF
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeQuerySystemTime] 00F46804
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 838D0000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeTickCount] 00001A8C
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] E850006A
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoDeleteDevice] FFFF87B6
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000F468
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoAllocateWorkItem] 808B8D00
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoAllocateIrp] 6A00001B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoAllocateMdl] A3E85100
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 33FFFF87
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmLockPagableDataSection] 6B8389C0
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 89000002
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 00026F83
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!ExFreePoolWithTag] 73838900
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoFreeIrp] 89000002
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!IoFreeWorkItem] 00027783
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!InitSafeBootMode] 7B838900
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!RtlCompareMemory] 89000002
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!PoCallDriver] 00027F83
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!memmove] 83838900
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!MmHighestUserAddress] 53000002
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!KfAcquireSpinLock] 8BEC8B55
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!READ_PORT_UCHAR] 00C73445
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!KeGetCurrentIrql] 00000000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!KfRaiseIrql] 830C458B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!KfLowerIrql] C0840CEC
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!HalGetInterruptVector] 053C0D74
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!HalTranslateBusAddress] 57B80974
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!KeStallExecutionProcessor] 8B000000
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!KfReleaseSpinLock] 56C35DE5
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D08758B
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!READ_PORT_USHORT] 8D51FC4D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8D52FD55
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[HAL.dll!WRITE_PORT_UCHAR] 8D51FE4D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[WMILIB.SYS!WmiSystemControl] 8D51F84D
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[WMILIB.SYS!WmiCompleteRequest] 5052F455

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F6C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 86B2B500

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBPDO-0 86D391F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FDA1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86FDA1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86FDA1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86FDA1F8
Device \Driver\usbuhci \Device\USBPDO-1 86D391F8
Device \Driver\usbuhci \Device\USBPDO-2 86D391F8
Device \Driver\usbehci \Device\USBPDO-3 86C861F8
Device \Driver\sptd \Device\2160081594 spmg.sys

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F6E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F6E1F8
Device \Driver\Cdrom \Device\CdRom0 86C9C500
Device \Driver\Ftdisk \Device\HarddiskVolume3 86F6E1F8
Device \Driver\Cdrom \Device\CdRom1 86C9C500
Device \Driver\Cdrom \Device\CdRom2 86C9C500
Device \Driver\Ftdisk \Device\HarddiskVolume4 86F6E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 86F6E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86CBF500
Device \Driver\USBSTOR \Device\00000078 869CC500
Device \Driver\PCI_PNP6594 \Device\0000004b spmg.sys
Device \Driver\NetBT \Device\NetbiosSmb 86CBF500
Device \Driver\USBSTOR \Device\00000079 869CC500

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBFDO-0 86D391F8
Device \Driver\usbuhci \Device\USBFDO-1 86D391F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86A171F8
Device \Driver\usbuhci \Device\USBFDO-2 86D391F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86A171F8
Device \Driver\usbehci \Device\USBFDO-3 86C861F8
Device \Driver\Ftdisk \Device\FtControl 86F6E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B47AAD2E-AF4D-47D2-A756-8BCF4600DCEF} 86CBF500
Device \Driver\adg6m049 \Device\Scsi\adg6m0491Port2Path0Target0Lun0 86C6A500
Device \Driver\adg6m049 \Device\Scsi\adg6m0491 86C6A500
Device \FileSystem\Fastfat \Fat 86B2B500

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 86AAE500

---- Threads - GMER 1.0.15 ----

Thread System [4:548] 8658B790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x66 0xCC 0x20 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE8 0xE1 0xE0 0xFA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB0 0x26 0xCD 0x4B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x66 0xCC 0x20 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE8 0xE1 0xE0 0xFA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xB0 0x26 0xCD 0x4B ...

---- EOF - GMER 1.0.15 ----
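The GMER output above mixes two kinds of kernel hook entries: ones GMER can attribute to a loaded module (`SSDT spmg.sys ZwCreateKey [0xF748E0E0]`, `IAT pci.sys[...] [F74BFC4C] spmg.sys`) and ones where it only prints a bare handler address (`SSDT 8658D630 ZwOpenProcess`, `IAT ...SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86FDC2D8`). The following is an added triage script, not part of the thread and not a GMER feature, that parses those lines, groups hooks by owning module and flags two things an analyst would check by hand: hooks with no module attribution, and IAT "targets" that are not even in the kernel half of the address space (the adg6m049.SYS entries such as `0FC08520` and `0001B185`), which means GMER is reading something other than a valid import pointer there. The sample lines are copied from the log above; the `KERNEL_BASE` constant assumes the default 2 GB/2 GB split of 32-bit Windows XP, and the `KNOWN_MODULES` entry for spmg.sys is taken from the log's own `\Driver\sptd` device line and the `sptd\Cfg@p0` registry value pointing at Alcohol 120%. An unattributed hook is a lead, not a verdict: security suites like the ESET product running on this machine commonly hook process and thread calls for self-protection, so each flagged entry still has to be matched against the installed software before it is treated as malicious.

```python
"""Triage GMER SSDT / kernel-IAT hook lines by attribution and address plausibility."""
import re
from collections import defaultdict

# Default 32-bit Windows XP user/kernel split (assumption). With the /3GB boot
# switch the kernel half starts at 0xC0000000 instead; adjust if booted that way.
KERNEL_BASE = 0x80000000

# Modules the posted log itself accounts for: spmg.sys backs \Driver\sptd in the
# "Devices" section, and the sptd Cfg@p0 registry value points at Alcohol 120%.
KNOWN_MODULES = {
    "spmg.sys": "sptd (Alcohol 120% disc-emulation driver, per the sptd Cfg@p0 value)",
}

# "SSDT spmg.sys ZwCreateKey [0xF748E0E0]"  -> module-attributed hook
# "SSDT 8658D630 ZwOpenProcess"             -> bare handler address, no module
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?$")

# "IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74BFC4C] spmg.sys"  -> attributed
# "IAT \...\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86FDC2D8"     -> bare address
IAT_RE = re.compile(
    r"^IAT\s+(\S+?)\[([^\]!]+)!([^\]]+)\]\s+"
    r"(?:\[([0-9A-Fa-f]+)\]\s+(\S+)|([0-9A-Fa-f]+))$"
)


def parse_hook(line):
    """Return a dict describing one hook line, or None for any other line."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        first, func, addr = m.groups()
        if addr is None:
            # Bare form: the first field is the handler address itself.
            return {"kind": "SSDT", "victim": "ntoskrnl", "func": func,
                    "addr": int(first, 16), "module": None}
        return {"kind": "SSDT", "victim": "ntoskrnl", "func": func,
                "addr": int(addr, 16), "module": first}
    m = IAT_RE.match(line)
    if m:
        victim, exporter, func, addr, module, bare = m.groups()
        return {"kind": "IAT", "victim": victim, "func": f"{exporter}!{func}",
                "addr": int(addr or bare, 16), "module": module}
    return None


def triage(lines):
    """Group hooks by owning module and list the ones an analyst should inspect.

    Findings:
      unattributed        GMER could not map the handler to a loaded module.
      not_kernel_address  the value is below KERNEL_BASE, so it cannot be a kernel
                          code pointer; GMER is reading something other than a
                          valid import entry (obfuscated IAT, or a driver that
                          rewrites its own import table at run time).
    """
    by_module = defaultdict(list)
    findings = []
    for h in filter(None, map(parse_hook, lines)):
        by_module[h["module"] or "<unattributed>"].append(h)
        if h["module"] is None:
            findings.append(("unattributed", h))
        if h["addr"] < KERNEL_BASE:
            findings.append(("not_kernel_address", h))
    return by_module, findings


# Sample input: lines copied verbatim from the GMER log posted in this thread.
SAMPLE = r"""
SSDT 8658D630 ZwAssignProcessToJobObject
SSDT spmg.sys ZwCreateKey [0xF748E0E0]
SSDT 8658CA60 ZwOpenProcess
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74BFC4C] spmg.sys
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86FDC2D8
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!swprintf] 0FC08520
IAT \SystemRoot\System32\Drivers\adg6m049.SYS[ntoskrnl.exe!KeSetEvent] 0001B185
""".splitlines()

if __name__ == "__main__":
    groups, flagged = triage(SAMPLE)
    for mod, hooks in groups.items():
        label = KNOWN_MODULES.get(mod, "not accounted for in the log")
        print(f"{mod}: {len(hooks)} hook(s) - {label}")
    for reason, h in flagged:
        print(f"  [{reason}] {h['kind']} {h['victim']} {h['func']} @ {h['addr']:08X}")
```

Run it against the full "System" and "Kernel IAT/EAT" sections of a GMER log; every module that ends up in the `<unattributed>` bucket, or that is not in `KNOWN_MODULES`, is the list to reconcile against the installed drivers and security software before deciding anything is a rootkit.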

loplo
2009-08-23, 08:11
Still wasn't able to attach log.txt because of its size, so I've uploaded the file here (http://www.filefactory.com/file/ah3b5f2/n/log_txt).

katana
2009-08-23, 12:36
Information

REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent

Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.


----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


----------------------------------------------------------------------------------------
Step 2


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

MalwareBytes Log
Combofix Log
How are things running now ?

loplo
2009-08-23, 23:58
Sorry for the P2P stuff.
Malwarebytes solved the problem. It seems that the infection came via P2P.
Do I have to run ComboFix too?

Malwarebytes log:
Malwarebytes' Anti-Malware 1.40
Database version: 2684
Windows 5.1.2600 Service Pack 3

8/23/2009 10:45:54 PM
mbam-log-2009-08-23 (22-45-54).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 429612
Time elapsed: 1 hour(s), 43 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\D.1 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\w32id (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090815-234527-178.dll (Trojan.BHO) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{DB7EF094-4C81-4D98-A333-48BDA5CEEC4A}\RP6\A0002169.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EE3C6446-4B5D-4148-9668-93505CDAE30A}\RP19\A0033820.dll (Hacktool) -> Quarantined and deleted successfully.
D:\torrentdld\Sony.Soundforge.8.Inc.Keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\xtreme\dlls\r1dll.dll (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\kit\2007 09 September\Adobe Photoshop CS3 + Keygen -Working!\PhotoShop CS3 Extended Keygen + Activation.exe (Trojan.Horst) -> Quarantined and deleted successfully.
D:\kit\2008 04 April\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\CryptLoad_1.1.6\router\FRITZ!Box\nc.exe (PuP.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmon_ly.exe (Trojan.Agent) -> Quarantined and deleted successfully.
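
Two of the detections above belong together: the Image File Execution Options\ctfmon.exe key and the file system32\ctfmon_ly.exe. An IFEO "Debugger" value under a program's name makes Windows start the named "debugger" instead of the program, so a look-alike binary next to a legitimate logon process is the classic shape of that hijack; the Malwarebytes log only records that the key and the file were removed, not the value's contents. The script below is an added example, not part of this thread and not Malwarebytes' or ComboFix's own code. It parses the REGEDIT4-style layout ComboFix prints under "Reg Loading Points" and flags the entries a helper would look at first. The sample dump is constructed: it mirrors the AppInit_DLLs, FirewallOverride, EnableFirewall and AuthorizedApplications entries that appear in the ComboFix log later in this thread, and the IFEO Debugger value pointing at ctfmon_ly.exe is an assumption made for the example.

```python
"""Triage a REGEDIT4-style registry dump (the layout ComboFix prints under
'Reg Loading Points') for the persistence points and firewall settings that
appear in this thread. Added example, not ComboFix's or MBAM's own code; the
sample input below is constructed."""
import re

IFEO_PATH = r"windows nt\currentversion\image file execution options"
FW_PROFILE = r"services\sharedaccess\parameters\firewallpolicy\standardprofile"

# Constructed sample modelled on the thread's ComboFix output. The IFEO
# Debugger value is an ASSUMPTION: the MBAM log shows only that the
# IFEO\ctfmon.exe key and system32\ctfmon_ly.exe were removed, not the value.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="c:\\windows\\system32\\ctfmon_ly.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sopocx.ocx"=
"%windir%\\system32\\tvu49.ocx"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')


def _unescape(s):
    """Undo REGEDIT4 escaping of backslashes and quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_regedit(text):
    """Return {key_path: {value_name: raw_value_text}}.

    Value text is kept raw (dword:..., quoted strings, or ComboFix's bare
    paths) so the checks below can interpret it per setting."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = m.group(2).strip()
    return keys


def _string_value(raw):
    """Strip REGEDIT4 quoting from a string value; leave bare text alone."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw


def triage(keys):
    """Return a sorted list of (code, detail) findings worth a human look."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        lowvals = {n.lower(): v for n, v in values.items()}
        # 1. An IFEO Debugger value silently runs another binary in place of
        #    the named program every time Windows starts it.
        if IFEO_PATH in low and "debugger" in lowvals:
            exe = path.rsplit("\\", 1)[-1]
            findings.append(("IFEO_DEBUGGER",
                             exe + " -> " + _string_value(lowvals["debugger"])))
        # 2. AppInit_DLLs is loaded into every process that loads user32.dll.
        if low.endswith(r"windows nt\currentversion\windows") and \
                lowvals.get("appinit_dlls", "").strip('" '):
            findings.append(("APPINIT_DLLS", _string_value(lowvals["appinit_dlls"])))
        # 3. Windows Firewall disabled on the standard profile.
        if low.endswith(FW_PROFILE) and \
                lowvals.get("enablefirewall", "").lstrip().startswith("0"):
            findings.append(("FIREWALL_DISABLED", path))
        # 4. Security Center told not to complain about the firewall state.
        if low.endswith(r"microsoft\security center") and \
                lowvals.get("firewalloverride", "").endswith("1"):
            findings.append(("FIREWALL_OVERRIDE", path))
        # 5. Firewall exceptions granted to non-executables (.ocx/.dll).
        if low.endswith(r"authorizedapplications\list"):
            for name in values:
                if name.lower().endswith((".ocx", ".dll")):
                    findings.append(("FW_EXCEPTION_NON_EXE", name))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in triage(parse_regedit(SAMPLE_DUMP)):
        print(f"{code:22} {detail}")
```

The findings are prompts, not verdicts. EnableFirewall=0 together with FirewallOverride=1 is exactly what a third-party firewall such as the ESET one in this thread leaves behind, so that pair is informational when such a product is installed. AppInit_DLLs pointing at acaptuser32.dll is a file that normally ships with Adobe Acrobat (which is installed on this machine), so the right follow-up is to verify the file rather than delete the value. The .ocx entries in the firewall exception list are ActiveX controls rather than executables, which is the unusual shape worth a second look; the IFEO Debugger entry is the one finding that is almost never legitimate on an end-user machine.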

katana
2009-08-24, 00:21
1) Malwarebytes solved the problem.
2) It seems that the infection came via P2P.
3) Do I have to run ComboFix too?

1) It generally does
2) Frequently; that is why we ask that they be removed.
3) Yes please.


Adobe Photoshop CS3 + Keygen -Working!\PhotoShop CS3 Extended Keygen + Activation.exe
Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE\Keygen.exe

I don't provide help for those using any form of cracked software or Operating Systems.

In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

Since these files have been removed, I will continue to help you at this time.
BUT, if I see any evidence of other similar files/programs, this topic will be locked.

In the future I strongly suggest you stay away from using cracks and/or Keygens.

loplo
2009-08-24, 00:54
Combofix:
ComboFix 09-08-22.06 - loplo 08/23/2009 23:45.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1024.586 [GMT 2:00]
Running from: c:\documents and settings\loplo\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\27862.msp
c:\windows\system32\Cache
c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 17:58 . 2009-08-23 17:58 -------- d-----w- c:\documents and settings\loplo\Application Data\Malwarebytes
2009-08-23 17:58 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-23 17:58 . 2009-08-23 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 17:58 . 2009-08-23 17:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 17:58 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 12:08 . 2009-08-23 20:46 -------- d-----w- C:\rsit
2009-08-20 13:25 . 2009-04-17 22:44 -------- d-----w- c:\temp\crack
2009-08-20 13:25 . 2009-04-01 08:43 36760064 ----a-w- c:\temp\essbe_nt32_enu.msi
2009-08-20 13:24 . 2009-08-20 13:27 -------- d-----w- C:\temp
2009-08-19 20:07 . 2009-08-19 20:08 -------- d-----w- c:\documents and settings\loplo\Application Data\Notepad++
2009-08-19 20:07 . 2009-08-19 20:08 -------- d-----w- c:\program files\Notepad++
2009-08-19 18:57 . 2009-08-19 18:57 766 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_16496df1.exe
2009-08-19 18:57 . 2009-08-19 18:57 23558 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_4ae13d6c.exe
2009-08-19 18:57 . 2009-08-19 18:57 2238 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_69525f90.exe
2009-08-19 18:57 . 2009-08-19 18:57 2238 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_5af141bb.exe
2009-08-19 18:57 . 2009-08-19 18:57 1078 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_2cd672ae.exe
2009-08-19 18:57 . 2009-08-19 18:57 23558 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_18be6784.exe
2009-08-19 18:57 . 2009-08-19 18:57 1078 ----a-r- c:\documents and settings\loplo\Application Data\Microsoft\Installer\{FFC78FC9-2FE6-4648-BFEB-446C61C2D61E}\_294823.exe
2009-08-19 18:57 . 2009-08-22 09:11 -------- d-----w- c:\program files\FSacars
2009-08-19 18:43 . 2009-08-19 18:42 737280 ----a-w- c:\windows\iun6002.exe
2009-08-19 18:42 . 2009-08-19 18:44 -------- d-----w- c:\program files\FS Real Time
2009-08-19 18:15 . 2009-08-19 18:15 -------- d-----w- c:\program files\ERUNT
2009-08-19 16:15 . 2009-08-19 16:22 131072 ----a-w- c:\windows\system32\SKCA32.dll
2009-08-19 16:15 . 2009-08-19 16:22 127488 ----a-w- c:\windows\system32\KEYLIB32.dll
2009-08-19 16:01 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-08-19 16:01 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-19 15:59 . 2009-08-19 15:58 101248 ----a-w- c:\windows\system32\drivers\avmaura.sys
2009-08-19 15:58 . 2009-08-19 16:12 -------- d-----w- c:\documents and settings\loplo\Local Settings\Application Data\Deployment
2009-08-19 15:57 . 2006-06-29 11:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-08-19 15:56 . 2009-08-19 15:56 -------- d-----w- c:\windows\system32\de-DE
2009-08-19 15:54 . 2009-08-19 15:54 -------- d-----w- c:\program files\MSBuild
2009-08-19 15:39 . 2009-08-20 00:44 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-19 15:37 . 2009-08-19 15:37 -------- d-----w- c:\program files\Reference Assemblies
2009-08-19 15:35 . 2009-08-19 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-08-19 15:27 . 2009-08-19 16:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-19 15:27 . 2009-08-19 16:02 65 ----a-w- c:\windows\system32\bd7030.dat
2009-08-19 15:26 . 2007-08-19 23:34 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE
2009-08-19 15:26 . 2004-09-23 22:00 24223 ----a-w- c:\windows\system32\BRLM03A.DLL
2009-08-19 15:26 . 2004-08-09 22:42 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
2009-08-19 15:25 . 2008-01-23 15:22 1397248 ----a-w- c:\windows\system32\BrWia07b.dll
2009-08-19 15:25 . 2007-07-16 13:34 45568 ----a-w- c:\windows\system32\BrUsi07b.dll
2009-08-19 15:25 . 2004-10-15 10:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2009-08-19 15:25 . 2007-01-26 14:13 54784 ------w- c:\windows\system32\brinsstr.dll
2009-08-19 15:09 . 2009-08-19 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-08-19 14:23 . 2009-08-19 14:23 -------- d-----w- c:\documents and settings\loplo\Local Settings\Application Data\Help
2009-08-19 14:07 . 2009-08-19 14:07 61 --sh--w- c:\windows\cnerolf.dat
2009-08-19 07:21 . 2007-03-05 08:51 360580 ----a-w- c:\windows\eSellerateEngine.dll
2009-08-19 06:38 . 2009-08-19 06:38 -------- d-----w- c:\documents and settings\loplo\Application Data\InstallShield
2009-08-18 21:46 . 2009-08-19 20:35 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-08-18 21:46 . 2009-08-23 10:45 -------- d-----w- c:\documents and settings\loplo\Application Data\teamspeak2
2009-08-18 21:34 . 2009-08-18 21:34 -------- d-----w- c:\documents and settings\loplo\Local Settings\Application Data\Yahoo
2009-08-18 21:32 . 2009-08-18 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-18 21:32 . 2009-05-26 17:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-08-18 21:32 . 2009-08-18 21:32 -------- d-----w- c:\program files\Yahoo!
2009-08-17 23:36 . 2009-08-17 23:38 -------- d-----w- c:\documents and settings\loplo\Application Data\BSplayer PRO
2009-08-17 23:35 . 2009-08-17 23:35 -------- d-----w- c:\program files\Webteh
2009-08-16 14:15 . 2009-08-19 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-16 14:11 . 2008-04-07 03:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-08-16 14:11 . 2008-04-07 03:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll
2009-08-16 13:43 . 2009-07-22 15:44 57344 ----a-w- c:\windows\system32\zlib1i.dll
2009-08-16 13:43 . 2009-07-22 15:44 57344 ----a-w- c:\windows\system32\CGZipLibrary.dll
2009-08-16 13:43 . 2009-07-22 15:44 49152 ----a-w- c:\windows\system32\DSPing.dll
2009-08-16 13:43 . 2009-07-22 15:44 143360 ----a-w- c:\windows\system32\Unzip32.dll
2009-08-16 13:42 . 2009-08-22 18:28 -------- d-----w- c:\program files\IVAO
2009-08-16 08:42 . 2009-08-16 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-08-16 08:41 . 2009-08-16 08:42 -------- d-----w- c:\program files\Raxco
2009-08-16 08:26 . 2009-08-19 17:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-15 21:43 . 2009-08-15 21:43 -------- d-----w- c:\program files\Trend Micro
2009-08-15 21:22 . 2009-08-15 21:42 -------- d-----w- c:\program files\Lavasoft
2009-08-15 21:22 . 2009-08-15 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-14 21:11 . 2009-08-14 21:11 -------- d-----w- c:\program files\Bonjour
2009-08-14 20:52 . 2009-08-19 18:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 20:52 . 2009-08-19 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 20:46 . 2009-08-14 20:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-14 17:25 . 2009-08-14 17:25 -------- d-----w- c:\documents and settings\loplo\Application Data\Canneverbe_Limited
2009-08-14 17:25 . 2009-08-23 05:59 29936 ----a-w- c:\documents and settings\loplo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 17:25 . 2009-08-14 17:25 -------- d-----w- c:\program files\CDBurnerXP
2009-08-14 16:42 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 16:42 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-14 16:42 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 16:42 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-14 16:42 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 16:42 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-14 16:42 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 11:22 . 2009-08-14 11:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-14 11:20 . 2009-08-14 11:20 -------- d-----w- c:\program files\Foxit Software
2009-08-12 20:33 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-08-12 07:32 . 2007-04-09 11:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2009-08-12 07:30 . 2009-08-12 07:30 -------- d-----w- c:\program files\Microsoft.NET
2009-08-12 07:28 . 2009-08-12 07:30 -------- d-----w- c:\windows\SHELLNEW
2009-08-12 07:23 . 2009-08-12 07:23 -------- d-----w- c:\program files\Alcohol Soft
2009-08-12 07:18 . 2009-08-12 07:18 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-12 07:17 . 2009-08-12 07:17 9459808 ----a-w- c:\documents and settings\loplo\Application Data\ALCOHOL - 120% 5.0 Blu-ray.exe
2009-08-12 06:33 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 06:33 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 06:33 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 06:33 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 06:33 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-08-12 06:33 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 06:32 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 12:31 . 2009-08-11 12:31 -------- d-----w- c:\documents and settings\loplo\Local Settings\Application Data\ESET
2009-08-11 08:57 . 2007-09-20 11:04 114688 ----a-w- c:\windows\system32\BTCamVideoSource.dll
2009-08-11 08:57 . 2009-08-11 08:57 -------- d-----w- c:\program files\Mobiola Web Camera for S60
2009-08-11 08:07 . 2009-08-12 07:30 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-11 07:48 . 2006-11-06 16:04 28672 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2009-08-11 07:48 . 2006-11-06 16:04 28672 ----a-w- c:\windows\system32\drivers\wceusbsh.sys
2009-08-11 07:42 . 2009-08-11 07:43 -------- d-----w- c:\documents and settings\loplo\Application Data\Media Player Classic
2009-08-11 05:30 . 2009-08-11 05:30 -------- d-----w- c:\windows\system32\FLIQLO dir
2009-08-11 05:30 . 2009-08-11 05:30 532480 ----a-w- c:\windows\system32\FLIQLO.scr
2009-08-11 05:26 . 2009-08-11 05:26 -------- d-----w- c:\program files\IrfanView
2009-08-11 05:23 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-08-11 05:23 . 2008-04-13 18:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-08-11 05:21 . 2008-03-21 11:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-08-11 05:20 . 2009-08-11 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-08-11 05:19 . 2009-08-11 05:18 24501456 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_en.exe
2009-08-11 05:18 . 2009-08-11 05:18 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-08-11 05:18 . 2009-08-11 05:18 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-08-11 05:18 . 2009-08-11 05:18 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-08-11 04:54 . 1998-06-17 22:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-08-11 04:21 . 2009-08-11 04:21 -------- d-----w- c:\windows\system32\LogFiles
2009-08-11 04:18 . 2009-08-11 05:25 -------- d-----w- c:\documents and settings\loplo\Application Data\Nokia
2009-08-11 04:18 . 2009-08-11 04:21 -------- d-----w- c:\documents and settings\loplo\Application Data\PC Suite
2009-08-11 04:18 . 2009-08-11 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-08-11 04:18 . 2009-08-11 04:18 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-11 04:18 . 2009-08-11 05:19 -------- d-----w- c:\program files\Common Files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 15:35 . 2009-08-10 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-20 20:19 . 2009-08-10 08:48 -------- d-----w- c:\program files\ESET
2009-08-19 15:26 . 2009-08-19 15:23 -------- d-----w- c:\program files\Brother
2009-08-19 14:16 . 2004-08-03 22:56 1388544 ----a-w- c:\windows\system32\msvbvm60.dll
2009-08-11 05:21 . 2009-08-11 05:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-08-11 05:21 . 2009-08-11 05:21 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-08-11 04:21 . 2009-08-11 04:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-11 04:21 . 2009-08-11 04:21 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-08-10 20:48 . 2009-08-10 08:14 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-10 10:32 . 2009-08-10 10:12 -------- d-----w- c:\documents and settings\loplo\Application Data\Winamp
2009-08-10 10:12 . 2009-08-10 10:12 -------- d-----w- c:\program files\Winamp
2009-08-10 08:56 . 2009-08-10 08:56 0 ----a-w- c:\windows\nsreg.dat
2009-08-10 08:50 . 2009-08-10 08:50 -------- d-----w- c:\documents and settings\loplo\Application Data\ESET
2009-08-10 08:48 . 2009-08-10 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-10 08:43 . 2009-08-10 08:43 -------- d-----w- c:\program files\Analog Devices
2009-08-10 08:43 . 2009-08-10 08:39 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-10 08:16 . 2009-08-10 08:16 -------- d-----w- c:\program files\microsoft frontpage
2009-08-10 08:15 . 2009-08-10 08:15 -------- d-----w- c:\program files\MSXML 6.0
2009-08-10 08:15 . 2009-08-10 08:15 -------- d-----w- c:\program files\MSXML 4.0
2009-08-10 08:11 . 2009-08-10 08:11 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-10 08:11 . 2009-08-10 08:11 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-05 10:29 . 2009-08-10 08:58 43008 ----a-w- c:\documents and settings\loplo\Application Data\Mozilla\Firefox\Profiles\4v761pwj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-05 10:29 . 2009-08-10 08:58 340480 ----a-w- c:\documents and settings\loplo\Application Data\Mozilla\Firefox\Profiles\4v761pwj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-05 10:28 . 2009-08-10 08:58 346112 ----a-w- c:\documents and settings\loplo\Application Data\Mozilla\Firefox\Profiles\4v761pwj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-08-05 09:01 . 2004-08-03 22:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 12:55 . 2009-08-10 10:41 329216 ----a-w- c:\documents and settings\loplo\Application Data\Mozilla\Firefox\Profiles\4v761pwj.default\extensions\fb_add_on@avm.de\components\FB_AddOn.dll
2009-07-17 09:10 . 2009-07-17 09:10 232200 ----a-w- c:\windows\system32\PDBoot.exe
2009-07-13 21:43 . 2007-07-22 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-07-22 10:17 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2007-07-22 10:31 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2007-07-22 10:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-03 22:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-05-10 22:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-03 22:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 07:19 . 2009-08-10 08:10 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2007-07-22 10:17 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 08:00 . 2009-06-08 08:00 71696 ----a-w- c:\windows\system32\drivers\DefragFs.sys
2009-06-03 19:09 . 2007-07-22 10:15 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-10 2582288]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-10 39408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-02 205256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"iKeyWorks"="c:\program files\A4Tech\Keyboard\Ikeymain.exe" [2007-06-25 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-10 122368]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-05 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-03-19 2029640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-11-17 1622016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"TBTray"="acoustic.exe" - c:\windows\acoustic.exe [2002-04-26 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ANYCOM\Blue USB-200-250\BTTray.exe [2006-11-13 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\sopocx.ocx"=
"%windir%\\system32\\tvu49.ocx"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\loplo\\Local Settings\\Apps\\2.0\\ZHWLB4QP.TGO\\DER104BN.P5J\\frit..tion_f8d772dfbb3f7453_0002.0001_0db5bf169ed5c0c1\\fritzbox-usb-fernanschluss.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 11:44 AM 107256]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [8/10/2009 12:36 PM 1382672]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [3/19/2009 11:44 AM 731840]
R3 avmaura;AVM USB Remote Connection;c:\windows\system32\drivers\avmaura.sys [8/19/2009 5:59 PM 101248]
R3 tbHD;Philips PSC703 WDM Driver;c:\windows\system32\drivers\TBirdHD.sys [10/9/2007 6:05 PM 336066]
R3 TBhdgame;Philips PSC703 GamePort;c:\windows\system32\drivers\tbhdgame.sys [10/9/2007 6:05 PM 11491]
S2 gupdate1ca19ad329a73a0;Google Update Service (gupdate1ca19ad329a73a0);c:\program files\Google\Update\GoogleUpdate.exe [8/10/2009 1:24 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 11:24]

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
TCP: {B47AAD2E-AF4D-47D2-A756-8BCF4600DCEF} = 192.168.178.1
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\loplo\Application Data\Mozilla\Firefox\Profiles\4v761pwj.default\
FF - component: c:\documents and settings\loplo\Application Data\Mozilla\Firefox\Profiles\4v761pwj.default\extensions\fb_add_on@avm.de\components\FB_AddOn.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-08-23 23:51
ComboFix-quarantined-files.txt 2009-08-23 21:50

Pre-Run: 15,682,334,720 bytes free
Post-Run: 15,712,694,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

370 --- E O F --- 2009-08-20 00:50

katana
2009-08-24, 01:06
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up



Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




OTCleanup
Please download OTCleanup from HERE (http://oldtimer.geekstogo.com/OTC.exe)
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt




You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for Home Users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE 7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program:
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
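The Internet-zone settings that katana's post walks through above can be audited with a script instead of clicking through the dialog. This is an added example, not part of the post or of any tool mentioned in it; it assumes Microsoft's documented zone action IDs under Zones\3 (1001, 1004, 1201, 1800, 1804, 1607) with 0/1/3 meaning Enable/Prompt/Disable, and the function name Test-IEInternetZone is made up here.

```powershell
# Added example (not from katana's post): audit the Internet zone (zone 3) settings the
# post recommends. Action IDs are Microsoft's documented IE zone action values; the
# data values are 0 = Enable, 1 = Prompt, 3 = Disable. A value missing from HKCU means
# the IE default applies, which this audit conservatively reports as "should change".
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name -> (registry value name, recommended data) exactly as given in the post
$recommended = [ordered]@{
    'Download signed ActiveX controls'                       = @{ Id = '1001'; Want = 1 }
    'Download unsigned ActiveX controls'                     = @{ Id = '1004'; Want = 3 }
    'Initialize and script ActiveX controls not marked safe' = @{ Id = '1201'; Want = 3 }
    'Installation of desktop items'                          = @{ Id = '1800'; Want = 1 }
    'Launching programs and files in an IFRAME'              = @{ Id = '1804'; Want = 1 }
    'Navigate sub-frames across different domains'           = @{ Id = '1607'; Want = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEInternetZone {
    # Hypothetical helper name. Reports each setting; -Fix writes the recommended value.
    param([string]$Path = $zonePath, [switch]$Fix)
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $recommended.Keys) {
        $id   = $recommended[$name].Id
        $want = $recommended[$name].Want
        $have = $key.$id
        if ($null -eq $have) {
            $haveText = 'not set (IE default applies)'
        } elseif ($null -ne $label[[int]$have]) {
            $haveText = $label[[int]$have]
        } else {
            $haveText = "unexpected value $have"
        }
        if ($have -eq $want) {
            Write-Output ("OK      {0}: {1}" -f $name, $label[$want])
        } else {
            Write-Output ("CHANGE  {0}: is {1}, should be {2}" -f $name, $haveText, $label[$want])
            if ($Fix) { Set-ItemProperty -Path $Path -Name $id -Value $want -Type DWord }
        }
    }
}

Test-IEInternetZone   # report only; run Test-IEInternetZone -Fix to apply the post's values
```

If a domain policy or the "Security_HKLM_only" setting is in force, the effective values live under HKLM instead of HKCU and the audit should be pointed at that hive.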

loplo
2009-08-24, 01:19
Thanks for your tips, it fully cleaned my PC.
OT CleanIt worked too.
I will take your tips into consideration.

Thanks again for your help!