View Full Version : Explorer.exe
Tony Tucker
2009-10-15, 21:17
Hello, I think there could be something wrong with my computer. When I look at my Task Manager, Explorer.exe is running at about 6% to 8% even when my computer is idle and doing nothing. It did not use to do this. I have noticed, however, that when I put my CA antivirus on snooze, explorer.exe goes back to zero straight away, and when I unsnooze it, it goes up to 6% to 8% again. This is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:39 a.m., on 16/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = C:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.playtech.co.nz
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15103/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDDAEDD-5E84-4252-8351-D90A355AEF3A}: NameServer = 202.180.64.10 202.180.64.11
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 7378 bytes
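The log above is raw HijackThis output: HJT only enumerates load points (BHOs, Run keys, Startup folders, DPF ActiveX downloads, per-interface DNS servers, services) and leaves the judgement to whoever reads it. As an added example, not part of this thread and not HijackThis's own code, the Python below parses that line format and applies a few triage heuristics a reviewer would otherwise apply by hand: Run entries given as a bare filename (resolved through the PATH search order, so the file that actually runs has to be confirmed), entries under the Policies\Explorer\Run key, ActiveX .cab downloads over plain HTTP, the NameServer addresses to confirm with the ISP, and service paths in 8.3 short form. The excerpt is a constructed subset of lines from the log above; the regexes and the flag rules are this example's own assumptions, and a flag means "verify", not "malicious".

```python
"""Triage helper for HijackThis (HJT) v2.0.x log lines.

Parses the 'Oxx - ' / 'Rx - ' entry lines, groups them by section and applies
a few simple heuristics. A flag is a prompt to verify, not a malware verdict.
"""
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the HJT log in the thread.
HJT_EXCERPT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDDAEDD-5E84-4252-8351-D90A355AEF3A}: NameServer = 202.180.64.10 202.180.64.11
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
"""

# Assumed line shapes (this example's own regexes, not HJT's specification).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 body: '<hive\..\Key>: [<name>] <command line>'
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d. ]+)$")


def parse_hjt(text):
    """Return {section: [body, ...]} for every recognised entry line."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return entries


def first_token(cmd):
    """Executable part of a command line, honouring a leading quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Apply the heuristics; returns a list of (section, reason, body)."""
    flags = []
    for body in entries.get("O2", []):
        if body.startswith("BHO: (no name)"):
            flags.append(("O2", "unnamed BHO, identify by CLSID and path", body))
    for body in entries.get("O4", []):
        m = O4_RE.match(body)
        if not m:
            continue
        exe = first_token(m.group("cmd"))
        if "\\" not in exe:
            # No directory: Windows searches the PATH order, so confirm which file runs.
            flags.append(("O4", "bare filename, resolved via PATH search order", body))
        if "policies\\explorer\\run" in m.group("key").lower():
            flags.append(("O4", "Policies\\Explorer\\Run key (policy autorun)", body))
    for body in entries.get("O16", []):
        if " - http://" in body:
            flags.append(("O16", "ActiveX .cab fetched over plain HTTP", body))
    for body in entries.get("O17", []):
        m = NAMESERVER_RE.search(body)
        if m:
            ips = m.group("ips").split()
            flags.append(("O17", f"per-interface DNS servers {ips}, confirm they are the ISP's", body))
    for body in entries.get("O23", []):
        if "~" in body:
            flags.append(("O23", "8.3 short path, resolve to the long path before checking the file", body))
    return flags


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(HJT_EXCERPT)):
        print(f"{section}: {reason}\n    {body}")
```

Run as a script it prints the flags; on this excerpt it raises eight, and none of them is a verdict on its own. The point of the bare-filename rule is that an entry such as `SOUNDMAN.EXE` tells you a name, not a file: the binary that actually starts is whichever copy the PATH search finds first.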
Tony Tucker
2009-10-15, 21:24
Sorry, this is my HijackThis log, un-word-wrapped.
Hi Tony Tucker,
When you added another post to your unanswered topic, it removed the zero-response status that helpers look for. :eek:
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137) :)
Tony Tucker
2009-10-23, 09:38
Hello Tashi, sorry about that. This is my current, up-to-date HijackThis log, as follows.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:15 p.m., on 23/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.playtech.co.nz
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15103/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDDAEDD-5E84-4252-8351-D90A355AEF3A}: NameServer = 202.180.64.10 202.180.64.11
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 7349 bytes
Hi Tony Tucker,
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137) :)
Please post in the Waiting Room with a link back to this topic which is
http://forums.spybot.info/showthread.php?t=52632
;)
Hello Tony
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Explorer will fluctuate depending on how many programs you have open.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
Please download Malwarebytes' Anti-Malware from Here ( http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log, please.
Tony Tucker
2009-10-29, 03:30
Hello Ken, here is my report, as follows:
Malwarebytes' Anti-Malware 1.41
Database version: 3049
Windows 5.1.2600 Service Pack 3
29/10/2009 12:10:08 p.m.
mbam-log-2009-10-29 (12-10-08).txt
Scan type: Quick Scan
Objects scanned: 102608
Time elapsed: 6 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\jkkji.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\Program Files\Mission01.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission02.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission03.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission04.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission05.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission06.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission07.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission08.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission09.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Mission10.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Training01.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Training02.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Training03.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Training04.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
Here is my new HijackThis report, as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:52 p.m., on 29/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.playtech.co.nz
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15103/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDDAEDD-5E84-4252-8351-D90A355AEF3A}: NameServer = 202.180.64.10 202.180.64.11
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 7301 bytes
Hello,
Do you use these two programs and know them to be safe?
C:\Program Files\MINDAlink
C:\PROGRA~1\Firebird
The rest of your log looks fine. How are things running now?
Tony Tucker
2009-10-30, 09:17
Hello Ken, I do not know what that Firebird programme is. My explorer.exe is still running at about 8 to 10% even when the computer is doing nothing. I am wondering if that Firebird programme is a bad thing.
Hi,
Open Hijackthis
Go to Misc Tools> Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and Paste the List into this thread
Tony Tucker
2009-10-31, 09:12
Hello Ken, the following is the uninstall list.
"Faces of War" (Remove Only)
Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Reader 8
AGEIA PhysX v2.3.3
Baldur's Gate(TM) II - Shadows of Amn(TM)
Battleship 2
BOILING POINT
CA Anti-Virus
Celtic Kings -- Rage of War
Clive Barker's Undying(tm)
Conflict Desert Storm II
DOOM II
Dungeon Lords
Dungeon Lords
DVD Region+CSS Free 5.9.4.0
DVD Solution
ERUNT 1.1j
Evil Islands
GetRight
Ghost Recon
Ghost Recon Advanced Warfighter
Gods - Lands of Infinity
Ground Control II
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Icewind Dale II
Interstate '76 Nitro Pack
Jagged Alliance 2 Gold Pack
Kaspersky Online Scanner
Malwarebytes' Anti-Malware
Medal of Honor Allied Assault
Medal of Honor Pacific Assault(tm)
Medal of Honor Pacific Assault(tm) Patch
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
MINDA Software
Morrowind
Multimedia Launcher
Nero OEM
Neverwinter Nights
NVIDIA Drivers
NVIDIA DVD Decoder
NVIDIA Media Center extensions for DVD
Prince of Persia T2T
Realtek AC'97 Audio
Redline
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
Sound Blaster 5.1
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Sudden Strike Gold
Sunbelt Personal Firewall
Supreme Commander Demo
System Requirements Lab
Terracide
TES Construction Set
Tomb Raider: Legend 1.0
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
USB Vibration Joystick
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Zboard (TM) Software
Hi,
I don't see an uninstall for Firebird. It appears to be legit. Is this computer one that you got used from someone else?
http://www.file.net/process/fbguard.exe.html
You can go to Start > Run, type in services.msc and press Enter, then scroll to these two entries, right-click on each one, select Properties and set the Startup type to Disabled. OK your way out and see if this made a difference. If it causes issues, which it should not, you can go back and re-enable them:
FirebirdGuardianDefaultInstance
FirebirdServerDefaultInstance
Tony Tucker
2009-11-01, 03:53
Hello Ken, I bought my computer brand new. I did disable these two things, but then I put them back like they were because when I restarted the computer it said there was an error. Another message came up saying there was something wrong with my Mindalink programme, so I suppose this Firebird works together with Mindalink. Are you wanting me to download RegistryBooster and scan my computer with it?
Tony,
MINDA Software <-- Mindalink and Firebird appear to be linked together. Did you install and use this software?
One thing you don't want to do is run any registry cleaners. Remove the wrong entries and you can make your system inoperable.
Tony Tucker
2009-11-01, 04:55
Hello Ken, yes I was the one that installed and uses Mindalink. I have looked on the internet and found out that there is a "clicktilluwin" thing associated with explorer.exe and I have found this "clicktilluwin" when I searched my registry. I don't know if this means anything or not.
Good Morning,
clicktilluwin <-- This is a pain to remove, and you may have gotten it from file-sharing sites. Go to this site and let's try StopZilla and see if it removes it:
http://www.safer-networking.com/tools/
Tony Tucker
2009-11-02, 22:53
Hello Ken, I do not use file-sharing programmes. I have downloaded Stopzilla and run the scan, but it says I have to register it to remove the things it has found.
OK,
Sorry, I thought it was the free version.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT!!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.
Tony Tucker
2009-11-04, 12:38
Hello Ken, this is my ComboFix log, as follows:
ComboFix 09-11-03.03 - Brian 04/11/2009 23:08.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.549 [GMT 13:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.
ADS - explorer.exe: deleted 88 bytes in 2 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\aabdeg.ini
c:\windows\bedgjl.ini
c:\windows\kb913800.exe
c:\windows\oqprqr.ini
c:\windows\system32\Data
c:\windows\xyybbc.ini
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-02 19:02 . 2009-11-02 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-02 19:02 . 2009-11-02 19:02 -------- d-----w- c:\program files\STOPzilla!
2009-11-02 19:02 . 2009-11-02 19:02 -------- d-----w- c:\program files\Common Files\iS3
2009-11-02 19:02 . 2009-11-04 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-28 22:39 . 2009-10-28 22:39 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-10-28 22:38 . 2009-09-10 01:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 22:38 . 2009-10-28 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 22:38 . 2009-10-28 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 22:38 . 2009-09-10 01:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 22:08 . 2009-10-26 22:08 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-26 22:08 . 2009-10-26 22:08 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-26 21:59 . 2009-10-26 21:59 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-20 01:40 . 2009-10-20 01:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 01:40 . 2009-10-20 01:40 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 01:38 . 2009-10-20 01:38 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 01:37 . 2009-10-20 01:37 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 01:37 . 2009-10-20 01:37 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 01:35 . 2009-10-20 01:35 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 01:35 . 2009-10-20 01:35 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 01:35 . 2009-10-20 01:35 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 01:31 . 2009-10-20 01:31 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-10-14 17:29 . 2009-10-14 17:29 739752 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-10-14 17:29 . 2009-10-14 17:29 133576 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-14 08:34 . 2009-10-28 22:35 -------- d-----w- c:\program files\ERUNT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 09:36 . 2006-05-13 20:46 -------- d-----w- c:\program files\GetRight
2009-11-04 09:35 . 2009-11-04 09:35 328 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-03 10:56 . 2009-10-03 10:56 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-03 10:56 . 2009-10-03 10:56 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-01 09:00 . 2006-03-08 23:39 1033728 ----a-w- c:\windows\explorer.exe
2009-09-29 07:38 . 2009-09-29 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\POP3Profiles
2009-09-11 14:18 . 2006-03-08 23:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 09:24 . 2007-07-11 09:38 -------- d-----w- c:\program files\Ubisoft
2009-09-11 09:24 . 2006-03-09 16:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-04 21:03 . 2006-03-08 23:39 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 10:18 . 2008-07-21 10:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-26 08:00 . 2006-03-08 23:40 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-09-04 01:35 . 2006-03-23 21:12 0 ----a-w- c:\program files\ScriptErrors.txt
2004-10-01 23:00 . 2006-03-09 17:17 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2003-08-26 08:22 . 2008-08-19 00:50 3992958 ------w- c:\program files\CDS II.EXE
2003-08-20 09:18 . 2008-08-19 00:51 15805034 ----a-w- c:\program files\training04.dat
2003-08-20 08:04 . 2008-08-19 00:51 22771608 ----a-w- c:\program files\training02.dat
2003-08-20 01:47 . 2008-08-19 00:51 29273392 ----a-w- c:\program files\mission10.dat
2003-08-20 01:45 . 2008-08-19 00:50 10124929 ----a-w- c:\program files\chardata.dat
2003-08-20 01:44 . 2008-08-19 00:51 30075560 ----a-w- c:\program files\mission09.dat
2003-08-20 01:42 . 2008-08-19 00:51 24121273 ----a-w- c:\program files\mission08.dat
2003-08-20 01:40 . 2008-08-19 00:51 26365316 ----a-w- c:\program files\mission07.dat
2003-08-20 01:38 . 2008-08-19 00:51 25956451 ----a-w- c:\program files\mission06.dat
2003-08-20 01:36 . 2008-08-19 00:51 28174672 ----a-w- c:\program files\mission05.dat
2003-08-20 01:34 . 2008-08-19 00:51 22863301 ----a-w- c:\program files\mission04.dat
2003-08-20 01:33 . 2008-08-19 00:51 25251751 ----a-w- c:\program files\mission03.dat
2003-08-20 01:31 . 2008-08-19 00:50 30691944 ----a-w- c:\program files\mission02.dat
2003-08-20 01:29 . 2008-08-19 00:50 29289951 ----a-w- c:\program files\mission01.dat
2003-08-20 01:26 . 2008-08-19 00:51 17224834 ----a-w- c:\program files\training03.dat
2003-08-20 01:22 . 2008-08-19 00:51 16584121 ----a-w- c:\program files\training01.dat
2003-08-20 01:19 . 2008-08-19 00:50 257245 ----a-w- c:\program files\FrontEnd.dat
2003-08-20 01:19 . 2008-08-19 00:51 2447326 ----a-w- c:\program files\catalog.dat
2003-08-20 00:56 . 2008-08-19 00:51 7029197 ----a-w- c:\program files\mission10.sch
2003-08-20 00:55 . 2008-08-19 00:51 8022688 ----a-w- c:\program files\mission09.sch
2003-08-20 00:53 . 2008-08-19 00:51 7867105 ----a-w- c:\program files\mission08.sch
2003-08-20 00:51 . 2008-08-19 00:51 7306518 ----a-w- c:\program files\mission07.sch
2003-08-20 00:49 . 2008-08-19 00:51 7327195 ----a-w- c:\program files\mission06.sch
2003-08-20 00:48 . 2008-08-19 00:51 6482025 ----a-w- c:\program files\mission05.sch
2003-08-20 00:46 . 2008-08-19 00:51 6552978 ----a-w- c:\program files\mission04.sch
2003-08-20 00:45 . 2008-08-19 00:51 10336842 ----a-w- c:\program files\mission03.sch
2003-08-20 00:43 . 2008-08-19 00:51 9970473 ----a-w- c:\program files\mission02.sch
2003-08-20 00:41 . 2008-08-19 00:50 9775822 ----a-w- c:\program files\mission01.sch
2003-08-20 00:37 . 2008-08-19 00:51 11480020 ----a-w- c:\program files\training03.sch
2003-08-20 00:36 . 2008-08-19 00:51 9570464 ----a-w- c:\program files\training02.sch
2003-08-20 00:35 . 2008-08-19 00:51 9482396 ----a-w- c:\program files\training04.sch
2003-08-20 00:33 . 2008-08-19 00:51 11963776 ----a-w- c:\program files\training01.sch
2003-08-20 00:31 . 2008-08-19 00:50 75396 ----a-w- c:\program files\FrontEnd.sch
2003-08-08 05:45 . 2008-08-19 00:50 3686 ----a-w- c:\program files\default.key
2003-03-25 22:56 . 2008-08-19 00:51 357939 ----a-w- c:\program files\binkw32.dll
2002-06-05 12:09 . 2008-02-26 06:09 966016 ----a-w- c:\program files\chitin.key
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mlp_manager"="c:\program files\MINDAlink\mlp_manager.exe" [2006-09-04 2865664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-31 177392]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2009-10-14 230664]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
GetRight - Tray Icon.lnk - c:\program files\GetRight\getright.exe [2006-6-17 2301952]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
2003-09-02 19:14 49152 ----a-w- c:\windows\system32\Winlognotif.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/05/2009 2:13 p.m. 61328]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 11:21 a.m. 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 11:21 a.m. 72624]
R2 FirebirdGuardianDefaultInstance;FirebirdGuardianDefaultInstance;c:\progra~1\Firebird\FIREBI~1\Bin\FBGuard.EXE -s --> c:\progra~1\Firebird\FIREBI~1\Bin\FBGuard.EXE -s [?]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26/04/2007 11:21 a.m. 1234480]
R3 FirebirdServerDefaultInstance;FirebirdServerDefaultInstance;c:\progra~1\Firebird\FIREBI~1\Bin\fbserver.exe -s -g --> c:\progra~1\Firebird\FIREBI~1\Bin\fbserver.exe -s -g [?]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/05/2009 2:13 p.m. 61328]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
LSP: c:\windows\system32\VetRedir.dll
TCP: {CFDDAEDD-5E84-4252-8351-D90A355AEF3A} = 202.180.64.10 202.180.64.11
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
HKCU-Run-PowerBar - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 23:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D?????A~??????????????A~l?@?l?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0???????????? st??A~?????????????????'??????????????l?@?l?@?????Q?B~????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1202660629-823518204-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-11-04 23:19
ComboFix-quarantined-files.txt 2009-11-04 10:19
Pre-Run: 96,723,955,712 bytes free
Post-Run: 96,720,281,600 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:04 p.m., on 04/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\Stopzilla!\Toolbar\SZSG.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\Stopzilla!\Toolbar\SZSG.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.playtech.co.nz
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15103/CTPID.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 6536 bytes
Hi,
You can go ahead and uninstall Stopzilla via Add/Remove Programs in the Control Panel
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
c:\windows\system32\drivers\is3srv.sys <--This file
Logs look good, how are things running now?
Tony Tucker
2009-11-05, 10:31
Hello Ken, I have uninstalled Stopzilla and also the is3 Stopzilla Toolbar as well. This could be a problem. I cannot find the file that you want me to submit to VirusTotal, however. Before I uninstalled the is3 Stopzilla Toolbar there was a file there called is3srv I think, but it is now gone. Should I restore my computer back to the time just before I uninstalled the is3 Stopzilla toolbar and then submit this file?
Good Morning,
No, don't restore your computer; that file may have been related to Stopzilla.
How are things running now?
Tony Tucker
2009-11-05, 19:44
Hello Ken, explorer.exe is still operating at 10% even when the computer is idle. I did a search in my registry for is3srv and it is there along with "clicktilluwin", explorer.exe, Firebird, LDAP32.DLL, dlder.exe, Flashplayer.
Hi,
Try this free program, it should remove clicktilluwin
http://www.lavasoft.com/products/ad_aware_free.php
Tony Tucker
2009-11-07, 19:57
Hello Ken, I have run the Ad-Aware scan and it has removed some things, but Explorer.exe is still operating at about 10% even when the computer is doing nothing.
CA antivirus <--Disable this and see if it goes down
Let's check to see if it's infected
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
C:\WINDOWS\explorer.exe
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
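Reading the VirusTotal report back from the step above, a helper wants two things: that the MD5/SHA-1 in the report's file data match the file actually on disk, and whether any hit is a named family or only a heuristic verdict. The Python below is an added example (not code from this thread, from VirusTotal or from any tool mentioned here) that parses the plain-text report format VirusTotal returns by e-mail; the sample report is a constructed fragment in that format.

```python
"""Parse a plain-text VirusTotal report ("[ file data ]" / "[ scan result ]"
layout) and summarise it. Added example, not code from the thread or VirusTotal."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample fragment in the e-mail report layout (hypothetical content).
SAMPLE_REPORT = """\
Complete scanning result of "explorer.exe"
[ file data ]
* name..: explorer.exe
* size..: 1033728
* md5...: 12896823fb95bfb3dc9b46bcaedc9923
* sha1..: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
* peid..: -
[ scan result ]
AntiVir 7.9.1.61/20091108 found nothing
Kaspersky 7.0.0.125/20091108 found nothing
McAfee-GW-Edition 6.8.5/20091109 found [Heuristic.LooksLike.Win32.Suspicious.K]
Microsoft 1.5202/20091108 found nothing
"""

# Tokens in a detection name that usually mean a heuristic/generic verdict
# rather than a signature for a specific, known family.
HEURISTIC_MARKERS = ("heuristic", "lookslike", "suspicious", "generic", "gen.")

FILE_DATA_RE = re.compile(r"^\*\s*(?P<key>[a-z0-9]+)\.*:\s*(?P<value>.*)$")
SCAN_LINE_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+found\s+(?P<result>.+)$")


def parse_report(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return (file_data, results). Each result is (engine, version, detection),
    with detection == "" when that engine found nothing."""
    file_data: Dict[str, str] = {}
    results: List[Tuple[str, str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ").lower()  # "file data" or "scan result"
            continue
        if section == "file data":
            m = FILE_DATA_RE.match(line)
            if m:
                file_data[m.group("key")] = m.group("value").strip()
        elif section == "scan result":
            m = SCAN_LINE_RE.match(line)
            if not m:
                continue
            result = m.group("result").strip()
            detection = "" if result == "nothing" else result.strip("[]")
            results.append((m.group("engine"), m.group("version"), detection))
    return file_data, results


def is_heuristic(detection: str) -> bool:
    """True when the name looks heuristic/generic rather than a named family.
    A single such hit on a Microsoft system binary is weak evidence on its own."""
    name = detection.lower()
    return any(marker in name for marker in HEURISTIC_MARKERS)


def summarise_report(text: str) -> Dict[str, object]:
    """Engine count, the list of (engine, detection) hits, and whether every
    hit is heuristic-only, plus the hashes VirusTotal recorded for the file."""
    file_data, results = parse_report(text)
    detections = [(engine, det) for engine, _ver, det in results if det]
    return {
        "name": file_data.get("name", ""),
        "md5": file_data.get("md5", ""),
        "sha1": file_data.get("sha1", ""),
        "engines": len(results),
        "detections": detections,
        "heuristic_only": bool(detections) and all(is_heuristic(d) for _e, d in detections),
    }


def hashes_match(file_data: Dict[str, str], data: bytes) -> bool:
    """Confirm a local copy is the same object VirusTotal scanned by comparing
    its MD5 and SHA-1 with the report's [ file data ] block."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return md5 == file_data.get("md5", "").lower() and sha1 == file_data.get("sha1", "").lower()


if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    print(f"{s['name']}: {len(s['detections'])}/{s['engines']} engines flagged it; "
          f"heuristic only: {s['heuristic_only']}")
    for engine, det in s["detections"]:
        print(f"  {engine}: {det}")
```

To check a real file, read C:\WINDOWS\explorer.exe as bytes and pass it to hashes_match together with the parsed file data; a mismatch means the report describes a different file from the one on disk.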
Tony Tucker
2009-11-09, 04:45
Hello Ken, this is the information you have requested. Yes, when I put my CA Antivirus on snooze it does indeed make explorer.exe go to 0 per cent and then up to 8 to 10% when I unsnooze CA again. I was unable to send the explorer file to Virusvault because it would upload for a while and then the screen would change and say there has been an error. I tried to do this several times but it would keep coming up with an error all the time. However, I was able to email it to them and here is what I got back in the return email.
Complete scanning result of "explorer.exe", processed in VirusTotal at 11/09/2009 02:01:46 (CET).
[ file data ]
* name..: explorer.exe
* size..: 1033728
* md5...: 12896823fb95bfb3dc9b46bcaedc9923
* sha1..: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
* peid..: -
[ scan result ]
a-squared 4.5.0.41/20091108 found nothing
AhnLab-V3 5.0.0.2/20091106 found nothing
AntiVir 7.9.1.61/20091108 found nothing
Antiy-AVL 2.0.3.7/20091105 found nothing
Authentium 5.2.0.5/20091108 found nothing
Avast 4.8.1351.0/20091108 found nothing
AVG 8.5.0.423/20091108 found nothing
BitDefender 7.2/20091109 found nothing
CAT-QuickHeal 10.00/20091107 found nothing
ClamAV 0.94.1/20091109 found nothing
Comodo 2890/20091109 found nothing
DrWeb 5.0.0.12182/20091109 found nothing
eTrust-Vet 35.1.7108/20091106 found nothing
F-Prot 4.5.1.85/20091108 found nothing
F-Secure 9.0.15370.0/20091104 found nothing
Fortinet 3.120.0.0/20091108 found nothing
GData 19/20091109 found nothing
Ikarus T3.1.1.74.0/20091108 found nothing
Jiangmin 11.0.800/20091108 found nothing
K7AntiVirus 7.10.891/20091107 found nothing
Kaspersky 7.0.0.125/20091108 found nothing
McAfee 5796/20091108 found nothing
McAfee+Artemis 5796/20091108 found nothing
McAfee-GW-Edition 6.8.5/20091109 found [Heuristic.LooksLike.Win32.Suspicious.K]
Microsoft 1.5202/20091108 found nothing
NOD32 4586/20091109 found nothing
Norman 6.03.02/20091106 found nothing
nProtect 2009.1.8.0/20091108 found nothing
Panda 10.0.2.2/20091108 found nothing
PCTools 7.0.3.5/20091106 found nothing
Prevx 3.0/20091109 found nothing
Rising 21.54.62.00/20091108 found nothing
Sophos 4.47.0/20091109 found nothing
Sunbelt 3.2.1858.2/20091108 found nothing
Symantec 1.4.4.12/20091109 found nothing
TheHacker 6.5.0.2.063/20091106 found nothing
TrendMicro 9.0.0.1003/20091108 found nothing
VBA32 3.12.10.11/20091109 found nothing
ViRobot 2009.11.6.2025/20091106 found nothing
VirusBuster 4.6.5.0/20091108 found nothing
Here is the ESET Online Scanner text as follows
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b1e95bcb3514cc488b586db7399a1c7d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-08 11:48:44
# local_time=2009-11-09 12:48:44 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=256 16777215 100 0 77480063 77480063 0 0
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=4865 16777189 100 100 137953 79556218 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 25 13 76695792 76695815 0 0
# scanned=97266
# found=5
# cleaned=5
# scan_time=1827
C:\Qoobox\Quarantine\C\WINDOWS\aabdeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\bedgjl.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\oqprqr.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\xyybbc.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\VundoFix Backups\chtonf.dll.bad probably a variant of Win32/TrojanDownloader.ConHook.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Here is the RSIT information as follows
Logfile of random's system information tool 1.06 (written by random/random)
Run by Brian at 2009-11-09 15:16:57
Microsoft Windows XP Professional Service Pack 3
System drive C: has 91 GB (60%) free of 153 GB
Total RAM: 1023 MB (48% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:35 p.m., on 09/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Brian\Desktop\RSIT.exe
C:\Documents and Settings\Brian\Desktop\Brian.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.playtech.co.nz
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15103/CTPID.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FirebirdGuardianDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - The Firebird Project - C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 6757 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
bho2gr Class - C:\Program Files\GetRight\xx2gr.dll [2005-02-14 233472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 853672]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-10 155648]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-06 64512]
"cctray"=C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe [2009-07-31 177392]
"CAVRID"=C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe [2009-10-15 230664]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"AGEIA PhysX SysTray"=C:\Program Files\AGEIA Technologies\TrayIcon.exe [2006-03-21 331776]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mlp_manager"=C:\Program Files\MINDAlink\mlp_manager.exe [2006-09-04 2865664]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe
C:\Documents and Settings\Brian\Start Menu\Programs\Startup
Registration Brothers In Arms.LNK - D:\Support\Register\RegistrationReminder.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-11 241704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Zboard]
C:\WINDOWS\system32\Winlognotif.dll [2003-09-03 49152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-10 49152]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe"="C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe:*:Enabled:Sunbelt Firewall GUI"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d885041-afa0-11da-a082-806d6172696f}]
shell\AutoRun\command - D:\Autorun.exe
======List of files/folders created in the last 3 months======
2009-11-09 15:16:57 ----D---- C:\rsit
2009-11-09 00:51:10 ----A---- C:\WINDOWS\ppyanti.txt
2009-11-08 23:02:41 ----D---- C:\Program Files\ESET
2009-11-07 23:54:58 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-11-07 09:23:58 ----HDC---- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-07 09:23:44 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-11-06 22:45:52 ----A---- C:\Program Files\Ad-AwareInstallation.exe
2009-11-05 16:20:00 ----D---- C:\WINDOWS\SxsCaPendDel
2009-11-04 23:19:33 ----D---- C:\WINDOWS\temp
2009-11-04 23:19:27 ----A---- C:\ComboFix.txt
2009-11-04 23:07:45 ----A---- C:\Boot.bak
2009-11-04 23:07:40 ----RASHD---- C:\cmdcons
2009-11-04 22:51:04 ----D---- C:\ComboFix
2009-11-04 15:54:30 ----A---- C:\WINDOWS\zip.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\SWSC.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\SWREG.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\sed.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\PEV.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\MBR.exe
2009-11-04 15:54:30 ----A---- C:\WINDOWS\grep.exe
2009-11-04 15:52:14 ----D---- C:\Qoobox
2009-11-03 08:02:46 ----D---- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-11-03 08:02:02 ----D---- C:\Program Files\Common Files\iS3
2009-11-03 08:02:01 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-10-29 11:39:03 ----D---- C:\Documents and Settings\Brian\Application Data\Malwarebytes
2009-10-29 11:38:54 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-29 11:38:54 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-28 13:15:19 ----HDC---- C:\WINDOWS\$NtUninstallKB953295$
2009-10-26 09:28:49 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-26 09:26:22 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-23 20:01:36 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-23 20:01:29 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-23 20:01:18 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-21 19:28:55 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-20 20:35:06 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-20 20:34:53 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-19 22:39:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-14 21:36:18 ----D---- C:\WINDOWS\ERDNT
2009-10-14 21:34:31 ----D---- C:\Program Files\ERUNT
2009-10-03 23:56:40 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-03 23:56:39 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-09-29 20:38:04 ----D---- C:\Documents and Settings\All Users\Application Data\POP3Profiles
2009-09-12 00:13:00 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-09-11 16:42:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-09-11 07:31:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973768$
2009-09-08 10:23:22 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-26 17:31:00 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-18 00:13:29 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-15 08:46:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-15 08:46:37 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-14 22:51:51 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-14 22:51:42 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-14 22:51:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-14 17:43:05 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-14 17:42:53 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-13 16:47:29 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
======List of files/folders modified in the last 3 months======
2009-11-09 15:16:44 ----D---- C:\WINDOWS\Prefetch
2009-11-09 13:10:45 ----D---- C:\WINDOWS\system32
2009-11-09 13:10:45 ----D---- C:\WINDOWS
2009-11-09 13:01:46 ----SD---- C:\WINDOWS\Tasks
2009-11-09 13:01:13 ----A---- C:\WINDOWS\ModemLog_SoftV92 Data Fax Modem.txt
2009-11-09 13:01:08 ----D---- C:\WINDOWS\Registration
2009-11-09 12:59:38 ----D---- C:\WINDOWS\CAVTemp
2009-11-09 01:35:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-08 23:02:44 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-08 23:02:43 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-08 23:02:41 ----RD---- C:\Program Files
2009-11-08 14:48:29 ----D---- C:\Program Files\GetRight
2009-11-08 14:45:18 ----D---- C:\Downloads
2009-11-08 14:22:43 ----HD---- C:\WINDOWS\inf
2009-11-08 14:22:33 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-08 14:22:14 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-08 14:22:14 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-07 22:53:55 ----D---- C:\WINDOWS\system32\drivers
2009-11-07 09:35:13 ----D---- C:\Program Files\Lavasoft
2009-11-07 09:35:12 ----D---- C:\Documents and Settings\Brian\Application Data\Lavasoft
2009-11-07 09:35:11 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-11-07 09:24:40 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-11-07 09:23:58 ----SHD---- C:\WINDOWS\Installer
2009-11-07 09:23:38 ----D---- C:\WINDOWS\WinSxS
2009-11-07 03:17:31 ----D---- C:\Program Files\Internet Explorer
2009-11-07 03:01:25 ----A---- C:\WINDOWS\imsins.BAK
2009-11-04 23:16:46 ----A---- C:\WINDOWS\system.ini
2009-11-04 23:13:19 ----D---- C:\WINDOWS\AppPatch
2009-11-04 23:13:18 ----D---- C:\Program Files\Common Files
2009-11-04 23:07:45 ----RASH---- C:\boot.ini
2009-11-03 08:12:54 ----D---- C:\WINDOWS\Minidump
2009-11-03 05:54:21 ----SHD---- C:\System Volume Information
2009-10-22 22:19:04 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-10-03 07:01:57 ----A---- C:\WINDOWS\system32\MRT.exe
2009-10-01 22:00:26 ----N---- C:\WINDOWS\explorer.exe
2009-10-01 12:32:04 ----D---- C:\WINDOWS\Help
2009-09-29 20:44:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-09-29 20:38:38 ----D---- C:\WINDOWS\system32\config
2009-09-29 20:38:24 ----D---- C:\WINDOWS\system32\wbem
2009-09-12 03:18:39 ----A---- C:\WINDOWS\system32\msv1_0.dll
2009-09-11 22:35:38 ----A---- C:\WINDOWS\DVDRegionFree.INI
2009-09-11 22:24:49 ----D---- C:\Program Files\Ubisoft
2009-09-11 22:24:46 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-11 07:31:56 ----D---- C:\WINDOWS\ehome
2009-09-05 10:03:36 ----A---- C:\WINDOWS\system32\msasn1.dll
2009-08-31 23:18:44 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2009-08-29 21:08:21 ----A---- C:\WINDOWS\system32\wininet.dll
2009-08-29 21:08:21 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-08-29 21:08:20 ----A---- C:\WINDOWS\system32\occache.dll
2009-08-29 21:08:18 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-08-29 21:08:18 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-08-29 21:08:18 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-08-29 21:08:18 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-08-29 21:08:17 ----A---- C:\WINDOWS\system32\iepeers.dll
2009-08-29 21:08:16 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-08-29 21:08:13 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-08-28 23:35:52 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-08-26 21:00:21 ----A---- C:\WINDOWS\system32\strmdll.dll
2009-08-15 08:46:39 ----D---- C:\Program Files\Outlook Express
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 fwdrv;Firewall Driver; C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 302000]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 khips;Kerio HIPS Driver; C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 72624]
R1 VETEFILE;VET File Scan Engine; C:\WINDOWS\system32\drivers\VETEFILE.sys [2009-10-15 739752]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2007-05-03 21648]
R1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2007-05-03 26640]
R1 VETMONNT;VET File Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2007-05-03 32528]
R1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2007-05-03 21392]
R2 ithsgt;ithsgt; C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2008-05-27 162432]
R2 lilsgt;lilsgt; C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2008-05-27 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-04 11868]
R2 NvNdis;NVIDIA NDIS IO Control Driver; \??\C:\WINDOWS\system32\Drivers\NvNdis.sys []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2007-10-26 4124352]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-04 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-04 220032]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-18 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 P16X;Sound Blaster 5.1; C:\WINDOWS\system32\drivers\P16X.sys [2005-07-22 1275776]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-10-12 9856]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 VETEBOOT;VET Boot Scan Engine; C:\WINDOWS\system32\drivers\VETEBOOT.sys [2009-10-15 133576]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-04 685056]
S3 catchme;catchme; \??\C:\DOCUME~1\Brian\LOCALS~1\Temp\catchme.sys []
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-11 11008]
S3 OmniDrv;Ideazon Keyboard Driver; C:\WINDOWS\system32\DRIVERS\OmniDrv.sys [2004-01-05 30976]
S3 OmniUsb;Ideazon USB Zboard Driver; C:\WINDOWS\system32\DRIVERS\OmniUsb.sys [2005-04-08 28800]
S3 OmniUsbl;Ideazon USBl Zboard Driver; C:\WINDOWS\system32\DRIVERS\OmniUsbl.sys [2004-07-27 9696]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\system32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-11 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 CAISafe;CAISafe; C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe [2007-05-03 144960]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-10-12 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-06 102912]
R2 FirebirdGuardianDefaultInstance;FirebirdGuardianDefaultInstance; C:\PROGRA~1\Firebird\FIREBI~1\Bin\FBGuard.EXE [2005-10-03 65536]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-11-07 1179232]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-06 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 1234480]
R2 VETMSGNT;VET Message Service; C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe [2009-10-15 233472]
R3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2009-07-31 214256]
R3 FirebirdServerDefaultInstance;FirebirdServerDefaultInstance; C:\PROGRA~1\Firebird\FIREBI~1\Bin\fbserver.exe [2005-10-03 1527893]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-08-04 38912]
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.06 2009-11-09 15:17:39
======Uninstall list======
"Faces of War" (Remove Only)-->"C:\Program Files\Ubisoft\Faces of War\unins000.exe"
-->"C:\Program Files\Creative\SB5.1\Program\Ctzapxx.EXE" /W /U /S
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
AGEIA PhysX v2.3.3-->"C:\Program Files\AGEIA Technologies\uninstall.exe"
Baldur's Gate(TM) II - Shadows of Amn(TM)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DAE4336-2B71-11D4-9A6C-006067325E47}\setup.exe"
Battleship 2-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Battleship 2\Uninst.isu"
BOILING POINT-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58AC967F-CE64-4065-AF54-FA66BAF31FE8}\SETUP.EXE" -l0x9
CA Anti-Virus-->"C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
Celtic Kings -- Rage of War-->C:\PROGRA~1\STRATE~1\CELTIC~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\CELTIC~1\INSTALL.LOG
Clive Barker's Undying(tm)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{631A0B87-B0B7-4B47-00A2-119A4B942EB6}\setup.exe" -l0x9 Uninstall
Conflict Desert Storm II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{08F0DDCB-05C1-4A0E-B9E7-9EE077A2EDAD}\setup.exe" -l0x9
DOOM II-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\DOOM II\DOOM II\DOOMII.isu"
Dungeon Lords-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4EC24B6B-6C6F-49EF-8856-0FF7634C2F4D}\setup.exe" -l0x9
Dungeon Lords-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F41D7749-D973-42E7-BD80-64309766C39E}\setup.exe" -l0x9 -removeonly
DVD Region+CSS Free 5.9.4.0-->"C:\Program Files\DVD Region+CSS Free\unins000.exe"
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Evil Islands-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34034600-FB40-4542-BF97-A87AF0A45BFF}\Setup.exe" -l0x9
GetRight-->C:\Program Files\GetRight\GETRIGHT.EXE /UNINSTALL
Ghost Recon Advanced Warfighter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFC97089-04D6-42CE-A707-A343B4A7D2CD}\Setup.exe" -l0x9
Ghost Recon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}\setup.exe"
Gods - Lands of Infinity-->"C:\Program Files\Strategy First\Gods - LOI SE\Uninstall Information\unins000.exe"
Ground Control II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21C41BAF-6F62-469D-A43B-DDF01628346E}\setup.exe" -l0x9
HijackThis 2.0.2-->"C:\Documents and Settings\Brian\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Icewind Dale II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{588C135F-0B15-4A02-8F2D-04697BE2904E}\setup.exe" -l0x9
Interstate '76 Nitro Pack-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Activision\I76Nitro\Uninst.isu"
Jagged Alliance 2 Gold Pack-->C:\PROGRA~1\STRATE~1\JAGGED~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\JAGGED~1\INSTALL.LOG
Kaspersky Online Scanner-->C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medal of Honor Allied Assault-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Medal of Honor Pacific Assault(tm) Patch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA586D1D-6E4B-4A05-B956-4ACF063BA711}\setup.exe" -l0x9 -removeonly
Medal of Honor Pacific Assault(tm)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}\Setup.exe" -l0x9 -removeonly
Microsoft .NET Framework 1.0 Hotfix (KB953295)-->"C:\WINDOWS\$NtUninstallKB953295$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
MINDA Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{339ABC2E-AA2B-46B1-A5F7-B2B0AA1D16C1}\Setup.exe" -l0x9 anything
Morrowind-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Morrowind\MWUninstall\setup.exe" -l0x9
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Neverwinter Nights-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C503E58-B2BC-11D5-978A-0050BA84F5F7}\setup.exe" -l0x9
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA DVD Decoder-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}\setup.exe" -l0x9 -uninstall
NVIDIA Media Center extensions for DVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED5FE275-944A-4E31-A109-FC9CD9E5AEA4}\setup.exe" -l0x9 -uninstall
Prince of Persia T2T-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DFFE2B1F-07E0-45A9-8801-CD8514CAA876}\setup.exe" -l0x9 -removeonly
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Redline-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Accolade\Redline\Uninst.isu" -c"C:\Program Files\Accolade\Redline\Uninst.dll"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG
Sound Blaster 5.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD196DAC-F550-46C5-9D3A-FD04474C1FCC}\SETUP.EXE" -l0x9
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Sudden Strike Gold-->C:\Program Files\Sudden Strike Gold\uninstall.exe
Sunbelt Personal Firewall-->MsiExec.exe /X{BFD080F6-3BF0-40E1-9507-9CA969C35870}
Supreme Commander Demo-->C:\Program Files\InstallShield Installation Information\{25A1E6A4-2DBD-4AC0-8650-8EA9A45B1848}\setup.exe -runfromtemp -l0x0009 -removeonly
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Terracide-->C:\WINDOWS\uninst.exe -fC:\Terracide\DeIsL1.isu
TES Construction Set-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Morrowind\CSUninstall\Setup.exe" -l0x9
Tomb Raider: Legend 1.0-->C:\Program Files\Tomb Raider - Legend\uninsttrl.exe
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
USB Vibration Joystick-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA12FD6C-169A-11D7-A6A9-00C026281E5A}\setup.exe" -l0x9
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Media Center Edition 2005 KB908250-->"C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB973768-->"C:\WINDOWS\$NtUninstallKB973768$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Zboard (TM) Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B5658E-5E34-45C1-AAFA-8AF997684928}\Setup.exe" -l0x9
======Security center information======
AV: CA Anti-Virus
FW: Sunbelt Personal Firewall
======System event log======
Computer Name: YOUR-02F33F0187
Event Code: 1073
Message: The attempt to power off YOUR-02F33F0187 failed
Record Number: 102077
Source Name: USER32
Time Written: 20091001221556.000000+780
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: YOUR-02F33F0187
Event Code: 7000
Message: The Sunbelt Personal Firewall 4 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Record Number: 102023
Source Name: Service Control Manager
Time Written: 20091001121951.000000+780
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Sunbelt Personal Firewall 4 service to connect.
Record Number: 102022
Source Name: Service Control Manager
Time Written: 20091001121951.000000+780
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 7000
Message: The Sunbelt Personal Firewall 4 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Record Number: 101761
Source Name: Service Control Manager
Time Written: 20090928191916.000000+780
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the Sunbelt Personal Firewall 4 service to connect.
Record Number: 101760
Source Name: Service Control Manager
Time Written: 20090928191916.000000+780
Event Type: error
User:
=====Application event log=====
Computer Name: YOUR-02F33F0187
Event Code: 1000
Message: Faulting application kpf4ss.exe, version 4.5.916.0, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x0001b21a.
Record Number: 6683
Source Name: Application Error
Time Written: 20090504053951.000000+720
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 1000
Message: Faulting application kpf4ss.exe, version 4.5.916.0, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x0001b21a.
Record Number: 6673
Source Name: Application Error
Time Written: 20090501060405.000000+720
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x519857d0.
Record Number: 6472
Source Name: Application Error
Time Written: 20090409205121.000000+720
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 1000
Message: Faulting application mlp_manager.exe, version 6.0.5.0, faulting module kernel32.dll, version 5.1.2600.5512, fault address 0x00012aeb.
Record Number: 5987
Source Name: Application Error
Time Written: 20090224062233.000000+780
Event Type: error
User:
Computer Name: YOUR-02F33F0187
Event Code: 212
Message:
Record Number: 5978
Source Name: FirebirdGuardianDefaultInstance
Time Written: 20090223155404.000000+780
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 7 Stepping 10, AuthenticAMD
"PROCESSOR_REVISION"=070a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
-----------------EOF-----------------
Hi Tony,
Don't see any sign of ClickTillUWin, but let's do this.
You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Go to Task Manager and stop the processes for these; keep in mind there may be two explorer.exe, so look them over carefully
ClickTillUWin
dlder.exe
explorer.exe
If you only see one explorer.exe running then leave it be
C:\Windows\explorer <--Not this one
C:\Windows\explorer\explorer.exe <--This one
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Dlder"=-
[HKEY_LOCAL_MACHINE\Software\games]
"ClickTillUWin"=-
Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg
Delete these files:
C:\Windows\dlder.exe
C:\Windows\explorer\explorer.exe
C:\Windows\explorer <--Not this one.
Reboot and let's see if this helped
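The Task Manager step above is ambiguous on XP because Task Manager shows only the image name, not the path, so a rogue C:\Windows\explorer\explorer.exe and the real C:\Windows\explorer.exe both appear as "explorer.exe". As an added example (not part of Ken's instructions and not a tool used in this thread), the following PowerShell script reports the full path of every running explorer.exe, whether the two files named in the fix exist, and whether the two registry values that Regfix.reg removes are present. It assumes Windows PowerShell 2.0 or later (an optional install on XP SP3) run from an administrator account. It is read-only: it kills nothing and deletes nothing, so it can be run both before and after the fix to confirm the result.

```powershell
# Added example, not from the original thread: read-only triage of the
# indicators listed in the fix above (rogue explorer.exe, dlder.exe, and
# the two registry values). Assumes Windows PowerShell 2.0+ and an
# administrative prompt. Reports only; changes nothing.

$legit = Join-Path $env:windir 'explorer.exe'

Write-Host "== Running explorer.exe instances =="
# Win32_Process exposes ExecutablePath, which XP's Task Manager does not show,
# so two rows that both read "explorer.exe" can be told apart here.
Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    $verdict = if ($path -and ($path -ieq $legit)) { 'expected' } else { 'SUSPECT' }
    "{0,-8} PID {1,-6} {2}" -f $verdict, $_.ProcessId, $path
}

Write-Host "`n== Files named in the fix =="
foreach ($f in @((Join-Path $env:windir 'dlder.exe'),
                 (Join-Path $env:windir 'explorer\explorer.exe'))) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        "PRESENT {0}  ({1} bytes, modified {2})" -f $f, $item.Length, $item.LastWriteTime
    } else {
        "absent  $f"
    }
}

Write-Host "`n== Registry values that Regfix.reg removes =="
$checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Dlder' },
    @{ Key = 'HKLM:\Software\games';                                 Name = 'ClickTillUWin' }
)
foreach ($c in $checks) {
    $val = $null
    if (Test-Path $c.Key) {
        # Property access by variable name; $null when the value is absent.
        $val = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($val -ne $null) { "PRESENT {0}\{1} = {2}" -f $c.Key, $c.Name, $val }
    else                { "absent  {0}\{1}" -f $c.Key, $c.Name }
}
```

Any explorer.exe row marked SUSPECT is the one to stop in Task Manager; a single row pointing at C:\WINDOWS\explorer.exe is the normal shell and should be left alone, as Ken says above.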
Tony Tucker
2009-11-10, 03:53
Hello Ken, ClickTillUWin and dlder.exe are not in my task manager; however, I do have 2 iexplorers in my task manager. I could not find C:\Windows\dlder.exe or C:\Windows\explorer\explorer.exe either. There are an explorer.exe and an explorer in Windows. Clicking on explorer takes you to Local Disk C and clicking on explorer.exe takes you to My Documents. The ClickTillUWin in my registry is located in Hkey Local Machine, Hkey users, S-1-5-21-1202660629-823518204-725345543-1004, Software, Microsoft, Search Assistant, ACMru, 5603.
Your path to ClickTillUWin does not make sense; you must have copied it wrong. Did you run the reg fix I posted?
Open up Spybot Search and Destroy, go to Help > About and make sure it's the latest version, 1.6.2. If not, uninstall it and download and install from this link.
http://www.safer-networking.org/en/home/index.html
Check for Updates and run a full scan; it should remove ClickTillUWin
Good Morning Tony
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Then do this one with SystemLook
:regfind
ClickTillUWin
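As an added example, not SystemLook itself and not part of Ken's instructions, here are the same two queries done in PowerShell: dump the Run key the way the :reg query does, then walk a registry subtree and report every key name, value name or value data containing a string, the way the :regfind query does. It assumes Windows PowerShell 2.0 or later (an optional install on XP SP3) from an administrator prompt. The search is limited to HKLM:\Software and HKCU:\Software by default because a walk of the whole registry is slow; keys the account cannot open are skipped, so "No data found" means only that nothing readable matched.

```powershell
# Added example, not from the original thread and not SystemLook: a
# PowerShell equivalent of the ":reg" and ":regfind" queries above.
# Assumes Windows PowerShell 2.0+ and an administrative prompt.

function Show-RunKey {
    param([string]$Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    # ":reg" equivalent: list each autostart value and its command line.
    "[{0}]" -f $Key
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props) {
        # Get-ItemProperty adds PS* bookkeeping properties; drop them.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { '"{0}"="{1}"' -f $_.Name, $_.Value }
    }
}

function Find-RegistryString {
    param(
        [Parameter(Mandatory=$true)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\Software', 'HKCU:\Software')
    )
    # ":regfind" equivalent: report every key name, value name or value data
    # under $Roots that contains $Pattern (case-insensitive, like -like).
    # Keys the current token cannot open are skipped silently.
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            if ($k.PSChildName -like "*$Pattern*") {
                "KEY   {0}" -f $k.Name
            }
            foreach ($name in $k.GetValueNames()) {
                $data = $k.GetValue($name)
                if ($name -like "*$Pattern*" -or ("$data" -like "*$Pattern*")) {
                    'VALUE {0}\{1} = {2}' -f $k.Name, $name, $data
                }
            }
        }
    }
}

Show-RunKey
''
"Searching for ""ClickTillUWin"""
$hits = @(Find-RegistryString -Pattern 'ClickTillUWin')
if ($hits.Count -eq 0) { 'No data found.' } else { $hits }
```

Read a hit by where it lands: a value in the Run key or a key of its own under HKLM\Software is an installed component, whereas a match under Software\Microsoft\Search Assistant\ACMru is only the history of terms typed into Windows Search (which, as the thread goes on to show, is where this one came from).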
Tony Tucker
2009-11-11, 01:46
Hello Ken, yes you are right, I made a mistake: it was located in My Computer, Hkey users, S-1-5-21-1202660629-823518204-725345543-1004, Software, Microsoft, Search Assistant, ACMru, 5603. Yes, I have run the regfix that you told me to do. I have run a full scan using the latest Spybot, fully updated, but all it picked up is 2 tracking cookies. When I was installing Spybot I did the full installation; however, there was an option to install "Explorer file scan plugin (in file context menu)" and I did not put a tick in this box. Was I supposed to do this? I think there is definitely something wrong because Explorer.exe is now about 9 to 10% whereas before it was around 6 to 8% CPU. It is now 72000k Mem Usage whereas before it was around 20000k to 30000k, and my computer is now often freezing up for 20 seconds or more.
Tony Tucker
2009-11-11, 01:53
Hello Ken, yes, sorry, I did not see your last post before I made my last reply. I will do what you have told me to do and then report back.
Tony Tucker
2009-11-11, 03:34
Hello Ken, here is the information you have requested
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:17 on 11/11/2009 by Brian (Administrator - Elevation successful)
========== reg ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe"
"CAVRID"=""C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe""
"cctray"=""C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe""
"ehTray"="C:\WINDOWS\ehome\ehtray.exe"
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"SoundMan"="SOUNDMAN.EXE"
"UpdReg"="C:\WINDOWS\UpdReg.EXE"
-=End Of File=-
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:19 on 11/11/2009 by Brian (Administrator - Elevation successful)
========== regfind ==========
Searching for "ClickTillUWin"
No data found.
-=End Of File=-
Tony,
I could be wrong, but this may not be malware related. First off, I see a ton of games installed; there could be one or more conflicting. I have seen some computers with lots of games and sometimes they cause issues.
Another thing
CA Internet Security Suite
You have this installed and it includes a firewall
C:\Program Files\Sunbelt Software\Personal Firewall
So there is no need for this one; uninstall it via Add/Remove Programs. You should not have two firewalls running at the same time.
Why don't you post here and see if they can help you sort out some of your programs. I will keep this thread open for you for a week or so; post back and let me know if they fixed anything.
This is our sister site
http://forums.whatthetech.com/Microsoft_Windows_f119.html
Ken
Tony Tucker
2009-11-12, 03:16
Hello Ken, yes I have CA Internet Security installed, but I only have the Antivirus component. I have registered at What The Tech and will let you know what they tell me.
OK Tony, thanks for letting me know. You can link them to this thread if you like, to let them see what we have done.
Tony Tucker
2009-11-14, 23:31
Hello Ken, you are right. I have been told that the problem is being caused by an update to CA Antivirus in late September. I looked on the CA forum and there was a workaround, but it does not work for me. It appears, for the meantime at least, I will have to just put up with it. I understand now that the ClickTillUWin only has shown up in Search Assistant because I have searched for this file using the Search Companion in Windows. Thank you very much for trying to help me.
Hi Tony,
You can uninstall CA if you wish and download and install one of these free ones, your call on what you want to do.
Free Anti Virus Programs
AVG Free (http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5)
Free Avast 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
Avira AntiVir® Personal Edition Classic (http://www.free-av.com/)
Good Luck,
Ken :)