Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Yourinputsurvey.com redirect (rootkit?)

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Yourinputsurvey.com redirect (rootkit?)

Unread postby helpintoledo » February 24th, 2010, 10:01 pm

Hello, and thank you for your service in advance.
I found this forum while google searching on the string "yourinputsurvey.com" as that is the redirect this computer has been seeing regularly, and it led me to http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=48490

Prior to this I had run MBAM and SpyBotSD with success but obviously not full success. I have renamed the executables for most of the malware detectors, such as FindStuff for HijackThis and maybe killer for SBSD, so if any others are renamed, please let me know if they cause confusion or problems. I followed the above mentioned thread in attempting to gather reports before posting, but made no system changes. I got as far as the OTL, and tried to run the scan as directed, but it continuously hangs on the "Health Key and Certificate Management Service (hkmsvc)" which I have disabled, and I am not even sure why it is on this system, as my research points to this being a Vista system file and this computer is running WinXP MCE-SP3. Even disabled, OTL hangs on this service.

On with the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:40 PM, on 2/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\FindStuff.exe

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [SpybotDeletingA5046] command.com /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2914] cmd.exe /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5355] command.com /c del "C:\WINDOWS\wt\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9341] cmd.exe /c del "C:\WINDOWS\wt\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6048] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9478] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6495] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4698] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA344] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC315] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9199] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8044] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2550] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8642] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA321] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7640] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5734] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5207] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3492] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9995] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8346] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2355] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC924] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9558] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2096] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7460] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2721] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7760] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1687] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2808] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4708] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2582] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9866] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2824] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6712] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5914] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5609] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4315] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1254] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5586] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlpanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingC866] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlpanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3114] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7878] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA468] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2778] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6340] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6657] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7064] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC841] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7919] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7550] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6877] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC333] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA397] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9102] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8133] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2566] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5986] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8951] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1499] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2650] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8539] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC600] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2249] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1379] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7002] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1892] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8791] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3897] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3711] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1572] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2827] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6568] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8442] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6221] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9029] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6280] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6322] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC982] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7933] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6936] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2889] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3496] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5940] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7647] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9728] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3066] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5316] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3931] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4957] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9803] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5467] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3299] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6291] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlpanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6676] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlpanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3324] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3212] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5457] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1965] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4015] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7812] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3725] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4375] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5642] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7539] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5240] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4613] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\WireControl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1066] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\WireControl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3067] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\controlpanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1959] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\controlpanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1788] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9503] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7175] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2400] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2789] command.com /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2657] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8951] command.com /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7072] cmd.exe /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3913] command.com /c del "C:\WINDOWS\wt\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5031] cmd.exe /c del "C:\WINDOWS\wt\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4536] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9394] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4442] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD637] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1215] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD564] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9157] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD210] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5270] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9529] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1879] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2727] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6157] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3716] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3842] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6567] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6588] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4330] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9216] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD982] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4794] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8033] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB667] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9689] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4253] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingD264] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2516] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4400] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB883] command.com /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8454] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1703] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2429] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7566] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4873] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4099] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7136] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB249] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlpanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1511] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlpanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6677] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD587] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2760] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2080] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2532] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8847] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4586] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5616] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5796] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4902] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5755] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4373] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2761] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8002] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6659] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9622] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8669] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1221] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB467] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1003] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3521] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1291] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7609] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7596] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3230] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD396] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB961] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4245] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8557] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7081] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2123] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9041] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5831] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2707] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8422] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7572] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3357] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7189] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1292] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD183] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9663] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2757] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3682] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7468] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9306] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5517] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8455] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3271] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6704] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2753] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6142] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1149] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9144] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlpanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9747] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlpanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8561] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2990] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2797] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8231] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3462] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9308] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1663] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9080] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8094] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3405] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6042] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4323] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB954] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\WireControl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD74] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\WireControl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB266] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\controlpanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6667] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\controlpanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8198] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7682] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2978] command.com /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD938] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\WireControl\1.1.0.23\files\install\WireControl_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6107] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 31851 bytes

... and the Uninstall list:

Ad-Aware
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL You've Got Pictures Screensaver
Athlon 64 Processor Driver
Avira AntiVir Personal - Free Antivirus
Bejeweled 2 Deluxe
Blackhawk Striker 2
Blasterball 2 Revolution
Critical Update for Windows Media Player 11 (KB959772)
Deal or No Deal
Digital Media Reader
Diner Dash
Disney's You Can Fly! with Tinker Bell
DVD Solution
FATE
Gateway Game Console
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 17
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
NVIDIA Drivers
Panda ActiveScan 2.0
Penguins!
PokerStars
Polar Bowler
Polar Golfer
Power2Go 4.0
PowerDVD
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Scooby-Doo 2 - Monsters Unleashed
SCRABBLE
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Soft Data Fax Modem with SmartCP
Sonic Encoders
Spybot - Search & Destroy
Tradewinds
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm
Advertisement
Register to Remove

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby MWR 3 day Mod » February 27th, 2010, 11:51 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby muppy03 » March 1st, 2010, 3:07 am

Hello and welcome to Malware Removal Forums

IMPORTANT

Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

Go to Start-Settings-Control Panel, click on Add remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

    Spybot - Search & Destroy Uninstall until computer is clean

Once the above is done please REBOOT the computer.

NEXT Download and Run: RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

GMER Rootkit Scanner
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please reply with:-
  • RSIT logs ( info.txt and log.txt)
  • GMER Log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby helpintoledo » March 1st, 2010, 2:53 pm

Log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-03-01 12:21:05
Microsoft Windows XP Professional Service Pack 3
System drive C: has 214 GB (92%) free of 233 GB
Total RAM: 895 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:08 PM, on 3/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner.OAKES\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4437 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\ISP signup reminder 2.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-08 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2004-12-08 550912]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-09-14 14820864]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-09-14 69632]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvkphb]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-23 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
C:\Program Files\Digital Media Reader\readericon45G.exe [2005-12-09 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-12-05 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tqammy]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vijoloben]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate86.exe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
C:\WINDOWS\system32\config\system [2010-03-01 8388608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner.OAKES^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
C:\WINDOWS\system32\config\system [2010-03-01 8388608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1159040204\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1159040204\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\mspaint.exe"="C:\WINDOWS\system32\mspaint.exe:*:Enabled:mspaint"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:LSA Shell"
"C:\Documents and Settings\Owner.OAKES\Local Settings\Temp\pdfupd.exe"="C:\Documents and Settings\Owner.OAKES\Local Settings\Temp\pdfupd.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:LSA Shell"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{202c7ac9-fb3a-11de-8481-001617d8811d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
shell\Explore\command - J:\autorun.exe
shell\Open\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a522b6af-1d96-11df-84af-001617d8811d}]
shell\AutoRun\command - K:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-03-01 12:21:05 ----D---- C:\rsit
2010-02-23 07:00:25 ----D---- C:\Program Files\Panda Security
2010-02-23 04:53:04 ----A---- C:\WINDOWS\wininit.ini
2010-02-23 03:58:46 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-23 03:58:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 17:17:23 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-02-21 16:44:37 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-02-21 16:43:22 ----HDC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-21 16:43:10 ----D---- C:\Program Files\Lavasoft
2010-02-21 16:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-02-21 15:06:30 ----D---- C:\Program Files\Trend Micro
2010-02-21 14:19:49 ----D---- C:\Program Files\Avira
2010-02-21 14:19:49 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-02-19 17:03:44 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-19 17:03:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-19 17:01:25 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-19 17:01:21 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-19 17:01:16 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-19 17:01:11 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-19 17:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-19 17:00:34 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-19 15:50:56 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

======List of files/folders modified in the last 1 months======

2010-03-01 12:20:48 ----D---- C:\WINDOWS\Prefetch
2010-03-01 12:12:24 ----D---- C:\WINDOWS\Temp
2010-03-01 12:09:22 ----SD---- C:\WINDOWS\Tasks
2010-03-01 12:08:31 ----D---- C:\WINDOWS\system32\Lang
2010-03-01 12:08:30 ----A---- C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt
2010-03-01 12:08:23 ----D---- C:\WINDOWS
2010-03-01 12:07:50 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-01 12:07:43 ----D---- C:\WINDOWS\Registration
2010-03-01 12:06:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-24 19:17:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-24 16:19:04 ----D---- C:\WINDOWS\system32\drivers
2010-02-23 07:00:25 ----HD---- C:\WINDOWS\inf
2010-02-23 07:00:25 ----D---- C:\Program Files
2010-02-23 07:00:05 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-02-23 04:29:03 ----D---- C:\WINDOWS\system32
2010-02-23 04:27:48 ----D---- C:\Program Files\RegistryFix
2010-02-21 16:43:26 ----SHD---- C:\WINDOWS\Installer
2010-02-21 16:43:25 ----D---- C:\WINDOWS\WinSxS
2010-02-21 14:24:19 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2010-02-19 17:03:44 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-19 17:03:28 ----A---- C:\WINDOWS\imsins.BAK

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-09-23 8552]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2010-02-22 56816]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-07-18 990592]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2006-07-18 256128]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-09-14 3856896]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-07-18 728192]
S1 5044049D;5044049D; \??\C:\WINDOWS\system32\drivers\5044049D.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2004-10-20 10328]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-04-10 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-08 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-21 1229232]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-09-23 172032]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 182768]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Info.txt:

info.txt logfile of random's system information tool 1.06 2010-03-01 12:21:10

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware Email Scanner for Outlook-->MsiExec.exe /I{338F08AB-C262-42C7-B000-34DE1A475273}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
America Online (Choose which version to remove)-->C:\Program Files\Common Files\aolshare\aolunins_us.exe
AOL Coach Version 2.0(Build:20041026.5 en)-->C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Connectivity Services-->"C:\Program Files\Common Files\AOL\ACS\AcsUninstall.exe" /c
AOL Spyware Protection-->C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\INSTALL.LOG
AOL You've Got Pictures Screensaver-->C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bejeweled 2 Deluxe-->"C:\Program Files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe"
Blackhawk Striker 2-->"C:\Program Files\Gateway Games\Blackhawk Striker 2\Uninstall.exe"
Blasterball 2 Revolution-->"C:\Program Files\Gateway Games\Blasterball 2 Revolution\Uninstall.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Deal or No Deal-->MsiExec.exe /X{CEA0BA90-DED4-169F-BA18-D9F57E43E6AD}
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
Diner Dash-->"C:\Program Files\Gateway Games\Diner Dash\Uninstall.exe"
Disney's You Can Fly! with Tinker Bell-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91D4E3CC-406E-40C0-BCC3-CB23A96C3F7A}\setup.exe" -l0x9 Disney's You Can Fly! with Tinker Bell
DVD Solution-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
FATE-->"C:\Program Files\Gateway Games\FATE\Uninstall.exe"
Gateway Game Console-->"C:\Program Files\WildTangent\Apps\Gateway Game Console\Uninstall.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0E996B068B56FCA2.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.0 Hotfix (KB953295)-->"C:\WINDOWS\$NtUninstallKB953295$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image Starter Edition 2006-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2006-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Multimedia Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Napster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Penguins!-->"C:\Program Files\Gateway Games\Penguins!\Uninstall.exe"
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
Polar Bowler-->"C:\Program Files\Gateway Games\Polar Bowler\Uninstall.exe"
Polar Golfer-->"C:\Program Files\Gateway Games\Polar Golfer\Uninstall.exe"
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Pure Networks Port Magic-->C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Scooby-Doo 2 - Monsters Unleashed-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9BD9BF5-F1D1-4904-B348-40D0E9FF0023}\setup.exe" -l0x9 -uninst
SCRABBLE-->"C:\Program Files\Gateway Games\SCRABBLE\Uninstall.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDBRYCM5K.inf
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Tradewinds-->"C:\Program Files\Gateway Games\Tradewinds\Uninstall.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB973768-->"C:\WINDOWS\$NtUninstallKB973768$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: AntiVir Desktop
FW: (disabled)

======System event log======

Computer Name: OAKES
Event Code: 50
Message: {Delayed Write Failed}
Windows was unable to save all the data for the file . The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Record Number: 22565
Source Name: Ntfs
Time Written: 20100131034642.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 57
Message: The system failed to flush data to the transaction log. Corruption may occur.

Record Number: 22564
Source Name: Ftdisk
Time Written: 20100131034640.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 50
Message: {Delayed Write Failed}
Windows was unable to save all the data for the file . The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Record Number: 22563
Source Name: Ntfs
Time Written: 20100131034640.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 50
Message: {Delayed Write Failed}
Windows was unable to save all the data for the file . The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Record Number: 22562
Source Name: Ntfs
Time Written: 20100131034640.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 57
Message: The system failed to flush data to the transaction log. Corruption may occur.

Record Number: 22561
Source Name: Ftdisk
Time Written: 20100131034638.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: OAKES
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 6729
Source Name: PerfDisk
Time Written: 20100128111303.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 6728
Source Name: PerfDisk
Time Written: 20100128111258.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 6727
Source Name: PerfDisk
Time Written: 20100128111255.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 6726
Source Name: PerfDisk
Time Written: 20100128111253.000000-300
Event Type: warning
User:

Computer Name: OAKES
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 6725
Source Name: PerfDisk
Time Written: 20100128111245.000000-300
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 39 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=2701
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Gmer.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-01 13:50:15
Windows 5.1.2600 Service Pack 3
Running: 8rocfd8k.exe; Driver: C:\DOCUME~1\OWNER~1.OAK\LOCALS~1\Temp\kxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT F7D74356 ZwCreateKey
SSDT F7D7434C ZwCreateThread
SSDT F7D7435B ZwDeleteKey
SSDT F7D74365 ZwDeleteValueKey
SSDT F7D7436A ZwLoadKey
SSDT F7D74338 ZwOpenProcess
SSDT F7D7433D ZwOpenThread
SSDT F7D74374 ZwReplaceKey
SSDT F7D7436F ZwRestoreKey
SSDT F7D74360 ZwSetValueKey
SSDT F7D74347 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 856D2618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\nsvo.tmp 0 bytes
File C:\WINDOWS\Temp\fltt.tmp 0 bytes
File C:\WINDOWS\Temp\wvrc.tmp 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby muppy03 » March 1st, 2010, 4:34 pm

TDSSKiller

  • Please Download TDSSKiller.zip and save it on your desktop.
  • Next extract (unzip) its contents to your Desktop.
  • Next double-click the TDSSKiller Folder on your desktop.
  • Next right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.<---Important
  • Next Highlight and copy all the text (including the quote marks) in the codebox below.
    Code: Select all
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • When finished a log file should be created on your desktop named tdsskiller.txt
  • Copy the contents of the log & post in your next reply.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. This includes Avira and Ad aware.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reply with:-
  • TDSS log
  • Combofix log
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby helpintoledo » March 2nd, 2010, 3:49 am

tdsskiller.tx:

01:14:28:031 2948 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
01:14:28:031 2948 ================================================================================
01:14:28:031 2948 SystemInfo:

01:14:28:031 2948 OS Version: 5.1.2600 ServicePack: 3.0
01:14:28:031 2948 Product type: Workstation
01:14:28:031 2948 ComputerName: OAKES
01:14:28:031 2948 UserName: Owner
01:14:28:031 2948 Windows directory: C:\WINDOWS
01:14:28:031 2948 Processor architecture: Intel x86
01:14:28:031 2948 Number of processors: 1
01:14:28:031 2948 Page size: 0x1000
01:14:28:031 2948 Boot type: Normal boot
01:14:28:031 2948 ================================================================================
01:14:28:031 2948 UnloadDriverW: NtUnloadDriver error 2
01:14:28:031 2948 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
01:14:28:062 2948 Initialize success
01:14:28:062 2948
01:14:28:062 2948 Scanning Services ...
01:14:28:062 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
01:14:28:062 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
01:14:28:062 2948 wfopen_ex: Trying to KLMD file open
01:14:28:062 2948 wfopen_ex: File opened ok (Flags 2)
01:14:28:062 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
01:14:28:062 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
01:14:28:062 2948 wfopen_ex: Trying to KLMD file open
01:14:28:062 2948 wfopen_ex: File opened ok (Flags 2)
01:14:28:312 2948 GetAdvancedServicesInfo: Raw services enum returned 345 services
01:14:28:312 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
01:14:28:312 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
01:14:28:312 2948
01:14:28:328 2948 Scanning Kernel memory ...
01:14:28:328 2948 Devices to scan: 11
01:14:28:328 2948
01:14:28:328 2948 Driver Name: Disk
01:14:28:328 2948 IRP_MJ_CREATE : F7742BB0
01:14:28:328 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:328 2948 IRP_MJ_CLOSE : F7742BB0
01:14:28:328 2948 IRP_MJ_READ : F773CD1F
01:14:28:328 2948 IRP_MJ_WRITE : F773CD1F
01:14:28:328 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:328 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:328 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:328 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:328 2948 IRP_MJ_FLUSH_BUFFERS : F773D2E2
01:14:28:328 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:328 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:328 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:328 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:328 2948 IRP_MJ_DEVICE_CONTROL : F773D3BB
01:14:28:328 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7740F28
01:14:28:328 2948 IRP_MJ_SHUTDOWN : F773D2E2
01:14:28:328 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:328 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:328 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:328 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:328 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:328 2948 IRP_MJ_POWER : F773EC82
01:14:28:328 2948 IRP_MJ_SYSTEM_CONTROL : F774399E
01:14:28:328 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:328 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:328 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:343 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
01:14:28:343 2948 sion
01:14:28:359 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:14:28:359 2948
01:14:28:359 2948 Driver Name: Disk
01:14:28:359 2948 IRP_MJ_CREATE : F7742BB0
01:14:28:359 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:359 2948 IRP_MJ_CLOSE : F7742BB0
01:14:28:359 2948 IRP_MJ_READ : F773CD1F
01:14:28:359 2948 IRP_MJ_WRITE : F773CD1F
01:14:28:359 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:359 2948 IRP_MJ_FLUSH_BUFFERS : F773D2E2
01:14:28:359 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_DEVICE_CONTROL : F773D3BB
01:14:28:359 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7740F28
01:14:28:359 2948 IRP_MJ_SHUTDOWN : F773D2E2
01:14:28:359 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:359 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_POWER : F773EC82
01:14:28:359 2948 IRP_MJ_SYSTEM_CONTROL : F774399E
01:14:28:359 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:359 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
01:14:28:359 2948 sion
01:14:28:359 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:14:28:359 2948
01:14:28:359 2948 Driver Name: Disk
01:14:28:359 2948 IRP_MJ_CREATE : F7742BB0
01:14:28:359 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:359 2948 IRP_MJ_CLOSE : F7742BB0
01:14:28:359 2948 IRP_MJ_READ : F773CD1F
01:14:28:359 2948 IRP_MJ_WRITE : F773CD1F
01:14:28:359 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:359 2948 IRP_MJ_FLUSH_BUFFERS : F773D2E2
01:14:28:359 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_DEVICE_CONTROL : F773D3BB
01:14:28:359 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7740F28
01:14:28:359 2948 IRP_MJ_SHUTDOWN : F773D2E2
01:14:28:359 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:359 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_POWER : F773EC82
01:14:28:359 2948 IRP_MJ_SYSTEM_CONTROL : F774399E
01:14:28:359 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:359 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
01:14:28:359 2948 sion
01:14:28:359 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:14:28:359 2948
01:14:28:359 2948 Driver Name: Disk
01:14:28:359 2948 IRP_MJ_CREATE : F7742BB0
01:14:28:359 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:359 2948 IRP_MJ_CLOSE : F7742BB0
01:14:28:359 2948 IRP_MJ_READ : F773CD1F
01:14:28:359 2948 IRP_MJ_WRITE : F773CD1F
01:14:28:359 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:359 2948 IRP_MJ_FLUSH_BUFFERS : F773D2E2
01:14:28:359 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_DEVICE_CONTROL : F773D3BB
01:14:28:359 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7740F28
01:14:28:359 2948 IRP_MJ_SHUTDOWN : F773D2E2
01:14:28:359 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:359 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_POWER : F773EC82
01:14:28:359 2948 IRP_MJ_SYSTEM_CONTROL : F774399E
01:14:28:359 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:359 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
01:14:28:359 2948 sion
01:14:28:359 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:14:28:359 2948
01:14:28:359 2948 Driver Name: usbstor
01:14:28:359 2948 IRP_MJ_CREATE : ED04B218
01:14:28:359 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:359 2948 IRP_MJ_CLOSE : ED04B218
01:14:28:359 2948 IRP_MJ_READ : ED04B23C
01:14:28:359 2948 IRP_MJ_WRITE : ED04B23C
01:14:28:359 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:359 2948 IRP_MJ_FLUSH_BUFFERS : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:359 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_DEVICE_CONTROL : ED04B180
01:14:28:359 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : ED0469E6
01:14:28:359 2948 IRP_MJ_SHUTDOWN : 804F355A
01:14:28:359 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:359 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:359 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:359 2948 IRP_MJ_POWER : ED04A5F0
01:14:28:359 2948 IRP_MJ_SYSTEM_CONTROL : ED048A6E
01:14:28:359 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:359 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:359 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:359 2948 siohd: 0
01:14:28:375 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
01:14:28:375 2948
01:14:28:375 2948 Driver Name: usbstor
01:14:28:375 2948 IRP_MJ_CREATE : ED04B218
01:14:28:375 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:375 2948 IRP_MJ_CLOSE : ED04B218
01:14:28:375 2948 IRP_MJ_READ : ED04B23C
01:14:28:375 2948 IRP_MJ_WRITE : ED04B23C
01:14:28:375 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:375 2948 IRP_MJ_FLUSH_BUFFERS : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_DEVICE_CONTROL : ED04B180
01:14:28:375 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : ED0469E6
01:14:28:375 2948 IRP_MJ_SHUTDOWN : 804F355A
01:14:28:375 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:375 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_POWER : ED04A5F0
01:14:28:375 2948 IRP_MJ_SYSTEM_CONTROL : ED048A6E
01:14:28:375 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:375 2948 siohd: 0
01:14:28:375 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
01:14:28:375 2948
01:14:28:375 2948 Driver Name: usbstor
01:14:28:375 2948 IRP_MJ_CREATE : ED04B218
01:14:28:375 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:375 2948 IRP_MJ_CLOSE : ED04B218
01:14:28:375 2948 IRP_MJ_READ : ED04B23C
01:14:28:375 2948 IRP_MJ_WRITE : ED04B23C
01:14:28:375 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:375 2948 IRP_MJ_FLUSH_BUFFERS : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_DEVICE_CONTROL : ED04B180
01:14:28:375 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : ED0469E6
01:14:28:375 2948 IRP_MJ_SHUTDOWN : 804F355A
01:14:28:375 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:375 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_POWER : ED04A5F0
01:14:28:375 2948 IRP_MJ_SYSTEM_CONTROL : ED048A6E
01:14:28:375 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:375 2948 siohd: 0
01:14:28:375 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
01:14:28:375 2948
01:14:28:375 2948 Driver Name: usbstor
01:14:28:375 2948 IRP_MJ_CREATE : ED04B218
01:14:28:375 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:375 2948 IRP_MJ_CLOSE : ED04B218
01:14:28:375 2948 IRP_MJ_READ : ED04B23C
01:14:28:375 2948 IRP_MJ_WRITE : ED04B23C
01:14:28:375 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:375 2948 IRP_MJ_FLUSH_BUFFERS : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_DEVICE_CONTROL : ED04B180
01:14:28:375 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : ED0469E6
01:14:28:375 2948 IRP_MJ_SHUTDOWN : 804F355A
01:14:28:375 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:375 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_POWER : ED04A5F0
01:14:28:375 2948 IRP_MJ_SYSTEM_CONTROL : ED048A6E
01:14:28:375 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:375 2948 siohd: 0
01:14:28:375 2948 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
01:14:28:375 2948
01:14:28:375 2948 Driver Name: Disk
01:14:28:375 2948 IRP_MJ_CREATE : F7742BB0
01:14:28:375 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:375 2948 IRP_MJ_CLOSE : F7742BB0
01:14:28:375 2948 IRP_MJ_READ : F773CD1F
01:14:28:375 2948 IRP_MJ_WRITE : F773CD1F
01:14:28:375 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:375 2948 IRP_MJ_FLUSH_BUFFERS : F773D2E2
01:14:28:375 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_DEVICE_CONTROL : F773D3BB
01:14:28:375 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7740F28
01:14:28:375 2948 IRP_MJ_SHUTDOWN : F773D2E2
01:14:28:375 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:375 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_POWER : F773EC82
01:14:28:375 2948 IRP_MJ_SYSTEM_CONTROL : F774399E
01:14:28:375 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:375 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
01:14:28:375 2948 sion
01:14:28:375 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:14:28:375 2948
01:14:28:375 2948 Driver Name: Disk
01:14:28:375 2948 IRP_MJ_CREATE : F7742BB0
01:14:28:375 2948 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
01:14:28:375 2948 IRP_MJ_CLOSE : F7742BB0
01:14:28:375 2948 IRP_MJ_READ : F773CD1F
01:14:28:375 2948 IRP_MJ_WRITE : F773CD1F
01:14:28:375 2948 IRP_MJ_QUERY_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_EA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_EA : 804F355A
01:14:28:375 2948 IRP_MJ_FLUSH_BUFFERS : F773D2E2
01:14:28:375 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
01:14:28:375 2948 IRP_MJ_DIRECTORY_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_DEVICE_CONTROL : F773D3BB
01:14:28:375 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7740F28
01:14:28:375 2948 IRP_MJ_SHUTDOWN : F773D2E2
01:14:28:375 2948 IRP_MJ_LOCK_CONTROL : 804F355A
01:14:28:375 2948 IRP_MJ_CLEANUP : 804F355A
01:14:28:375 2948 IRP_MJ_CREATE_MAILSLOT : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_SET_SECURITY : 804F355A
01:14:28:375 2948 IRP_MJ_POWER : F773EC82
01:14:28:375 2948 IRP_MJ_SYSTEM_CONTROL : F774399E
01:14:28:375 2948 IRP_MJ_DEVICE_CHANGE : 804F355A
01:14:28:375 2948 IRP_MJ_QUERY_QUOTA : 804F355A
01:14:28:375 2948 IRP_MJ_SET_QUOTA : 804F355A
01:14:28:375 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
01:14:28:375 2948 sion
01:14:28:375 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:14:28:375 2948
01:14:28:375 2948 Driver Name: atapi
01:14:28:375 2948 IRP_MJ_CREATE : 856D2618
01:14:28:375 2948 IRP_MJ_CREATE_NAMED_PIPE : 856D2618
01:14:28:390 2948 IRP_MJ_CLOSE : 856D2618
01:14:28:390 2948 IRP_MJ_READ : 856D2618
01:14:28:390 2948 IRP_MJ_WRITE : 856D2618
01:14:28:390 2948 IRP_MJ_QUERY_INFORMATION : 856D2618
01:14:28:390 2948 IRP_MJ_SET_INFORMATION : 856D2618
01:14:28:390 2948 IRP_MJ_QUERY_EA : 856D2618
01:14:28:390 2948 IRP_MJ_SET_EA : 856D2618
01:14:28:390 2948 IRP_MJ_FLUSH_BUFFERS : 856D2618
01:14:28:390 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 856D2618
01:14:28:390 2948 IRP_MJ_SET_VOLUME_INFORMATION : 856D2618
01:14:28:390 2948 IRP_MJ_DIRECTORY_CONTROL : 856D2618
01:14:28:390 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 856D2618
01:14:28:390 2948 IRP_MJ_DEVICE_CONTROL : 856D2618
01:14:28:390 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : 856D2618
01:14:28:390 2948 IRP_MJ_SHUTDOWN : 856D2618
01:14:28:390 2948 IRP_MJ_LOCK_CONTROL : 856D2618
01:14:28:390 2948 IRP_MJ_CLEANUP : 856D2618
01:14:28:390 2948 IRP_MJ_CREATE_MAILSLOT : 856D2618
01:14:28:390 2948 IRP_MJ_QUERY_SECURITY : 856D2618
01:14:28:390 2948 IRP_MJ_SET_SECURITY : 856D2618
01:14:28:390 2948 IRP_MJ_POWER : 856D2618
01:14:28:390 2948 IRP_MJ_SYSTEM_CONTROL : 856D2618
01:14:28:390 2948 IRP_MJ_DEVICE_CHANGE : 856D2618
01:14:28:390 2948 IRP_MJ_QUERY_QUOTA : 856D2618
01:14:28:390 2948 IRP_MJ_SET_QUOTA : 856D2618
01:14:28:390 2948 ihd: 4, FFDF0308, 313, 101, 3, 89, 1
01:14:28:390 2948 Driver "atapi" Irp handler infected by TDSS rootkit ... 01:14:28:390 2948 cured
01:14:28:390 2948 Driver "atapi" StartIo handler infected by TDSS rootkit ... 01:14:28:390 2948 cured
01:14:28:390 2948 siohd: 0
01:14:28:390 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
01:14:28:390 2948 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 01:14:28:390 2948 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
01:14:28:390 2948 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
01:14:28:515 2948 vfvi6
01:14:28:562 2948 !dsvbh1
01:14:29:140 2948 dsvbh2
01:14:29:140 2948 fdfb2
01:14:29:140 2948 Backup copy found, using it..
01:14:29:187 2948 will be cured on next reboot
01:14:29:187 2948 Reboot required for cure complete..
01:14:29:187 2948 Cure on reboot scheduled successfully
01:14:29:187 2948
01:14:29:187 2948 Completed
01:14:29:187 2948
01:14:29:187 2948 Results:
01:14:29:187 2948 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
01:14:29:187 2948 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:14:29:203 2948 File objects infected / cured / cured on reboot: 1 / 0 / 1
01:14:29:203 2948
01:14:29:203 2948 UnloadDriverW: NtUnloadDriver error 1
01:14:29:203 2948 KLMD_Unload: UnloadDriverW(klmd21) error 1
01:14:29:203 2948 KLMD(ARK) unloaded successfully

Combofix log.txt:

ComboFix 10-03-01.01 - Owner 03/02/2010 2:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.500 [GMT -5:00]
Running from: c:\documents and settings\Owner.OAKES\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UA.dtd
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UAcpt.dtd
c:\recycler\S-1-5-21-647897914-117768116-4006539887-500
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PODMENA
-------\Legacy_PODMENADRV


((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 05:11 . 2010-03-02 05:23 4295121291 ----a-w- c:\documents and settings\Owner.OAKES\Oakes.My Documents.zip
2010-03-01 17:21 . 2010-03-01 17:21 -------- d-----w- C:\rsit
2010-02-23 12:00 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-23 12:00 . 2010-02-23 12:00 -------- d-----w- c:\program files\Panda Security
2010-02-23 08:58 . 2010-03-01 17:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-23 08:58 . 2010-03-01 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 22:17 . 2010-02-21 21:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-21 21:43 . 2010-02-21 21:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-21 21:43 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-21 21:43 . 2010-02-21 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-21 21:43 . 2010-02-21 21:43 -------- d-----w- c:\program files\Lavasoft
2010-02-21 20:06 . 2010-02-21 20:06 -------- d-----w- c:\program files\Trend Micro
2010-02-21 19:19 . 2010-02-22 19:20 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-21 19:19 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-21 19:19 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-21 19:19 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-21 19:19 . 2010-02-21 19:19 -------- d-----w- c:\program files\Avira
2010-02-21 19:19 . 2010-02-21 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-19 21:43 . 2010-02-19 21:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-19 20:50 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 20:50 . 2010-02-21 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 20:50 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 17:02 . 2010-01-31 17:02 -------- d-----w- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 06:16 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-25 01:24 . 2006-06-19 04:25 42032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 09:27 . 2010-01-10 21:17 -------- d-----w- c:\program files\RegistryFix
2010-02-21 19:24 . 2010-01-09 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-04 15:53 . 2010-02-21 21:44 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-24 15:45 . 2006-09-23 19:35 -------- d-----w- c:\program files\Microsoft Works
2010-01-23 21:12 . 2010-01-23 21:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 21:21 . 2010-01-10 21:21 -------- d-----w- c:\documents and settings\Owner.OAKES\Application Data\Auslogics
2010-01-10 20:39 . 2010-01-10 17:59 -------- d-----w- c:\documents and settings\Owner.OAKES\Application Data\SUPERAntiSpyware.com
2010-01-10 17:59 . 2010-01-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-09 06:48 . 2010-01-09 06:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-09 04:44 . 2010-01-09 04:44 -------- d-----w- c:\program files\AVG
2010-01-09 04:25 . 2010-01-09 04:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 04:25 . 2006-09-23 19:31 -------- d-----w- c:\program files\Java
2010-01-09 04:24 . 2006-09-23 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-09 04:24 . 2010-01-09 04:24 152576 ----a-w- c:\documents and settings\Owner.OAKES\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 02:48 . 2006-09-23 19:36 -------- d-----w- c:\program files\BigFix
2010-01-07 03:27 . 2010-01-07 03:27 -------- d-----w- c:\documents and settings\Owner.OAKES\Application Data\Malwarebytes
2010-01-07 03:16 . 2010-01-07 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 16:50 . 2006-06-17 09:23 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-17 09:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-06-17 09:35 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-06-17 09:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2006-06-17 09:23 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
backup=c:\windows\pss\AntiVirus Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.OAKES^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
backup=c:\windows\pss\AntiVirus Plus.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvkphb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tqammy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vijoloben

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-23 19:37 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-06 01:04 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159040204\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mspaint.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2010 4:44 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/23/2010 7:00 AM 28552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/21/2010 2:19 PM 108289]
S0 xzskjaoi;xzskjaoi; [x]
S1 5044049D;5044049D;\??\c:\windows\system32\drivers\5044049D.sys --> c:\windows\system32\drivers\5044049D.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:44]

2006-12-25 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-winupdate86 - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 02:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,ac,62,1e,32,34,b4,47,99,a3,18,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,ac,62,1e,32,34,b4,47,99,a3,18,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\RUNDLL32.EXE
c:\windows\zHotkey.exe
c:\windows\RTHDCPL.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-03-02 02:36:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 07:36

Pre-Run: 220,209,360,896 bytes free
Post-Run: 220,388,777,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 3FB512BB9E2C5CAF39AE7F5333E527E7

New Hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:44 AM, on 3/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\FindStuff.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4693 bytes
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby muppy03 » March 2nd, 2010, 4:22 am

Please update me on how the computer is running after doing the following? Are the re-directs gone?

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    C:\found.000
    
    Folder::
    c:\documents and settings\All Users\Application Data\avg9
    c:\program files\AVG
    c:\documents and settings\All Users\Application Data\McAfee
    c:\windows\pss\AntiVirus Plus.lnkCommon Startup
    c:\windows\pss\AntiVirus Plus.lnkStartup
    
    Driver::
    xzskjaoi
    5044049D
     
    Registry::
    
    [-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
    
    [-HKLM\~\startupfolder\C:^Documents and Settings^Owner.OAKES^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jvkphb]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tqammy]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vijoloben]
     
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Please reply with:-
  • Combofix log
  • New HJT log
  • Update on how computer is running
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby helpintoledo » March 2nd, 2010, 2:07 pm

I cannot seem to get the computer to do ANYTHING wrong! Thank you very much! All redirects have stopped.

2 questions: Is there anything to worry about other than the slight privacy issues and bandwidth usage of WildTangent software, in the expert opinion? This box is used by a couple of children that enjoy games running with WildTangent. I removed it before joining this forum, and wonder if it is ok to reinstall it. And are there any registry issues from any of the software I've used on your advice that should be attended to after I remove all of the programs?

ComboFix log:

ComboFix 10-03-01.04 - Owner 03/02/2010 12:24:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.585 [GMT -5:00]
Running from: c:\documents and settings\Owner.OAKES\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.OAKES\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\found.000"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\avg9
c:\documents and settings\All Users\Application Data\avg9\Cfg\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\malrep.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\avg9\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\falsealarm.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\krnlall.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\srmall.cfg
c:\documents and settings\All Users\Application Data\avg9\CfgAll\updateall.cfg
c:\documents and settings\All Users\Application Data\avg9\Log\avgcfg.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgchjw.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgchjw.log.1
c:\documents and settings\All Users\Application Data\avg9\Log\avgchjw.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgchjwsrv.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgchjwsrv.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.1
c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.2
c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.3
c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgfrw.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgfrw.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avglng.log
c:\documents and settings\All Users\Application Data\avg9\Log\avglng.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgns.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgns.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log.1
c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log.2
c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log.3
c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log.4
c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgscan.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.1
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.2
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.3
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.4
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.5
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.6
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.7
c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgsrm.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgsrmac.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgsrmac.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgsrmacstat.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgsrmacstat.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgtdi.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgtdi.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgui.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgui.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgupd.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.1
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.10
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.2
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.3
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.4
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.5
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.6
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.7
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.8
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.9
c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\avg9\Log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.1
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.10
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.2
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.3
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.4
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.5
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.6
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.7
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.8
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.9
c:\documents and settings\All Users\Application Data\avg9\Log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\fixcfg.log
c:\documents and settings\All Users\Application Data\avg9\Log\fixcfg.log.lock
c:\documents and settings\All Users\Application Data\avg9\Log\history.xml
c:\documents and settings\All Users\Application Data\avg9\Log\vault.log
c:\documents and settings\All Users\Application Data\avg9\Log\vault.log.lock
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000008.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000009.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000010.log
c:\documents and settings\All Users\Application Data\avg9\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\avg9\Temp\02c383eb-abb4-41a0-8e40-2636b06f1a12-4e8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\039fb4eb-51b0-42dc-9f25-57e53be4dd48-4f0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\042c3293-432b-48b3-8f7e-da3ddc19c77b-500-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\0aa3cce8-7fec-4afa-b0e1-465df48cd825-4e4-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\0ba0d9b3-4325-4d6b-adf6-592691ccd7f4-4e8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\1416aebe-f25b-4681-8d25-1938da23282e-4e8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\298a6ab1-566e-42dd-b561-33f14ce7bf31-4e8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\2ac3c935-a994-42a9-80b5-202e42bddcbb-564-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\37070f3c-d5e1-4b30-a335-70dd27c5e933-50c-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\397d3916-41af-46cf-b821-293b79943336-4f0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\3c454b0c-bd7b-4eaa-b944-efbf4a62de53-540-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\3f883194-83de-46d2-8f26-e83ba99eb290-4ec-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\4447e972-3aab-49b0-8670-e2aaa5abe7bd-4d0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\4778efdd-c9d1-427f-86eb-04d3c5c08d56-4cc-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\487f83ac-0146-4e4c-8f8f-23dbcb6543d7-49c-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\499786e2-48d9-4b34-afcd-346f5bf09624-4e0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\4ad55131-87d4-45a7-809a-0a6f11e6a754-4f0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\53adbab1-21c7-487a-95bc-4f2c84a4fe34-4e0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\565c49f5-4357-441e-b387-ffac1968e3a8-4ec-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\6978c4a6-1d11-4a82-b21e-56eae9676c0f-52c-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\715f3290-dfe9-4b07-acb2-6ec3184e8211-d88-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\78fe38d9-fbb1-4d11-8b19-2cb2d28b85d8-6f4-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\7d65e959-0538-4a25-afd5-c6b980771c41-4ec-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\7f43c8bb-926c-4cb0-89bf-47e3a50d764b-4ac-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\82c6f32f-2284-4ec2-aeca-080abfa16975-4c8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\87a87a12-0e02-40c4-8ffa-c6e9d63cf7b5-4cc-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\98b3d20f-b51b-4226-b39d-dc1d8e12af4a-564-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\a0f143b0-af8f-4937-8aec-a50c94736413-4e8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\a61f0a34-2570-4a5e-8bd8-297cdf0b3b80-4ec-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\a76956a2-750b-4bf5-a8aa-02d7b148847b-470-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\a8adbda7-4e17-426d-81a7-01c3bc03ca13-47c-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\aa12ff7e-200c-4d7a-82a0-d8e9808b678d-49c-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\ae7ddc0a-8d13-458d-8ac9-d7fa99d8396e-4d8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\b4e67baa-0727-4398-9998-453438a520d9-4f8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\c5a39af2-6027-4a6c-96d5-93dab0a02972-508-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\c8ef1543-8451-4d02-bc91-b83e6f7f97e6-4d8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\ccd6838f-e65e-4921-a195-4f8b4c9b2789-4d8-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\cfe6ac28-7b9b-4f5c-b914-997bb3e37741-4d0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\d564a682-b8a6-4a38-9da6-d0b39639990c-4dc-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\d69d8589-f922-4ab3-a4df-b880de91443b-4dc-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\df469de6-4dc4-4640-8317-36731b7a0b3c-4e0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\e39e1ad2-9538-4f4a-b8f2-63a2a11f22d7-4b4-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\eb1fbbad-318c-4b9c-a1c9-d68f767978d8-4d0-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\ebfbeca8-fcdb-4b78-b7e3-121f5beb1fc5-4e4-oopp.tmp
c:\documents and settings\All Users\Application Data\avg9\Temp\file9514.tmp
c:\documents and settings\All Users\Application Data\avg9\update\backup\incavi.avm
c:\documents and settings\All Users\Application Data\avg9\update\backup\sb.dat
c:\documents and settings\All Users\Application Data\avg9\update\backup\sb2.dat
c:\documents and settings\All Users\Application Data\avg9\update\backup\sc.dat
c:\documents and settings\All Users\Application Data\avg9\update\prepare\temp\cty.cty
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\MSI3FBD\MSI3FBD000.log
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\MSI3FC2\MSI3FC2000.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\AbuseDesks.dat
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Accounts.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Configuration.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Friends.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\Complaints.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Logs\System.log
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\MskDetct.dat
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\SLD.dat
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Templates\Templates.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\TLD.dat
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Friends.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Filters.xml
c:\documents and settings\All Users\Application Data\McAfee\SpamKiller\Users\2\Friends.xml
c:\program files\AVG
c:\windows\system32\config\systemprofile\Application Data\alot

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_5044049D
-------\Legacy_XZSKJAOI
-------\Service_5044049D
-------\Service_xzskjaoi


((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 05:11 . 2010-03-02 05:23 4295121291 ----a-w- c:\documents and settings\Owner.OAKES\Oakes.My Documents.zip
2010-03-01 17:21 . 2010-03-01 17:21 -------- d-----w- C:\rsit
2010-02-23 12:00 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-23 12:00 . 2010-02-23 12:00 -------- d-----w- c:\program files\Panda Security
2010-02-23 08:58 . 2010-03-01 17:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-23 08:58 . 2010-03-01 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 22:17 . 2010-02-21 21:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-21 21:43 . 2010-02-21 21:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-21 21:43 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-21 21:43 . 2010-02-21 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-21 21:43 . 2010-02-21 21:43 -------- d-----w- c:\program files\Lavasoft
2010-02-21 20:06 . 2010-02-21 20:06 -------- d-----w- c:\program files\Trend Micro
2010-02-21 19:19 . 2010-02-22 19:20 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-21 19:19 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-21 19:19 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-21 19:19 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-21 19:19 . 2010-02-21 19:19 -------- d-----w- c:\program files\Avira
2010-02-21 19:19 . 2010-02-21 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-19 21:43 . 2010-02-19 21:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-19 20:50 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 20:50 . 2010-02-21 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 20:50 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 06:16 . 2004-08-04 05:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-25 01:24 . 2006-06-19 04:25 42032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 09:27 . 2010-01-10 21:17 -------- d-----w- c:\program files\RegistryFix
2010-01-24 15:45 . 2006-09-23 19:35 -------- d-----w- c:\program files\Microsoft Works
2010-01-23 21:12 . 2010-01-23 21:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 21:21 . 2010-01-10 21:21 -------- d-----w- c:\documents and settings\Owner.OAKES\Application Data\Auslogics
2010-01-10 20:39 . 2010-01-10 17:59 -------- d-----w- c:\documents and settings\Owner.OAKES\Application Data\SUPERAntiSpyware.com
2010-01-10 17:59 . 2010-01-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-09 06:48 . 2010-01-09 06:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-09 04:25 . 2010-01-09 04:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-09 04:25 . 2006-09-23 19:31 -------- d-----w- c:\program files\Java
2010-01-09 04:24 . 2010-01-09 04:24 152576 ----a-w- c:\documents and settings\Owner.OAKES\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 02:48 . 2006-09-23 19:36 -------- d-----w- c:\program files\BigFix
2010-01-07 03:27 . 2010-01-07 03:27 -------- d-----w- c:\documents and settings\Owner.OAKES\Application Data\Malwarebytes
2010-01-07 03:16 . 2010-01-07 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 16:50 . 2006-06-17 09:23 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-17 09:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2006-06-17 09:35 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-06-17 09:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2006-06-17 09:23 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-02_07.33.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-02 17:30 . 2010-03-02 17:30 16384 c:\windows\Temp\Perflib_Perfdata_b28.dat
+ 2010-03-02 17:30 . 2010-03-02 17:30 16384 c:\windows\Temp\Perflib_Perfdata_290.dat
- 2008-07-14 11:09 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-07-14 11:09 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2006-06-17 09:44 . 2010-03-02 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-06-17 09:44 . 2010-03-02 07:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-03-02 17:02 . 2010-03-02 17:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2006-06-17 09:23 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2006-06-17 09:23 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-03-02 08:00 . 2010-03-02 08:00 195584 c:\windows\Installer\18ed00.msi
+ 2010-03-02 08:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-03-02 08:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-03-02 08:00 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-23 19:37 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-06 01:04 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159040204\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mspaint.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2010 4:44 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/23/2010 7:00 AM 28552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/21/2010 2:19 PM 108289]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:44]

2006-12-25 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 12:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,ac,62,1e,32,34,b4,47,99,a3,18,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,ac,62,1e,32,34,b4,47,99,a3,18,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\zHotkey.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-03-02 12:33:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 17:33
ComboFix2.txt 2010-03-02 07:36

Pre-Run: 220,373,823,488 bytes free
Post-Run: 220,328,706,048 bytes free

- - End Of File - - 5539C1AE2F1402EB49A4FCE1C2FC4783

Newest HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:04 PM, on 3/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\FindStuff.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4628 bytes
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby muppy03 » March 2nd, 2010, 6:10 pm

I cannot seem to get the computer to do ANYTHING wrong! Thank you very much! All redirects have stopped.

Excellent :thumbright:

2 questions: Is there anything to worry about other than the slight privacy issues and bandwidth usage of WildTangent software, in the expert opinion? This box is used by a couple of children that enjoy games running with WildTangent.

Wild Tangent is not malware and is classed as an optional fix. If it was not in use I would suggest removing it, but if your children are using it, then go ahead. :)


And are there any registry issues from any of the software I've used on your advice that should be attended to after I remove all of the programs?
We will remove everything I have asked you to download before we finish, just a couple of things to do first, so do not uninstall any yet.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.2 are vulnerable.
  • Go HERE and click on AdbeRdr920_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.


Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.
  • Go to Java Site
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE) listed below in the code box.
    Code: Select all
    J2SE Runtime Environment 5.0 Update 2
    Java(TM) 6 Update 17
    
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply


Please reply with:-
  • Kaspersky log
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby helpintoledo » March 3rd, 2010, 5:39 am

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, March 3, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, March 03, 2010 00:33:27
Records in database: 3689876
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 78224
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:32:45


File name / Threat / Threats count
D:\i386\Apps\App17981\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

Selected area has been scanned.


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:23 AM, on 3/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\FindStuff.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5284 bytes
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby muppy03 » March 3rd, 2010, 6:08 am

Well that all looks great. :cheers: A handy tool to keep on board is ATF Cleaner. You can use this whenever you like and as often as you like. I have posted the instructions below but I do not necessarily need it run just now.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    (If you use FireFox or the Opera browser,To keep saved passwords, click No at the prompt.)
    Click Exit on the Main menu to close the program.


So if you are not having any further problems, I would suggest you proceed as follows.

MBAM and ATF are great tools for you to keep and use on a regular basis.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Here are some free programs I recommend that could help you improve your computer's security.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here


Read some information here how to prevent Malware.


Please reply if you have any problems or questions :flower:
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Yourinputsurvey.com redirect (rootkit?)

Unread postby jmw3 » March 6th, 2010, 4:54 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware