BleepingComputer.com: CPU Usage peaking regularly

CPU Usage peaking regularly: Is it a virus or spyware?

#16 sempai
  • Group: Malware Response Team
  • Posts: 5,161
  • Joined: 30-June 06
  • Gender: Male
  • Location: 3 stars and a sun

Posted 31 January 2012 - 01:23 AM

Hi,

How's the computer running?
~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)

#17 hammerinbb
  • Group: Members
  • Posts: 24
  • Joined: 13-January 12

Posted 03 February 2012 - 04:57 PM

Pretty much the same as when we started. I've downloaded YesScript 1.9, which is a Firefox add-on that allows me to block scripts from sites that seem to get hung up running. Politicalwire.com is one such site.

I occasionally get messages that Firefox is using a lot of memory and suggests I close down some sites, but I can't say for sure that it's related to my problem.

My problem may be--and this is something you'd know better than I--that I'm using MS Office 2007 and other programs that use more memory than my machine with its measly 2 GB of memory can handle.

BTW, I re-installed Windows Search as deleting it didn't seem to help and I missed the fast searching of my Outlook files.

P.S. Sorry about the pvt. message poke. I didn't think to look for a page 2.

#18 sempai

Posted 03 February 2012 - 08:51 PM

OK, let's not rule out the possibility that the machine is infected.


ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed anti-virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: [image]
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
~Semp


#19 hammerinbb

Posted 07 February 2012 - 09:57 PM

I stopped AVG for 15 min., but the scan took well over an hour. It indicated finding three threats, but the log file suggests it was unable to clean them. Here's the log file:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=58e67759dcfe3e49887dbe9a17b997ec
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-08 02:36:50
# local_time=2012-02-07 09:36:50 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 122786336 122786336 0 0
# compatibility_mode=1024 16777191 100 0 10953217 10953217 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=141190
# found=3
# cleaned=0
# scan_time=8771
C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\6.0\53\3d923f5-4e512efe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\Cache\0\74\8AD5Dd01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (unable to clean) 00000000000000000000000000000000 I

#20 sempai

Posted 08 February 2012 - 11:10 AM

Step 1: We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the [image] icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".

    :Files
    C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\6.0\53\3d923f5-4e512efe
    C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\Cache\0\74\8AD5Dd01
    C:\I386\GTDownDE_87.ocx

    :Commands
    [emptytemp]

  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Step 2: Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    * It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    * The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    * This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

[image]

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.

~Semp

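
The ESET log hammerinbb posted and the OTM script sempai built from it by hand can be checked mechanically. The parser below is an added example, not code from the thread, from ESET or from OldTimer: it reads the "# key=value" header and the detection lines of an ESET Online Scanner log, cross-checks the found/cleaned counters against the entries actually listed, and emits the same :Files/:Commands script for every path marked "unable to clean". The sample log is constructed from the entries in post #19, and the all-zero 32-hex field is treated as an opaque value, which is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Detection line: <path> <threat text> (<action>) <32 hex chars> <flag>
# (tab-separated in the real log, whitespace-collapsed once pasted into a forum).
# The path may contain spaces, so it may only grow until an ESET-style threat
# description starts: "multiple threats", "[probably] a variant of X", or a
# Family/Name detection such as HTML/Iframe.B.Gen.
_DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:multiple threats|(?:probably )?a variant of \S+|\S+/\S+).*?)\s*"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S)$"
)

@dataclass
class Detection:
    path: str
    threat: str
    action: str       # "unable to clean" for all three entries in post #19
    hash_field: str   # all zeros in that log; treated as an opaque field (assumption)

@dataclass
class EsetLog:
    header: Dict[str, List[str]] = field(default_factory=dict)  # repeated keys keep every value
    detections: List[Detection] = field(default_factory=list)

    def header_int(self, key: str, default: int = 0) -> int:
        values = self.header.get(key)
        return int(values[0]) if values else default

    def uncleaned(self) -> List[Detection]:
        return [d for d in self.detections if "unable to clean" in d.action.lower()]

def parse_eset_log(text: str) -> EsetLog:
    """Read '# key=value' header lines and detection lines; banner lines are skipped."""
    log = EsetLog()
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse tabs and runs of spaces
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                log.header.setdefault(key.strip(), []).append(value.strip().strip('"'))
            continue
        m = _DETECTION.match(line)
        if m:
            log.detections.append(
                Detection(m["path"], m["threat"].strip(), m["action"].strip(), m["hash"]))
    return log

def consistency_problems(log: EsetLog) -> List[str]:
    """Cross-check the header counters against the detection lines actually present."""
    problems = []
    found, cleaned = log.header_int("found"), log.header_int("cleaned")
    parsed = len(log.detections)
    cleaned_seen = parsed - len(log.uncleaned())
    if found != parsed:
        problems.append(f"header found={found} but {parsed} detection lines parsed")
    if cleaned != cleaned_seen:
        problems.append(f"header cleaned={cleaned} but {cleaned_seen} entries not marked 'unable to clean'")
    if log.header.get("end", [""])[0] != "finished":
        problems.append("scan did not report end=finished")
    return problems

def otm_files_script(log: EsetLog) -> str:
    """Build the :Files/:Commands OTM script for every path ESET could not clean."""
    lines = [":Files", *[d.path for d in log.uncleaned()], "", ":Commands", "[emptytemp]"]
    return "\n".join(lines)

# Constructed sample in the thread's format (paths and detection names as posted above).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# end=finished
# remove_checked=false
# compatibility_mode=512 16777215 100 0 122786336 122786336 0 0
# compatibility_mode=1024 16777191 100 0 10953217 10953217 0 0
# scanned=141190
# found=3
# cleaned=0
# scan_time=8771
C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\6.0\53\3d923f5-4e512efe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\Cache\0\74\8AD5Dd01 HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    parsed_log = parse_eset_log(SAMPLE_LOG)
    print(f"scanned={parsed_log.header_int('scanned')} found={parsed_log.header_int('found')} "
          f"cleaned={parsed_log.header_int('cleaned')} uncleaned={len(parsed_log.uncleaned())}")
    for problem in consistency_problems(parsed_log):
        print("WARNING:", problem)
    print(otm_files_script(parsed_log))
```

A mismatch between the header counters and the listed entries is what to look for when a pasted log has been truncated or edited before posting.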

#21 hammerinbb

Posted 09 February 2012 - 11:31 AM

Both seemed to run fine, EXCEPT, there may have been an operator error. As I was running the OTM program, it appeared it had stopped, so I copied the log and hit Exit. But it wouldn't exit. Instead, it seemed to continue running as I heard my hard drive running and the green status bar at the very bottom seemed to indicate something was happening. It continued for several minutes then automatically rebooted. When it did, I got a message that I needed to give permission to OTM to run, which I did. The OTM log came up and I've posted it below.

The Combo Fix seemed to run exactly as you described, but didn't give me an option of copying a log, and your instructions didn't indicate I needed to. However, I got a dialogue box that said Threat Found or something similar. But it was an AVG box. (Yes, I did disable it prior to running the programs.) It said the threat was: ComboFix/CF3180.3xe. It recommended I quarantine it. I clicked the box and it indicated it was successfully quarantined. I was also able to find that there were 346 processes terminated, 13 files removed, and 22 registry keys deleted.

Let me know if I need to re-run OTM--and this time be more patient.

All processes killed
========== FILES ==========
C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\6.0\53\3d923f5-4e512efe moved successfully.
C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\Cache\0\74\8AD5Dd01 moved successfully.
C:\I386\GTDownDE_87.ocx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 82 bytes

User: All Users

User: Bob
->Temp folder emptied: 59469430 bytes
->Temporary Internet Files folder emptied: 106557417 bytes
->Java cache emptied: 82487809 bytes
->FireFox cache emptied: 585766979 bytes
->Flash cache emptied: 79034 bytes

User: Bob 2

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56584 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
->FireFox cache emptied: 3618974 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 6597 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 8225809 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33554 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 354983158 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 419920 bytes

Total Files Cleaned = 1,146.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 02092012_100655

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_e08.dat not found!

Registry entries deleted on Reboot...

#22 sempai

Posted 09 February 2012 - 09:58 PM

Hi,

No need to re-run OTM, it did the job that we asked it to.

Looks like AVG interfered with Combofix, can you please double check if there's a log located at C:\ComboFix.txt.


Please do this:

Click Start > Run then copy/paste the following text. A log file will open; please post the contents in your next reply.

cmd /c dir /a /s C:\QooBox >log.txt&start log.txt

~Semp


#23 hammerinbb

Posted 10 February 2012 - 10:01 AM

Here it is:

Volume in drive C has no label.
Volume Serial Number is BCD4-F40D

Directory of C:\QooBox

02/09/2012 10:26 AM <DIR> .
02/09/2012 10:26 AM <DIR> ..
02/09/2012 10:28 AM <DIR> BackEnv
02/09/2012 10:38 AM <DIR> LastRun
02/09/2012 10:31 AM <DIR> Quarantine
02/09/2012 10:35 AM <DIR> Test
02/09/2012 10:26 AM <DIR> TestC
0 File(s) 0 bytes

Directory of C:\QooBox\BackEnv

02/09/2012 10:28 AM <DIR> .
02/09/2012 10:28 AM <DIR> ..
02/09/2012 10:28 AM 286 AppData.folder.dat
02/09/2012 10:28 AM 404 Cache.folder.dat
02/09/2012 10:28 AM 194 Cookies.folder.dat
02/09/2012 10:28 AM 241 Desktop.folder.dat
02/09/2012 10:28 AM 178 Favorites.folder.dat
02/09/2012 10:28 AM 254 History.folder.dat
02/09/2012 10:28 AM 290 LocalAppData.folder.dat
02/09/2012 10:28 AM 281 LocalSettings.folder.dat
02/09/2012 10:28 AM 217 Music.folder.dat
02/09/2012 10:28 AM 92 NetHood.folder.dat
02/09/2012 10:28 AM 124 Personal.folder.dat
02/09/2012 10:28 AM 227 Pictures.folder.dat
02/09/2012 10:28 AM 150 PrintHood.folder.dat
02/09/2012 10:28 AM 306 Profiles.Folder.dat
02/09/2012 10:28 AM 512 Profiles.Folder.folder.dat
02/09/2012 10:28 AM 239 Programs.folder.dat
02/09/2012 10:28 AM 141 Recent.folder.dat
02/09/2012 10:28 AM 141 SendTo.folder.dat
02/09/2012 10:28 AM 7,232 SetPath.bat
02/09/2012 10:28 AM 148 StartMenu.folder.dat
02/09/2012 10:28 AM 341 StartUp.folder.dat
02/09/2012 10:27 AM 2,600 SysPath.dat
02/09/2012 10:28 AM 145 Templates.folder.dat
02/09/2012 10:28 AM 2,187 VikPev00
24 File(s) 16,930 bytes

Directory of C:\QooBox\LastRun

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM 0 CregC.old
02/09/2012 10:38 AM 0 d-del4AV.dat
02/09/2012 10:38 AM 270 drev_.dat
02/09/2012 10:38 AM 169 drev_F.dat
02/09/2012 10:26 AM 10 erunt.dat
02/09/2012 10:31 AM 13 Gateway
02/09/2012 10:36 AM 0 RenVDel.dat
02/09/2012 10:31 AM 117 SvcTarget.dat
02/09/2012 10:38 AM 33,034 zhsvc.old
9 File(s) 33,613 bytes

Directory of C:\QooBox\Quarantine

02/09/2012 10:31 AM <DIR> .
02/09/2012 10:31 AM <DIR> ..
02/09/2012 10:38 AM <DIR> C
02/09/2012 10:26 AM 51 catchme.log
02/09/2012 10:36 AM <DIR> Registry_backups
1 File(s) 51 bytes

Directory of C:\QooBox\Quarantine\C

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> Documents and Settings
08/20/2008 11:42 AM 8,720 Documents.vir
02/09/2012 10:38 AM <DIR> drvrtmp
02/09/2012 10:38 AM <DIR> WINDOWS
1 File(s) 8,720 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> All Users
02/09/2012 10:38 AM <DIR> Bob
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> Application Data
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> TEMP
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\TEMP

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Bob

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> Application Data
12/18/2008 04:36 PM 66,360 g2ax_customer_downloadhelper_win32_x86.exe.vir
12/28/2011 04:02 PM 60,304 g2mdlhlpx.exe.vir
07/08/2009 12:12 PM 103,720 GoToAssistDownloadHelper.exe.vir
02/09/2012 10:38 AM <DIR> WINDOWS
3 File(s) 230,384 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Bob\Application Data

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> .#
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Bob\Application Data\.#

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\Bob\WINDOWS

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\drvrtmp

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
12/30/2010 04:38 PM <DIR> drvrtmp
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\drvrtmp\drvrtmp

12/30/2010 04:38 PM <DIR> .
12/30/2010 04:38 PM <DIR> ..
12/30/2010 04:38 PM <DIR> Win2K
12/30/2010 04:38 PM <DIR> WinXP
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\drvrtmp\drvrtmp\Win2K

12/30/2010 04:38 PM <DIR> .
12/30/2010 04:38 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\drvrtmp\drvrtmp\WinXP

12/30/2010 04:38 PM <DIR> .
12/30/2010 04:38 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
02/09/2012 10:38 AM <DIR> SYSTEM32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32

02/09/2012 10:38 AM <DIR> .
02/09/2012 10:38 AM <DIR> ..
12/18/2009 05:04 PM 677,888 MailBee.dll.vir
12/23/2011 08:58 PM 172,032 muzapp.exe.vir
2 File(s) 849,920 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

02/09/2012 10:36 AM <DIR> .
02/09/2012 10:36 AM <DIR> ..
02/09/2012 10:36 AM 6,398 tcpip.reg
1 File(s) 6,398 bytes

Directory of C:\QooBox\Test

02/09/2012 10:35 AM <DIR> .
02/09/2012 10:35 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\TestC

02/09/2012 10:26 AM <DIR> .
02/09/2012 10:26 AM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
41 File(s) 1,146,016 bytes
65 Dir(s) 29,327,020,032 bytes free

#24 sempai

Posted 10 February 2012 - 09:29 PM

Please delete your copy of combofix and then download a new copy. Reboot your computer in safe mode and then run combofix from there, kindly monitor it while running and when it reboots your system while running... make sure to boot it again in safe mode to complete the process.
~Semp


#25 hammerinbb

Posted 12 February 2012 - 05:51 PM

After Combofix had scanned 50 sections, or whatever they were, I got a message that PEV.exe encountered a problem and must close. I hit Don't Send. After a few seconds, however, Combofix prepared a log. Here it is: (What is Pev.exe?)

ComboFix 12-02-12.01 - Administrator 02/12/2012 17:14:44.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1770 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\Application Data\.#
c:\documents and settings\Bob\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Bob\g2mdlhlpx.exe
c:\documents and settings\Bob\GoToAssistDownloadHelper.exe
c:\documents and settings\Bob\WINDOWS
C:\Documents
C:\drvrtmp
c:\windows\system32\MailBee.dll
c:\windows\system32\muzapp.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 21:50 . 2012-02-12 21:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2012-02-12 21:49 . 2012-02-12 21:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-09 15:06 . 2012-02-09 15:06 -------- d-----w- C:\_OTM
2012-02-03 14:25 . 2012-02-03 14:25 -------- d-----w- c:\documents and settings\Bob\Application Data\Windows Desktop Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 20:01 . 2011-05-24 20:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-24 01:58 . 2012-01-11 16:23 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-12-24 01:58 . 2011-12-24 01:58 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-12-24 01:58 . 2011-12-24 01:58 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-12-24 01:58 . 2011-12-24 01:58 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-12-24 01:58 . 2011-12-24 01:58 974848 ----a-w- c:\windows\system32\cis-2.4.dll
2011-12-24 01:58 . 2011-12-24 01:58 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2011-12-24 01:58 . 2011-12-24 01:58 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2011-12-24 01:58 . 2011-12-24 01:58 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2011-12-24 01:58 . 2011-12-24 01:58 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2011-12-24 01:58 . 2011-12-24 01:58 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2011-12-24 01:58 . 2011-12-24 01:58 569344 ----a-w- c:\windows\system32\muzdecode.ax
2011-12-24 01:58 . 2011-12-24 01:58 491520 ----a-w- c:\windows\system32\muzapp.dll
2011-12-24 01:58 . 2011-12-24 01:58 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2011-12-24 01:58 . 2011-12-24 01:58 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2011-12-24 01:58 . 2011-12-24 01:58 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2011-12-24 01:58 . 2011-12-24 01:58 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2011-12-24 01:58 . 2011-12-24 01:58 40960 ----a-w- c:\windows\system32\MAMACExtract.dll
2011-12-24 01:58 . 2011-12-24 01:58 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2011-12-24 01:58 . 2011-12-24 01:58 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2011-12-24 01:58 . 2011-12-24 01:58 245760 ----a-w- c:\windows\system32\MSCLib.dll
2011-12-24 01:58 . 2011-12-24 01:58 24576 ----a-w- c:\windows\system32\MASetupCleaner.exe
2011-12-24 01:58 . 2011-12-24 01:58 200704 ----a-w- c:\windows\system32\muzwmts.dll
2011-12-24 01:58 . 2011-12-24 01:58 155648 ----a-w- c:\windows\system32\MSFLib.dll
2011-12-24 01:58 . 2011-12-24 01:58 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-12-24 01:58 . 2011-12-24 01:58 14336 ----a-w- c:\windows\system32\avrt.dll
2011-12-24 01:58 . 2011-12-24 01:58 135168 ----a-w- c:\windows\system32\muzaf1.dll
2011-12-24 01:58 . 2011-12-24 01:58 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
2011-12-24 01:58 . 2011-12-24 01:58 122880 ----a-w- c:\windows\system32\muzeffect.ax
2011-12-24 01:58 . 2011-12-24 01:58 118784 ----a-w- c:\windows\system32\MaDRM.dll
2011-12-24 01:58 . 2011-12-24 01:58 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2011-12-24 01:58 . 2012-01-11 16:22 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2011-12-24 01:58 . 2012-01-11 16:22 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys
2011-12-24 01:58 . 2012-01-11 16:22 821824 ----a-w- c:\windows\system32\dgderapi.dll
2011-12-10 20:24 . 2010-12-13 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-08 04:22 . 2012-01-11 16:28 181432 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2011-12-08 04:22 . 2012-01-11 16:28 80184 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2011-11-25 21:57 . 2004-08-04 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 11:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 11:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 11:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 11:00 152064 ----a-w- c:\windows\system32\schannel.dll
2012-02-12 21:31 . 2011-04-27 14:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 19:59 1379352 ----a-w- c:\program files\Wisdom-soft\tbWisd.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
.
[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2006-03-02 684032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2009-02-06 4223232]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-10-02 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-03 15:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EzBackup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EzBackup Monitor.lnk
backup=c:\windows\pss\EzBackup Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Bob\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Yankee Clipper III.lnk]
path=c:\documents and settings\Bob\Start Menu\Programs\Startup\Yankee Clipper III.lnk
backup=c:\windows\pss\Yankee Clipper III.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsMon00]
2010-02-09 20:43 2621440 ------r- c:\program files\Browny02\Brother\BrStMonW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2008-12-24 14:26 114688 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2011-12-28 21:03 39816 ----a-w- c:\program files\Citrix\GoToMeeting\880\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 03:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2011-12-28 04:21 937360 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2011-12-28 04:21 21392 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2011-12-28 04:21 3508624 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 21:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 21:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 03:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-02-03 22:07 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2008-09-17 01:14 2065648 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=2 (0x2)
"MGABGEXE"=2 (0x2)
"McciCMService"=2 (0x2)
"LVSrvLauncher"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"BrYNSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"odserv"=3 (0x3)
"Matrox.Pdesk.ServicesHost"=2 (0x2)
"Matrox Centering Service"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"!SASCORE"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Quote.com\\QCharts 5.1\\QCharts.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DXDIAG.EXE"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Quote.com\\51021\\QCharts.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\QCharts\\winros.exe"=
"c:\\Program Files\\Brother\\Brmfl10c\\FAXRX.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteService.exe"=
"c:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteSetup.exe"=
"c:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteUI.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Documents and Settings\\Bob\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36867:TCP"= 36867:TCP:PORT_36867
"26176:TCP"= 26176:TCP:PORT_26176
"58411:TCP"= 58411:TCP:PORT_58411
"12916:TCP"= 12916:TCP:PORT_12916
"30059:TCP"= 30059:TCP:PORT_30059
"29741:TCP"= 29741:TCP:PORT_29741
"20715:TCP"= 20715:TCP:PORT_20715
"35317:TCP"= 35317:TCP:PORT_35317
"33497:TCP"= 33497:TCP:PORT_33497
"37171:TCP"= 37171:TCP:PORT_37171
"10654:TCP"= 10654:TCP:PORT_10654
"38446:TCP"= 38446:TCP:PORT_38446
"27641:TCP"= 27641:TCP:PORT_27641
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [9/7/2010 2:48 AM 32592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/7/2010 2:48 AM 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/7/2010 2:49 AM 295248]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 3:03 PM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 3:03 PM 67664]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 3:24 PM 136176]
S2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MRTRATE.SYS [1/17/2005 7:40 PM 36404]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\SYSTEM32\DRIVERS\ssudbus.sys [1/11/2012 11:28 AM 80184]
S3 G200;G200;c:\windows\SYSTEM32\DRIVERS\g200mini.sys [3/3/2007 12:43 PM 261120]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 3:24 PM 136176]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 12872]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\SYSTEM32\DRIVERS\ssudmdm.sys [1/11/2012 11:28 AM 181432]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/10/2010 8:02 AM 116608]
S4 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [7/2/2010 7:07 PM 245760]
S4 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2/6/2009 1:09 PM 1263872]
S4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2/6/2009 1:08 PM 344832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 20:24]
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 20:24]
.
2012-02-12 c:\windows\Tasks\User_Feed_Synchronization-{3A350F5B-B24E-4DC9-8AE9-F4088621E086}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email05.secureserver.net/Download.CAB
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://networksolutionsemailpopwizard.com/TrueSwitchEC.exe
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/d.html
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4da073b0&i=23&tp=ab&nt=1&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-12 17:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(212)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1532)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-02-12 17:34:00
ComboFix-quarantined-files.txt 2012-02-12 22:33
.
Pre-Run: 31,317,204,992 bytes free
Post-Run: 31,266,881,536 bytes free
.
- - End Of File - - A5FF66EE8CDAC0F072814B6528CA613F

#26 User is offline   hammerinbb 

  • Member
  • Group: Members
  • Posts: 24
  • Joined: 13-January 12

Posted 12 February 2012 - 05:52 PM

FYI, I rebooted in safe mode but after several minutes, nothing happened, so I rebooted in regular mode.

#27 User is offline   sempai 

  • noypi
  • Group: Malware Response Team
  • Posts: 5,161
  • Joined: 30-June 06
  • Gender:Male
  • Location:3 stars and a sun

Posted 13 February 2012 - 10:35 AM

Thanks, please do the following:


:step1: Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\WINDOWS\SYSTEM32\MMC.EXE
    c:\WINDOWS\SYSTEM32\DPNSVR.EXE
    c:\WINDOWS\SYSTEM32\DXDIAG.EXE
    c:\WINDOWS\SYSTEM32\FTP.EXE
    c:\WINDOWS\SYSTEM32\DPVSETUP.EXE

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



:step2: We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

KillAll::

FileLook::
c:\WINDOWS\SYSTEM32\MMC.EXE
c:\WINDOWS\SYSTEM32\DPNSVR.EXE
c:\WINDOWS\SYSTEM32\DXDIAG.EXE
c:\WINDOWS\SYSTEM32\FTP.EXE
c:\WINDOWS\SYSTEM32\DPVSETUP.EXE

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36867:TCP"=-
"26176:TCP"=-
"58411:TCP"=-
"12916:TCP"=-
"30059:TCP"=-
"29741:TCP"=-
"20715:TCP"=-
"35317:TCP"=-
"33497:TCP"=-
"37171:TCP"=-
"10654:TCP"=-
"38446:TCP"=-
"27641:TCP"=-

ClearJavaCache::



4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Semp

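An added example (my own code, not the helper's and not part of ComboFix) that parses the firewall-policy sections of a ComboFix log in the format shown above, separates GloballyOpenPorts entries whose only name is the generic PORT_<n> from named rules such as the Brother scanner entry, and emits the same Registry:: removal lines the CFScript in this post uses. The sample log is a constructed excerpt of the thread's log; the system32 check is a review heuristic I chose, not a rule from the thread.

```python
"""Flag unexplained GloballyOpenPorts entries in a ComboFix log.

Added example, not part of the thread or of ComboFix itself. The only
format assumption is the one visible in the log above: a section header in
square brackets, one value per line, and a lone "." closing each section.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted above (a few entries, not all).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"36867:TCP"= 36867:TCP:PORT_36867
"26176:TCP"= 26176:TCP:PORT_26176
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "36867:TCP"= 36867:TCP:PORT_36867   ->  port, protocol, display name
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$'
)
# "c:\\Program Files\\...\\app.exe"=   ->  path (ComboFix doubles the backslashes)
APP_RE = re.compile(r'^"(?P<path>.+)"=\s*$')

GLOBALLY_OPEN_PORTS_KEY = (
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
    r"\standardprofile\GloballyOpenPorts\List]"
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    name: str

    @property
    def generic_name(self) -> bool:
        # Nothing identifies which program opened the port: the rule's only
        # name is the placeholder PORT_<port>.
        return self.name.strip() == f"PORT_{self.port}"


def parse_firewall_policy(log_text: str) -> tuple[list[str], list[OpenPort]]:
    """Return (authorized application paths, open-port rules) from a ComboFix log."""
    apps: list[str] = []
    ports: list[OpenPort] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            key = header.group("key").lower()
            if "authorizedapplications" in key:
                section = "apps"
            elif "globallyopenports" in key:
                section = "ports"
            else:
                section = None
            continue
        if not line or line == ".":  # "." terminates a ComboFix section
            section = None
            continue
        if section == "ports" and (m := PORT_RE.match(line)):
            ports.append(OpenPort(int(m.group("port")), m.group("proto"), m.group("name")))
        elif section == "apps" and (m := APP_RE.match(line)):
            apps.append(m.group("path").replace("\\\\", "\\"))
    return apps, ports


def unexplained_open_ports(ports: list[OpenPort]) -> list[OpenPort]:
    """Open-port rules carrying only the generic PORT_<n> name."""
    return [p for p in ports if p.generic_name]


def system_dir_apps(apps: list[str]) -> list[str]:
    """Authorized applications under the Windows system directory, for manual review.

    Heuristic only: XP's default exceptions (sessmgr.exe, for instance) live
    there too, so this is a list to verify, not a list to delete.
    """
    return [a for a in apps if re.search(r"(?i)(%windir%|\\windows)\\system32\\", a)]


def cfscript_registry_section(ports: list[OpenPort]) -> str:
    """Registry:: block that deletes the given rules, in CFScript syntax ("name"=-)."""
    lines = ["Registry::", GLOBALLY_OPEN_PORTS_KEY]
    lines += [f'"{p.port}:{p.proto}"=-' for p in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    found_apps, found_ports = parse_firewall_policy(SAMPLE_LOG)
    print("system32 exceptions to verify:", system_dir_apps(found_apps))
    print(cfscript_registry_section(unexplained_open_ports(found_ports)))
```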

#28 User is offline   hammerinbb 

  • Member
  • Group: Members
  • Posts: 24
  • Joined: 13-January 12

Posted 14 February 2012 - 10:57 AM

The VirSCAN went without a hitch.

The ComboFix script went fine until rebooting, when I unexpectedly got a couple of dialogue boxes from AVG saying threats had been found:
c:\combofix\NIRCMD.EXE (or maybe .3xe)
c:\combofix\NIRCMDB.3xe
c:\combofix\CF28743.3xe

I chose to proceed with removing those threats. It required a reboot, which I did.

Upon rebooting I got another AVG message indicating that there was another threat: c:\programfiles\carbonite\carbonitebackup\carbonitesetup.exe and a note that 26 files were removed. When I clicked on "details" I found that among the 26 were files such as AVGEMCX.ex*:ENABLED:PERSONAL and CARBONITEUI.EXE*:ENABLED. Most of the files looked like legitimate executables for some of my programs. However, I couldn't see how to copy the details to send to you, although I have found it in AVG and could transcribe it all if you need it.

While in AVG, I found that it found two threats last night when it did its regular scan:

"";"C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\Cache\2\B0\8A3E8d01";"Virus found HTML/Framer";"Moved to Virus Vault"

"";"C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\Cache\A\1F\6E56Fd01";"Virus found HTML/Framer";"Moved to Virus Vault"

Here are the two log files you requested:
VirSCAN.org Scanned Report :
Scanned time : 2012/02/13 21:52:23 (EST)
Scanner results: Scanners did not find malware!
File Name : MMC.EXE
File Size : 1414656 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 682b5487811c86c8d7a5c86c34295599
SHA1 : af850e6fb865fb121e5642ff38b14e367b0155e3
Online report : http://r.virscan.org/60aa817daf1bb2d9ca5587823aa261bf

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120213131427 2012-02-13 0.38 -
AhnLab V3 2012.02.14.00 2012.02.14 2012-02-14 3.92 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.33 -
Arcavir 2011 201202091446 2012-02-09 3.67 -
Authentium 5.1.1 201202131923 2012-02-13 1.46 -
AVAST! 4.7.4 120213-2 2012-02-13 0.43 -
AVG 10.0.1405 2090/4808 2012-02-13 0.24 -
BitDefender 7.90123.7780593 7.41001 2012-02-14 4.04 -
ClamAV 0.97.3 14445 2012-02-14 0.45 -
Comodo 5.1 11515 2012-02-13 2.24 -
CP Secure 1.3.0.5 2012.02.14 2012-02-14 0.51 -
Dr.Web 7.0.0.11250 2012.02.12 2012-02-12 11.51 -
F-Prot 4.6.2.117 20120213 2012-02-13 0.89 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.24 -
Fortinet 4.3.388 15.206 2012-02-13 0.26 -
GData 22.3870 20120214 2012-02-14 5.50 -
ViRobot 20120211 2012.02.11 2012-02-11 0.41 -
Ikarus T3.1.32.20.0 2012.02.13.80475 2012-02-13 6.03 -
JiangMin 13.0.900 2012.01.31 2012-01-31 2.12 -
Kaspersky 5.5.10 2012.02.08 2012-02-08 0.30 -
KingSoft 2009.2.5.15 2012.2.13.14 2012-02-13 1.01 -
McAfee 5400.1158 6619 2012-02-13 10.68 -
Microsoft 1.8001 2012.02.14 2012-02-14 3.51 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.13 2012-02-13 2.60 -
Trend Micro 9.500-1005 8.774.07 2012-02-13 0.23 -
Quick Heal 11.00 2012.02.13 2012-02-13 1.50 -
Rising 20.0 23.97.00.02 2012-02-13 2.92 -
Sophos 3.28.1 4.74 2012-02-14 5.40 -
Sunbelt 3.9.2527.2 11542 2012-02-13 1.01 -
Symantec 1.3.0.24 20120213.002 2012-02-13 0.73 -
nProtect 20120213.03 11754821 2012-02-13 1.22 -
The Hacker 6.7.0.1 v00397 2012-02-13 0.79 -
VBA32 3.12.16.4 20120213.0728 2012-02-13 3.45 -
VirusBuster 5.4.1.7 14.1.216.0/78072642012-02-14 0.20 -


VirSCAN.org Scanned Report :
Scanned time : 2012/02/13 21:55:34 (EST)
Scanner results: Scanners did not find malware!
File Name : DPNSVR.EXE
File Size : 17920 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7e51f5bc7016acc4b7ca017a197d63fd
SHA1 : 58ad34bdc320e2c35f01142e38ff7298941a3739
Online report : http://r.virscan.org/c6bb4fc13c45df780e171de4ef1b84f9

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120213131427 2012-02-13 0.37 -
AhnLab V3 2012.02.14.00 2012.02.14 2012-02-14 5.21 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.29 -
Arcavir 2011 201202091446 2012-02-09 4.20 -
Authentium 5.1.1 201202131923 2012-02-13 1.49 -
AVAST! 4.7.4 120213-2 2012-02-13 0.18 -
AVG 10.0.1405 2090/4808 2012-02-13 0.28 -
BitDefender 7.90123.7780593 7.41001 2012-02-14 3.92 -
ClamAV 0.97.3 14445 2012-02-14 0.17 -
Comodo 5.1 11515 2012-02-13 2.31 -
CP Secure 1.3.0.5 2012.02.14 2012-02-14 0.20 -
Dr.Web 7.0.0.11250 2012.02.12 2012-02-12 11.96 -
F-Prot 4.6.2.117 20120213 2012-02-13 0.87 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 2.53 -
Fortinet 4.3.388 15.206 2012-02-13 0.22 -
GData 22.3870 20120214 2012-02-14 5.47 -
ViRobot 20120211 2012.02.11 2012-02-11 0.45 -
Ikarus T3.1.32.20.0 2012.02.13.80475 2012-02-13 5.45 -
JiangMin 13.0.900 2012.01.31 2012-01-31 2.42 -
Kaspersky 5.5.10 2012.02.08 2012-02-08 0.28 -
KingSoft 2009.2.5.15 2012.2.13.14 2012-02-13 0.95 -
McAfee 5400.1158 6619 2012-02-13 10.86 -
Microsoft 1.8001 2012.02.14 2012-02-14 4.61 -
NOD32 3.0.21 6841 2012-01-30 0.18 -
Panda 9.05.01 2012.02.13 2012-02-13 2.17 -
Trend Micro 9.500-1005 8.774.07 2012-02-13 0.26 -
Quick Heal 11.00 2012.02.13 2012-02-13 0.97 -
Rising 20.0 23.97.00.02 2012-02-13 2.82 -
Sophos 3.28.1 4.74 2012-02-14 4.81 -
Sunbelt 3.9.2527.2 11542 2012-02-13 1.82 -
Symantec 1.3.0.24 20120213.002 2012-02-13 0.35 -
nProtect 20120213.03 11754821 2012-02-13 1.59 -
The Hacker 6.7.0.1 v00397 2012-02-13 0.66 -
VBA32 3.12.16.4 20120213.0728 2012-02-13 3.27 -
VirusBuster 5.4.1.7 14.1.216.0/78072642012-02-14 0.24 -



VirSCAN.org Scanned Report :
Scanned time : 2012/02/14 08:54:24 (EST)
Scanner results: Scanners did not find malware!
File Name : DXDIAG.EXE
File Size : 1298432 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 06ac31bac1c7a6ec43a26730a3a11779
SHA1 : 0bca6df6756cd9f6888999b0bfd3fbb62cc8c6c8
Online report : http://r.virscan.org/de51eeddb806a801bbe8543cd4e9877a

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120214150239 2012-02-14 0.42 -
AhnLab V3 2012.02.14.00 2012.02.14 2012-02-14 4.43 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.19 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.41 -
Arcavir 2011 201202091446 2012-02-09 4.01 -
Authentium 5.1.1 201202140215 2012-02-14 1.57 -
AVAST! 4.7.4 120213-2 2012-02-13 0.39 -
AVG 10.0.1405 2090/4809 2012-02-14 0.24 -
BitDefender 7.90123.7776703 7.41004 2012-02-14 4.09 -
ClamAV 0.97.3 14453 2012-02-14 0.49 -
Comodo 5.1 11522 2012-02-14 2.15 -
CP Secure 1.3.0.5 2012.02.14 2012-02-14 0.48 -
Dr.Web 7.0.0.11250 2012.02.12 2012-02-12 11.48 -
F-Prot 4.6.2.117 20120213 2012-02-13 0.94 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.24 -
Fortinet 4.3.388 15.208 2012-02-13 0.28 -
GData 22.3872 20120214 2012-02-14 5.51 -
ViRobot 20120214 2012.02.14 2012-02-14 0.40 -
Ikarus T3.1.32.20.0 2012.02.14.80479 2012-02-14 5.21 -
JiangMin 13.0.900 2012.02.14 2012-02-14 2.17 -
Kaspersky 5.5.10 2012.02.08 2012-02-08 0.37 -
KingSoft 2009.2.5.15 2012.2.14.18 2012-02-14 0.94 -
McAfee 5400.1158 6619 2012-02-13 10.91 -
Microsoft 1.8001 2012.02.14 2012-02-14 3.43 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.13 2012-02-13 2.42 -
Trend Micro 9.500-1005 8.776.03 2012-02-13 0.22 -
Quick Heal 11.00 2012.02.13 2012-02-13 1.51 -
Rising 20.0 23.97.01.01 2012-02-14 2.90 -
Sophos 3.28.1 4.74 2012-02-14 4.75 -
Sunbelt 3.9.2527.2 11544 2012-02-14 2.08 -
Symantec 1.3.0.24 20120213.002 2012-02-13 0.64 -
nProtect 20120214.01 11739244 2012-02-14 1.98 -
The Hacker 6.7.0.1 v00397 2012-02-13 1.08 -
VBA32 3.12.16.4 20120214.0956 2012-02-14 3.60 -
VirusBuster 5.4.1.7 14.1.216.0/78072642012-02-14 0.18 -



VirSCAN.org Scanned Report :
Scanned time : 2012/02/14 08:57:00 (EST)
Scanner results: Scanners did not find malware!
File Name : FTP.EXE
File Size : 42496 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 0f91c0dbdd463a1f0fc13fab46522c87
SHA1 : 4112aa01c1484fef54718a4919a3a717b3ad990c
Online report : http://r.virscan.org/6e2ca0745c31de6e21456837a9aea0b9

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120214150239 2012-02-14 0.47 -
AhnLab V3 2012.02.14.00 2012.02.14 2012-02-14 7.26 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.19 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.28 -
Arcavir 2011 201202091446 2012-02-09 5.43 -
Authentium 5.1.1 201202140215 2012-02-14 1.76 -
AVAST! 4.7.4 120213-2 2012-02-13 0.25 -
AVG 10.0.1405 2090/4809 2012-02-14 0.46 -
BitDefender 7.90123.7776703 7.41004 2012-02-14 4.26 -
ClamAV 0.97.3 14453 2012-02-14 0.18 -
Comodo 5.1 11522 2012-02-14 2.17 -
CP Secure 1.3.0.5 2012.02.14 2012-02-14 0.22 -
Dr.Web 7.0.0.11250 2012.02.12 2012-02-12 11.77 -
F-Prot 4.6.2.117 20120213 2012-02-13 0.86 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 0.28 -
Fortinet 4.3.388 15.208 2012-02-13 0.26 -
GData 22.3872 20120214 2012-02-14 5.50 -
ViRobot 20120214 2012.02.14 2012-02-14 0.41 -
Ikarus T3.1.32.20.0 2012.02.14.80479 2012-02-14 4.97 -
JiangMin 13.0.900 2012.02.14 2012-02-14 2.08 -
Kaspersky 5.5.10 2012.02.08 2012-02-08 0.29 -
KingSoft 2009.2.5.15 2012.2.14.18 2012-02-14 0.98 -
McAfee 5400.1158 6619 2012-02-13 10.71 -
Microsoft 1.8001 2012.02.14 2012-02-14 3.64 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.13 2012-02-13 2.91 -
Trend Micro 9.500-1005 8.776.03 2012-02-13 0.20 -
Quick Heal 11.00 2012.02.13 2012-02-13 1.11 -
Rising 20.0 23.97.01.01 2012-02-14 2.77 -
Sophos 3.28.1 4.74 2012-02-14 4.89 -
Sunbelt 3.9.2527.2 11544 2012-02-14 0.80 -
Symantec 1.3.0.24 20120213.002 2012-02-13 0.59 -
nProtect 20120214.01 11739244 2012-02-14 1.46 -
The Hacker 6.7.0.1 v00397 2012-02-13 0.55 -
VBA32 3.12.16.4 20120214.0956 2012-02-14 3.14 -
VirusBuster 5.4.1.7 14.1.216.0/78072642012-02-14 0.18 -



VirSCAN.org Scanned Report :
Scanned time : 2012/02/14 08:59:08 (EST)
Scanner results: Scanners did not find malware!
File Name : DPVSETUP.EXE
File Size : 83456 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : ea36b806e30d927f70e24eaf545ccc17
SHA1 : 92ab07441979c65ddcde4e1d9a96c7cb20c756a0
Online report : http://r.virscan.org/0c22e22d2b86d3e061c14f72f4f606e7

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120214150239 2012-02-14 0.34 -
AhnLab V3 2012.02.14.00 2012.02.14 2012-02-14 5.80 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.18 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.27 -
Arcavir 2011 201202091446 2012-02-09 3.59 -
Authentium 5.1.1 201202140215 2012-02-14 1.48 -
AVAST! 4.7.4 120213-2 2012-02-13 0.18 -
AVG 10.0.1405 2090/4809 2012-02-14 0.25 -
BitDefender 7.90123.7776703 7.41004 2012-02-14 4.36 -
ClamAV 0.97.3 14453 2012-02-14 0.20 -
Comodo 5.1 11522 2012-02-14 2.21 -
CP Secure 1.3.0.5 2012.02.14 2012-02-14 0.22 -
Dr.Web 7.0.0.11250 2012.02.12 2012-02-12 12.71 -
F-Prot 4.6.2.117 20120213 2012-02-13 0.99 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 2.44 -
Fortinet 4.3.388 15.208 2012-02-13 0.28 -
GData 22.3872 20120214 2012-02-14 5.43 -
ViRobot 20120214 2012.02.14 2012-02-14 0.42 -
Ikarus T3.1.32.20.0 2012.02.14.80479 2012-02-14 5.52 -
JiangMin 13.0.900 2012.02.14 2012-02-14 2.17 -
Kaspersky 5.5.10 2012.02.08 2012-02-08 0.38 -
KingSoft 2009.2.5.15 2012.2.14.18 2012-02-14 0.98 -
McAfee 5400.1158 6619 2012-02-13 10.73 -
Microsoft 1.8001 2012.02.14 2012-02-14 3.58 -
NOD32 3.0.21 6841 2012-01-30 0.23 -
Panda 9.05.01 2012.02.13 2012-02-13 4.91 -
Trend Micro 9.500-1005 8.776.03 2012-02-13 0.27 -
Quick Heal 11.00 2012.02.13 2012-02-13 1.11 -
Rising 20.0 23.97.01.01 2012-02-14 2.72 -
Sophos 3.28.1 4.74 2012-02-14 6.66 -
Sunbelt 3.9.2527.2 11544 2012-02-14 0.96 -
Symantec 1.3.0.24 20120213.002 2012-02-13 0.43 -
nProtect 20120214.01 11739244 2012-02-14 1.66 -
The Hacker 6.7.0.1 v00397 2012-02-13 0.66 -
VBA32 3.12.16.4 20120214.0956 2012-02-14 4.97 -
VirusBuster 5.4.1.7 14.1.216.0/78072642012-02-14 0.29 -


---------------
ComboFix 12-02-12.01 - Bob 02/14/2012 9:42.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1203 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-12 21:50 . 2012-02-12 21:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2012-02-12 21:49 . 2012-02-12 21:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-09 15:06 . 2012-02-09 15:06 -------- d-----w- C:\_OTM
2012-02-03 14:25 . 2012-02-03 14:25 -------- d-----w- c:\documents and settings\Bob\Application Data\Windows Desktop Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 20:01 . 2011-05-24 20:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-24 01:58 . 2012-01-11 16:23 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-12-24 01:58 . 2011-12-24 01:58 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-12-24 01:58 . 2011-12-24 01:58 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-12-24 01:58 . 2011-12-24 01:58 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-12-24 01:58 . 2011-12-24 01:58 974848 ----a-w- c:\windows\system32\cis-2.4.dll
2011-12-24 01:58 . 2011-12-24 01:58 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2011-12-24 01:58 . 2011-12-24 01:58 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2011-12-24 01:58 . 2011-12-24 01:58 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2011-12-24 01:58 . 2011-12-24 01:58 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2011-12-24 01:58 . 2011-12-24 01:58 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2011-12-24 01:58 . 2011-12-24 01:58 569344 ----a-w- c:\windows\system32\muzdecode.ax
2011-12-24 01:58 . 2011-12-24 01:58 491520 ----a-w- c:\windows\system32\muzapp.dll
2011-12-24 01:58 . 2011-12-24 01:58 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2011-12-24 01:58 . 2011-12-24 01:58 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2011-12-24 01:58 . 2011-12-24 01:58 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2011-12-24 01:58 . 2011-12-24 01:58 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2011-12-24 01:58 . 2011-12-24 01:58 40960 ----a-w- c:\windows\system32\MAMACExtract.dll
2011-12-24 01:58 . 2011-12-24 01:58 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2011-12-24 01:58 . 2011-12-24 01:58 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2011-12-24 01:58 . 2011-12-24 01:58 245760 ----a-w- c:\windows\system32\MSCLib.dll
2011-12-24 01:58 . 2011-12-24 01:58 24576 ----a-w- c:\windows\system32\MASetupCleaner.exe
2011-12-24 01:58 . 2011-12-24 01:58 200704 ----a-w- c:\windows\system32\muzwmts.dll
2011-12-24 01:58 . 2011-12-24 01:58 155648 ----a-w- c:\windows\system32\MSFLib.dll
2011-12-24 01:58 . 2011-12-24 01:58 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-12-24 01:58 . 2011-12-24 01:58 14336 ----a-w- c:\windows\system32\avrt.dll
2011-12-24 01:58 . 2011-12-24 01:58 135168 ----a-w- c:\windows\system32\muzaf1.dll
2011-12-24 01:58 . 2011-12-24 01:58 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
2011-12-24 01:58 . 2011-12-24 01:58 122880 ----a-w- c:\windows\system32\muzeffect.ax
2011-12-24 01:58 . 2011-12-24 01:58 118784 ----a-w- c:\windows\system32\MaDRM.dll
2011-12-24 01:58 . 2011-12-24 01:58 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2011-12-24 01:58 . 2012-01-11 16:22 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2011-12-24 01:58 . 2012-01-11 16:22 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys
2011-12-24 01:58 . 2012-01-11 16:22 821824 ----a-w- c:\windows\system32\dgderapi.dll
2011-12-10 20:24 . 2010-12-13 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-08 04:22 . 2012-01-11 16:28 181432 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2011-12-08 04:22 . 2012-01-11 16:28 80184 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2011-11-25 21:57 . 2004-08-04 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 11:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 11:00 60416 ----a-w- c:\windows\system32\packager.exe
2012-02-12 21:31 . 2011-04-27 14:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\SYSTEM32\DPNSVR.EXE ---
Company: Microsoft Corporation
File Description: Microsoft DirectPlay8 Server
File Version: 5.03.2600.5512 (xpsp.080413-0845)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: dpnsvr.exe
File size: 17920
Created time: 2004-08-04 11:00
Modified time: 2008-04-14 00:12
MD5: 7E51F5BC7016ACC4B7CA017A197D63FD
SHA1: 58AD34BDC320E2C35F01142E38FF7298941A3739
.
.
--- c:\windows\SYSTEM32\DPVSETUP.EXE ---
Company: Microsoft Corporation
File Description: Microsoft DirectPlay Voice Test
File Version: 5.03.2600.5512 (xpsp.080413-0845)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: dpvsetup.exe
File size: 83456
Created time: 2004-08-04 11:00
Modified time: 2008-04-14 00:12
MD5: EA36B806E30D927F70E24EAF545CCC17
SHA1: 92AB07441979C65DDCDE4E1D9A96C7CB20C756A0
.
.
--- c:\windows\SYSTEM32\DXDIAG.EXE ---
Company: Microsoft Corporation
File Description: Microsoft DirectX Diagnostic Tool
File Version: 5.03.2600.5512 (xpsp.080413-0845)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: dxdiag.exe
File size: 1298432
Created time: 2004-08-04 11:00
Modified time: 2008-04-14 00:12
MD5: 06AC31BAC1C7A6EC43A26730A3A11779
SHA1: 0BCA6DF6756CD9F6888999B0BFD3FBB62CC8C6C8
.
.
--- c:\windows\SYSTEM32\FTP.EXE ---
Company: Microsoft Corporation
File Description: File Transfer Program
File Version: 5.1.2600.5512 (xpsp.080413-0852)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: ftp.exe
File size: 42496
Created time: 2004-08-04 11:00
Modified time: 2008-04-14 00:12
MD5: 0F91C0DBDD463A1F0FC13FAB46522C87
SHA1: 4112AA01C1484FEF54718A4919A3A717B3AD990C
.
.
--- c:\windows\SYSTEM32\MMC.EXE ---
Company: Microsoft Corporation
File Description: Microsoft Management Console
File Version: 5.2.3790.4136 (srv03_sp2_qfe.070821-1204)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: mmc.exe
File size: 1414656
Created time: 2004-08-04 11:00
Modified time: 2008-04-14 00:12
MD5: 682B5487811C86C8D7A5C86C34295599
SHA1: AF850E6FB865FB121E5642FF38B14E367B0155E3
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
.
[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 19:59 1379352 ----a-w- c:\program files\Wisdom-soft\tbWisd.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
.
[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
.
[HKEY_CLASSES_ROOT\clsid\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2006-03-02 684032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2009-02-06 4223232]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-10-02 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-03 15:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EzBackup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EzBackup Monitor.lnk
backup=c:\windows\pss\EzBackup Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Bob\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Yankee Clipper III.lnk]
path=c:\documents and settings\Bob\Start Menu\Programs\Startup\Yankee Clipper III.lnk
backup=c:\windows\pss\Yankee Clipper III.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsMon00]
2010-02-09 20:43 2621440 ------r- c:\program files\Browny02\Brother\BrStMonW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2008-12-24 14:26 114688 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2011-12-28 21:03 39816 ----a-w- c:\program files\Citrix\GoToMeeting\880\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 03:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2011-12-28 04:21 937360 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2011-12-28 04:21 21392 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2011-12-28 04:21 3508624 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 21:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 21:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 03:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-02-03 22:07 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2008-09-17 01:14 2065648 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2010-03-17 20:55 1565696 ----a-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"NetSvc"=2 (0x2)
"MGABGEXE"=2 (0x2)
"McciCMService"=2 (0x2)
"LVSrvLauncher"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"BrYNSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"odserv"=3 (0x3)
"Matrox.Pdesk.ServicesHost"=2 (0x2)
"Matrox Centering Service"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"!SASCORE"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Quote.com\\QCharts 5.1\\QCharts.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DXDIAG.EXE"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Quote.com\\51021\\QCharts.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\QCharts\\winros.exe"=
"c:\\Program Files\\Brother\\Brmfl10c\\FAXRX.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteService.exe"=
"c:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteSetup.exe"=
"c:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteUI.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Documents and Settings\\Bob\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [9/7/2010 2:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/7/2010 2:48 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [9/7/2010 2:49 AM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 3:03 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 3:03 PM 67664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MRTRATE.SYS [1/17/2005 7:40 PM 36404]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [8/19/2010 8:42 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [8/19/2010 8:42 PM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [8/19/2010 8:42 PM 16720]
R3 G200;G200;c:\windows\SYSTEM32\DRIVERS\g200mini.sys [3/3/2007 12:43 PM 261120]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 3:24 PM 136176]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\SYSTEM32\DRIVERS\ssudbus.sys [1/11/2012 11:28 AM 80184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 3:24 PM 136176]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 12872]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\SYSTEM32\DRIVERS\ssudmdm.sys [1/11/2012 11:28 AM 181432]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/10/2010 8:02 AM 116608]
S4 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [7/2/2010 7:07 PM 245760]
S4 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2/6/2009 1:09 PM 1263872]
S4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2/6/2009 1:08 PM 344832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 20:24]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-29 20:24]
.
2012-02-14 c:\windows\Tasks\User_Feed_Synchronization-{3A350F5B-B24E-4DC9-8AE9-F4088621E086}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/library/app/feedback/?Md5=3DC9256DA25BDFF582D7D46C59AD7112
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email05.secureserver.net/Download.CAB
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://networksolutionsemailpopwizard.com/TrueSwitchEC.exe
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\fue73tck.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/d.html
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4da073b0&i=23&tp=ab&nt=1&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 09:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1037992188-3050498942-1453969639-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1680)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\PDesk\PDKERNEL.DLL
c:\windows\system32\PDesk\PDTOOLS.DLL
c:\windows\system32\PDesk\PDRESENG.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG2012\avgnsx.exe
.
**************************************************************************
.
Completion time: 2012-02-14 10:05:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 15:05
ComboFix2.txt 2012-02-12 22:34
.
Pre-Run: 28,971,028,480 bytes free
Post-Run: 28,969,119,744 bytes free
.
- - End Of File - - 5C180AFA1FBE127A06D39124532519DE

BTW, I really appreciate your efforts here. Thank you.
Bob

#29 User is offline   sempai 


Posted 14 February 2012 - 11:17 AM

Hi,

Quote

The ComboFix script went fine until rebooting, when I unexpectedly got a couple of dialogue boxes from AVG saying threats had been found:
c:\combofix\NIRCMD.EXE (or maybe .3xe)
c:\combofix\NIRCMDB.3xe
c:\combofix\CF28743.3xe
AVG is targeting some ComboFix embedded files; this is not a new issue.

How's the PC running now?
~Semp


#30 User is offline   hammerinbb 

  • Member
  • Group: Members
  • Posts: 24
  • Joined: 13-January 12

Posted 15 February 2012 - 12:40 PM

It doesn't seem to spike and lock up as much, hardly at all the last couple of days. Except--and this may be unrelated--all of a sudden my thesaurus in Word is not working. It can't find any word options when I launch the thesaurus. Odd.

Do I take away from your very thorough troubleshooting that I had -- or did not have -- viruses or other malware on my computer?

Bob
