A dirty little bug is in my house

[jeffce]

Hi mnyyoungs,

I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click VirusTotal

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Config.Msi\89120.rbf
C:\Documents and Settings\Family\Downloads\PageRageSetup.exe


scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

 

[mnyyoungs]

C:\Config.Msi\89120.rbf -- ** Maximum size exceeded: you have tried to upload a file which is larger than 20MB**

 

[mnyyoungs]

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: b2770db7f4935c810f7dd5ccf69791a9
Date first seen: 2011-07-23 01:14:08 (UTC)
Date last seen: 2011-09-08 22:57:32 (UTC)
Detection ratio: 10/44

What do you wish to do?
Reanalyse View last report

Antivirus Version Last Update Result
AhnLab-V3 2011.09.08.01 2011.09.08 -
AntiVir 7.11.14.152 2011.09.08 -
Antiy-AVL 2.0.3.7 2011.09.08 -
Avast 4.8.1351.0 2011.09.08 -
Avast5 5.0.677.0 2011.09.08 -
AVG 10.0.0.1190 2011.09.09 -
BitDefender 7.2 2011.09.09 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.09.08 -
ClamAV 0.97.0.0 2011.09.09 -
Commtouch 5.3.2.6 2011.09.09 -
Comodo 10043 2011.09.08 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.09.09 -
Emsisoft 5.1.0.11 2011.09.08 Trojan.Agent3!IK
eSafe 7.0.17.0 2011.09.07 -
eTrust-Vet 36.1.8547 2011.09.08 -
F-Prot 4.6.2.117 2011.09.09 -
F-Secure 9.0.16440.0 2011.09.09 -
Fortinet 4.3.370.0 2011.09.08 -
GData 22 2011.09.08 -
Ikarus T3.1.1.107.0 2011.09.08 Trojan.Agent3
Jiangmin 13.0.900 2011.09.08 -
K7AntiVirus 9.112.5108 2011.09.08 Adware
Kaspersky 9.0.0.837 2011.09.08 -
McAfee 5.400.0.1158 2011.09.08 Artemis!B2770DB7F493
McAfee-GW-Edition 2010.1D 2011.09.08 Artemis!B2770DB7F493
Microsoft 1.7604 2011.09.08 -
NOD32 6448 2011.09.09 probably a variant of Win32/Adware.HFXSRJX
Norman 6.07.11 2011.09.08 W32/Agent.VBAZ.dropper
nProtect 2011-09-08.02 2011.09.08 -
Panda 10.0.3.5 2011.09.08 -
PCTools 8.0.0.5 2011.09.08 -
Prevx 3.0 2011.09.09 -
Rising 23.74.02.03 2011.09.07 -
Sophos 4.69.0 2011.09.09 -
SUPERAntiSpyware 4.40.0.1006 2011.09.09 -
Symantec 20111.2.0.82 2011.09.08 -
TheHacker 6.7.0.1.291 2011.09.08 -
TrendMicro 9.500.0.1008 2011.09.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.09 -
VBA32 3.12.16.4 2011.09.08 Adware.Yontoo.a
VIPRE 10413 2011.09.08 Yontoo (v)
ViRobot 2011.9.8.4663 2011.09.08 -
VirusBuster 14.0.204.1 2011.09.08 -
Additional information
Show all
MD5 : b2770db7f4935c810f7dd5ccf69791a9
SHA1 : 7bdfe18dedeb58e79522e325ba58fef7c3993ec0
SHA256: fdb9b313700faac8370ff779c930c2977a3c8080bf743b3c8826992b731390dc
ssdeep: 12288:NI7Omj7TPjx9kfwgB6kYSoSeTSyrdrfM6hEOAccBornce61pOy5VmxuCk:GvTr0fzANSa
Q2EuapOfLk
File size : 670976 bytes
First seen: 2011-07-23 01:14:08
Last seen : 2011-09-08 22:57:32
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Yontoo LLC
copyright....: Copyright (c) 2011 Yontoo LLC. All rights reserved.
product......: Yontoo Layers Runtime
description..: Installer
original name: n/a
internal name: TSULoader
file version.: 2011.7.20.1540
comments.....: WinNT (x86) Unicode
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1627
timedatestamp....: 0x4C6DB95D (Thu Aug 19 23:08:13 2010)
machinetype......: 0x14C (Intel I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1DB6, 0x1E00, 6.49, 7508f33e50f18a2454cd55b62913deee
.rdata, 0x3000, 0x90E, 0xA00, 4.3, d71c5473f843570f56b8eab5487551ac
.data, 0x4000, 0x8, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e
.rsrc, 0x5000, 0x1F0C, 0x2000, 4.4, b1e195d753eb6b16e975204ea83b8a64
.reloc, 0x7000, 0x154, 0x200, 3.22, 44d995d95911f517ba48d8fef2897b8b

[[ 4 import(s) ]]
kernel32.dll: HeapAlloc, HeapFree, OutputDebugStringW, CloseHandle, GetExitCodeProcess, GetLastError, lstrlenW, lstrcpynW, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, CreateFileMappingW, GetFileSize, CreateFileW, GetCommandLineW, ExitProcess, Sleep, DeleteFileW, SetFileAttributesW, GetFileAttributesW, lstrcatW, GetTempPathW, GetModuleHandleW, GetModuleFileNameW, GetSystemInfo, GetProcAddress, GetModuleHandleA, GetVersionExW, GetCurrentProcessId, GetProcessHeap, ReadFile, WriteFile, SetFileTime, SetFilePointer
shell32.dll: ShellExecuteExW
user32.dll: MessageBoxW, wvsprintfW, PeekMessageW, DispatchMessageW, TranslateMessage, MsgWaitForMultipleObjects, wsprintfW
version.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
Androguard:
-
ExifTool:
file metadata
FileSize: 655 kB
FileType: DOS EXE
MIMEType: application/octet-stream
Symantec reputation:Suspicious.Insight

VT Community

1

User:
Anonymous
Reputation:
1 credits
Comment date:
2011-08-07 18:17:30 (UTC)
THIS IS A REALLY BAD FILE, THESE PEEPS ARE NOTHING MORE THAN SCAMMERS TRYING TO HARM YOU!
Tags: Malware, yontoo, artemis, b2770db7f493

 

[mnyyoungs]

C:\Config.Msi\89120.rbf -- ** Maximum size exceeded: you have tried to upload a file which is larger than 20MB**

this file is 36MB...please advise AND THANK YOU!!!!!

 

[jeffce]

Hi mnyyoungs,

Let's use MediaFire.

Please go here and we can take a look at that file.

Click on the large grey folder > Press the small + symbol and browse to where you have that file saved > select Open > press Begin Upload > select Copy Link and then copy and paste that link into your next reply. I can get it from there.

Let me know if you have any problems with that.

 

[mnyyoungs]

http://www.mediafire.com/?tglj18v8585s5v5

 

[jeffce]

Hi mnyyoungs,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

  File::
  C:\Config.Msi\89120.rbf 
  C:\Documents and Settings\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc 
  C:\Documents and Settings\Family\Downloads\PageRageSetup.exe 
  C:\Program Files\AVG\AVG2012\avgrsx.exe 
  C:\Program Files\Google\Chrome\Application\15.0.874.106\Installer\setup.exe 
  C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe 
  C:\TDSSKiller_Quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta 
  C:\Users\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc 
  C:\Users\Family\Downloads\PageRageSetup.exe 
  C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

 

[mnyyoungs]

I am running this set of instructions now. However, something is corrupt with the AVG. It it not allowing me to uninstall the program OR disable it...I'll post the results shortly.

 

[mnyyoungs]

Part 1

ComboFix 11-11-14.02 - Family 14/11/2011 18:17:18.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1033 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\config.msi\89120.rbf"
"c:\documents and settings\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc"
"c:\documents and settings\Family\Downloads\PageRageSetup.exe"
"c:\program files\AVG\AVG2012\avgrsx.exe"
"c:\program files\Google\Chrome\Application\15.0.874.106\Installer\setup.exe"
"c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
"c:\tdsskiller_quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta"
"c:\users\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc"
"c:\users\Family\Downloads\PageRageSetup.exe"
"c:\windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.1845"
.
.
((((((((((((((((((((((((( Files Created from 2011-10-14 to 2011-11-14 )))))))))))))))))))))))))))))))
.
.
2011-11-14 23:40 . 2011-11-14 23:41 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-14 23:40 . 2011-11-14 23:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-10-31 192776]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-10-31 246600]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.

 

[mnyyoungs]

Part 2

------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-14 18:41
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
Completion time: 2011-11-14 18:46:42
ComboFix-quarantined-files.txt 2011-11-14 23:46
ComboFix2.txt 2011-11-09 01:02
.
Pre-Run: 54,251,012,096 bytes free
Post-Run: 54,177,079,296 bytes free
.
- - End Of File - - 6638062CFCC0A2CA4BAB1C28A42BAA51

 

[jeffce]

Hi mnyyoungs,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

I would like you to take the following steps:

• Click Start then Run type Notepad and click Ok
• Copy and Paste the contents of the Code box below into Notepad
  
  

  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass]
  "DisplayName"="Keyboard Class Driver"
  "Group"="Keyboard Class"
  "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,\
  00,73,00,73,00,2e,00,73,00,79,00,73,00,00,00
  "ErrorControl"=dword:00000001
  "Start"=dword:00000001
  "Type"=dword:00000001
  "Tag"=dword:00000002
  
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters]
  "ConnectMultiplePorts"=dword:00000000
  "KeyboardDataQueueSize"=dword:00000064
  "KeyboardDeviceBaseName"="KeyboardClass"
  "MaximumPortsServiced"=dword:00000003
  "SendOutputToAllPorts"=dword:00000001
  
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Enum]
  "0"="Root\\RDP_KBD\\0000"
  "Count"=dword:00000002
  "NextInstance"=dword:00000002
  "1"="ACPI\\PNP0303\\4&19f4fe01&0"

• Save as regfix.reg to your Desktop
• Make sure to save file type as All Files
• Now right-click regfix.reg and select Merge

-----------

• Right-click and Run as Administrator SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :reg
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
--------------------

Is your keyboard working again?

 

[mnyyoungs]

No keyboard not working still...so I'm mousing it or cutting and pasting letters from the various notepad files.

SystemLook 30.07.11 by jpshortstuff
Log created at 10:32 on 16/11/2011 by Family
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
"DisplayName"="Keyboard Class Driver"
"Group"="Keyboard Class"
"ImagePath"="system32\DRIVERS\kbdclass.sys"
"ErrorControl"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"Type"= 0x0000000001 (1)
"Tag"= 0x0000000002 (2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass\Parameters]


-= EOF =-

 

[jeffce]

Hi mnyyoungs,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

  FCopy::
  C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys | C:\Windows\System32\DRIVERS\kbdclass.sys

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

Try the keyboard now. Is it working?

 

[mnyyoungs]

Jeff, how are we coming on this process..just a check in...I am finding it facilitating....albeit frustrating, at times, too! lol Here is the combofix report from your last post....AND I have a working KEYBOARD! My computer thank you and want's to know if you'll marry it!!!!! lol...

ComboFix 11-11-14.02 - Family 16/11/2011 21:11:51.9.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1136 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys --> c:\windows\System32\DRIVERS\kbdclass.sys
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-17 02:32 . 2011-11-17 02:33 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-17 02:32 . 2011-11-17 02:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-17 02:06 . 2011-11-17 02:06 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\offreg.dll
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-16 15:22 . 2011-11-16 15:22 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-11-16 15:22 . 2011-11-16 15:22 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-11-16 15:22 . 2011-11-16 15:22 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-11-16 15:22 . 2011-11-16 15:22 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-11-16 15:22 . 2011-11-16 15:22 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-11-16 15:22 . 2011-11-16 15:22 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-11-16 15:22 . 2011-11-16 15:22 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-11-16 15:22 . 2011-11-16 15:22 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-11-16 15:22 . 2011-11-16 15:22 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-11-16 15:22 . 2011-11-16 15:22 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-11-16 15:22 . 2011-11-16 15:22 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-11-16 15:22 . 2011-11-16 15:22 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-11-16 15:21 . 2011-11-16 15:21 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-11-16 15:21 . 2011-11-16 15:21 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-11-16 15:21 . 2011-11-16 15:21 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-11-16 15:21 . 2011-11-16 15:21 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-11-16 15:21 . 2011-11-16 15:21 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNzYxOTIwNjE3LUZMMTArMS1ERFQrMjM4NDAtVFVHKzMtREQxMEYrMS1TVDEwRkFQUCsxLUYxME0xMkFOKzItRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEw" [?]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
S4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-16 21:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
Completion time: 2011-11-16 21:38:13
ComboFix-quarantined-files.txt 2011-11-17 02:38
ComboFix2.txt 2011-11-14 23:46
ComboFix3.txt 2011-11-09 01:02
.
Pre-Run: 54,547,578,880 bytes free
Post-Run: 53,052,522,496 bytes free
.
- - End Of File - - 1D30503FAD01C21A35046BBA7619DA4D

 

[jeffce]

Hi mnyyoungs,

LOL!! Glad that you have your keyboard back. This has really been a team effort.

Here is the AVG uninstall tool to help with the removal of AVG. Usually AVG is bad about leaving behind bits and pieces of itself on a computer. After you have downloaded the tool please right-click and run the program.
---------------

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

  DDS::
  Trusted Zone: internet
  Trusted Zone: mcafee.com
  
  ReglockDel::
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

 

[mnyyoungs]

Have we solved the RootKit/virus problem? My apologies if you are busy and haven't gotten back to it. Have a great Saturday!

 

[jeffce]

Hi mnyyoungs,

No need to apologize. It seems like the main infection has been neutralized yes. Were you able to run ComboFix with the fix I previously gave instructions for? If so please post the log that was created. I hope you are having a great Saturday as well!!

 

[mnyyoungs]

Please advise, Combo Fix states that there is a newer version and that it has expired. I've tried removing and downloading again, but get the same messages. Thank you!

 

[jeffce]

Hi mnyyoungs,

Go ahead and delete your copy of ComboFix using right-click > delete and then download a fresh copy from
Link 1
Link 2

If you still have problems please let me know.

 

[mnyyoungs]

here it is in 2 parts....

ComboFix 11-11-20.01 - Family 20/11/2011 9:50.10.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1214 [GMT -5:00]
Running from: c:\users\Family\Downloads\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-20 15:11 . 2011-11-20 15:15 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-20 15:11 . 2011-11-20 15:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.