
Author Topic: System process taking up 100% CPU usage....  (Read 17393 times)


singher

    Topic Starter


    Greenhorn

    System process taking up 100% CPU usage....
    « on: August 14, 2010, 11:30:06 PM »
    Help! I've noticed that when I start Windows my CPU usage goes up to 100% for some time.... and as soon as I start internet explorer it rarely comes back down (same problem with Mozilla)...

    There are usually 2 iexplore processes running in the task manager and both of them combined with the 'system' process really slow down my computer, constantly taking up 100% usage especially with some sites like YouTube..... I can't understand why this is happening....

    Does this normally happen with flash sites..... or is there a way out....

    LOGS

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/15/2010 at 01:14 AM

    Application Version : 4.41.1000

    Core Rules Database Version : 5358
    Trace Rules Database Version: 3170

    Scan type       : Quick Scan
    Total Scan Time : 00:39:24

    Memory items scanned      : 551
    Memory threats detected   : 0
    Registry items scanned    : 1751
    Registry threats detected : 15
    File items scanned        : 45444
    File threats detected     : 22

    Adware.HotBar/ShopperReports (Low Risk)
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{100EB1FD-D03E-47FD-81F3-EE91287F9465}
       HKCR\CLSID\{100EB1FD-D03E-47FD-81F3-EE91287F9465}

    Adware.RX Toolbar
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
       HKCR\CLSID\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}

    Trojan.Media-Codec
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{96EBBE6A-2864-4345-B32B-26EE9BE524B5}
       HKCR\CLSID\{96EBBE6A-2864-4345-B32B-26EE9BE524B5}
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE18DA4E-BE15-4925-81BB-890C04AF0200}
       HKCR\CLSID\{AE18DA4E-BE15-4925-81BB-890C04AF0200}
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{96EBBE6A-2864-4345-B32B-26EE9BE524B5}

    Adware.SystemProcess
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB}
       HKCR\CLSID\{C2EEB4FA-B6D6-41B9-9CFA-ABA87F862BCB}

    Adware.Zango/ShoppingReport
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2}
       HKCR\CLSID\{C5428486-50A0-4A02-9D20-520B59A9F9B2}
       HKU\S-1-5-21-1935655697-1580436667-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}
       HKCR\CLSID\{C5428486-50A0-4A02-9D20-520B59A9F9B3}

    Malware.SpywareNuker
       C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS

    Application.PowerReg Scheduler
       C:\WINDOWS\PSS\POWERREG SCHEDULER V3.EXESTARTUP

    Adware.Tracking Cookie
       C:\Documents and Settings\Admin\Cookies\admin@fastclick[1].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
       C:\Documents and Settings\Admin\Cookies\admin@atdmt[1].txt
       C:\Documents and Settings\Admin\Cookies\admin@zedo[2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
       C:\Documents and Settings\Admin\Cookies\admin@serving-sys[2].txt
       C:\Documents and Settings\Admin\Cookies\admin@kontera[2].txt
       C:\Documents and Settings\Admin\Cookies\admin@interclick[2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][3].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][1].txt
       C:\Documents and Settings\Admin\Cookies\[email protected][2].txt


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4429

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/15/2010 2:12:02 AM
    mbam-log-2010-08-15 (02-12-02).txt

    Scan type: Quick scan
    Objects scanned: 151723
    Time elapsed: 7 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 19
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 6
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{700016cf-23e4-16cb-9f2e-730a000091e1} (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AXPSHOOK11 (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AxPsHook11 (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AXPSHOOK11 (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AxPsHook11 (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\w32id (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\xml2u (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Admin\Application Data\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\res2 (Adware.ShopperReports) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\ustart.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:46:06 AM, on 8/15/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\AVG\AVG9\avgchsvx.exe
    D:\Program Files\AVG\AVG9\avgrsx.exe
    D:\Program Files\AVG\AVG9\avgcsrvx.exe
    D:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Airtel NetXpert\bin\sprtsvc.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Airtel NetXpert\bin\tgsrvc.exe
    D:\PROGRA~1\AVG\AVG9\avgtray.exe
    D:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Airtel NetXpert\bin\sprtcmd.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    D:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Sunaina Ji\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Documents and Settings\Sunaina Ji\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    D:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
    D:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    D:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\TrendMicro\HijackThis\Trend Micro\HiJackThis\sniper.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.51.174.152:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] D:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [netxpert] "C:\Program Files\Airtel NetXpert\bin\sprtcmd.exe" /P netxpert
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "D:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sunaina Ji\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [EA Core] "D:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - Startup: Product Registration.lnk = C:\Program Files\Common Files\LogiShared\eReg\SetPoint\eReg.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138278269546
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2169162C-B377-4C9F-815E-617F58AF797D}: NameServer = 202.56.215.54,202.56.215.55
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2169162C-B377-4C9F-815E-617F58AF797D}: NameServer = 202.56.215.54,202.56.215.55
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2169162C-B377-4C9F-815E-617F58AF797D}: NameServer = 202.56.215.54,202.56.215.55
    O17 - HKLM\System\CS3\Services\Tcpip\..\{2169162C-B377-4C9F-815E-617F58AF797D}: NameServer = 202.56.215.6,202.56.230.6
    O17 - HKLM\System\CS4\Services\Tcpip\..\{2169162C-B377-4C9F-815E-617F58AF797D}: NameServer = 202.56.215.54,202.56.215.55
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: 
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - D:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Google Update Service (gupdate1c8e7d52f7d6ca) (gupdate1c8e7d52f7d6ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - D:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: SupportSoft Sprocket Service (netxpert) (sprtsvc_netxpert) - SupportSoft, Inc. - C:\Program Files\Airtel NetXpert\bin\sprtsvc.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - D:\Program Files\Tall Emu\Online Armor\oasrv.exe
    O23 - Service: SupportSoft Repair Service (netxpert) (tgsrvc_netxpert) - SupportSoft, Inc. - C:\Program Files\Airtel NetXpert\bin\tgsrvc.exe
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD File Management Engine (WDFME) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
    O23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe

    --
    End of file - 12897 bytes

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: System process taking up 100% CPU usage....
    « Reply #1 on: August 16, 2010, 05:16:44 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    *************************************************
    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    *************************************************

    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

    **************************************************
    Download ComboFix by sUBs from one of the below links. 

    Important! You MUST save ComboFix to your desktop

    link # 1
    Link # 2

    Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click on ComboFix.exe & follow the prompts.

    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    When the scan completes it will open a text window.
     
    Post the contents of that log in your next reply.

    Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

    Windows 8 and Windows 10 dual boot with two SSD's
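The reply above asks the poster to tick specific HijackThis entries and "Fix checked". Below is an added example, not code from this thread and not part of HijackThis itself: a small Python parser for HijackThis-format log lines that does the mechanical half of that triage, picking out entries whose target file is gone ("(no file)" or "(file missing)") and merging them with a hand-chosen list of markers for entries a helper has decided to remove for other reasons (such as the TkBellExe and Messenger lines in the reply). The sample log lines are constructed from entries quoted in this thread; the function names, the `ORPHAN_MARKERS` tuple and the `manual_markers` argument are this example's own and are not HijackThis terminology. Deciding what belongs on the manual list is still the helper's judgement; the code only makes sure the lines handed back match the log exactly.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed sample: a few HijackThis lines of the kinds seen in the thread
# (O2 BHO, O4 Run, O9 Extra button, O20 Winlogon Notify, O23 Service).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Strings HijackThis prints when the referenced file does not exist on disk.
# Assumption of this example: these two markers are the ones worth flagging.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str   # e.g. "O2"
    body: str      # everything after "O2 - "
    raw: str       # the full line, exactly as HijackThis shows it

    @property
    def is_orphan(self) -> bool:
        """True when the entry points at a file that no longer exists."""
        return any(marker in self.body for marker in ORPHAN_MARKERS)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the entry lines of a HijackThis log into HjtEntry objects.

    Header lines ("Logfile of Trend Micro HijackThis...", the process list)
    do not match ENTRY_RE and are skipped.
    """
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append(HjtEntry(match.group("section"), match.group("body"), line))
    return entries


def section_counts(text: str) -> Dict[str, int]:
    """How many entries each section (O2, O4, O23, ...) has; useful for a first glance."""
    counts: Dict[str, int] = {}
    for entry in parse_hjt(text):
        counts[entry.section] = counts.get(entry.section, 0) + 1
    return counts


def orphan_entries(text: str) -> List[str]:
    """Raw lines whose target file is missing; these are leftovers from removed software."""
    return [entry.raw for entry in parse_hjt(text) if entry.is_orphan]


def lines_to_fix(text: str, manual_markers: Sequence[str] = ()) -> List[str]:
    """Build the exact list of lines to tick in 'Do a system scan only'.

    Orphaned entries are included automatically; any entry containing one of
    manual_markers (a substring such as "[TkBellExe]" or "msmsgs.exe") is
    included because the helper chose it. Order follows the log so the list
    can be compared against the HijackThis window line by line.
    """
    chosen: List[str] = []
    for entry in parse_hjt(text):
        if entry.is_orphan or any(marker in entry.raw for marker in manual_markers):
            chosen.append(entry.raw)
    return chosen


if __name__ == "__main__":
    print("Entries per section:", section_counts(SAMPLE_HJT_LOG))
    print("Lines to check in HijackThis:")
    for line in lines_to_fix(SAMPLE_HJT_LOG, ["[TkBellExe]", "msmsgs.exe"]):
        print("  ", line)
```

Run it on a saved HijackThis log by replacing `SAMPLE_HJT_LOG` with the file's contents; the printed lines can then be matched one-for-one against the entries shown in HijackThis before anything is fixed.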

    singher

      Topic Starter


      Greenhorn

      Re: System process taking up 100% CPU usage....
      « Reply #2 on: August 17, 2010, 12:08:44 AM »
      Hi Dave! Really appreciate the help. I followed the steps and here are the results:

      Results of screen317's Security Check version 0.99.5 
       Windows XP Service Pack 3 
       Internet Explorer 8 
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Disabled! 
       AVG Free 9.0   
       Online Armor 4.0   
       Antivirus up to date! 
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Malwarebytes' Anti-Malware   
       CCleaner     
       Adobe Flash Player 10.1.53.64 
      Adobe Reader 8.2.3
      Out of date Adobe Reader installed!
       Mozilla Firefox (3.6.6) Firefox Out of Date! 
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       AVG avgwdsvc.exe
       AVG avgtray.exe
       AVG avgrsx.exe
       AVG avgnsx.exe
       AVG avgemc.exe
       Tall Emu Online Armor OAcat.exe
       Tall Emu Online Armor oasrv.exe
       Tall Emu Online Armor oaui.exe
       Tall Emu Online Armor OAhlp.exe
      ````````````````````````````````
      DNS Vulnerability Check:

       Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

      ``````````End of Log````````````



      ComboFix 10-08-16.03 - Sunaina Ji 08/17/2010  11:31:29.1.1 - FAT32x86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2039.1418 [GMT 5.5:30]
      Running from: c:\documents and settings\Sunaina Ji\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
      c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
      c:\windows\desktop
      c:\windows\system32\Process.exe
      c:\windows\system32\SrchSTS.exe
      c:\windows\system32\system.dat
      c:\windows\system32\tmp.reg

      ----- BITS: Possible infected sites -----

      hxxp://netxpert.airtelbroadband.in
      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_NDISRD


      (((((((((((((((((((((((((   Files Created from 2010-07-17 to 2010-08-17  )))))))))))))))))))))))))))))))
      .

      2010-08-15 05:12 . 2010-08-15 05:12   388096   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2010-08-15 05:12 . 2010-08-15 05:12   --------   d-----w-   c:\program files\TrendMicro
      2010-08-14 20:32 . 2010-08-14 20:32   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Malwarebytes
      2010-08-14 20:31 . 2010-04-29 10:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-08-14 20:31 . 2010-08-14 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-08-14 20:31 . 2010-04-29 10:09   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-08-14 19:49 . 2010-08-14 19:49   --------   d-----w-   C:\FOUND.008
      2010-08-14 19:02 . 2010-08-14 19:02   63488   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
      2010-08-14 19:02 . 2010-08-14 19:02   52224   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-08-14 19:02 . 2010-08-14 19:02   117760   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-08-14 19:01 . 2010-08-14 19:01   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com
      2010-08-14 19:01 . 2010-08-14 19:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2010-08-14 19:01 . 2010-08-14 19:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-08-14 17:38 . 2010-08-14 17:38   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\OnlineArmor
      2010-08-14 17:38 . 2010-08-14 17:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
      2010-08-08 17:16 . 2010-08-08 17:16   --------   d-----w-   c:\program files\TOEFL Official Guide
      2010-08-08 17:16 . 2010-08-08 17:16   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\M-HTOEFL
      2010-08-07 17:19 . 2010-08-07 17:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      2010-08-07 17:17 . 2010-08-07 17:17   --------   d-----w-   c:\program files\QuickTime
      2010-08-07 17:14 . 2010-08-07 17:14   --------   d-----w-   c:\program files\Bonjour
      2010-08-07 08:53 . 2010-08-07 08:53   503808   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-65bfe8db-n\msvcp71.dll
      2010-08-07 08:53 . 2010-08-07 08:53   499712   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-65bfe8db-n\jmc.dll
      2010-08-07 08:53 . 2010-08-07 08:53   12800   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-63bc1f3f-n\decora-d3d.dll
      2010-08-07 08:53 . 2010-08-07 08:53   61440   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-63bc1f3f-n\decora-sse.dll
      2010-08-07 08:53 . 2010-08-07 08:53   348160   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-65bfe8db-n\msvcr71.dll
      2010-07-27 06:30 . 2010-07-27 06:30   8462336   ------w-   c:\windows\system32\dllcache\shell32.dll
      2010-07-23 12:13 . 2010-07-23 12:13   198448   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
      2010-07-21 11:00 . 2010-07-21 11:00   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
      2010-07-20 12:49 . 2010-07-20 12:49   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Logitech
      2010-07-20 12:49 . 2010-07-20 12:49   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Leadertech
      2010-07-20 12:49 . 2010-07-20 12:49   10134   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
      2010-07-20 12:49 . 2010-07-20 12:49   --------   d-----w-   c:\program files\Common Files\LogiShared
      2010-07-20 12:48 . 2010-07-20 12:48   10134   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}\ARPPRODUCTICON.exe
      2010-07-20 12:48 . 2007-04-11 10:02   20496   ----a-w-   c:\windows\system32\drivers\L8042Kbd.sys
      2010-07-20 12:48 . 2007-04-11 10:02   36112   ----a-w-   c:\windows\system32\drivers\LMouFilt.Sys
      2010-07-20 12:48 . 2007-04-11 10:02   34832   ----a-w-   c:\windows\system32\drivers\LHidFilt.Sys
      2010-07-20 12:48 . 2007-04-11 10:02   56080   ----a-w-   c:\windows\KHALMNPR.Exe
      2010-07-20 12:47 . 2007-04-11 10:03   1419024   ----a-w-   c:\windows\system32\WdfCoInstaller01005.dll
      2010-07-20 12:47 . 2007-04-11 10:03   28688   ----a-w-   c:\windows\system32\drivers\LUsbFilt.sys
      2010-07-20 12:47 . 2007-04-22 22:30   69632   ----a-w-   c:\windows\system32\KemXML.dll
      2010-07-20 12:47 . 2007-04-22 22:30   163840   ----a-w-   c:\windows\system32\kemutb.dll
      2010-07-20 12:47 . 2007-04-22 22:30   135168   ----a-w-   c:\windows\system32\KemUtil.dll
      2010-07-20 12:47 . 2007-04-22 22:30   110592   ----a-w-   c:\windows\system32\KemWnd.dll
      2010-07-20 12:47 . 2010-07-20 12:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Logitech
      2010-07-20 12:47 . 2010-07-20 12:47   --------   d-----w-   c:\program files\Logitech
      2010-07-20 12:47 . 2010-07-20 12:47   10134   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{56918C0C-0D87-4CA6-92BF-4975A43AC719}\ARPPRODUCTICON.exe
      2010-07-20 12:47 . 2010-07-20 12:47   --------   d-----w-   c:\program files\Common Files\Logitech
      2010-07-20 12:46 . 2010-07-20 12:46   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\InstallShield
      2010-07-20 12:46 . 2010-07-20 12:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\LogiShrd
      2010-07-20 12:45 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
      2010-07-20 12:45 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\dllcache\hidusb.sys

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-07-20 12:48 . 2010-07-20 12:48   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
      2010-07-20 12:48 . 2010-07-20 12:48   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
      2010-07-17 06:24 . 2009-06-18 16:14   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
      2010-07-17 06:24 . 2010-07-17 06:24   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
      2010-07-17 06:23 . 2008-07-11 17:23   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
      2010-07-16 23:30 . 2010-04-15 13:43   423656   ----a-w-   c:\windows\system32\deployJava1.dll
      2010-07-13 06:19 . 2010-07-13 06:19   --------   d-----w-   c:\program files\Airtel NetXpert
      2010-07-13 06:19 . 2010-07-13 06:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SupportSoft
      2010-07-10 07:30 . 2010-07-01 10:07   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
      2010-07-10 07:30 . 2010-07-10 07:30   56765   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
      2010-07-10 07:30 . 2010-07-10 07:30   57715   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
      2010-07-10 07:29 . 2010-07-10 07:29   84054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
      2010-07-10 07:29 . 2010-07-10 07:29   54153   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
      2010-07-10 07:19 . 2010-07-01 10:07   1062184   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
      2010-07-10 07:19 . 2010-07-01 10:07   895256   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
      2010-07-07 06:55 . 2009-07-31 15:59   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
      2010-07-07 06:55 . 2009-07-31 15:59   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
      2010-07-07 06:55 . 2009-07-31 15:59   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
      2010-07-01 13:04 . 2010-07-01 13:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
      2010-07-01 13:04 . 2010-07-01 13:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\NortonInstaller
      2010-07-01 10:06 . 2010-07-01 10:06   56997   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
      2010-07-01 10:06 . 2010-07-01 10:06   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
      2010-07-01 10:06 . 2010-07-01 10:06   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\DivX
      2010-07-01 10:06 . 2010-07-01 10:06   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
      2010-07-01 10:06 . 2010-07-01 10:06   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
      2010-07-01 10:06 . 2010-07-01 10:06   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
      2010-07-01 10:06 . 2010-07-01 10:06   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
      2010-06-09 23:01 . 2006-03-16 11:05   126448   ------w-   c:\windows\system32\pxinsi64.exe
      2010-06-09 23:01 . 2006-03-16 11:05   123888   ------w-   c:\windows\system32\pxcpyi64.exe
      2010-06-03 05:21 . 2008-07-11 17:23   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
      2010-05-31 08:57 . 2005-11-24 10:22   26736   ----a-w-   c:\documents and settings\Sunaina Ji\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-05-29 05:48 . 2010-05-29 05:48   503808   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-59b3ccdc-n\msvcp71.dll
      2010-05-29 05:48 . 2010-05-29 05:48   499712   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-59b3ccdc-n\jmc.dll
      2010-05-29 05:48 . 2010-05-29 05:48   348160   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-59b3ccdc-n\msvcr71.dll
      2010-05-29 05:48 . 2010-05-29 05:48   61440   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63371cec-n\decora-sse.dll
      2010-05-29 05:48 . 2010-05-29 05:48   12800   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63371cec-n\decora-d3d.dll
      2006-08-13 18:20 . 2006-08-13 18:20   774144   ----a-w-   c:\program files\RngInterstitial.dll
      2004-12-21 10:03 . 2007-12-23 10:53   86016   ----a-w-   c:\program files\TATAUninstall.exe
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Google Update"="c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-24 133104]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ATIModeChange"="Ati2mdxx.exe" [2006-03-31 28672]
      "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
      "H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-10 307200]
      "AVG9_TRAY"="d:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
      "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
      "netxpert"="c:\program files\Airtel NetXpert\bin\sprtcmd.exe" [2009-12-22 206120]
      "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
      "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
      "@OnlineArmor GUI"="d:\program files\Tall Emu\Online Armor\oaui.exe" [2010-07-07 6854984]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Bluetooth.lnk - d:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-29 610365]
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
      WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-5-10 4456448]
      Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-7-20 692224]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "d:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-07-07 924488]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
      2010-07-17 06:24   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
      @=""

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
      backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
      backup=c:\windows\pss\Bluetooth.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
      backup=c:\windows\pss\BTTray.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
      backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
      backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^Sunaina Ji^Start Menu^Programs^Startup^Adobe Gamma.lnk]
      path=c:\documents and settings\Sunaina Ji\Start Menu\Programs\Startup\Adobe Gamma.lnk
      backup=c:\windows\pss\Adobe Gamma.lnkStartup

      [HKLM\~\startupfolder\C:^Documents and Settings^Sunaina Ji^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
      path=c:\documents and settings\Sunaina Ji\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
      backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
      2010-06-17 06:24   40368   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
      2004-06-29 04:36   88363   ----a-w-   c:\windows\AGRSMMSG.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
      2004-12-07 08:53   57344   ----a-w-   c:\windows\ALCMTR.EXE

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
      2004-12-10 10:08   2749440   ----a-w-   c:\windows\ALCWZRD.EXE

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
      2006-03-31 02:17   28672   ----a-w-   c:\windows\system32\Ati2mdxx.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
      2003-06-05 07:05   335872   ----a-w-   c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
      2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
      2005-12-10 14:27   133016   ----a-w-   d:\program files\DAEMON Tools\daemon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
      2007-01-01 20:52   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
      2004-08-12 12:15   61952   ------w-   c:\windows\system32\Hdaudpropshortcut.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
      2005-09-20 05:02   77824   ----a-w-   c:\windows\system32\hkcmd.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
      2003-09-15 15:30   270336   ----a-w-   c:\program files\ATI Technologies\ATI HydraVision\HydraDM.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionViewport]
      2003-09-15 15:30   364544   ----a-w-   c:\program files\ATI Technologies\ATI HydraVision\HydraMD.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
      2005-09-20 05:02   77824   ----a-w-   c:\windows\system32\hkcmd.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
      2005-09-20 05:06   114688   ----a-w-   c:\windows\system32\igfxpers.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
      2005-09-20 05:05   94208   ----a-w-   c:\windows\system32\igfxtray.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      2010-03-18 16:46   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
      2004-11-02 09:23   77824   ----a-w-   c:\windows\SoundMan.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      2005-11-10 07:33   36975   ----a-w-   c:\program files\Java\jre1.5.0_06\bin\jusched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
      2010-04-14 05:03   202256   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\system32\\ccapp.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\StubInstaller.exe"=
      "d:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
      "d:\\Program Files\\uTorrent\\utorrent.exe"=
      "c:\\WINDOWS\\System32\\dpvsetup.exe"=
      "c:\\WINDOWS\\System32\\rtcshare.exe"=
      "c:\\Program Files\\NetMeeting\\conf.exe"=
      "d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
      "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=
      "d:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
      "d:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "d:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "49152:TCP"= 49152:TCP:Azureus
      "49152:UDP"= 49152:UDP:Azure

      R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/11/2008 10:53 PM 216400]
      R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 9:44 PM 243024]
      R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/31/2009 9:29 PM 236104]
      R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/31/2009 9:29 PM 22600]
      R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/31/2009 9:29 PM 28232]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:55 PM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 12:11 AM 67656]
      R2 avg9wd;AVG Free WatchDog;d:\program files\AVG\AVG9\avgwdsvc.exe [7/17/2010 11:54 AM 308136]
      R2 OAcat;Online Armor Helper Service;d:\program files\Tall Emu\Online Armor\oacat.exe [7/31/2009 9:29 PM 1283400]
      R2 sprtsvc_netxpert;SupportSoft Sprocket Service (netxpert);c:\program files\Airtel NetXpert\bin\sprtsvc.exe [7/13/2010 11:49 AM 206120]
      R2 tgsrvc_netxpert;SupportSoft Repair Service (netxpert);c:\program files\Airtel NetXpert\bin\tgsrvc.exe [7/13/2010 11:49 AM 185640]
      R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [5/10/2010 11:33 AM 110592]
      R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [5/10/2010 11:32 AM 1858048]
      R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [5/10/2010 11:32 AM 482304]
      R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [3/24/2009 8:11 PM 33792]
      R3 SvcOnlineArmor;Online Armor;d:\program files\Tall Emu\Online Armor\oasrv.exe [7/31/2009 9:29 PM 3364680]
      S2 gupdate1c8e7d52f7d6ca;Google Update Service (gupdate1c8e7d52f7d6ca);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2008 11:48 AM 133104]
      S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
      S3 DUSBCamera;IBM UltraPort Camera;c:\windows\system32\drivers\IBM_501B.SYS [1/30/2002 9:44 PM 122388]
      S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
      S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [7/26/2006 9:04 PM 223128]
      S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/31/2010 11:12 PM 11520]
      S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/26/2006 9:00 PM 643072]
      .
      Contents of the 'Scheduled Tasks' folder

      2010-08-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1580436667-725345543-1003.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 16:39]

      2010-08-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1580436667-725345543-1003.job
      - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 16:39]

      2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1580436667-725345543-1003Core1cb0ca4aa6ed070.job
      - c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 18:43]

      2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 06:20]

      2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 11:57]

      2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 11:57]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.co.in/
      uInternet Connection Wizard,ShellNext = iexplore
      uInternet Settings,ProxyServer = 204.51.174.152:80
      uInternet Settings,ProxyOverride = local;*.local
      uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
      TCP: {2169162C-B377-4C9F-815E-617F58AF797D} = 202.56.215.54,202.56.215.55
      FF - ProfilePath - c:\documents and settings\Sunaina Ji\Application Data\Mozilla\Firefox\Profiles\ze72yu61.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
      FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
      FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
      FF - plugin: c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
      FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
      FF - plugin: c:\program files\Google\Lively\nplively.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
      FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
      FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
      FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
      .
      - - - - ORPHANS REMOVED - - - -

      WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
      HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
      HKCU-Run-EA Core - d:\program files\Electronic Arts\EADM\Core.exe
      MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
      MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
      MSConfigStartUp-DSLAGENTEXE - c:\program files\GlobespanVirata\Adsl\dslagent.exe
      MSConfigStartUp-DSLSTATEXE - c:\program files\GlobespanVirata\Adsl\dslstat.exe
      MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
      MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
      MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
      MSConfigStartUp-PWRISOVM - d:\program files\PowerISO\PWRISOVM.EXE
      MSConfigStartUp-SemanticInsight - c:\program files\RXToolBar\Semantic Insight\SemanticInsight.exe
      MSConfigStartUp-SmcService - c:\progra~1\Sygate\SPF\smc.exe
      MSConfigStartUp-SWN2 - d:\program files\Spyware Nuker\swnxt.exe
      MSConfigStartUp-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
      MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
      MSConfigStartUp-Yahoo! Pager - c:\progra~1\YAHOO!\MESSEN~1\ypager.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-08-17 11:36
      Windows 5.1.2600 Service Pack 3 FAT NTAPI

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\autorun]
      "ImagePath"="\??\c:\huadio.tmp"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
      @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker4"

      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"

      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(496)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      c:\windows\system32\WININET.dll

      - - - - - - - > 'explorer.exe'(1740)
      c:\windows\system32\WININET.dll
      d:\program files\Tall Emu\Online Armor\OAwatch.dll
      c:\program files\Logitech\SetPoint\lgscroll.dll
      c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\btncopy.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      d:\program files\AVG\AVG9\avgchsvx.exe
      d:\program files\AVG\AVG9\avgrsx.exe
      d:\program files\AVG\AVG9\avgcsrvx.exe
      c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      c:\program files\Bonjour\mDNSResponder.exe
      d:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      d:\program files\AVG\AVG9\avgnsx.exe
      c:\windows\system32\wscntfy.exe
      c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
      d:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
      c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
      c:\program files\iPod\bin\iPodService.exe
      .
      **************************************************************************
      .
      Completion time: 2010-08-17  11:42:35 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-08-17 06:12

      Pre-Run: 4,017,504,256 bytes free
      Post-Run: 4,041,031,680 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

      Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
      - - End Of File - - BA87B2125ACD84F99D3B2F00259FE7F8

SuperDave (Malware Removal Specialist)
      Re: System process taking up 100% CPU usage....
      « Reply #3 on: August 18, 2010, 06:58:50 PM »
      Please download the newest version of Adobe Acrobat Reader from Adobe.com

      Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
      Go to the Control Panel and enter Add or Remove Programs.
      Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

      Once old versions are gone, please install the newest version.
      **************************************

      Re-running ComboFix to remove infections:

      • Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open notepad and copy/paste the text in the quotebox below into it:
        Quote
        KillAll::

        File::
        C:\FOUND.008
        c:\windows\ALCMTR.EXE

        Rootkit::

      • Save this as CFScript.txt, in the same location as ComboFix.exe



      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.
      **********************************
P2P - I see you have P2P software installed on your machine (LimeWire and uTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

      I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
      ********************************************
      * Download the following tool: RootRepeal - Rootkit Detector
      * Direct download link is here: RootRepeal.zip

      * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
      * Click this link to see a list of such programs and how to disable them.

      * Extract the program file to a new folder such as C:\RootRepeal
      * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
      * Select ALL of the checkboxes and then click OK and it will start scanning your system.
      * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
      * When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
      * Save it as rootrepeal.txt
      * Then open that log and select all and copy/paste it back on your next reply please.
      * Close RootRepeal.
      Windows 8 and Windows 10 dual boot with two SSD's

singher (Topic Starter)

        Re: System process taking up 100% CPU usage....
        « Reply #4 on: August 19, 2010, 12:05:57 AM »
        Hi Dave,

Followed all the steps (including shutting down firewall and AVG) but ComboFix did not generate the report. Is it because after the reboot OA starts again?

        Have uninstalled both the P2P software.

        Also even Online Armor hogs CPU usage sometimes.

        Here's the RootRepeal report:

        ROOTREPEAL (c) AD, 2007-2009
        ==================================================
        Scan Start Time:      2010/08/19 11:36
        Program Version:      Version 1.3.5.0
        Windows Version:      Windows XP SP3
        ==================================================

        Drivers
        -------------------
        Name: dump_atapi.sys
        Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
        Address: 0xA90A8000   Size: 98304   File Visible: No   Signed: -
        Status: -

        Name: dump_WMILIB.SYS
        Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
        Address: 0xBA5C0000   Size: 8192   File Visible: No   Signed: -
        Status: -

        Name: mbr.sys
        Image Path: C:\DOCUME~1\SUNAIN~1\LOCALS~1\Temp\mbr.sys
        Address: 0xBA418000   Size: 20864   File Visible: No   Signed: -
        Status: -

        Name: rootrepeal.sys
        Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
        Address: 0xA86D1000   Size: 49152   File Visible: No   Signed: -
        Status: -

        SSDT
        -------------------
        #: 017   Function Name: NtAllocateVirtualMemory
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928bed0

        #: 019   Function Name: NtAssignProcessToJobObject
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928c700

        #: 031   Function Name: NtConnectPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9289da0

        #: 037   Function Name: NtCreateFile
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa92999c0

        #: 046   Function Name: NtCreatePort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa92898e0

        #: 047   Function Name: NtCreateProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9286620

        #: 048   Function Name: NtCreateProcessEx
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9286a30

        #: 050   Function Name: NtCreateSection
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9285ef0

        #: 053   Function Name: NtCreateThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9287f20

        #: 057   Function Name: NtDebugActiveProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9288b90

        #: 068   Function Name: NtDuplicateObject
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa92896f0

        #: 097   Function Name: NtLoadDriver
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928b490

        #: 116   Function Name: NtOpenFile
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa929a040

        #: 122   Function Name: NtOpenProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9287a20

        #: 125   Function Name: NtOpenSection
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9286310

        #: 128   Function Name: NtOpenThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9288420

        #: 137   Function Name: NtProtectVirtualMemory
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928c350

        #: 145   Function Name: NtQueryDirectoryFile
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928ba70

        #: 180   Function Name: NtQueueApcThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928c8a0

        #: 199   Function Name: NtRequestPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928a9a0

        #: 200   Function Name: NtRequestWaitReplyPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928af90

        #: 204   Function Name: NtRestoreKey
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9299550

        #: 206   Function Name: NtResumeThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9289340

        #: 210   Function Name: NtSecureConnectPort
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928a190

        #: 213   Function Name: NtSetContextThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9288970

        #: 240   Function Name: NtSetSystemInformation
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9288d30

        #: 249   Function Name: NtShutdownSystem
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928b370

        #: 253   Function Name: NtSuspendProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9289520

        #: 254   Function Name: NtSuspendThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9289130

        #: 255   Function Name: NtSystemDebugControl
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9288f40

        #: 257   Function Name: NtTerminateProcess
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9287c80

        #: 258   Function Name: NtTerminateThread
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa9288760

        #: 262   Function Name: NtUnloadDriver
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928b780

        #: 277   Function Name: NtWriteVirtualMemory
        Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa928c520

        ==EOF==
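Every SSDT hook in the RootRepeal report above is attributed to C:\WINDOWS\system32\drivers\OADriver.sys, the kernel driver of the Online Armor firewall that the ComboFix header in this thread also lists as installed. Thirty-odd hooks from one known HIPS driver is what that class of product looks like from the kernel side; what a reviewer actually wants to catch is a hook from a module that is not one of the installed security products, or that loads from an odd location. The Python below is an added example for that triage, not part of the original post or of RootRepeal: it parses entries in the posted SSDT layout, groups hooks by the module that installed them, and classifies each module. SAMPLE_SSDT is constructed from the posted format (four entries copied from the log plus one made-up entry from a driver in a Temp folder), and KNOWN_HIPS_DRIVERS is an illustrative allow-list for this machine, not a vendor list.

```python
"""Triage the SSDT section of a RootRepeal report by hooking module.

Added example for this thread; it is not part of the original post or of
RootRepeal. SAMPLE_SSDT is constructed in the posted layout: four entries
copied from the log plus one made-up entry from a driver in a Temp folder.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_SSDT = """\
#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xa92999c0

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xa9286620

#: 116   Function Name: NtOpenFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xa929a040

#: 145   Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xa928ba70

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\unknown.sys" at address 0xa9100000
"""

# One SSDT entry as RootRepeal prints it: an index/function line followed by
# a Status line naming the hooking module and the hook address.
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+'
    r'Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)

# Illustrative allow-list (assumption for this example): drivers of security
# products known to hook the SSDT on this machine. OADriver.sys is the
# Online Armor firewall driver that appears in the posted logs.
KNOWN_HIPS_DRIVERS = {"oadriver.sys"}


def parse_ssdt(text):
    """Return one dict per hooked entry: index, func, module, addr."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def hooks_by_module(entries):
    """Map each hooking module path to the list of functions it hooks."""
    grouped = defaultdict(list)
    for entry in entries:
        grouped[entry["module"]].append(entry["func"])
    return dict(grouped)


def triage(entries, known=KNOWN_HIPS_DRIVERS):
    """Classify each hooking module as expected, unknown or suspicious.

    expected:   a known HIPS/firewall driver loaded from system32\\drivers
    suspicious: a module hooking from a Temp folder or from outside system32\\drivers
    unknown:    a driver in system32\\drivers that is not on the allow-list
    """
    findings = []
    for module, funcs in hooks_by_module(entries).items():
        lowered = module.lower()
        name = ntpath.basename(lowered)
        in_drivers_dir = "\\system32\\drivers\\" in lowered
        if name in known and in_drivers_dir:
            verdict = "expected"
        elif "\\temp\\" in lowered or not in_drivers_dir:
            verdict = "suspicious"
        else:
            verdict = "unknown"
        findings.append((verdict, module, sorted(funcs)))
    return sorted(findings, key=lambda finding: finding[1])


if __name__ == "__main__":
    for verdict, module, funcs in triage(parse_ssdt(SAMPLE_SSDT)):
        print(f"{verdict:10} {module}  ({len(funcs)} hooks: {', '.join(funcs)})")
```

Run against the full posted section, the real report yields a single "expected" line for OADriver.sys; the made-up Temp entry in the sample shows what an unexplained hooker looks like. The allow-list is deliberately per machine: a driver is only "expected" if the product it belongs to is actually installed, which is what the ComboFix header and the loaded-DLL list in this thread establish for Online Armor.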

SuperDave (Malware Removal Specialist)
        Re: System process taking up 100% CPU usage....
        « Reply #5 on: August 19, 2010, 12:49:32 PM »
        Quote
        Followed all the steps (including shutting down firewall and AVG) but Combofix did not generate the report. Is it because after the reboot OA starts again?
You can probably find the log in C:\ComboFix. Just look for a .txt file.

        I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
• Click on to download the ESET Smart Installer. Save it to your desktop.
• Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


singher (Topic Starter)

          Re: System process taking up 100% CPU usage....
          « Reply #6 on: August 24, 2010, 12:34:56 PM »
Hi Dave! UPDATE: --- Over the weekend my PC got HUNG multiple times each time I started it..... Same problem: system resources kept getting hogged! This had increased exponentially when I installed Online Armor (as suggested on the before you post guide)

After waiting for 3 hours for my PC to start, I uninstalled OA and my system performance has improved but still lags frequently as before... I'm currently using Windows Firewall because it doesn't matter which firewall I try.... this same problem crops up.....

          Here's the combofix log

          ComboFix 10-08-17.04 - Sunaina Ji 08/19/2010  11:07:07.2.1 - FAT32x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2039.1411 [GMT 5.5:30]
          Running from: C:\Documents and Settings\Sunaina Ji\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Sunaina Ji\Desktop\CFScript.txt
          AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
          FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

          FILE ::
          "C:\FOUND.008"
          "c:\windows\ALCMTR.EXE"
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
          C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
          c:\windows\ALCMTR.EXE

          ----- BITS: Possible infected sites -----

          hxxp://netxpert.airtelbroadband.in
          C:\WINDOWS\system32\drivers\ntfs.sys . . . is infected!!

          .
          (((((((((((((((((((((((((   Files Created from 2010-07-19 to 2010-08-19  )))))))))))))))))))))))))))))))
          .

          No new files created in this timespan

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .



          and the ESETScan log:

          C:\Program Files\AVG\AVG8\avgtoolbar.dll   probably a variant of Win32/Genetik trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{71E6E842-1E64-448C-843D-EBC3EC81B496}\RP1281\A0429089.dll   probably a variant of Win32/Genetik trojan   cleaned by deleting - quarantined
          C:\System Volume Information\_restore{71E6E842-1E64-448C-843D-EBC3EC81B496}\RP1265\A0419358.exe   Win32/Adware.BlockChecker application   cleaned by deleting - quarantined

SuperDave (Malware Removal Specialist)
          Re: System process taking up 100% CPU usage....
          « Reply #7 on: August 24, 2010, 01:10:59 PM »
          Please download SystemLook from one of the links below and save it to your desktop.

          Link # 1
          Link # 2

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          Double-click SystemLook.exe to run it.

          Copy the contents of the following codebox into the main textfield.
Code:
          :filefind
          ntfs.sys

          Click the Look button to start the scan.

          Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

          When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt

singher (Topic Starter)

            Re: System process taking up 100% CPU usage....
            « Reply #8 on: August 24, 2010, 11:55:32 PM »
            SystemLook LOG

            SystemLook v1.0 by jpshortstuff (11.01.10)
            Log created at 11:40 on 25/08/2010 by Sunaina Ji (Administrator - Elevation successful)

            ========== filefind ==========

            Searching for "ntfs.sys "
            C:\cmdcons\NTFS.SYS   --a--- 574592 bytes   [17:45 03/08/2004]   [17:45 03/08/2004] B78BE402C3F63DD55521F73876951CDD
            C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys   ------ 574976 bytes   [11:23 09/02/2007]   [11:23 09/02/2007] 05AB81909514BFD69CBB1F2C147CF6B9
            C:\WINDOWS\ERDNT\cache\ntfs.sys   --a--- 574976 bytes   [06:09 17/08/2010]   [19:15 13/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
            C:\WINDOWS\system32\drivers\ntfs.sys   --a--- 574976 bytes   [06:30 23/08/2001]   [19:15 13/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA

            -=End Of File=-
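In the SystemLook output above, the live C:\WINDOWS\system32\drivers\ntfs.sys and the C:\WINDOWS\ERDNT\cache\ntfs.sys backup report the same size (574976 bytes) and the same MD5 (78A08DD6A8D65E697C18E1DB01C5CDCA), while the C:\cmdcons copy and the KB930916 hotfix copy are different builds with different sizes and hashes. The Python below is an added example, not part of the original post or of SystemLook: it parses lines in the posted filefind format, groups the copies by hash, and compares each copy against a chosen reference copy. The sample input is the four posted lines; treating the ERDNT\cache copy as the reference is an assumption made here for the demonstration. One caveat for anyone reusing this: the ERDNT\cache copy was created on this same machine on 17/08/2010, so a hash match with it shows only that the live driver has not changed since that backup was taken. A hash obtained from an offline clean source (installation media or a known-good system at the same service-pack level) is the stronger reference, and md5_of_file() is included for computing one against a file on disk.

```python
"""Compare copies of a file in SystemLook ':filefind' output by size and MD5.

Added example for this thread; it is not part of the original post or of
SystemLook. SAMPLE_FILEFIND is the filefind output posted above.
"""
import hashlib
import re

SAMPLE_FILEFIND = r"""
Searching for "ntfs.sys "
C:\cmdcons\NTFS.SYS   --a--- 574592 bytes   [17:45 03/08/2004]   [17:45 03/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys   ------ 574976 bytes   [11:23 09/02/2007]   [11:23 09/02/2007] 05AB81909514BFD69CBB1F2C147CF6B9
C:\WINDOWS\ERDNT\cache\ntfs.sys   --a--- 574976 bytes   [06:09 17/08/2010]   [19:15 13/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
C:\WINDOWS\system32\drivers\ntfs.sys   --a--- 574976 bytes   [06:30 23/08/2001]   [19:15 13/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
"""

# One result line: path, six attribute flags, size, two bracketed timestamps
# and the MD5. Judging from the posted values, the first timestamp is the
# creation time and the second the last-modified time.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per result line (path, attrs, size, created, modified, md5)."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths that carry it, in the order they were listed."""
    groups = {}
    for entry in entries:
        groups.setdefault(entry["md5"], []).append(entry["path"])
    return groups


def compare_to_reference(entries, reference_path):
    """Mark every other copy 'match' or 'differs' relative to one reference copy."""
    reference = next(
        (e for e in entries if e["path"].lower() == reference_path.lower()), None)
    if reference is None:
        raise ValueError(f"reference copy not in results: {reference_path}")
    verdicts = {}
    for entry in entries:
        if entry is reference:
            continue
        same = entry["size"] == reference["size"] and entry["md5"] == reference["md5"]
        verdicts[entry["path"]] = "match" if same else "differs"
    return verdicts


def md5_hex(data):
    """Upper-case hex MD5, the form SystemLook prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file on disk, for checking a live copy against a known-good hash."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_FILEFIND)
    for md5, paths in group_by_md5(found).items():
        print(md5, "->", ", ".join(paths))
    for path, verdict in compare_to_reference(found, r"C:\WINDOWS\ERDNT\cache\ntfs.sys").items():
        print(f"{verdict:8} {path}")
```

The size check is deliberately kept alongside the hash: two copies with the same reported size but different hashes (the SP3 driver against the 2007 hotfix build here, 574976 bytes both) are exactly the case a size-only comparison would miss, and a match on both is what you want before deciding that one copy can stand in for another.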

SuperDave (Malware Removal Specialist)
            Re: System process taking up 100% CPU usage....
            « Reply #9 on: August 25, 2010, 04:38:37 PM »
            Ok. That's great. Let's try this to get that file cleaned.

            Re-running ComboFix to remove infections:

            • Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
            • Open notepad and copy/paste the text in the quotebox below into it:
              Quote
              KillAll::

              FCopy::
              C:\WINDOWS\ERDNT\cache\ntfs.sys | C:\WINDOWS\system32\drivers\ntfs.sys 

              Rootkit::

            • Save this as CFScript.txt, in the same location as ComboFix.exe



            • Referring to the picture above, drag CFScript into ComboFix.exe
            • When finished, it shall produce a log for you at C:\ComboFix.txt
            • Please post the contents of the log in your next reply.

singher (Topic Starter)

              Re: System process taking up 100% CPU usage....
              « Reply #10 on: August 26, 2010, 07:27:09 AM »
              COMBOFIX LOG

              ComboFix 10-08-25.01 - Sunaina Ji 08/26/2010  19:02:27.3.1 - FAT32x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2039.1302 [GMT 5.5:30]
              Running from: c:\documents and settings\Sunaina Ji\Desktop\ComboFix.exe
              Command switches used :: c:\documents and settings\Sunaina Ji\Desktop\CFScript.txt
              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
              c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
              .
              ---- Previous Run -------
              .
              c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
              c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
              c:\windows\ALCMTR.EXE

              ----- BITS: Possible infected sites -----

              hxxp://netxpert.airtelbroadband.in
              -- Previous Run --

              c:\windows\system32\drivers\ntfs.sys . . . is infected!!

              --------

              .
              --------------- FCopy ---------------

              c:\windows\ERDNT\cache\ntfs.sys --> c:\windows\system32\drivers\ntfs.sys
              .
              (((((((((((((((((((((((((   Files Created from 2010-07-26 to 2010-08-26  )))))))))))))))))))))))))))))))
              .

              2010-08-24 17:37 . 2010-08-24 17:37   --------   d-----w-   c:\program files\ESET
              2010-08-23 17:48 . 2010-08-23 17:48   --------   d-----w-   c:\program files\QuickTime
              2010-08-20 14:25 . 2009-07-20 06:55   301656   ----a-w-   c:\windows\system32\BtCoreIf.dll
              2010-08-20 14:25 . 2010-08-20 14:25   10134   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe
              2010-08-20 14:25 . 2010-08-20 14:25   --------   d-----w-   c:\program files\Common Files\Logishrd
              2010-08-20 14:15 . 2010-08-20 14:15   --------   d-----w-   C:\FOUND.015
              2010-08-19 06:05 . 2010-08-19 06:05   --------   d-----w-   C:\RootRepeal
              2010-08-19 05:28 . 2010-08-19 05:28   --------   d-----w-   c:\program files\Common Files\Adobe AIR
              2010-08-19 05:28 . 2010-08-19 05:28   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
              2010-08-19 05:27 . 2010-08-19 05:27   77184   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
              2010-08-19 05:27 . 2010-08-19 05:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
              2010-08-18 10:49 . 2010-08-18 10:49   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Floodlight Games
              2010-08-18 10:49 . 2010-08-18 10:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Floodlight Games
              2010-08-15 05:12 . 2010-08-15 05:12   388096   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
              2010-08-15 05:12 . 2010-08-15 05:12   --------   d-----w-   c:\program files\TrendMicro
              2010-08-14 20:32 . 2010-08-14 20:32   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Malwarebytes
              2010-08-14 20:31 . 2010-04-29 10:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-08-14 20:31 . 2010-08-14 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2010-08-14 20:31 . 2010-04-29 10:09   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-08-14 19:49 . 2010-08-14 19:49   --------   d-----w-   C:\FOUND.008
              2010-08-14 19:02 . 2010-08-14 19:02   63488   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
              2010-08-14 19:02 . 2010-08-14 19:02   52224   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
              2010-08-14 19:02 . 2010-08-14 19:02   117760   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2010-08-14 19:01 . 2010-08-14 19:01   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\SUPERAntiSpyware.com
              2010-08-14 19:01 . 2010-08-14 19:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2010-08-14 19:01 . 2010-08-14 19:01   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-08-08 17:16 . 2010-08-08 17:16   --------   d-----w-   c:\program files\TOEFL Official Guide
              2010-08-08 17:16 . 2010-08-08 17:16   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\M-HTOEFL
              2010-08-07 17:19 . 2010-08-07 17:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
              2010-08-07 17:14 . 2010-08-07 17:14   --------   d-----w-   c:\program files\Bonjour
              2010-08-07 08:53 . 2010-08-07 08:53   503808   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-65bfe8db-n\msvcp71.dll
              2010-08-07 08:53 . 2010-08-07 08:53   499712   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-65bfe8db-n\jmc.dll
              2010-08-07 08:53 . 2010-08-07 08:53   12800   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-63bc1f3f-n\decora-d3d.dll
              2010-08-07 08:53 . 2010-08-07 08:53   61440   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-63bc1f3f-n\decora-sse.dll
              2010-08-07 08:53 . 2010-08-07 08:53   348160   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-65bfe8db-n\msvcr71.dll

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-08-25 13:01 . 2008-10-27 15:45   27556   ---ha-w-   c:\windows\system32\mlfcache.dat
              2010-08-20 14:26 . 2010-08-20 14:26   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
              2010-07-23 12:13 . 2010-07-23 12:13   198448   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
              2010-07-21 11:00 . 2010-07-21 11:00   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
              2010-07-20 12:49 . 2010-07-20 12:49   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Logitech
              2010-07-20 12:49 . 2010-07-20 12:49   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\Leadertech
              2010-07-20 12:49 . 2010-07-20 12:49   10134   ----a-r-   c:\documents and settings\Sunaina Ji\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
              2010-07-20 12:49 . 2010-07-20 12:49   --------   d-----w-   c:\program files\Common Files\LogiShared
              2010-07-20 12:48 . 2010-07-20 12:48   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
              2010-07-20 12:48 . 2010-07-20 12:48   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
              2010-07-20 12:47 . 2010-07-20 12:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Logitech
              2010-07-20 12:47 . 2010-07-20 12:47   --------   d-----w-   c:\program files\Logitech
              2010-07-20 12:47 . 2010-07-20 12:47   --------   d-----w-   c:\program files\Common Files\Logitech
              2010-07-20 12:46 . 2010-07-20 12:46   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\InstallShield
              2010-07-20 12:46 . 2010-07-20 12:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\LogiShrd
              2010-07-17 17:28 . 2010-07-17 17:28   503808   ----a-w-   c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1d776259-n\msvcp71.dll
              2010-07-17 17:28 . 2010-07-17 17:28   499712   ----a-w-   c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1d776259-n\jmc.dll
              2010-07-17 17:28 . 2010-07-17 17:28   348160   ----a-w-   c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1d776259-n\msvcr71.dll
              2010-07-17 17:28 . 2010-07-17 17:28   61440   ----a-w-   c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2886b506-n\decora-sse.dll
              2010-07-17 17:28 . 2010-07-17 17:28   12800   ----a-w-   c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2886b506-n\decora-d3d.dll
              2010-07-17 06:24 . 2009-06-18 16:14   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
              2010-07-17 06:24 . 2010-07-17 06:24   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
              2010-07-17 06:23 . 2008-07-11 17:23   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
              2010-07-16 23:30 . 2010-04-15 13:43   423656   ----a-w-   c:\windows\system32\deployJava1.dll
              2010-07-13 06:19 . 2010-07-13 06:19   --------   d-----w-   c:\program files\Airtel NetXpert
              2010-07-13 06:19 . 2010-07-13 06:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SupportSoft
              2010-07-10 07:30 . 2010-07-01 10:07   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
              2010-07-10 07:30 . 2010-07-10 07:30   56765   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
              2010-07-10 07:30 . 2010-07-10 07:30   57715   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
              2010-07-10 07:29 . 2010-07-10 07:29   84054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
              2010-07-10 07:29 . 2010-07-10 07:29   54153   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
              2010-07-10 07:19 . 2010-07-01 10:07   1062184   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
              2010-07-10 07:19 . 2010-07-01 10:07   895256   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
              2010-07-01 13:04 . 2010-07-01 13:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
              2010-07-01 13:04 . 2010-07-01 13:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\NortonInstaller
              2010-07-01 10:06 . 2010-07-01 10:06   56997   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
              2010-07-01 10:06 . 2010-07-01 10:06   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
              2010-07-01 10:06 . 2010-07-01 10:06   --------   d-----w-   c:\documents and settings\Sunaina Ji\Application Data\DivX
              2010-07-01 10:06 . 2010-07-01 10:06   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
              2010-07-01 10:06 . 2010-07-01 10:06   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
              2010-07-01 10:06 . 2010-07-01 10:06   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
              2010-07-01 10:06 . 2010-07-01 10:06   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
              2010-06-09 23:01 . 2006-03-16 11:05   126448   ------w-   c:\windows\system32\pxinsi64.exe
              2010-06-09 23:01 . 2006-03-16 11:05   123888   ------w-   c:\windows\system32\pxcpyi64.exe
              2010-06-03 05:21 . 2008-07-11 17:23   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
              2010-05-31 08:57 . 2005-11-24 10:22   26736   ----a-w-   c:\documents and settings\Sunaina Ji\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2010-05-29 05:48 . 2010-05-29 05:48   503808   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-59b3ccdc-n\msvcp71.dll
              2010-05-29 05:48 . 2010-05-29 05:48   499712   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-59b3ccdc-n\jmc.dll
              2010-05-29 05:48 . 2010-05-29 05:48   348160   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-59b3ccdc-n\msvcr71.dll
              2010-05-29 05:48 . 2010-05-29 05:48   61440   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63371cec-n\decora-sse.dll
              2010-05-29 05:48 . 2010-05-29 05:48   12800   ----a-w-   c:\documents and settings\Sunaina Ji\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63371cec-n\decora-d3d.dll
              2006-08-13 18:20 . 2006-08-13 18:20   774144   ----a-w-   c:\program files\RngInterstitial.dll
              2004-12-21 10:03 . 2007-12-23 10:53   86016   ----a-w-   c:\program files\TATAUninstall.exe
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Google Update"="c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-24 133104]
              "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ATIModeChange"="Ati2mdxx.exe" [2006-03-31 28672]
              "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
              "H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-10 307200]
              "AVG9_TRAY"="d:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
              "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
              "netxpert"="c:\program files\Airtel NetXpert\bin\sprtcmd.exe" [2009-12-22 206120]
              "iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
              "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-14 202256]
              "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-09 421888]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Bluetooth.lnk - d:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-29 610365]
              Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
              Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-7-20 813584]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2010-07-17 06:24   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
              2009-07-20 06:58   72208   ----a-w-   c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
              SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
              @="Driver"

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
              @=""

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
              backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
              backup=c:\windows\pss\Bluetooth.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
              backup=c:\windows\pss\BTTray.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
              backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
              backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

              [HKLM\~\startupfolder\C:^Documents and Settings^Sunaina Ji^Start Menu^Programs^Startup^Adobe Gamma.lnk]
              path=c:\documents and settings\Sunaina Ji\Start Menu\Programs\Startup\Adobe Gamma.lnk
              backup=c:\windows\pss\Adobe Gamma.lnkStartup

              [HKLM\~\startupfolder\C:^Documents and Settings^Sunaina Ji^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
              path=c:\documents and settings\Sunaina Ji\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
              backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
              2004-06-29 04:36   88363   ----a-w-   c:\windows\AGRSMMSG.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
              2004-12-10 10:08   2749440   ----a-w-   c:\windows\ALCWZRD.EXE

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
              2006-03-31 02:17   28672   ----a-w-   c:\windows\system32\Ati2mdxx.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
              2003-06-05 07:05   335872   ----a-w-   c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
              2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
              2005-12-10 14:27   133016   ----a-w-   d:\program files\DAEMON Tools\daemon.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
              2007-01-01 20:52   3739648   ----a-w-   c:\program files\Google\Google Talk\googletalk.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
              2004-08-12 12:15   61952   ------w-   c:\windows\system32\Hdaudpropshortcut.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
              2005-09-20 05:02   77824   ----a-w-   c:\windows\system32\hkcmd.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
              2003-09-15 15:30   270336   ----a-w-   c:\program files\ATI Technologies\ATI HydraVision\HydraDM.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionViewport]
              2003-09-15 15:30   364544   ----a-w-   c:\program files\ATI Technologies\ATI HydraVision\HydraMD.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
              2005-09-20 05:02   77824   ----a-w-   c:\windows\system32\hkcmd.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
              2005-09-20 05:06   114688   ----a-w-   c:\windows\system32\igfxpers.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
              2005-09-20 05:05   94208   ----a-w-   c:\windows\system32\igfxtray.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
              2010-08-09 23:45   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
              2004-11-02 09:23   77824   ----a-w-   c:\windows\SoundMan.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
              2005-11-10 07:33   36975   ----a-w-   c:\program files\Java\jre1.5.0_06\bin\jusched.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
              2010-04-14 05:03   202256   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\system32\\ccapp.exe"=
              "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
              "c:\\StubInstaller.exe"=
              "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
              "c:\\WINDOWS\\System32\\dpvsetup.exe"=
              "c:\\WINDOWS\\System32\\rtcshare.exe"=
              "c:\\Program Files\\NetMeeting\\conf.exe"=
              "d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=
              "d:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
              "d:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
              "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
              "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
              "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "d:\\Program Files\\iTunes\\iTunes.exe"=
              "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "49152:TCP"= 49152:TCP:Azureus
              "49152:UDP"= 49152:UDP:Azure

              R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/11/2008 10:53 PM 216400]
              R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 9:44 PM 243024]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:55 PM 12872]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 12:11 AM 67656]
              R2 avg9wd;AVG Free WatchDog;d:\program files\AVG\AVG9\avgwdsvc.exe [7/17/2010 11:54 AM 308136]
              R2 sprtsvc_netxpert;SupportSoft Sprocket Service (netxpert);c:\program files\Airtel NetXpert\bin\sprtsvc.exe [7/13/2010 11:49 AM 206120]
              R2 tgsrvc_netxpert;SupportSoft Repair Service (netxpert);c:\program files\Airtel NetXpert\bin\tgsrvc.exe [7/13/2010 11:49 AM 185640]
              R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [3/24/2009 8:11 PM 33792]
              S2 gupdate1c8e7d52f7d6ca;Google Update Service (gupdate1c8e7d52f7d6ca);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2008 11:48 AM 133104]
              S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
              S3 DUSBCamera;IBM UltraPort Camera;c:\windows\system32\drivers\IBM_501B.SYS [1/30/2002 9:44 PM 122388]
              S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
              S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [7/26/2006 9:04 PM 223128]
              S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
              S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/26/2006 9:00 PM 643072]
              .
              Contents of the 'Scheduled Tasks' folder

              2010-08-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1580436667-725345543-1003.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 16:39]

              2010-08-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1580436667-725345543-1003.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 16:39]

              2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1580436667-725345543-1003Core1cb0ca4aa6ed070.job
              - c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 18:43]

              2010-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 06:20]

              2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 11:57]

              2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 11:57]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.google.co.in/
              uInternet Connection Wizard,ShellNext = iexplore
              uInternet Settings,ProxyServer = 128.112.139.108:3128
              uInternet Settings,ProxyOverride = local
              uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
              TCP: {2169162C-B377-4C9F-815E-617F58AF797D} = 202.56.215.54,202.56.215.55
              FF - ProfilePath - c:\documents and settings\Sunaina Ji\Application Data\Mozilla\Firefox\Profiles\ze72yu61.default\
              FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
              FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
              FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

              ---- FIREFOX POLICIES ----
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
              .
              - - - - ORPHANS REMOVED - - - -

              ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
              MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
              MSConfigStartUp-Alcmtr - ALCMTR.EXE



              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-08-26 19:07
              Windows 5.1.2600 Service Pack 3 FAT NTAPI

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************

              [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\autorun]
              "ImagePath"="\??\c:\huadio.tmp"
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
              @Denied: (A 2) (Everyone)
              @="FlashBroker"
              "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
              "Enabled"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
              @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

              [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
              @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

              [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
              @Denied: (A 2) (Everyone)
              @="IFlashBroker4"

              [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
              @="{00020424-0000-0000-C000-000000000046}"

              [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
              @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
              "Version"="1.0"
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(508)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              c:\windows\system32\WININET.dll
              c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
              c:\program files\common files\logitech\bluetooth\LBTServ.dll

              - - - - - - - > 'explorer.exe'(3812)
              c:\windows\system32\WININET.dll
              c:\program files\Logitech\SetPoint\lgscroll.dll
              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
              c:\windows\system32\ieframe.dll
              c:\windows\system32\webcheck.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\btncopy.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              d:\program files\AVG\AVG9\avgchsvx.exe
              d:\program files\AVG\AVG9\avgrsx.exe
              d:\program files\AVG\AVG9\avgcsrvx.exe
              c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
              c:\program files\Bonjour\mDNSResponder.exe
              d:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
              c:\program files\Java\jre6\bin\jqs.exe
              c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
              d:\program files\AVG\AVG9\avgnsx.exe
              c:\windows\system32\wscntfy.exe
              c:\documents and settings\Sunaina Ji\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
              c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
              d:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
              c:\program files\iPod\bin\iPodService.exe
              .
              **************************************************************************
              .
              Completion time: 2010-08-26  19:10:59 - machine was rebooted
              ComboFix-quarantined-files.txt  2010-08-26 13:40
              ComboFix2.txt  2010-08-17 06:12

              Pre-Run: 3,680,354,304 bytes free
              Post-Run: 3,928,752,128 bytes free

              Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
              - - End Of File - - 8F877220A07272C13F16F4605C8FBF89
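
A small triage script for a log like the one above, added here as an example; it is not part of the original post and not ComboFix's own code. It parses the `R?`/`S?` service lines and the `uInternet Settings,ProxyServer` line, then applies the heuristics a malware-removal helper applies by eye: image file ComboFix could not read (`[?]`), image path outside the Windows or Program Files trees, non-executable extension, and a proxy that points at a non-private address. The sample lines are copied from the log above; `EXPECTED_DIRS`, `EXPECTED_EXTS` and the wording of the flags are assumptions of this example, and a flag means "look closer", not a verdict.

```python
"""Triage helper for ComboFix-style service and proxy lines.

Added example; it is not part of the original forum post and not ComboFix's
own code. It parses the "R?/S?" service lines and the
"uInternet Settings,ProxyServer" line of a ComboFix log and applies a few
autostart heuristics. EXPECTED_DIRS / EXPECTED_EXTS are assumptions of this
example; a flag is a prompt to look closer, not a verdict.
"""
import ipaddress
import re

# "<state> <name>;<display>;<image path> [<date time size>]" or "... [?]" when
# ComboFix could not read the file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")

# Assumption: service/driver images normally live here (drive letter stripped).
EXPECTED_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\progra~1\\")
EXPECTED_EXTS = (".sys", ".exe", ".dll")

FLAG_MISSING = "image file not found on disk ([?])"
FLAG_LOCATION = "image path outside Windows/Program Files"
FLAG_EXT = "unusual image extension"


def parse_service(line):
    """Return a dict for one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path = entry["path"]
    # "\??\c:\x --> c:\x": ComboFix shows the NT path and its resolved form.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    entry["path"] = path.replace("\\??\\", "").strip().lower()
    entry["missing"] = entry["meta"].strip() == "?"
    return entry


def service_flags(entry):
    """Heuristic flags for a parsed service entry (empty list = nothing odd)."""
    flags = []
    path = entry["path"]
    no_drive = re.sub(r"^[a-z]:", "", path)
    if entry["missing"]:
        flags.append(FLAG_MISSING)
    if not no_drive.startswith(EXPECTED_DIRS):
        flags.append(FLAG_LOCATION)
    if not path.endswith(EXPECTED_EXTS):
        flags.append(FLAG_EXT)
    return flags


def proxy_finding(line):
    """Return (proxy, message) if the line sets a proxy on a non-private host."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    proxy = m.group("proxy")
    host = proxy.rpartition(":")[0] if ":" in proxy else proxy
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return proxy, "proxy host is a name, not an address; resolve and verify it"
    if addr.is_private or addr.is_loopback:
        return None
    return proxy, "proxy points at a public address; confirm the user set it"


def triage(log_text):
    """Run both checks over a log; return (kind, subject, flags) tuples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service(line)
        if entry is not None:
            flags = service_flags(entry)
            if flags:
                findings.append(("service", entry["name"].strip(), flags))
            continue
        proxy = proxy_finding(line)
        if proxy is not None:
            findings.append(("proxy", proxy[0], [proxy[1]]))
    return findings


# Lines copied from the log above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/11/2008 10:53 PM 216400]
R2 avg9wd;AVG Free WatchDog;d:\program files\AVG\AVG9\avgwdsvc.exe [7/17/2010 11:54 AM 308136]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/26/2006 9:00 PM 643072]
uInternet Settings,ProxyServer = 128.112.139.108:3128
"""

if __name__ == "__main__":
    for kind, subject, flags in triage(SAMPLE_LOG):
        print(f"{kind:8} {subject}: {'; '.join(flags)}")
```

Run against the sample, the AVG drivers and sptd produce nothing, the `autorun` service collects all three flags (file unreadable, image in the root of C:, `.tmp` extension), `ivusb` only the unreadable-file flag (a driver that is installed but whose file is gone is common after device removal), and the proxy line is raised because its host is not an RFC 1918 or loopback address. Paste the services block and the supplementary-scan block of any ComboFix log into `SAMPLE_LOG` to get the same list for another machine.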

              SuperDave
              • Malware Removal Specialist
              • Genius
              • Thanked: 1020
              • Experience: Expert
              • OS: Windows 10
              Re: System process taking up 100% CPU usage....
              « Reply #11 on: August 26, 2010, 01:25:51 PM »
              Ok. How's your computer working now? Please run another ESET scan and post the log.
              Windows 8 and Windows 10 dual boot with two SSD's