
TaxSleuth

Everything posted by TaxSleuth

  1. Actually, it looks like I was able to manually generate a log.txt by moving to step four. Here it is. Actually, if it's a part of PCMover software, then it's OK.

************************************************************************************************************
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=0c54e853784de247bf4126cbb5453eac
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-01 07:12:15
# local_time=2011-05-01 03:12:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 16777214 0 2 51090314 51090314 0 0
# compatibility_mode=1536 16777215 100 0 7250420 7250420 0 0
# compatibility_mode=1797 16774142 0 6 0 35812416 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=171101
# found=3
# cleaned=0
# scan_time=9533
C:\Documents and Settings\Markham & Company\Local Settings\Application Data\Downloaded Installations\{8DFD5BB4-544D-446C-AA81-578300727545}\PCmover.msi    a variant of Win32/PSWTool.PWDump.A application (unable to clean)    00000000000000000000000000000000    I
C:\Program Files\Perfect Uninstaller\PU.exe    a variant of Win32/PerfectUninstaller application (unable to clean)    00000000000000000000000000000000    I
${Memory}    a variant of Win32/PerfectUninstaller application    00000000000000000000000000000000    I
****************************************************************************************************************************
  2. The ESET scanner froze after completing a scan. After it had scanned everything, it didn't go to step 4 and generate a log. I am re-running. In the meantime, I am uploading screenshots. I note that it found one virus, PSWTool.PWDump.A. The other one, Perfect Uninstaller, I THINK is a false positive. You had asked if the computer was working better. Frankly, it is. Although that virus looks pretty scary. If I get the scanner to do a log.txt, I will post it here.

ScreenShot.bmp
  3. I created the txt file as instructed and dragged it over combofix.exe. Combofix launched again, and asked me to install the Microsoft thing again (even though it was installed before). It froze while saying: "Scanning for infected files..." I then realized I needed to stop the anti-virus and Malwarebytes again. (I had re-enabled them.) I hope this didn't screw anything up. So, I re-ran everything with the AV and MWBytes turned off and got the following log report:

*****************************************************************************************************************************************************
ComboFix 11-04-30.03 - [Deleted] 04/30/11 23:11:46.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1385 [GMT -4:00]
Running from: c:\documents and settings\[Deleted]\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\[Deleted]\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-30 15:29 . 2011-04-30 15:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-28 22:10 . 2011-04-28 22:10 -------- d-----w- c:\program files\Avira
2011-04-28 22:10 . 2011-04-28 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-11 18:13 . 2011-04-11 18:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2011-04-06 04:26 . 2011-04-06 04:26 -------- d-----w- c:\program files\Defraggler
2011-04-06 03:31 . 2011-04-06 03:31 -------- d-----w- c:\program files\Common Files\Java
2011-04-06 02:13 . 2011-04-06 02:13 -------- d-----w- c:\documents and settings\[Deleted]\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 01:29 . 2010-05-01 00:40 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-04-22 23:08 . 2007-11-12 14:50 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-02-03 01:40 . 2010-08-20 00:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2007-07-09 12:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shadow"="c:\program files\NewTech Infosystems\NTI Shadow 3\Shadow.exe" [2006-08-17 503808]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"TaskScheduler"="c:\prowin10\32bit\tasksch.exe" [2011-04-03 441176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 18:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 05:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-12-30 19:17 19972712 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskScheduler]
2011-04-03 14:26 441176 ----a-w- c:\prowin10\32bit\TaskSch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\HP Media Vault\\Utilities\\hpezbkup.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/28/10 10:48 PM 363344]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [05/27/09 3:27 AM 29262680]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [01/22/10 8:40 PM 45824]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [08/21/10 3:51 PM 582992]
R2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\SupportSpace\Support Platform\supportspace_tools.exe [01/20/08 5:12 PM 308464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/28/10 10:48 PM 20952]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [01/22/10 8:40 PM 56960]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [08/21/10 3:51 PM 206608]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [01/20/10 9:23 PM 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/04/10 12:51 AM 136176]
S2 mrtRate;mrtRate; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [01/22/10 8:02 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/04/10 12:51 AM 136176]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [12/16/06 4:24 PM 72704]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [03/13/06 3:59 PM 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [03/13/06 3:59 PM 8960]
S3 PortAcc;Spearit Port Access;c:\program files\Laplink\PCmover\PortAcc.sys [03/13/06 3:48 PM 10752]
S3 SIWIO;SIWIO;\??\c:\windows\TEMP\SiwIo.sys --> c:\windows\TEMP\SiwIo.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [08/21/10 3:51 PM 206608]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-04 04:51]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-04 04:51]
.
2011-04-30 c:\windows\Tasks\Malwarebytes' Scheduled Scan for [Deleted].job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-29 23:08]
.
2011-04-30 c:\windows\Tasks\Malwarebytes' Scheduled Update for [Deleted].job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-29 23:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: cumberlandcounty.org
Trusted Zone: intuit.com\ttlc
Trusted Zone: mainelandrecords.com\www
Trusted Zone: refund-advantage.com\www
TCP: {CF2F86EA-5FC2-499A-BBD0-24EFF03A193F} = 4.2.2.2,8.8.8.8
DPF: Microsoft XML Parser for Java
DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB
DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsTV.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://inotes.adrus.com/dwa85W.cab
DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/Dll/RSFCalc.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsDP.cab
DPF: {9D27C3FA-6662-4D29-99FB-A58A405FD584} - hxxps://secureshare.prometric.com/COM/MOVEitUploadWizard4.0.0.ocx
DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
DPF: {DE1319F8-DE5B-42EB-9407-4067FB8A09FD} - hxxp://wkforms.com/BuildRelease/wkforms/perform%20plus%20III/release/install.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 23:21
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TaskScheduler = c:\prowin10\32bit\tasksch.exe?????????Ux????+.Tx????L?????????Ux????????<??????????????NL??????N????n???????0???.?Uxo???????$???I??@l???8?????C???????@?a??@l???l???X?????C??????yA????????@P?D?l??????@????D-C??????H@?@?C???8?&???!?????8?@?C?Z?8?????????X?8?@?C
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1316)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(4036)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-04-30 23:35:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-01 03:35
ComboFix2.txt 2011-05-01 00:56
ComboFix3.txt 2010-11-13 20:52
.
Pre-Run: 35,210,702,848 bytes free
Post-Run: 35,221,270,528 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5EDBC0F9CDEE736888F957791C8F1E56
  4. Thank you so much for taking a look at this! Here is the ComboFix log:

*********************************************************************************************************************
ComboFix 11-04-30.02 - [Deleted] 04/30/11 20:43:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1260 [GMT -4:00]
Running from: c:\documents and settings\[Deleted]\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\[Deleted]\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\[Deleted]\g2mdlhlpx.exe
c:\documents and settings\[Deleted]\GoToAssistDownloadHelper.exe
c:\windows\system32\BSTIep~1.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\gotomon.log
c:\windows\system32\spool\prtprocs\w32x86\atx_print.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-30 15:29 . 2011-04-30 15:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-28 22:10 . 2011-04-28 22:10 -------- d-----w- c:\program files\Avira
2011-04-28 22:10 . 2011-04-28 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-11 18:13 . 2011-04-11 18:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2011-04-06 04:26 . 2011-04-06 04:26 -------- d-----w- c:\program files\Defraggler
2011-04-06 03:31 . 2011-04-06 03:31 -------- d-----w- c:\program files\Common Files\Java
2011-04-06 02:13 . 2011-04-06 02:13 -------- d-----w- c:\documents and settings\[Deleted]\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-28 01:29 . 2010-05-01 00:40 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-04-22 23:08 . 2007-11-12 14:50 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-02-03 01:40 . 2010-08-20 00:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2007-07-09 12:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shadow"="c:\program files\NewTech Infosystems\NTI Shadow 3\Shadow.exe" [2006-08-17 503808]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"TaskScheduler"="c:\prowin10\32bit\tasksch.exe" [2011-04-03 441176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 18:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 05:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-12-30 19:17 19972712 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskScheduler]
2011-04-03 14:26 441176 ----a-w- c:\prowin10\32bit\TaskSch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\HP Media Vault\\Utilities\\hpezbkup.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/28/10 10:48 PM 363344]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [05/27/09 3:27 AM 29262680]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [01/22/10 8:40 PM 45824]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [08/21/10 3:51 PM 582992]
R2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\SupportSpace\Support Platform\supportspace_tools.exe [01/20/08 5:12 PM 308464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/28/10 10:48 PM 20952]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [01/22/10 8:40 PM 56960]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [08/21/10 3:51 PM 206608]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [01/20/10 9:23 PM 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/04/10 12:51 AM 136176]
S2 mrtRate;mrtRate; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [01/22/10 8:02 PM 1691480]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [12/16/06 4:24 PM 72704]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [03/13/06 3:59 PM 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [03/13/06 3:59 PM 8960]
S3 PortAcc;Spearit Port Access;c:\program files\Laplink\PCmover\PortAcc.sys [03/13/06 3:48 PM 10752]
S3 SIWIO;SIWIO;\??\c:\windows\TEMP\SiwIo.sys --> c:\windows\TEMP\SiwIo.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [08/21/10 3:51 PM 206608]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-04 04:51]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-04 04:51]
.
2011-04-30 c:\windows\Tasks\Malwarebytes' Scheduled Scan for [Deleted].job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-29 23:08]
.
2011-04-30 c:\windows\Tasks\Malwarebytes' Scheduled Update for [Deleted].job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-29 23:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: cumberlandcounty.org
Trusted Zone: intuit.com\ttlc
Trusted Zone: mainelandrecords.com\www
Trusted Zone: refund-advantage.com\www
TCP: {CF2F86EA-5FC2-499A-BBD0-24EFF03A193F} = 4.2.2.2,8.8.8.8
DPF: Microsoft XML Parser for Java
DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB
DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsTV.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://inotes.adrus.com/dwa85W.cab
DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/Dll/RSFCalc.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsDP.cab
DPF: {9D27C3FA-6662-4D29-99FB-A58A405FD584} - hxxps://secureshare.prometric.com/COM/MOVEitUploadWizard4.0.0.ocx
DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
DPF: {DE1319F8-DE5B-42EB-9407-4067FB8A09FD} - hxxp://wkforms.com/BuildRelease/wkforms/perform%20plus%20III/release/install.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 20:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TaskScheduler = c:\prowin10\32bit\tasksch.exe?????????Ux????+.Tx????L?????????Ux????????<??????????????NL??????N????n???????0???.?Uxo???????$???=???l???8?????C???????@?????l???l???X?????C??????yA?????u???P?D?l???????????D-C??????H@?@?C???8?&???!?????8?@?C???8???????????8?@?C
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1344)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2011-04-30 20:56:46
ComboFix-quarantined-files.txt 2011-05-01 00:56
ComboFix2.txt 2010-11-13 20:52
.
Pre-Run: 35,350,523,904 bytes free
Post-Run: 35,370,778,624 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2D31A3E070ABCA9CE7BC8DAD349278FA
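Editor's note, added to this page and not part of TaxSleuth's posts: the two ComboFix logs above list every service (the `R2`/`S3` lines) and every Run-key value, and a helper reading them on a thread like this looks for a few things before anything else: an entry whose binary is gone (`[x]`), a file ComboFix could not verify (`[?]`), a driver loading out of a temporary directory, a program running from outside Program Files or the Windows tree, and the Security Center `AntiVirusOverride` flag. The script below is an added example, not ComboFix's own logic and not anything the thread's helpers ran; its rules and the expected-root list are the author's assumptions, and a hit means "look at this entry next", not that the entry is malicious. The sample lines are copied from the log above.

```python
"""Triage pass over ComboFix service and Run-key lines.

Added example for this page, not code from the thread or from ComboFix.
The rules are the author's own heuristics (assumptions, not ComboFix's
verdicts): a hit means "look at this entry next", nothing more.
"""
import re

# Service line as ComboFix prints it, e.g.
#   S3 SIWIO;SIWIO;\??\c:\windows\TEMP\SiwIo.sys --> c:\windows\TEMP\SiwIo.sys [?]
#   S2 mrtRate;mrtRate; [x]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)

# Run-key value line, e.g.
#   "TaskScheduler"="c:\prowin10\32bit\tasksch.exe" [2011-04-03 441176]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?'
)

# Directories a service or autostart binary is normally installed under
# on an XP box (assumption; tune for the machine being looked at).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_service(line):
    """Split one service line into start type, names, image path and the
    trailing bracket text ("x" = file missing, "?" = could not be verified,
    otherwise the timestamp/size ComboFix recorded). None if not a service line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    path, _, meta = rest.rpartition(" [")
    meta = meta.rstrip("]")
    if not path:                       # nothing but "[x]": no image path at all
        path, meta = "", rest.strip("[]")
    if "-->" in path:                  # "raw --> resolved": keep the resolved path
        path = path.split("-->", 1)[1].strip()
    path = path.replace("\\??\\", "")  # drop the NT object-manager prefix
    return {"start": m.group("start"), "name": m.group("name"),
            "display": m.group("display"), "path": path, "meta": meta}


def parse_run_value(line):
    """Split one Run-key value line into name, image path and bracket text."""
    m = RUN_RE.match(line.strip())
    if m is None:
        return None
    return {"name": m.group("name"), "path": m.group("path"),
            "meta": m.group("meta") or ""}


def classify(entry):
    """Apply the triage heuristics to one parsed entry; returns a list of hits."""
    name, path, meta = entry["name"], entry["path"], entry["meta"]
    low = path.lower()
    hits = []
    if meta == "x" or not path:
        return [("missing-binary", name, path)]
    if meta == "?":
        hits.append(("unverified-file", name, path))
    if "\\temp\\" in low:
        hits.append(("temp-path", name, path))
    elif not low.startswith(EXPECTED_ROOTS):
        hits.append(("unusual-root", name, path))
    return hits


def triage(lines):
    """Return (rule, entry name, path) tuples for every line that trips a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        # Security Center told not to warn about AV state: worth knowing who set it.
        if line == '"AntiVirusOverride"=dword:00000001':
            findings.append(("security-center-override", "AntiVirusOverride", line))
            continue
        entry = parse_service(line) or parse_run_value(line)
        if entry is not None:
            findings.extend(classify(entry))
    return findings


# Lines copied from the ComboFix log posted above.
SAMPLE_LINES = [
    r"R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/28/10 10:48 PM 363344]",
    r"S2 mrtRate;mrtRate; [x]",
    r"S3 PortAcc;Spearit Port Access;c:\program files\Laplink\PCmover\PortAcc.sys [03/13/06 3:48 PM 10752]",
    r"S3 SIWIO;SIWIO;\??\c:\windows\TEMP\SiwIo.sys --> c:\windows\TEMP\SiwIo.sys [?]",
    r'"TaskScheduler"="c:\prowin10\32bit\tasksch.exe" [2011-04-03 441176]',
    r'"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]',
    '"AntiVirusOverride"=dword:00000001',
]

if __name__ == "__main__":
    for rule, name, path in triage(SAMPLE_LINES):
        print(f"{rule:<26} {name:<18} {path}")
```

On a saved log, `triage(open("ComboFix.txt", errors="replace").read().splitlines())` walks the whole file; lines that are not service or Run-key entries are ignored, so the catchme and locked-key sections do not produce noise. The `[?]` and temp-directory rules both fire on the `SIWIO` line, which is exactly the kind of entry a helper asks about, but the script says nothing about whether the file is legitimate; that still takes a look at the file itself.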
  5. My PC is sending out IPs that Malwarebytes has blocked. In addition, at times it appears to be running slowly. Finally, when I try to run GMER, it tends to crash (shuts down) before completing. I have run Malwarebytes Pro and Avira and found nothing. I am posting the DDS.TXT below. Please note that the GMER printout was generated by having the PC run in safe mode. Not sure whether that helps or not. The DDS.TXT and Attach.TXT were generated when the computer was working "normally". Thanks to anyone for taking a look. Also, let me know if you see stuff that I can just go ahead and delete. I can keep trying to run GMER in its normal state if that's critical.

*******************************************************************************************************************************
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by [Deleted] at 11:25:03.81 on 04/29/11
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1197 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ProWin10\32bit\tasksch.exe
C:\Documents and Settings\Markham & Company\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [shadow] c:\program files\newtech infosystems\nti shadow 3\Shadow.exe --minimize
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TaskScheduler] c:\prowin10\32bit\tasksch.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: cumberlandcounty.org
Trusted Zone: intuit.com\ttlc
Trusted Zone: mainelandrecords.com\www
Trusted Zone: refund-advantage.com\www
DPF: Microsoft XML Parser for Java
DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB
DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsTV.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://inotes.adrus.com/dwa85W.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.refund-advantage.com/pcheck103010/smsx.cab
DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/Dll/RSFCalc.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://ccllcnc.com/Remote/msrdp.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}
DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsDP.cab
DPF: {9D27C3FA-6662-4D29-99FB-A58A405FD584} - hxxps://secureshare.prometric.com/COM/MOVEitUploadWizard4.0.0.ocx
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
DPF: {DE1319F8-DE5B-42EB-9407-4067FB8A09FD} - hxxp://wkforms.com/BuildRelease/wkforms/perform%20plus%20III/release/install.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intuit.webex.com/client/T27LC/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {CF2F86EA-5FC2-499A-BBD0-24EFF03A193F} = 4.2.2.2,8.8.8.8
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-28 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-28 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-28 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-28 363344]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2010-1-22 45824]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-8-21 582992]
R2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\supportspace\support platform\supportspace_tools.exe [2008-1-20 308464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-28 20952]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2010-1-22 56960]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-8-21 206608]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-20 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]
S2 mrtRate;mrtRate; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-22 1691480]
S3 cpuz132;cpuz132;\??\c:\docume~1\instal~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\instal~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2006-12-16 72704]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-3-13 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-3-13 8960]
S3 PortAcc;Spearit Port Access;c:\program files\laplink\pcmover\PortAcc.sys [2006-3-13 10752]
S3 SIWIO;SIWIO;\??\c:\windows\temp\siwio.sys --> c:\windows\temp\SiwIo.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-8-21 206608]
.
=============== Created Last 30 ================
.
2011-04-28 22:10:59 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-28 22:10:58 -------- d-----w- c:\program files\Avira
2011-04-28 22:10:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-06 04:26:29 -------- d-----w- c:\program files\Defraggler
2011-04-06 02:13:49 -------- d-----w- c:\docume~1\markha~1\locals~1\applic~1\PackageAware
.
==================== Find3M ====================
.
2011-04-28 19:53:00 848 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2011-04-22 23:08:16 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-03-18 18:32:10 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-03-18 17:02:01 103720 ----a-w- c:\documents and settings\markham & company\GoToAssistDownloadHelper.exe
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 11:29:00.73 ===============
Attach.zip