TechSpot

"Bad Image" pop up problem when opening programs and on start up

By Paulo1913
Dec 14, 2010
  1. Hi guys,

    I don't know much about computers, but I have followed the instructions to create a few logs from the programs mentioned in the 6 steps to getting rid of malware (I think this may be one), so I will post them here so maybe someone can show me what to do to get rid of the annoying pop-ups when I start programs.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5309

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18975

    14/12/2010 5:44:44 p.m.
    mbam-log-2010-12-14 (17-44-44).txt

    Scan type: Quick scan
    Objects scanned: 134579
    Time elapsed: 17 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-14 17:53:11
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543216L9A300 rev.FB2OC40C
    Running: rxsv655l.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kgtdapod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Paul at 18:02:24.44 on Tue 14/12/2010
    Internet Explorer: 8.0.6001.18975
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.64.1033.18.955.360 [GMT 13:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Users\Paul\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    c:\Users\Paul\Documents\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.nz/
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=2&o=vz32&d=0309&m=extensa_4230
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=2&o=vz32&d=0309&m=extensa_4230
    uURLSearchHooks: H - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: RadioBar Toolbar: {5b291e6c-9a74-4034-971b-a4b007a0b315} - c:\program files\radiobar\toolbar.ni.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: RadioBar Toolbar: {5b291e6c-9a74-4034-971b-a4b007a0b315} - c:\program files\radiobar\toolbar.ni.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [PLFSetI] c:\windows\PLFSetI.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
    mRun: [eRecoveryService]
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\users\paul\appdata\roaming\micros~1\windows\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: toolbarchrome - {718733BC-AD64-4e5f-AC18-A85FBD75D54D} - c:\program files\radiobar\toolbar.ni.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-25 24576]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-24 144632]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-29 210432]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-1-25 93968]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 136176]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2009-1-25 3663360]
    S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-24 50424]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-12-14 03:31:43 -------- d-----w- c:\program files\Clean Disk Security
    2010-12-14 03:29:53 -------- d-----w- c:\program files\Disk Investigator
    2010-12-13 23:06:36 -------- d-----w- c:\users\paul\appdata\roaming\Malwarebytes
    2010-12-13 23:06:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-13 23:06:18 -------- d-----w- c:\progra~2\Malwarebytes
    2010-12-13 23:05:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-13 23:05:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-07 07:44:34 -------- d-----w- c:\users\paul\appdata\roaming\AVG10
    2010-12-07 07:38:25 -------- d--h--w- c:\progra~2\Common Files
    2010-12-07 07:35:43 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-07 07:35:43 -------- d-----w- c:\progra~2\AVG10
    2010-12-07 04:38:28 -------- d-----w- c:\progra~2\MFAData
    2010-11-29 02:43:22 -------- d-----w- c:\program files\vym
    2010-11-23 18:54:00 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

    ==================== Find3M ====================


    ============= FINISH: 18:07:27.69 ===============

    Any help is much appreciated :)
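What a malware-removal helper looks for first in a DDS log like the one above can be written down as a few rules. The Python below is an added example for this thread, not part of the post and not DDS's own code; it runs those rules over lines copied from the log (the sample input is constructed from them). Every hit is a lead to verify, not a verdict: an executable running under a Temp folder, the three "No File" entries (registry entries whose DLL is gone), a non-empty AppInit_DLLs value (a missing or corrupt DLL there is a common cause of "Bad Image" dialogs, since it is loaded into every process that uses user32) and a Run entry with a bare file name (resolved through the search path, so it can be hijacked by a copy earlier in that path).

```python
"""Heuristic triage of a DDS log: the Running Processes and Pseudo HJT sections.

Added example for this thread; it is not DDS's code and not anything the
posters ran.  Each hit is a lead for the analyst to verify, not a verdict.
"""
import re

# Constructed sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Users\Paul\AppData\Local\Temp\RtkBtMnt.exe
c:\Users\Paul\Documents\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
BHO: RadioBar Toolbar: {5b291e6c-9a74-4034-971b-a4b007a0b315} - c:\program files\radiobar\toolbar.ni.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [eRecoveryService]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
NO_FILE_RE = re.compile(r"\bNo File\b")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def triage(log_text):
    """Return (category, line) pairs worth a second look, in log order."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "running processes":
            # A process image under a Temp directory.  Droppers stage there,
            # but so do some vendor helpers and the scanners themselves, so
            # check the file's signer before acting on it.
            if TEMP_RE.search(line):
                findings.append(("process_in_temp", line))
        elif section == "pseudo hjt report":
            if NO_FILE_RE.search(line):
                # Registry entry whose DLL no longer exists: leftover from an
                # uninstall or a partial removal; harmless but worth cleaning.
                findings.append(("orphaned_entry", line))
            elif line.lower().startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
                # AppInit_DLLs is loaded into every process that uses user32;
                # a missing or corrupt DLL here is a common source of
                # "Bad Image" dialogs on every program start.
                findings.append(("appinit_dll", line))
            else:
                run = RUN_RE.match(line)
                if run:
                    cmd = run.group("cmd").strip().strip('"')
                    # A Run value with a bare file name is resolved through
                    # the search path, so a copy earlier in that path wins.
                    if cmd and "\\" not in cmd:
                        findings.append(("unqualified_run_entry", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for category, line in hits:
        print(f"{category:24s} {line}")
    print(summarize(hits))
```

Run it as a script to see the six hits from the sample. Feeding it a full DDS.txt works the same way, since the section headers are what drive the rules; the scanners' own temporary drivers (GMER's `kgtdapod.sys`, MBRCheck's `mbr.sys`) will also match the Temp rule, which is why each hit still needs a human look.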
     
  2. Broni

    Broni Malware Annihilator

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =======================================================================

    The Attach.txt part of DDS is missing. Please, post it.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
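MBRCheck, requested above, reads sector 0 of the disk and compares its boot code against a list of known vendor MBRs, which is how it tells an OEM boot sector from one that has been rewritten. The Python below is an added example for this thread (not MBRCheck's code and not from anyone posting here) that shows the same check on a constructed 512-byte MBR: it validates the 0x55AA signature and the partition table, and hashes the 446 bytes of boot code against a baseline. The baseline is assumed to have been recorded on a known-clean machine; for the demo it is derived from the sample itself. `tamper()` is a helper written for the example to simulate a patched boot sector.

```python
"""Parse and sanity-check a 512-byte MBR the way a boot-sector checker does.

Added example for this thread; it is not MBRCheck's code.  MBRCheck compares
the boot code against its own list of known vendor MBRs; here the baseline is
a SHA-256 of the boot code recorded on a known-clean machine (assumption: for
this demo it is derived from the constructed sample itself).
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0x000-0x1BD hold the boot code
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE    # must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors


def _entry(status, ptype, lba_start, sectors):
    """Build one partition-table entry; CHS fields are zeroed (LBA-only)."""
    return struct.pack(ENTRY_FMT, status, bytes(3), ptype, bytes(3), lba_start, sectors)


# Constructed sample: a filler boot-code stub (not real x86 code), two NTFS
# partitions (type 0x07) of 70 GiB each like the C:/D: split in the log
# above, two empty slots and a valid signature.
_BOOT_STUB = bytes(range(256)) + bytes(190)                 # 446 bytes
CLEAN_MBR = (_BOOT_STUB
             + _entry(0x80, 0x07, 2048, 146_800_640)
             + _entry(0x00, 0x07, 146_802_688, 146_800_640)
             + bytes(32)
             + b"\x55\xAA")
assert len(CLEAN_MBR) == MBR_SIZE

# Baseline hash of the boot code, as recorded on a known-clean system
# (assumption: taken from the sample itself for this demo).
BASELINE_BOOT_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(data):
    """Decode signature, boot-code hash and the non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data, baseline_boot_hash):
    """Return a list of human-readable problems; empty means nothing stood out."""
    info = parse_mbr(data)
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        # Either a bootkit rewrote sector 0 or an OEM recovery tool did;
        # diff the code against the vendor's before deciding.
        issues.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            issues.append("overlapping partition entries")
    return issues


def tamper(data, offset, value):
    """Return a copy of data with one byte changed (simulates a patched sector)."""
    patched = bytearray(data)
    patched[offset] = value
    return bytes(patched)


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk; needs Administrator on Windows (root and
    a path like /dev/sda on Linux).  Not called here so the example stays offline."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_BOOT_HASH))
    print("patched boot code:", check_mbr(tamper(CLEAN_MBR, 0x10, 0xEB), BASELINE_BOOT_HASH))
    print("broken signature:", check_mbr(tamper(CLEAN_MBR, 0x1FF, 0x00), BASELINE_BOOT_HASH))
```

Run as a script it reports nothing for the clean sample, one issue for a single patched byte in the boot code and one for a broken signature. On a real machine the baseline has to come from a trusted copy of the vendor's MBR, which is exactly why a hash mismatch on an OEM laptop such as the Acer in this thread is a reason to look, not a reason to rewrite the sector.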
     
  3. Paulo1913

    Paulo1913 TS Rookie Topic Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume2
    Install Date: 24/03/2009 2:12:47 p.m.
    System Uptime: 14/12/2010 6:27:27 p.m. (0 hours ago)

    Motherboard: Acer | | Extensa 4230
    Processor: Genuine Intel(R) CPU T1600 @ 1.66GHz | uPGA-478 | 1662/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 39.559 GiB free.
    D: is FIXED (NTFS) - 70 GiB total, 69.201 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
    Description: Terminal Server Device Redirector
    Device ID: ROOT\RDPDR\0000
    Manufacturer: (Standard system devices)
    Name: Terminal Server Device Redirector
    PNP Device ID: ROOT\RDPDR\0000
    Service: rdpdr

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acer Crystal Eye Webcam 2.0.8
    Acer Empowering Technology
    Acer ePower Management
    Acer eRecovery Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer ScreenSaver
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11.5
    AVG 2011
    Broadcom Gigabit Integrated Controller
    BufferChm
    Business Contact Manager for Outlook 2007 SP2
    Clean Disk Security 7.84
    Compatibility Pack for the 2007 Office system
    Copy
    Debut Video Capture Software
    Destinations
    DeviceDiscovery
    Disk Investigator 1.51
    DJ_AIO_05_F4400_Software_Min
    eSobi v2
    F4400
    Free Internet Eraser 3.0
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    Google Earth
    Google Update Helper
    GPBaseService2
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet F4400 Printer Driver Software 13.0 Rel .5
    HP Imaging Device Functions 13.0
    HP Print Projects 1.0
    HP Smart Web Printing 4.5
    HP Solution Center 13.0
    HP Update
    HPPhotoGadget
    hpPrintProjects
    HPProductAssistant
    hpWLPGInstaller
    Intel(R) Graphics Media Accelerator Driver
    J2SE Runtime Environment 5.0 Update 5
    JMicron JMB38X Flash Media Controller
    Junk Mail filter update
    Launch Manager
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Standard Edition 2003
    Microsoft Office Suite Activation Assistant
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Shadow
    OGA Notifier 2.0.0048.0
    Power Challenge Game Plugin
    RadioBar Toolbar
    Realtek High Definition Audio Driver
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Skype Toolbars
    Skype™ 4.2
    SmartWebPrinting
    SolutionCenter
    Status
    Synaptics Pointing Device Driver
    Toolbox
    TrayApp
    Tweak UI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VYM (View Your Mind) 1.12.7 for Windows
    WebLab ViewerPro
    WebReg
    WIDCOMM Bluetooth Software 6.0.1.6400
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer

    ==== End Of File ===========================

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Business Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Acer
    BIOS Manufacturer: Acer
    System Manufacturer: Acer
    System Product Name: Extensa 4230
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 153):
    0x81E06000 \SystemRoot\system32\ntkrnlpa.exe
    0x821BF000 \SystemRoot\system32\hal.dll
    0x80408000 \SystemRoot\system32\kdcom.dll
    0x8040F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8047F000 \SystemRoot\system32\PSHED.dll
    0x80490000 \SystemRoot\system32\BOOTVID.dll
    0x80498000 \SystemRoot\system32\CLFS.SYS
    0x804D9000 \SystemRoot\system32\CI.dll
    0x8060B000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x80687000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80694000 \SystemRoot\system32\drivers\acpi.sys
    0x806DA000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806E3000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806EB000 \SystemRoot\system32\drivers\pci.sys
    0x80712000 \SystemRoot\System32\drivers\partmgr.sys
    0x80721000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80724000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8072E000 \SystemRoot\system32\drivers\volmgr.sys
    0x8073D000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80787000 \SystemRoot\system32\DRIVERS\pcmcia.sys
    0x807B4000 \SystemRoot\System32\drivers\mountmgr.sys
    0x807C4000 \SystemRoot\system32\drivers\atapi.sys
    0x807CC000 \SystemRoot\system32\drivers\ataport.SYS
    0x807EA000 \SystemRoot\system32\drivers\msahci.sys
    0x805B9000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x805C7000 \SystemRoot\system32\drivers\fltmgr.sys
    0x85E09000 \SystemRoot\system32\drivers\fileinfo.sys
    0x85E19000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x85E8A000 \SystemRoot\system32\drivers\ndis.sys
    0x85F95000 \SystemRoot\system32\drivers\msrpc.sys
    0x85FC0000 \SystemRoot\system32\drivers\NETIO.SYS
    0x86003000 \SystemRoot\System32\drivers\tcpip.sys
    0x860ED000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x86209000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x86319000 \SystemRoot\system32\drivers\volsnap.sys
    0x86352000 \SystemRoot\System32\Drivers\spldr.sys
    0x8635A000 \SystemRoot\System32\Drivers\mup.sys
    0x86369000 \SystemRoot\System32\drivers\ecache.sys
    0x86390000 \SystemRoot\system32\drivers\disk.sys
    0x863A1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x863C2000 \SystemRoot\system32\drivers\crcdisk.sys
    0x863CB000 \SystemRoot\system32\DRIVERS\avgrkx86.sys
    0x863D0000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
    0x86108000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x86200000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x86113000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8A20C000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8A907000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8A9A8000 \SystemRoot\System32\drivers\watchdog.sys
    0x8A9B4000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8A9BF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x86122000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x86131000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8AC0C000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8ACFB000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
    0x8AD32000 \SystemRoot\system32\DRIVERS\jmcr.sys
    0x8AD49000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    0x8AD6F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8AD73000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8AD86000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0x8AD90000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8AD9B000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8ADCA000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8ADCC000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8ADD7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8ADEF000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0x8ADF7000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x861BE000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8AE0A000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8AE4B000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8AE56000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8AE6D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8AE78000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8AE9B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8AEAA000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8AEBE000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8AED3000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8AEE3000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8AEE5000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8AF0F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8AF19000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8AF26000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8AF5B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8B002000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8B228000 \SystemRoot\system32\drivers\portcls.sys
    0x8B255000 \SystemRoot\system32\drivers\drmk.sys
    0x8B27A000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x8B2B8000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x8B40C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x8B4C1000 \SystemRoot\system32\drivers\modem.sys
    0x8B4CE000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
    0x8B4DA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8B4E3000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B4EA000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B4F1000 \SystemRoot\System32\drivers\vga.sys
    0x8B4FD000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8B51E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8B526000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8B52E000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8B539000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8B547000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8B550000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8B566000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8B57A000 \SystemRoot\system32\DRIVERS\avgtdix.sys
    0x8B5C2000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8AF6C000 \SystemRoot\system32\drivers\afd.sys
    0x8B3BB000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8B3D1000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8B3DF000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8AFB4000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8B5F4000 \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
    0x8B400000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8B60C000 \SystemRoot\system32\drivers\csc.sys
    0x8B667000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8B67E000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8B695000 \SystemRoot\system32\DRIVERS\avgldx86.sys
    0x8B6D1000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x8B6F2000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8B6FF000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8B70A000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x81620000 \SystemRoot\System32\win32k.sys
    0x8B714000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8B71E000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x81840000 \SystemRoot\System32\TSDDD.dll
    0x81860000 \SystemRoot\System32\cdd.dll
    0x8B72D000 \SystemRoot\system32\drivers\luafv.sys
    0x8B748000 \SystemRoot\system32\drivers\spsys.sys
    0x8AFF0000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xA580C000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0xA5836000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA5840000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA5853000 \SystemRoot\system32\drivers\HTTP.sys
    0xA58C0000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA58DD000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xA58F6000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xA590B000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA592C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA594B000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xA5984000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA599C000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA6607000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA6655000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    0xA6660000 \??\C:\Windows\system32\drivers\int15.sys
    0xA6668000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA666C000 \SystemRoot\system32\drivers\peauth.sys
    0xA674A000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xA6754000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xA6760000 \SystemRoot\system32\DRIVERS\xaudio.sys
    0xA6768000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    0xA6772000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    0xA679A000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xA67B0000 \??\C:\Users\Paul\AppData\Local\Temp\mbr.sys
    0x76EB0000 \Windows\System32\ntdll.dll

    Processes (total 83):
    0 System Idle Process
    4 System
    452 C:\Windows\System32\smss.exe
    484 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    700 csrss.exe
    752 csrss.exe
    760 C:\Windows\System32\wininit.exe
    800 C:\Windows\System32\services.exe
    812 C:\Windows\System32\lsass.exe
    824 C:\Windows\System32\lsm.exe
    892 C:\Windows\System32\winlogon.exe
    1004 C:\Windows\System32\svchost.exe
    1068 C:\Windows\System32\svchost.exe
    1204 C:\Windows\System32\svchost.exe
    1232 C:\Windows\System32\svchost.exe
    1244 C:\Windows\System32\svchost.exe
    1308 C:\Windows\System32\audiodg.exe
    1328 C:\Windows\System32\svchost.exe
    1368 C:\Windows\System32\SLsvc.exe
    1412 C:\Windows\System32\svchost.exe
    1552 C:\Windows\System32\svchost.exe
    1724 C:\Windows\System32\spoolsv.exe
    1748 C:\Windows\System32\svchost.exe
    1956 C:\Program Files\AVG\AVG10\avgwdsvc.exe
    1984 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    2000 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    468 C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    1456 C:\Windows\System32\svchost.exe
    1836 C:\ACER\Mobility Center\MobilityService.exe
    1060 C:\Windows\System32\svchost.exe
    2084 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    2336 C:\Program Files\AVG\AVG10\avgnsx.exe
    2388 C:\Program Files\AVG\AVG10\avgemcx.exe
    2464 C:\Windows\System32\taskeng.exe
    2472 C:\Windows\System32\svchost.exe
    2552 C:\Windows\System32\svchost.exe
    2572 C:\Windows\System32\taskeng.exe
    2868 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    2884 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    2964 C:\Windows\System32\svchost.exe
    3008 C:\Windows\System32\svchost.exe
    3048 C:\Windows\System32\SearchIndexer.exe
    3188 C:\Windows\System32\drivers\XAudio.exe
    3284 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    3460 C:\Windows\System32\dwm.exe
    3488 C:\Windows\explorer.exe
    3800 WmiPrvSE.exe
    3912 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    3980 C:\Windows\System32\hkcmd.exe
    4052 C:\Windows\System32\igfxpers.exe
    1000 C:\Windows\PLFSetI.exe
    2440 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    2312 C:\Program Files\Internet Explorer\iexplore.exe
    464 C:\Program Files\Launch Manager\LManager.exe
    2060 C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    1968 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    912 C:\Program Files\AVG\AVG10\avgtray.exe
    2044 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    3300 C:\Program Files\Internet Explorer\iexplore.exe
    2372 C:\Windows\System32\igfxsrvc.exe
    2820 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2272 C:\Windows\System32\igfxext.exe
    276 C:\Windows\System32\igfxsrvc.exe
    3832 C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    3080 C:\Windows\System32\wbem\unsecapp.exe
    2984 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    3216 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    4036 C:\Users\Paul\AppData\Local\Temp\RtkBtMnt.exe
    4156 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    4516 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    4716 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    5976 C:\Windows\System32\wuauclt.exe
    5056 C:\Windows\System32\conime.exe
    4444 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    344 C:\Program Files\AVG\AVG10\avgcsrvx.exe
    5512 C:\Windows\System32\notepad.exe
    4148 C:\Windows\System32\VSSVC.exe
    5416 C:\Windows\System32\svchost.exe
    4120 C:\Windows\System32\notepad.exe
    268 C:\Program Files\Internet Explorer\iexplore.exe
    5768 C:\Windows\System32\SearchProtocolHost.exe
    3976 C:\Windows\System32\SearchFilterHost.exe
    5140 C:\Users\Paul\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80500000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e1d00000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543216L9A300, Rev: FB2OC40C

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Acer MBR code detected
    SHA1: 12ADB8D1AD8327A4A2FA5865BC87234485F25003


    Done!

    Is that all you need?
     
  4. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    I still need the Combofix log...
     
  5. Paulo1913

    Paulo1913 TS Rookie Topic Starter

    ComboFix 10-12-13.02 - Paul 14/12/2010 20:13:57.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.64.1033.18.955.141 [GMT 13:00]
    Running from: c:\users\Paul\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Paul\AppData\Roaming\.#
    c:\users\Paul\AppData\Roaming\.#\MBX@14C8@1AE1ED0.###
    c:\users\Paul\AppData\Roaming\.#\MBX@5F8@E81ED0.###
    c:\users\Paul\avira_antivir_personal_en.exe
    c:\users\Paul\powersetup.exe
    c:\windows\system32\system

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
    .

    2010-12-14 07:33 . 2010-12-14 07:34 -------- d-----w- c:\users\Paul\AppData\Local\temp
    2010-12-14 07:33 . 2010-12-14 07:33 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-14 03:31 . 2010-12-14 03:32 -------- d-----w- c:\program files\Clean Disk Security
    2010-12-14 03:29 . 2010-12-14 03:29 -------- d-----w- c:\program files\Disk Investigator
    2010-12-13 23:06 . 2010-12-13 23:06 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
    2010-12-13 23:06 . 2010-11-29 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-13 23:06 . 2010-12-13 23:06 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-13 23:05 . 2010-12-13 23:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-13 23:05 . 2010-11-29 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-07 07:44 . 2010-12-07 07:44 -------- d-----w- c:\users\Paul\AppData\Roaming\AVG10
    2010-12-07 07:38 . 2010-12-07 07:38 -------- d--h--w- c:\programdata\Common Files
    2010-12-07 04:38 . 2010-12-07 06:01 -------- d-----w- c:\programdata\MFAData
    2010-11-29 02:43 . 2010-11-29 02:43 -------- d-----w- c:\program files\vym
    2010-11-23 18:54 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B291E6C-9A74-4034-971B-A4B007A0B315}]
    2010-01-11 00:18 451808 ----a-w- c:\program files\RadioBar\toolbar.ni.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{5B291E6C-9A74-4034-971B-A4B007A0B315}"= "c:\program files\RadioBar\toolbar.ni.dll" [2010-01-11 451808]

    [HKEY_CLASSES_ROOT\clsid\{5b291e6c-9a74-4034-971b-a4b007a0b315}]
    [HKEY_CLASSES_ROOT\Pugi.PugiObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{810FCC0F-2CA3-414a-B8C8-550910C8B664}]
    [HKEY_CLASSES_ROOT\Pugi.PugiObj]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{5B291E6C-9A74-4034-971B-A4B007A0B315}"= "c:\program files\RadioBar\toolbar.ni.dll" [2010-01-11 451808]

    [HKEY_CLASSES_ROOT\clsid\{5b291e6c-9a74-4034-971b-a4b007a0b315}]
    [HKEY_CLASSES_ROOT\Pugi.PugiObj.1]
    [HKEY_CLASSES_ROOT\TypeLib\{810FCC0F-2CA3-414a-B8C8-550910C8B664}]
    [HKEY_CLASSES_ROOT\Pugi.PugiObj]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-12-19 6703648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-05 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-05 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-05 154136]
    "PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-11-28 417792]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-19 1833504]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-24 727592]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 136176]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-20 3663360]
    R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-11-28 24576]
    S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-28 210432]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-30 93968]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 09:08]

    2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 09:08]

    2010-05-30 c:\windows\Tasks\Install.job
    - c:\windows\System32\Adobe\Shockwave 11\nssstub.exe [2010-05-30 03:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.nz/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=2&o=vz32&d=0309&m=extensa_4230
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    Handler: toolbarchrome - {718733BC-AD64-4e5f-AC18-A85FBD75D54D} - c:\program files\RadioBar\toolbar.ni.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-eRecoveryService - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-14 20:34
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-12-14 20:37:01
    ComboFix-quarantined-files.txt 2010-12-14 07:36

    Pre-Run: 42,894,766,080 bytes free
    Post-Run: 42,852,560,896 bytes free

    - - End Of File - - 2B79C1BCC68C9D21266B90DF5F8212BF
     
  6. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    The Combofix log looks clean now :)

    How are the issues?

    You can reinstall your AV program now.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. Paulo1913

    Paulo1913 TS Rookie Topic Starter

    Everything is sorted, the pop-ups have stopped :)

    Thank you very much for your help.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    You're very welcome :)
    We still need to finish the cleaning process.

    Please post OTL logs.
     
Topic Status:
Not open for further replies.

