TechSpot

Malware help - 8 step logs attached

By JimDav
Nov 27, 2010
  1. Problems with excessive slowness & crashing / freezing IE.

    I am looking at this problem for a friend.
    Disabled a few suspect start-up items, e.g. 'fdobiwogi'.
    Found that MBAM & Windows Defender will not allow updates.
    Registry edit tools disabled.

    Avast Antivirus identified & dealt with 1 threat - no improvement
    TFC downloaded & ran OK
    MBAM log:

    Malwarebytes' Anti-Malware 1.20
    Database version: 930
    Windows 6.0.6002 Service Pack 2

    17:54:05 27/11/2010
    mbam-log-11-27-2010 (17-54-05).txt

    Scan type: Quick Scan
    Objects scanned: 37317
    Time elapsed: 4 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log:
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-27 19:28:35
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS543225L9A300 rev.FBEOC40C
    Running: gmer.exe; Driver: C:\Users\SARAHB~1\AppData\Local\Temp\uwlyypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Windows\system32\drivers\mbam.sys ZwCreateSection [0xB0354700]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8ED30BAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8ED309D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8ED30B0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 215 820EB978 4 Bytes [00, 47, 35, B0]
    PAGE ntkrnlpa.exe!ZwLoadDriver 821AADF0 7 Bytes JMP 8ED30B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8221628F 5 Bytes JMP 8ED2C5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 8226F063 5 Bytes JMP 8ED2DFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!NtCreateSection 82270905 7 Bytes JMP 8ED309D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 822D090A 7 Bytes JMP 8ED30BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xB033341C]
    .clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xB0334000, 0x1000, 0xE0000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[304] kernel32.dll!SetUnhandledExceptionFilter 761AA84F 4 Bytes [C2, 04, 00, 00]
    .text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0079000A
    .text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 007A000A
    .text C:\Windows\system32\svchost.exe[1216] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 005A000A
    .text C:\Windows\system32\svchost.exe[1216] ole32.dll!CoCreateInstance 77399F3E 5 Bytes JMP 0097000A
    .text C:\Windows\system32\svchost.exe[1216] USER32.dll!GetCursorPos 77770B88 5 Bytes JMP 01FD000A
    .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1688] kernel32.dll!SetUnhandledExceptionFilter 761AA84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2508] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Windows\Explorer.EXE[2816] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0230000A
    .text C:\Windows\Explorer.EXE[2816] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 0231000A
    .text C:\Windows\Explorer.EXE[2816] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 01BF000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4368] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4636] USER32.dll!TrackPopupMenu 777714F3 5 Bytes JMP 66205CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4864] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5332] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0086000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 0087000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 0085000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6024] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
    IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74B2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ADBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ACF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ACE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74B08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ADDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ACFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ACFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ACD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864FB3B2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864FB3B2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 864FB3B2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 864FB3B2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-0 864FB3B2

    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-1 -> \??\IDE#DiskHitachi_HTS543225L9A300_________________FBEOC40C#5&128fa69d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----



    DDS stuff to follow
  2. JimDav


    DDS txt

    DDS.txt:

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by Sarah Brown at 19:44:09.37 on 27/11/2010
    Internet Explorer: 8.0.6001.18975
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.1472 [GMT 0:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
    C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
    C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Users\SARAHB~1\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\Sarah Brown\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: adfayudhpr Object: {6a59933e-d8a2-4e71-8027-3fa5881ec5c9} - c:\windows\$ntuninstallmtf197$\lfjre.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\program files\imeshmediabartb\iMeshMediaBarDx.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: brumayudhgrm Object: {fbf50663-5574-4494-9419-76158e351ef0} - c:\windows\$ntuninstallmtf197$\cscdn.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\program files\imeshmediabartb\iMeshMediaBarDx.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ProductReg] "c:\program files\acer\wr_popup\ProductReg.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
    mRun: [ArcadeDeluxeAgent] "c:\program files\acer arcade deluxe\acer arcade deluxe\ArcadeDeluxeAgent.exe"
    mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"
    mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Skytel] Skytel.exe
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~1\GOEC62~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\sarahb~1\appdata\roaming\mozilla\firefox\profiles\b9ohoggg.default\
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: XULRunner: {3C16A606-5197-465A-ACF0-CD693D973332} - c:\users\sarah brown\appdata\local\{3C16A606-5197-465A-ACF0-CD693D973332}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\sarahb~1\appdata\roaming\mozilla\firefox\profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-27 165584]
    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2008-5-15 61424]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-27 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-27 50768]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
    R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2008-5-15 81504]
    R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-9-3 137144]
    R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-7-29 96920]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-15 24576]
    R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2010-11-20 17144]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-20 122488]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
    R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2008-5-15 122368]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
    R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2009-8-3 3658752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-2 30192]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile="%1" %*

    =============== Created Last 30 ================

    2010-11-27 14:10:07 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-11-27 14:09:26 38848 ----a-w- c:\windows\avastSS.scr
    2010-11-27 14:09:18 -------- d-----w- c:\progra~2\Alwil Software
    2010-11-26 22:55:59 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
    2010-11-26 22:55:59 107480 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2010-11-26 22:33:03 -------- d-----w- c:\windows\pss
    2010-11-22 20:13:17 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-11-22 20:12:03 -------- d-----w- c:\windows\SHELLNEW
    2010-11-21 17:12:24 -------- d-----w- c:\users\sarahb~1\appdata\roaming\DriverCure
    2010-11-21 17:12:23 -------- d-----w- c:\users\sarahb~1\appdata\roaming\ParetoLogic
    2010-11-21 17:12:12 -------- d-----w- c:\program files\common files\ParetoLogic
    2010-11-21 17:12:11 -------- d-----w- c:\program files\ParetoLogic
    2010-11-21 17:12:11 -------- d-----w- c:\progra~2\ParetoLogic
    2010-11-21 17:06:03 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5e566945-955a-46dd-b26f-f2ae3af4cf08}\mpengine.dll
    2010-11-21 15:44:00 -------- d-----w- c:\program files\common files\Adobe(937)
    2010-11-21 15:40:32 -------- d-----w- c:\users\sarahb~1\appdata\local\Electronic Arts
    2010-11-20 22:54:05 -------- d-----w- c:\users\sarahb~1\appdata\local\ESET
    2010-11-20 14:51:09 -------- d-----w- c:\program files\ESET
    2010-11-20 13:36:05 -------- d-----w- c:\program files\iPod(991)
    2010-11-20 13:35:59 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-20 13:31:50 -------- d-----w- c:\program files\Bonjour(936)
    2010-11-20 13:19:43 -------- d-----w- c:\program files\QuickTime(1124)
    2010-11-20 09:40:55 -------- d-----w- c:\users\sarahb~1\appdata\roaming\IObit
    2010-11-20 09:40:54 -------- d-----w- c:\program files\IObit
    2010-11-20 00:03:39 -------- d-----w- c:\users\sarahb~1\appdata\roaming\Malwarebytes
    2010-11-20 00:03:35 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-20 00:03:34 -------- d-----w- c:\progra~2\Malwarebytes
    2010-11-20 00:03:33 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
    2010-11-20 00:03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-19 18:49:01 -------- d-----w- c:\windows\system32\vi-VN
    2010-11-19 18:49:01 -------- d-----w- c:\windows\system32\eu-ES
    2010-11-19 18:49:01 -------- d-----w- c:\windows\system32\ca-ES
    2010-11-19 18:14:09 -------- d-----w- c:\windows\system32\EventProviders
    2010-11-12 17:03:57 0 ----a-w- c:\users\sarahb~1\appdata\local\Rsagikufevori.bin
    2010-11-12 17:03:55 -------- d-----w- c:\users\sarahb~1\appdata\local\{3C16A606-5197-465A-ACF0-CD693D973332}
    2010-11-12 17:02:14 -------- d-----w- c:\users\sarahb~1\appdata\local\Adobe32 ARM
    2010-11-08 17:44:27 -------- d-----w- c:\program files\AV8
    2010-11-06 11:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2010-10-29 17:37:48 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-29 17:37:47 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-29 17:37:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

    ==================== Find3M ====================

    2010-10-19 10:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: Hitachi_HTS543225L9A300 rev.FBEOC40C -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864FB566]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86501624]; MOV EAX, [0x865016a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x82083962] -> \Device\Harddisk0\DR0[0x85F67AC8]
    3 CLASSPNP[0x82BA48B3] -> ntkrnlpa!IofCallDriver[0x82083962] -> [0x85663B98]
    \Driver\atapi[0x857F8B50] -> IRP_MJ_CREATE -> 0x864FB566
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-1 -> \??\IDE#DiskHitachi_HTS543225L9A300_________________FBEOC40C#5&128fa69d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x864FB3B2
    user != kernel MBR !!!
    sectors 488397166 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 19:45:36.97 ===============
  3. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    Attach.txt

    DDS (Ver_10-11-27.01)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 03/08/2009 02:09:30
    System Uptime: 27/11/2010 16:42:00 (3 hours ago)

    Motherboard: Acer | | CathedralPeak
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | U2E1 | 1000/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 112 GiB total, 50.725 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 111.263 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: HP Photosmart C4500
    Device ID: ROOT\IMAGE\0000
    Manufacturer: Hewlett-Packard
    Name: HP Photosmart C4500
    PNP Device ID: ROOT\IMAGE\0000
    Service: StillCam

    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart C4500 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C4500 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:

    ==== System Restore Points ===================

    RP311: 20/11/2010 11:46:02 - Restore Operation
    RP327: 21/11/2010 16:41:25 - Restore Operation

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acer Arcade Deluxe
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer ePower Management
    Acer eSettings Management
    Acer GameZone Console 2.0.1.1
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer Product Registration
    Acer ScreenSaver
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Advanced SystemCare 3
    Agatha Christie Death on the Nile
    Agere Systems HDA Modem
    Alice Greenfingers
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    avast! Free Antivirus
    Azada
    Backspin Billiards
    Big Kahuna Reef
    Bonjour
    Bookworm Deluxe
    Bricks of Egypt
    BufferChm
    C4580
    Cake Mania
    CCleaner
    Chicken Invaders 3
    Chuzzle
    Copy
    Destination Component
    DeviceDiscovery
    Diner Dash Flo on the Go
    EA Download Manager
    ESET NOD32 Antivirus
    eSobi v2
    Flip Words 2
    Free Audio CD Burner version 1.4
    Free YouTube to MP3 Converter version 3.8
    Google Desktop
    Google Toolbar for Internet Explorer
    GPBaseService2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Participation Program 12.0
    HP Imaging Device Functions 12.0
    HP Photosmart C4500 All-In-One Driver Software12.0 Rel .4
    HP Photosmart Essential 3.5
    HP Smart Web Printing
    HP Solution Center 12.0
    HP Update
    HPPhotoGadget
    HPPhotoSmartDiscLabelContent1
    HPPhotosmartEssential
    HPProductAssistant
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 11
    Jewel Quest Solitaire
    Junk Mail filter update
    Kick N Rush
    Launch Manager
    LightScribe 1.4.142.1
    Mahjong Escape Ancient China
    Mahjongg Artifacts
    Malwarebytes' Anti-Malware
    MarketResearch
    Marvell Miniport Driver
    MediaBar
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft WSE 3.0 Runtime
    Mozilla Firefox (3.6.12)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mystery Case Files - Huntsville
    Mystery Solitaire - Secret Island
    Network
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    OGA Notifier 2.0.0048.0
    Orion
    ParetoLogic PC Health Advisor
    PhotoNow!
    Playsushi
    PowerDirector
    PS_AIO_04_C4580_Software_Min
    QuickTime
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Shop for HP Supplies
    Sibelius Scorch (ActiveX Only)
    SmartWebPrinting
    Smilebox
    SolutionCenter
    Spelling Dictionaries Support For Adobe Reader 9
    Status
    Street-Ads Browser Enhancer
    Synaptics Pointing Device Driver
    The Sims™ 3
    The Sims™ 3 Ambitions
    The Sims™ 3 World Adventures
    Toolbox
    TrayApp
    Turbo Pizza
    Uninstall 1.0.0.1
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    WebReg
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Yahoo! Toolbar
    ZIP Reader 8.00.0018
    Zuma Deluxe

    ==== Event Viewer Messages From Past Week ========

    27/11/2010 17:36:17, Error: Service Control Manager [7024] - The KtmRm for Distributed Transaction Coordinator service terminated with service-specific error 2147942438 (0x80070026).
    27/11/2010 17:34:22, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    27/11/2010 16:37:06, Error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
    27/11/2010 14:09:31, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    27/11/2010 12:24:39, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    27/11/2010 12:24:19, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    27/11/2010 12:24:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    27/11/2010 12:24:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    27/11/2010 12:24:03, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    27/11/2010 12:23:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    27/11/2010 00:28:43, Error: EventLog [6008] - The previous system shutdown at 00:10:09 on 27/11/2010 was unexpected.
    26/11/2010 22:29:21, Error: EventLog [6008] - The previous system shutdown at 22:27:36 on 26/11/2010 was unexpected.
    26/11/2010 22:09:49, Error: EventLog [6008] - The previous system shutdown at 22:08:11 on 26/11/2010 was unexpected.
    26/11/2010 21:56:08, Error: EventLog [6008] - The previous system shutdown at 21:54:37 on 26/11/2010 was unexpected.
    26/11/2010 21:06:51, Error: EventLog [6008] - The previous system shutdown at 20:51:03 on 26/11/2010 was unexpected.
    26/11/2010 20:27:34, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC ehdrv NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    22/11/2010 20:24:34, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    22/11/2010 20:24:34, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    22/11/2010 20:24:34, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    21/11/2010 17:17:04, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.106 for the Network Card with network address 001F3B7735D9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    21/11/2010 17:06:02, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.93.1130.0 Loading engine version: 1.1.6301.0
    21/11/2010 17:03:18, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {10DA4F3C-CC99-4190-BE4D-58330754E882} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    21/11/2010 15:30:14, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 001F3B7735D9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    21/11/2010 07:59:39, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 001F3B7735D9 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    20/11/2010 17:36:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service wercplsupport with arguments "" in order to run the server: {0E9A7BB5-F699-4D66-8A47-B919F5B6A1DB}
    20/11/2010 13:51:30, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    20/11/2010 13:33:26, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    20/11/2010 13:32:11, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    20/11/2010 12:44:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    20/11/2010 12:44:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.
    20/11/2010 12:44:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
    20/11/2010 12:43:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Update service, but this action failed with the following error: An instance of the service is already running.
    20/11/2010 12:43:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
    20/11/2010 12:30:02, Error: Service Control Manager [7024] - The AVG Free8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
    20/11/2010 12:10:26, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.93.1130.0 Loading engine version: 1.1.6201.0
    20/11/2010 11:07:15, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    20/11/2010 11:07:15, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
  4. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  5. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    OK, done that.
    Problem is that on reboot, it won't get much past password entry before flashing a blue screen (too quick to read) and resetting.

    Starting in safe mode is OK, but it will not start normally.

    Looking for the log file while in safe mode - will upload soon (if I can!)

    PS: this reply is from another PC!
  6. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    Got the log file but can't think how to get it on here!
    Advice?
  7. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    TDSSKiller log

    10/11/27 21:08:23.0262 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
    2010/11/27 21:08:23.0262 ================================================================================
    2010/11/27 21:08:23.0262 SystemInfo:
    2010/11/27 21:08:23.0263
    2010/11/27 21:08:23.0263 OS Version: 6.0.6002 ServicePack: 2.0
    2010/11/27 21:08:23.0263 Product type: Workstation
    2010/11/27 21:08:23.0263 ComputerName: SARAHBROWN
    2010/11/27 21:08:23.0266 UserName: Sarah Brown
    2010/11/27 21:08:23.0266 Windows directory: C:\Windows
    2010/11/27 21:08:23.0266 System windows directory: C:\Windows
    2010/11/27 21:08:23.0266 Processor architecture: Intel x86
    2010/11/27 21:08:23.0266 Number of processors: 2
    2010/11/27 21:08:23.0266 Page size: 0x1000
    2010/11/27 21:08:23.0266 Boot type: Normal boot
    2010/11/27 21:08:23.0266 ================================================================================
    2010/11/27 21:08:23.0731 Initialize success
    2010/11/27 21:08:28.0102 ================================================================================
    2010/11/27 21:08:28.0102 Scan started
    2010/11/27 21:08:28.0102 Mode: Manual;
    2010/11/27 21:08:28.0102 ================================================================================
    2010/11/27 21:08:36.0351 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    2010/11/27 21:08:36.0420 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    2010/11/27 21:08:36.0543 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    2010/11/27 21:08:36.0584 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    2010/11/27 21:08:36.0652 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    2010/11/27 21:08:36.0824 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    2010/11/27 21:08:37.0025 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
    2010/11/27 21:08:37.0118 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
    2010/11/27 21:08:37.0248 HTTP (0eeeca26c8d4bde2a4664db058a81937) C:\Windows\system32\drivers\HTTP.sys
    2010/11/27 21:08:37.0315 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    2010/11/27 21:08:37.0482 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    2010/11/27 21:08:37.0715 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    2010/11/27 21:08:37.0893 igfx (0627fc0c422cd6e0f23e1b0d1d9f0899) C:\Windows\system32\DRIVERS\igdkmd32.sys
    2010/11/27 21:08:38.0030 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    2010/11/27 21:08:38.0122 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Windows\system32\drivers\int15.sys
    2010/11/27 21:08:38.0314 IntcAzAudAddService (23ebcee9aaa4d6c88728791fab462456) C:\Windows\system32\drivers\RTKVHDA.sys
    2010/11/27 21:08:38.0478 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    2010/11/27 21:08:38.0529 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    2010/11/27 21:08:38.0636 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    2010/11/27 21:08:38.0816 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    2010/11/27 21:08:38.0855 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    2010/11/27 21:08:38.0970 irda (e50a95179211b12946f7e035d60af560) C:\Windows\system32\DRIVERS\irda.sys
    2010/11/27 21:08:39.0040 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    2010/11/27 21:08:39.0100 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    2010/11/27 21:08:39.0152 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    2010/11/27 21:08:39.0234 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    2010/11/27 21:08:39.0318 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    2010/11/27 21:08:39.0374 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    2010/11/27 21:08:39.0474 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
    2010/11/27 21:08:39.0603 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
    2010/11/27 21:08:39.0750 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    2010/11/27 21:08:39.0849 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    2010/11/27 21:08:39.0899 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    2010/11/27 21:08:39.0988 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    2010/11/27 21:08:40.0063 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    2010/11/27 21:08:40.0139 MBAMDrvService (8207bef11a004a2c88023bff6eeb60b3) C:\Windows\system32\drivers\mbam.sys
    2010/11/27 21:08:40.0238 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    2010/11/27 21:08:40.0323 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    2010/11/27 21:08:40.0462 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    2010/11/27 21:08:40.0549 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    2010/11/27 21:08:40.0601 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    2010/11/27 21:08:40.0685 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    2010/11/27 21:08:40.0749 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    2010/11/27 21:08:40.0803 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    2010/11/27 21:08:40.0886 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    2010/11/27 21:08:40.0972 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    2010/11/27 21:08:41.0032 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    2010/11/27 21:08:41.0121 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
    2010/11/27 21:08:41.0199 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    2010/11/27 21:08:41.0247 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    2010/11/27 21:08:41.0345 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
    2010/11/27 21:08:41.0446 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    2010/11/27 21:08:41.0585 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    2010/11/27 21:08:41.0676 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    2010/11/27 21:08:41.0746 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    2010/11/27 21:08:41.0861 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    2010/11/27 21:08:41.0954 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    2010/11/27 21:08:42.0013 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    2010/11/27 21:08:42.0102 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    2010/11/27 21:08:42.0201 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    2010/11/27 21:08:42.0267 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    2010/11/27 21:08:42.0409 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    2010/11/27 21:08:42.0501 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    2010/11/27 21:08:42.0607 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    2010/11/27 21:08:42.0681 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    2010/11/27 21:08:42.0733 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    2010/11/27 21:08:42.0966 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    2010/11/27 21:08:43.0107 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    2010/11/27 21:08:43.0161 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    2010/11/27 21:08:43.0445 NETw5v32 (e559ea9138c77b5d1fda8c558764a25f) C:\Windows\system32\DRIVERS\NETw5v32.sys
    2010/11/27 21:08:43.0722 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    2010/11/27 21:08:43.0910 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    2010/11/27 21:08:44.0051 NSCIRDA (6d8d2e5652fc2442c810c5d8be784148) C:\Windows\system32\DRIVERS\nscirda.sys
    2010/11/27 21:08:44.0144 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    2010/11/27 21:08:44.0319 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    2010/11/27 21:08:44.0505 NTIDrvr (2757d2ba59aee155209e24942ab127c9) C:\Windows\system32\DRIVERS\NTIDrvr.sys
    2010/11/27 21:08:44.0872 NTIPPKernel (547bfa3591c70674b0bfc99354ab78b3) C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys
    2010/11/27 21:08:45.0020 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    2010/11/27 21:08:45.0133 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
    2010/11/27 21:08:45.0176 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    2010/11/27 21:08:45.0267 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    2010/11/27 21:08:45.0355 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    2010/11/27 21:08:45.0435 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    2010/11/27 21:08:45.0630 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
    2010/11/27 21:08:45.0838 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    2010/11/27 21:08:45.0947 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    2010/11/27 21:08:46.0042 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    2010/11/27 21:08:46.0215 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    2010/11/27 21:08:46.0324 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
    2010/11/27 21:08:46.0445 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
    2010/11/27 21:08:46.0585 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    2010/11/27 21:08:46.0834 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    2010/11/27 21:08:46.0921 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
    2010/11/27 21:08:47.0044 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    2010/11/27 21:08:47.0129 PSDFilter (1dcbb35090cc4b2bd3d661e6089523c6) C:\Windows\system32\DRIVERS\psdfilter.sys
    2010/11/27 21:08:47.0167 PSDNServ (e26e46d619469964ac3609620f443867) C:\Windows\system32\DRIVERS\PSDNServ.sys
    2010/11/27 21:08:47.0257 psdvdisk (3e1d134af2806867d06047c4cc33cc65) C:\Windows\system32\DRIVERS\PSDVdisk.sys
    2010/11/27 21:08:47.0393 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
    2010/11/27 21:08:47.0536 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    2010/11/27 21:08:47.0634 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    2010/11/27 21:08:47.0683 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    2010/11/27 21:08:47.0780 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    2010/11/27 21:08:47.0887 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    2010/11/27 21:08:48.0135 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    2010/11/27 21:08:48.0326 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    2010/11/27 21:08:48.0400 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    2010/11/27 21:08:48.0487 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
    2010/11/27 21:08:48.0579 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    2010/11/27 21:08:48.0662 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    2010/11/27 21:08:48.0834 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    2010/11/27 21:08:48.0978 RTSTOR (9ea88492b1dab90dce43a6f2c0e133bd) C:\Windows\system32\drivers\RTSTOR.SYS
    2010/11/27 21:08:49.0060 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    2010/11/27 21:08:49.0185 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
    2010/11/27 21:08:49.0284 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    2010/11/27 21:08:49.0400 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
    2010/11/27 21:08:49.0489 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
    2010/11/27 21:08:49.0594 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    2010/11/27 21:08:49.0754 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
    2010/11/27 21:08:49.0840 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
    2010/11/27 21:08:49.0870 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
    2010/11/27 21:08:49.0922 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    2010/11/27 21:08:49.0990 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
    2010/11/27 21:08:50.0068 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
    2010/11/27 21:08:50.0137 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
    2010/11/27 21:08:50.0214 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    2010/11/27 21:08:50.0319 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    2010/11/27 21:08:50.0428 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
    2010/11/27 21:08:50.0472 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
    2010/11/27 21:08:50.0505 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
    2010/11/27 21:08:50.0686 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
    2010/11/27 21:08:50.0785 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    2010/11/27 21:08:50.0893 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    2010/11/27 21:08:51.0002 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    2010/11/27 21:08:51.0047 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    2010/11/27 21:08:51.0143 SynTP (4c9bb4b3b9eac26211484c30b914c6dc) C:\Windows\system32\DRIVERS\SynTP.sys
    2010/11/27 21:08:51.0297 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
    2010/11/27 21:08:51.0443 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
    2010/11/27 21:08:51.0563 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    2010/11/27 21:08:51.0686 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    2010/11/27 21:08:51.0720 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    2010/11/27 21:08:51.0768 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    2010/11/27 21:08:51.0869 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    2010/11/27 21:08:52.0064 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    2010/11/27 21:08:52.0130 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    2010/11/27 21:08:52.0220 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    2010/11/27 21:08:52.0298 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
    2010/11/27 21:08:52.0401 UBHelper (f763e070843ee2803de1395002b42938) C:\Windows\system32\drivers\UBHelper.sys
    2010/11/27 21:08:52.0493 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    2010/11/27 21:08:52.0617 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
    2010/11/27 21:08:52.0715 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
    2010/11/27 21:08:52.0805 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    2010/11/27 21:08:52.0851 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    2010/11/27 21:08:52.0939 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    2010/11/27 21:08:53.0061 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\Windows\system32\Drivers\usbaapl.sys
    2010/11/27 21:08:53.0167 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    2010/11/27 21:08:53.0253 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    2010/11/27 21:08:53.0378 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    2010/11/27 21:08:53.0465 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    2010/11/27 21:08:53.0514 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    2010/11/27 21:08:53.0627 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    2010/11/27 21:08:53.0745 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
    2010/11/27 21:08:53.0835 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    2010/11/27 21:08:53.0902 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    2010/11/27 21:08:53.0999 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
    2010/11/27 21:08:54.0133 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    2010/11/27 21:08:54.0188 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    2010/11/27 21:08:54.0235 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
    2010/11/27 21:08:54.0319 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
    2010/11/27 21:08:54.0402 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
    2010/11/27 21:08:54.0447 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    2010/11/27 21:08:54.0543 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    2010/11/27 21:08:54.0658 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    2010/11/27 21:08:54.0762 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
    2010/11/27 21:08:54.0862 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    2010/11/27 21:08:54.0923 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2010/11/27 21:08:54.0948 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2010/11/27 21:08:55.0070 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
    2010/11/27 21:08:55.0163 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    2010/11/27 21:08:55.0396 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
    2010/11/27 21:08:55.0688 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
    2010/11/27 21:08:55.0862 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2010/11/27 21:08:55.0978 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    2010/11/27 21:08:56.0082 yukonwlh (3e1c915c6291ab5d1cfca680e1bd6bad) C:\Windows\system32\DRIVERS\yk60x86.sys
    2010/11/27 21:08:56.0186 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796} (4d840c6af3c020ed3a35efba9025cf4a) C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl
    2010/11/27 21:08:56.0272 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/11/27 21:08:56.0281 ================================================================================
    2010/11/27 21:08:56.0281 Scan finished
    2010/11/27 21:08:56.0281 ================================================================================
    2010/11/27 21:08:56.0312 Detected object count: 1
    2010/11/27 21:09:12.0885 \HardDisk0 - will be cured after reboot
    2010/11/27 21:09:12.0885 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/11/27 21:09:19.0471 Deinitialize success
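    As an added triage helper (not part of this thread, nor of TDSSKiller itself), the Python below parses a log in the format posted above, separates the driver inventory from the scanner's detection and cure events, cross-checks the scanner's own object count, and lists any driver loaded from outside %SystemRoot% for manual review. The sample lines are copied from the log above; the `C:\Windows\` system-root prefix is an assumption.

```python
"""Triage a TDSSKiller log: detections, chosen actions, and drivers worth a look."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every TDSSKiller line is "<yyyy/mm/dd hh:mm:ss.ffff> <message>".
LINE_RE = re.compile(r"^\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
# Driver inventory entry: "<ServiceName> (<md5>) <path>".
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")
# Scanner events, in the exact wording seen in the log above.
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
CURE_RE = re.compile(r"^(\S+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^([^()\s]+)\(([^()]+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

SYSTEM_ROOT = "c:\\windows\\"  # assumed location of %SystemRoot%; adjust if needed


@dataclass
class Triage:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # name -> (md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (object, verdict)
    pending_reboot: List[str] = field(default_factory=list)            # cured only at next boot
    actions: List[Tuple[str, str, str]] = field(default_factory=list)  # (verdict, object, action)
    reported_count: Optional[int] = None                               # scanner's own total
    other: List[str] = field(default_factory=list)                     # separators, status text

    def count_matches(self) -> bool:
        """The scanner's own 'Detected object count' should equal what we parsed."""
        return self.reported_count == len(self.detections)

    def outside_system_root(self) -> List[Tuple[str, str]]:
        """Drivers loaded from outside %SystemRoot%: not malicious per se, but review them."""
        return [(name, path) for name, (_, path) in self.drivers.items()
                if not path.lower().startswith(SYSTEM_ROOT)]


def parse_tdsskiller_log(text: str) -> Triage:
    """Classify each timestamped line; anything unrecognised is kept under 'other'."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line, or text pasted without a timestamp
        msg = m.group(2).strip()
        if (d := DETECT_RE.match(msg)):
            t.detections.append((d.group(1), d.group(2)))
        elif (c := CURE_RE.match(msg)):
            t.pending_reboot.append(c.group(1))
        elif (a := ACTION_RE.match(msg)):
            t.actions.append((a.group(1), a.group(2), a.group(3)))
        elif (n := COUNT_RE.match(msg)):
            t.reported_count = int(n.group(1))
        elif (v := DRIVER_RE.match(msg)):
            t.drivers[v.group(1)] = (v.group(2).lower(), v.group(3))
        else:
            t.other.append(msg)
    return t


def summarize(t: Triage) -> str:
    """Human-readable triage summary; 'MISMATCH' means the log may be truncated or edited."""
    lines = [f"drivers inventoried: {len(t.drivers)}",
             f"detections: {len(t.detections)} (scanner reported {t.reported_count}, "
             f"{'consistent' if t.count_matches() else 'MISMATCH'})"]
    lines += [f"  {obj}: {verdict}" for obj, verdict in t.detections]
    lines += [f"  action on {obj} ({verdict}): {action}" for verdict, obj, action in t.actions]
    lines += [f"  {obj} remains infected until reboot" for obj in t.pending_reboot]
    lines += [f"review: {name} loaded from {path}" for name, path in t.outside_system_root()]
    return "\n".join(lines)


# Sample input: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
2010/11/27 21:08:40.0139 MBAMDrvService (8207bef11a004a2c88023bff6eeb60b3) C:\Windows\system32\drivers\mbam.sys
2010/11/27 21:08:56.0186 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796} (4d840c6af3c020ed3a35efba9025cf4a) C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl
2010/11/27 21:08:56.0272 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/27 21:08:56.0281 ================================================================================
2010/11/27 21:08:56.0281 Scan finished
2010/11/27 21:08:56.0312 Detected object count: 1
2010/11/27 21:09:12.0885 \HardDisk0 - will be cured after reboot
2010/11/27 21:09:12.0885 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/27 21:09:19.0471 Deinitialize success
"""

if __name__ == "__main__":
    print(summarize(parse_tdsskiller_log(SAMPLE_LOG)))
```

    The MBR-level detection (`\HardDisk0`) is not tied to any driver in the inventory, which is why the event lines are reported separately from the driver list.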
  8. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    You did well :)

    See, if you can boot to normal mode now.

    Both tools listed below can be run from Safe Mode (if needed).


    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ===================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  9. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Basic Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Acer
    BIOS Manufacturer: Phoenix Technologies LTD
    System Manufacturer: Acer
    System Product Name: Aspire 5735
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 114):
    0x8DFD3000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8DFDE000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x94720000 \SystemRoot\System32\framebuf.dll
    0x96606000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x96630000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x9663A000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x96653000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x96668000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x96687000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x966C0000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x966D8000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x773A0000 \Windows\System32\ntdll.dll

    Processes (total 23):
    0 System Idle Process
    4 System
    352 C:\Windows\System32\smss.exe
    476 csrss.exe
    512 C:\Windows\System32\wininit.exe
    520 csrss.exe
    556 C:\Windows\System32\winlogon.exe
    596 C:\Windows\System32\services.exe
    608 C:\Windows\System32\lsass.exe
    616 C:\Windows\System32\lsm.exe
    760 C:\Windows\System32\svchost.exe
    816 C:\Windows\System32\svchost.exe
    852 C:\Windows\System32\svchost.exe
    936 C:\Windows\System32\svchost.exe
    964 C:\Windows\System32\svchost.exe
    992 C:\Windows\System32\svchost.exe
    1036 C:\Windows\System32\svchost.exe
    1052 C:\Windows\System32\svchost.exe
    1204 C:\Windows\System32\svchost.exe
    1312 C:\Windows\System32\svchost.exe
    1708 C:\Windows\explorer.exe
    524 C:\Program Files\Mozilla Firefox\firefox.exe
    2024 C:\Users\Sarah Brown\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`55400000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 75374D27B77E61C9316E27BACDEE41C1E2C9874E


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
  10. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    ComboFix log

    ComboFix 10-11-27.01 - Sarah Brown 27/11/2010 22:04:49.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2530 [GMT 0:00]
    Running from: c:\users\Sarah Brown\Downloads\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AV8
    c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}
    c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\chrome.manifest
    c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\chrome\content\_cfg.js
    c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\chrome\content\overlay.xul
    c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\install.rdf
    c:\users\Sarah Brown\AppData\Roaming\Adobe\AdobeUpdate .exe
    c:\users\Sarah Brown\AppData\Roaming\Adobe\plugs
    c:\users\Sarah Brown\AppData\Roaming\Adobe\plugs\KB1838050.exe
    c:\windows\$NtUninstallMTF197$\cscdn.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
    .

    2010-11-27 22:10 . 2010-11-27 22:10 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
    2010-11-27 22:10 . 2010-11-27 22:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
    2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
    2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
    2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
    2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
    2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
    2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
    2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
    2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
    2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
    2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
    2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
    2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
    2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
    2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
    2010-11-12 17:03 . 2010-11-24 17:58 0 ----a-w- c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
    2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
    2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
    2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A59933E-D8A2-4E71-8027-3FA5881EC5C9}]
    2010-11-12 14:41 294912 ----a-w- c:\windows\$NtUninstallMTF197$\lfjre.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
    2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-06-16 16:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

    [HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
    "ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
    "CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
    2010-11-12 14:41 294912 ----a-w- c:\windows\$NtUninstallMTF197$\lfjre.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
    2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jgeleki]
    2008-01-21 02:34 402432 ----a-w- c:\users\Sarah Brown\AppData\Local\inozevaxik.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
    2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R1 aswSP;aswSP; [x]
    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
    R2 aswFsBlk;aswFsBlk; [x]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
    R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
    R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
    R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
    R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ECACHE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

    2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

    2010-11-21 c:\windows\Tasks\PC Health Advisor.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{FBF50663-5574-4494-9419-76158E351EF0} - c:\windows\$NtUninstallMTF197$\cscdn.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-RunOnce-<NO NAME> - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    MSConfigStartUp-Adobe32 ARM - c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe
    MSConfigStartUp-Fdobiwogi - c:\users\Sarah Brown\AppData\Local\wiexmp.dll
    MSConfigStartUp-gchk - c:\windows\$NtUninstallMTF197$\upg.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-27 22:10
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(1184)
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2010-11-27 22:11:24
    ComboFix-quarantined-files.txt 2010-11-27 22:11

    Pre-Run: 57,175,867,392 bytes free
    Post-Run: 57,099,264,000 bytes free

    - - End Of File - - 13BCC7743D66057CE0EEB2E4EF458BB7
  11. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    We have to start with fixing your MBR...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double-click on the NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double-click on the BurnItCD.cmd file. If your CD drive opens, simply close it again.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted, please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
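Editor's added example (not part of this thread, and not MBRCheck's or NTBR's own code): what the "Unknown MBR code" verdict and SHA1 in the MBRCheck log above rest on, and what the MBRWORK step is expected to change. The script parses a raw 512-byte MBR, checks the 0x55AA boot signature, decodes the partition table, hashes the bootstrap-code region and looks that hash up in an allow-list of known-good boot code. Everything it works on is constructed inline: the two byte strings standing in for boot code are not real x86 boot code, the allow-list is derived from the constructed "stock" stub rather than from genuine Windows code, and hashing exactly bytes 0..439 is an assumption about how MBRCheck computes its digest (the page does not say). Only the partition offsets are taken from the log.

```python
"""Added example (not MBRCheck's or NTBR's own code): parse a raw 512-byte MBR,
check its boot signature, hash the bootstrap region and compare that hash with
an allow-list of known-good boot code, which is what an "Unknown MBR code"
verdict rests on. All sample sectors and the allow-list are constructed here;
the byte stand-ins for boot code are NOT real Windows boot code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0..439: bootstrap code
PART_TABLE_OFF = 446      # bytes 440..445 = NT disk signature + pad, then 4 x 16-byte entries
BOOT_SIG = b"\x55\xAA"    # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int          # 0x07 = NTFS/exFAT
    lba_start: int
    sector_count: int

    def byte_offset(self) -> int:
        return self.lba_start * SECTOR


def fmt_offset(nbytes: int) -> str:
    """Render a byte offset the way MBRCheck prints it: 0xHHHHHHHH`LLLLLLLL."""
    return f"0x{nbytes >> 32:08x}`{nbytes & 0xFFFFFFFF:08x}"


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four primary-partition slots; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def bootcode_sha1(mbr: bytes) -> str:
    """SHA1 of the bootstrap region only.

    Assumption: hashing bytes 0..439 keeps the disk signature and partition
    table out of the digest, so every disk carrying the same stock boot code
    yields the same hash. Whether MBRCheck hashes exactly this range is not
    stated on the page.
    """
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()


def classify_mbr(mbr: bytes, known_good: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, sha1); status mirrors MBRCheck's "Unknown MBR code" wording."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        return "Invalid boot signature", ""
    digest = bootcode_sha1(mbr)
    return known_good.get(digest, "Unknown MBR code"), digest


def build_mbr(bootcode: bytes, partitions: List[Tuple[bool, int, int, int]],
              disk_sig: int = 0x1C0DE5EA) -> bytes:
    """Assemble a sector from constructed parts (a test fixture, not data read from a disk)."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0, ptype, lba, count)
                     for boot, ptype, lba, count in partitions).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


# Constructed stand-ins for boot code. STOCK_CODE plays the role of the standard
# code a tool such as MBRWORK writes back; PATCHED_CODE plays the role of code
# something else wrote over it. Neither is real x86 boot code.
STOCK_CODE = b"\xEB\x3C\x90" + b"stock-bootstrap-stub".ljust(64, b"\x90")
PATCHED_CODE = b"\xEB\x3C\x90" + b"hooked-bootstrap-stub".ljust(64, b"\x90")

# Allow-list keyed by bootcode hash. A real list would hold the hashes of
# genuine Windows/OEM boot code; this one is derived from the constructed stub.
KNOWN_GOOD = {bootcode_sha1(build_mbr(STOCK_CODE, [])): "Windows Vista MBR code"}

# Partition table modelled on the log above: C: at byte offset 0x2`71100000,
# D: at 0x1e`55400000 (LBA = offset / 512). Sector counts are made up.
LAYOUT = [(True, 0x07, 20482048, 233969664), (False, 0x07, 254451712, 233000000)]
SAMPLE_CLEAN = build_mbr(STOCK_CODE, LAYOUT)
SAMPLE_PATCHED = build_mbr(PATCHED_CODE, LAYOUT)


def report(mbr: bytes, known_good: Dict[str, str] = KNOWN_GOOD) -> List[str]:
    """Lines in roughly MBRCheck's layout, returned rather than printed so they can be checked."""
    status, digest = classify_mbr(mbr, known_good)
    lines = [f"MBR Status: {status}", f"SHA1: {digest}"]
    for i, p in enumerate(parse_partitions(mbr)):
        flag = "*" if p.bootable else " "
        lines.append(f"  part{i}{flag} type 0x{p.type_id:02x} at offset {fmt_offset(p.byte_offset())}")
    return lines


if __name__ == "__main__":
    for name, sector in (("clean", SAMPLE_CLEAN), ("patched", SAMPLE_PATCHED)):
        print(f"--- {name} ---")
        print("\n".join(report(sector)))
```

On a live Windows machine the 512 bytes come from opening `\\.\PhysicalDrive0` for reading (this needs administrator rights), e.g. `open(r"\\.\PhysicalDrive0", "rb").read(512)`. The useful check after the MBRWORK "Install Standard MBR code" step is the one the script's split makes visible: installing standard code rewrites only the bootstrap region and leaves the partition table alone, so a second run should show a different SHA1 while the partition offsets (the `\\.\C:` and `\\.\D:` lines) stay exactly where they were; an offset that moves means something other than the boot code was touched.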
  12. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    2nd MBRCheck log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Basic Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Acer
    BIOS Manufacturer: Phoenix Technologies LTD
    System Manufacturer: Acer
    System Product Name: Aspire 5735
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 114):
    0x8200F000 \SystemRoot\system32\ntkrnlpa.exe
    0x823C8000 \SystemRoot\system32\hal.dll
    0x80400000 \SystemRoot\system32\kdcom.dll
    0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80477000 \SystemRoot\system32\PSHED.dll
    0x80488000 \SystemRoot\system32\BOOTVID.dll
    0x80490000 \SystemRoot\system32\CLFS.SYS
    0x804D1000 \SystemRoot\system32\CI.dll
    0x80603000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8067F000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8068C000 \SystemRoot\system32\drivers\acpi.sys
    0x806D2000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806DB000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806E3000 \SystemRoot\system32\drivers\pci.sys
    0x8070A000 \SystemRoot\System32\drivers\partmgr.sys
    0x80719000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8071C000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x80726000 \SystemRoot\system32\drivers\volmgr.sys
    0x80735000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8077F000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8078F000 \SystemRoot\System32\Drivers\UBHelper.sys
    0x80797000 \SystemRoot\system32\drivers\atapi.sys
    0x8079F000 \SystemRoot\system32\drivers\ataport.SYS
    0x807BD000 \SystemRoot\system32\drivers\msahci.sys
    0x807C7000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x805B1000 \SystemRoot\system32\drivers\fltmgr.sys
    0x807D5000 \SystemRoot\system32\drivers\fileinfo.sys
    0x807E5000 \SystemRoot\system32\DRIVERS\psdfilter.sys
    0x82601000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x82672000 \SystemRoot\system32\drivers\ndis.sys
    0x8277D000 \SystemRoot\system32\drivers\msrpc.sys
    0x827A8000 \SystemRoot\system32\drivers\NETIO.SYS
    0x89E0D000 \SystemRoot\System32\drivers\tcpip.sys
    0x89EF7000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8A009000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8A119000 \SystemRoot\system32\drivers\volsnap.sys
    0x8A15A000 \SystemRoot\System32\Drivers\mup.sys
    0x8A169000 \SystemRoot\System32\drivers\ecache.sys
    0x8A190000 \SystemRoot\system32\drivers\disk.sys
    0x8A1A1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x8A1C2000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8A1ED000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8A000000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x89F12000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x89F1D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x89F5B000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x89F6A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8D802000 \SystemRoot\system32\DRIVERS\yk60x86.sys
    0x8DA00000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
    0x8DD87000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8DD9A000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0x8DDA4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8DDAF000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8DDDF000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8DDE1000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8D84E000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8DDEC000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0x8DDF4000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x8D866000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8D86F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8D89E000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8D8DF000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8D8EA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8D901000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8D90C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8D92F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8D93E000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8D952000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8D967000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8DDFE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8D977000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8D9A1000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8D9AB000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8D9B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8D9ED000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x827E3000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x89FF7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8A152000 \SystemRoot\System32\Drivers\Null.SYS
    0x8A1F8000 \SystemRoot\System32\Drivers\Beep.SYS
    0x89E00000 \SystemRoot\System32\drivers\vga.sys
    0x8DE0D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8DE2E000 \SystemRoot\System32\drivers\watchdog.sys
    0x8DE3A000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8DE42000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8DE4D000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8DE5B000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8DE64000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8DE84000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8DE98000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8DECA000 \SystemRoot\system32\drivers\afd.sys
    0x8DF12000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8DF17000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8DF2D000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8DF3B000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8DF77000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8DF81000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8DF98000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x942F0000 \SystemRoot\System32\win32k.sys
    0x8DFC0000 \SystemRoot\System32\drivers\Dxapi.sys
    0x94500000 \SystemRoot\System32\drivers\dxg.sys
    0x94530000 \SystemRoot\System32\TSDDD.dll
    0x8DFCA000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8DFD7000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8DFE2000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x945B0000 \SystemRoot\System32\framebuf.dll
    0x9660D000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x96637000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x96641000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9665A000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9666F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9668E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x966C7000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x966DF000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x773B0000 \Windows\System32\ntdll.dll

    Processes (total 23):
    0 System Idle Process
    4 System
    352 C:\Windows\System32\smss.exe
    448 csrss.exe
    484 C:\Windows\System32\wininit.exe
    492 csrss.exe
    528 C:\Windows\System32\winlogon.exe
    568 C:\Windows\System32\services.exe
    580 C:\Windows\System32\lsass.exe
    588 C:\Windows\System32\lsm.exe
    728 C:\Windows\System32\svchost.exe
    784 C:\Windows\System32\svchost.exe
    824 C:\Windows\System32\svchost.exe
    912 C:\Windows\System32\svchost.exe
    936 C:\Windows\System32\svchost.exe
    960 C:\Windows\System32\svchost.exe
    1008 C:\Windows\System32\svchost.exe
    1024 C:\Windows\System32\svchost.exe
    1188 C:\Windows\System32\svchost.exe
    1292 C:\Windows\System32\svchost.exe
    1648 C:\Windows\explorer.exe
    1152 C:\Windows\System32\igfxsrvc.exe
    1644 C:\Users\Sarah Brown\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`55400000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
  13. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    PS: still won't start in normal mode - only safe mode (with networking)

    Any help on that problem too??
  14. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    One step at a time...
    MBRCheck log looks good. Good job on that :)

    Uninstall Ask Toolbar, known adware.

    You're running two AV programs, Avast and NOD32.
    One of them has to go. Your choice.
    You must do it now.
    Let me know, which one you keep.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
    c:\windows\$NtUninstallMTF197$\lfjre.dll
    c:\users\Sarah Brown\AppData\Local\inozevaxik.dll
    
    
    DirLook::
    c:\windows\SHELLNEW
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A59933E-D8A2-4E71-8027-3FA5881EC5C9}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ProductReg"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jgeleki]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  15. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    Cannot use uninstaller in safe mode.
    Am I OK to proceed with the rest of these instructions until I can restart normally?
    I don't think NOD32 or ASK are running anyway.

    Jim
  16. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Go ahead....
  17. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    ComboFix again

    ComboFix 10-11-27.01 - Sarah Brown 27/11/2010 23:24:50.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2490 [GMT 0:00]
    Running from: c:\users\Sarah Brown\Desktop\ComboFix.exe
    Command switches used :: c:\users\Sarah Brown\Desktop\Logs\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\users\Sarah Brown\AppData\Local\inozevaxik.dll"
    "c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin"
    "c:\windows\$NtUninstallMTF197$\lfjre.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Sarah Brown\AppData\Local\inozevaxik.dll
    c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
    c:\windows\$NtUninstallMTF197$\lfjre.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
    .

    2010-11-27 23:30 . 2010-11-27 23:30 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
    2010-11-27 23:30 . 2010-11-27 23:30 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
    2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
    2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
    2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
    2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
    2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
    2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
    2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
    2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
    2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
    2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
    2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
    2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
    2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
    2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
    2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
    2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
    2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\windows\SHELLNEW ----

    2006-09-22 00:32 . 2006-09-22 00:32 27140 ----a-w- c:\windows\SHELLNEW\PWRPNT12.PPTX
    2006-09-22 00:25 . 2006-09-22 00:25 8714 ----a-w- c:\windows\SHELLNEW\EXCEL12.XLSX
    2005-12-13 19:15 . 2005-12-13 19:15 59904 ----a-w- c:\windows\SHELLNEW\MSPUB.PUB


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
    2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-06-16 16:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF50663-5574-4494-9419-76158E351EF0}]
    c:\windows\$NtUninstallMTF197$\cscdn.dll [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

    [HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
    "ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
    "CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe32 ARM]
    c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
    2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fdobiwogi]
    c:\users\Sarah Brown\AppData\Local\wiexmp.dll [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gchk]
    c:\windows\$NtUninstallMTF197$\upg.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
    2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R1 aswSP;aswSP; [x]
    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
    R2 aswFsBlk;aswFsBlk; [x]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
    R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
    R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
    R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
    R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ECACHE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

    2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

    2010-11-21 c:\windows\Tasks\PC Health Advisor.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-RunOnce-<NO NAME> - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-27 23:30
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(1120)
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2010-11-27 23:31:13
    ComboFix-quarantined-files.txt 2010-11-27 23:31
    ComboFix2.txt 2010-11-27 22:11

    Pre-Run: 57,004,593,152 bytes free
    Post-Run: 56,965,840,896 bytes free

    - - End Of File - - 1E9FB04E98AC9DB3974A7AC467630433
  18. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\$NtUninstallMTF197$\cscdn.dll
    c:\users\Sarah Brown\AppData\Local\wiexmp.dll
    c:\windows\$NtUninstallMTF197$\upg.exe
    
    
    Folder::
    c:\program files\Ask.com
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF50663-5574-4494-9419-76158E351EF0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fdobiwogi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gchk]
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
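As an added example that is not part of this thread and not ComboFix's own code, the Python below parses the CFScript format used in posts 14 and 18 (File::, DirLook::, Folder:: and Registry:: sections, where [-KEY] removes a key and "name"=- removes a value) and cross-checks the File:: entries against the "Other Deletions" section of a ComboFix log like the one in post 17, so a helper can confirm the script actually did what was asked. The log excerpt is constructed from post 17 with one deletion deliberately left out to show how a mismatch is reported.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the CFScript from post 14 (File::, DirLook:: and part of Registry::).
CFSCRIPT = r"""File::
c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
c:\windows\$NtUninstallMTF197$\lfjre.dll
c:\users\Sarah Brown\AppData\Local\inozevaxik.dll


DirLook::
c:\windows\SHELLNEW

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A59933E-D8A2-4E71-8027-3FA5881EC5C9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
"""

# Constructed log excerpt (post 17's layout); Rsagikufevori.bin is deliberately
# missing from "Other Deletions" to demonstrate the mismatch report.
COMBOFIX_LOG = r"""ComboFix 10-11-27.01 - Sarah Brown 27/11/2010 23:24:50.1.2 - x86 NETWORK
Command switches used :: c:\users\Sarah Brown\Desktop\Logs\CFScript.txt

FILE ::
"c:\users\Sarah Brown\AppData\Local\inozevaxik.dll"
"c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin"
"c:\windows\$NtUninstallMTF197$\lfjre.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sarah Brown\AppData\Local\inozevaxik.dll
c:\windows\$NtUninstallMTF197$\lfjre.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
"""

BANNER = re.compile(r"^\(+ (.*?) \)+$")  # e.g. "(((( Other Deletions ))))"


@dataclass
class RegistryAction:
    kind: str               # "delete_key" or "delete_value"
    key: str
    value: Optional[str] = None


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_directives(lines: List[str]) -> List[RegistryAction]:
    """[-KEY] deletes a whole key; "name"=- under a [KEY] header deletes one value."""
    actions: List[RegistryAction] = []
    current_key: Optional[str] = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(RegistryAction("delete_key", line[2:-1]))
            current_key = None
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        else:
            m = re.fullmatch(r'"([^"]+)"=-', line)
            if m and current_key:
                actions.append(RegistryAction("delete_value", current_key, m.group(1)))
    return actions


def combofix_sections(log: str) -> Dict[str, List[str]]:
    """Map each banner-delimited ComboFix section to its non-empty lines ('.' spacers dropped)."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def echoed_files(header_lines: List[str]) -> List[str]:
    """Paths ComboFix echoes under 'FILE ::' in the log header (proof the script was read)."""
    paths, in_file = [], False
    for line in header_lines:
        if line == "FILE ::":
            in_file = True
        elif in_file and line.startswith('"') and line.endswith('"'):
            paths.append(line[1:-1])
        elif in_file:
            break
    return paths


def verify_deletions(script: str, log: str) -> Tuple[List[str], List[str]]:
    """Return (confirmed, missing) File:: entries, matched case-insensitively (NTFS paths)."""
    wanted = parse_cfscript(script).get("File", [])
    deleted = {p.lower() for p in combofix_sections(log).get("Other Deletions", [])}
    confirmed = [p for p in wanted if p.lower() in deleted]
    missing = [p for p in wanted if p.lower() not in deleted]
    return confirmed, missing


def script_was_applied(script: str, log: str) -> bool:
    """True when the log's FILE :: echo matches the script's File:: list exactly."""
    wanted = {p.lower() for p in parse_cfscript(script).get("File", [])}
    echoed = {p.lower() for p in echoed_files(combofix_sections(log)["header"])}
    return wanted == echoed


if __name__ == "__main__":
    print("script applied:", script_was_applied(CFSCRIPT, COMBOFIX_LOG))
    confirmed, missing = verify_deletions(CFSCRIPT, COMBOFIX_LOG)
    for p in confirmed:
        print("deleted:      ", p)
    for p in missing:
        print("NOT confirmed:", p)
    for action in parse_registry_directives(parse_cfscript(CFSCRIPT)["Registry"]):
        print(action)
```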
  19. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    logs

    ComboFix 10-11-27.01 - Sarah Brown 28/11/2010 0:00.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2512 [GMT 0:00]
    Running from: c:\users\Sarah Brown\Desktop\ComboFix.exe
    Command switches used :: c:\users\Sarah Brown\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
    .

    2010-11-28 00:05 . 2010-11-28 00:05 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
    2010-11-28 00:05 . 2010-11-28 00:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
    2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
    2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
    2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
    2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
    2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
    2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
    2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
    2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
    2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
    2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
    2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
    2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
    2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
    2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
    2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
    2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
    2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
    2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-06-16 16:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF50663-5574-4494-9419-76158E351EF0}]
    c:\windows\$NtUninstallMTF197$\cscdn.dll [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

    [HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
    "ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
    "CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe32 ARM]
    c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
    2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fdobiwogi]
    c:\users\Sarah Brown\AppData\Local\wiexmp.dll [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gchk]
    c:\windows\$NtUninstallMTF197$\upg.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
    2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R1 aswSP;aswSP; [x]
    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
    R2 aswFsBlk;aswFsBlk; [x]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
    R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
    R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
    R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
    R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ECACHE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

    2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

    2010-11-21 c:\windows\Tasks\PC Health Advisor.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{6A59933E-D8A2-4E71-8027-3FA5881EC5C9} - c:\windows\$NtUninstallMTF197$\lfjre.dll
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-RunOnce-<NO NAME> - (no file)
    MSConfigStartUp-bipro - c:\windows\$NtUninstallMTF197$\lfjre.dll
    MSConfigStartUp-Jgeleki - c:\users\Sarah Brown\AppData\Local\inozevaxik.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-28 00:05
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(1392)
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2010-11-28 00:06:52
    ComboFix-quarantined-files.txt 2010-11-28 00:06
    ComboFix2.txt 2010-11-27 23:31
    ComboFix3.txt 2010-11-27 22:11

    Pre-Run: 57,007,890,432 bytes free
    Post-Run: 56,917,528,576 bytes free

    - - End Of File - - 9F90023AE424F66FDC7A83E1F73C6DD0
  20. Broni

    You didn't run my script.
    Please, redo.
  21. JimDav

    Sorry, thought I did!! Trying again - back in a few mins.
  22. JimDav

    Is this better?

    ComboFix 10-11-27.01 - Sarah Brown 28/11/2010 0:22.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2359 [GMT 0:00]
    Running from: c:\users\Sarah Brown\Desktop\ComboFix.exe
    Command switches used :: c:\users\Sarah Brown\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\users\Sarah Brown\AppData\Local\wiexmp.dll"
    "c:\windows\$NtUninstallMTF197$\cscdn.dll"
    "c:\windows\$NtUninstallMTF197$\upg.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Ask.com
    c:\program files\Ask.com\config.xml
    c:\program files\Ask.com\GenericAskToolbar.dll
    c:\program files\Ask.com\mupcfg.xml
    c:\program files\Ask.com\SaUpdate.exe
    c:\program files\Ask.com\UpdateTask.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
    .

    2010-11-28 00:25 . 2010-11-28 00:25 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
    2010-11-28 00:25 . 2010-11-28 00:25 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
    2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
    2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
    2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
    2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
    2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
    2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
    2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
    2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
    2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
    2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
    2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
    2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
    2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
    2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
    2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
    2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
    2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
    2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
    2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
    2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
    2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
    2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
    2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

    [HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
    "ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
    "CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe32 ARM]
    c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
    2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
    2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R1 aswSP;aswSP; [x]
    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
    R2 aswFsBlk;aswFsBlk; [x]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
    R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
    R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
    R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
    R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ECACHE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

    2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

    2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

    2010-11-21 c:\windows\Tasks\PC Health Advisor.job
    - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-28 00:25
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(1972)
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2010-11-28 00:26:26
    ComboFix-quarantined-files.txt 2010-11-28 00:26
    ComboFix2.txt 2010-11-28 00:06
    ComboFix3.txt 2010-11-27 23:31
    ComboFix4.txt 2010-11-27 22:11

    Pre-Run: 56,935,456,768 bytes free
    Post-Run: 56,914,579,456 bytes free

    - - End Of File - - FECFFC7AF8691999A1DCA885CAE11CEF
  23. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Looks good now.

    Try to restart in normal mode.
  24. JimDav

    JimDav TS Rookie Topic Starter Posts: 38

    Still no luck with normal starting
    Any help on how to fix?
    You've been amazing so far!

    Jim
  25. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Let's try something...

    While in safe mode....

    Go Start>Run (Start Search in Vista), type in:
    msconfig
    Click OK (hit Enter in Vista).

    Click on Startup tab.
    Click Disable all
    IMPORTANT! In case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

    Click Services tab.
    Put checkmark in Hide all Microsoft services
    Click Disable all.

    Click OK.
    Restart computer in Normal Mode.

    NOTE. If you use a different firewall than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
    If you use Windows firewall, you're fine.

    Try to restart in normal mode now.
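A way to see in advance what the msconfig steps above will act on, as an added PowerShell example that is not from this thread or from TechSpot: it lists the Run/RunOnce entries behind the Startup tab (so laptop keyboard or touchpad items can be spotted before "Disable all"), the items msconfig has already parked under its startupreg key (the same key the ComboFix log above reports), and the services that remain after "Hide all Microsoft services". The registry paths are standard Windows locations; the `command` value name under startupreg and the CompanyName-based Microsoft filter are assumptions made for this example.

```powershell
# Added example, not from this thread: list what msconfig's Startup and
# Services tabs will act on, so keyboard/touchpad entries can be checked
# before clicking "Disable all". Run from an elevated Windows PowerShell
# prompt. Registry paths are standard; the 'command' value name and the
# CompanyName filter for "Microsoft services" are assumptions.

function Get-RunKeyEntries {
    # Run/RunOnce keys feed msconfig's Startup tab.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties the registry provider adds.
            if ($p.Name -match '^PS') { continue }
            [PSCustomObject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-MsconfigDisabledEntries {
    # msconfig moves items it has disabled under this key (the ComboFix log
    # shows several startupreg entries). 'command' is assumed to hold the
    # original command line.
    $disabledKey = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path -Path $disabledKey)) { return }
    Get-ChildItem -Path $disabledKey | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        [PSCustomObject]@{ Name = $_.PSChildName; Command = $v.command }
    }
}

function Get-NonMicrosoftServices {
    # Approximates "Hide all Microsoft services": keep services whose binary
    # does not carry Microsoft in its version-info CompanyName. Services with
    # a missing binary or no company name are deliberately kept visible.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Reduce '"C:\x y\svc.exe" -arg' or 'C:\x\svc.exe -arg' to the exe path.
        if ($path -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($path -split ' ')[0] }
        $company = ''
        if (Test-Path -LiteralPath $exe) {
            $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        }
        if ($company -notmatch 'Microsoft') {
            [PSCustomObject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Company   = $company
                Path      = $exe
            }
        }
    }
}

Write-Host '=== Startup tab: active Run/RunOnce entries ==='
Get-RunKeyEntries | Format-Table -AutoSize | Out-Host
Write-Host '=== Already disabled by msconfig (startupreg) ==='
Get-MsconfigDisabledEntries | Format-Table -AutoSize | Out-Host
Write-Host '=== Services tab after "Hide all Microsoft services" ==='
Get-NonMicrosoftServices | Sort-Object Name | Format-Table -AutoSize | Out-Host
```

On a Vista-era machine with Windows PowerShell 2.0, `Get-CimInstance` is not available; replace it with `Get-WmiObject -Class Win32_Service`, which returns the same `Name`, `State`, `StartMode` and `PathName` properties. The script only reads; it changes nothing, so it is safe to run before and after the msconfig clean-boot steps to record which items were disabled.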