Inactive Malware help - 8 step logs attached

Status
Not open for further replies.

JimDav

Posts: 36   +0
Problems with excessive slowness & crashing / freezing IE.

I am looking at this problem for a friend.
Disabled a few suspect start up items: eg 'fdobiwogi'
Found that
MBAM & windows defender will not allow updates.
Registry edit tools disabled

Avast Antivirus identified & dealt with 1 threat - no improvement
TFC downloaded & ran OK
MBAM log:

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 6.0.6002 Service Pack 2

17:54:05 27/11/2010
mbam-log-11-27-2010 (17-54-05).txt

Scan type: Quick Scan
Objects scanned: 37317
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-27 19:28:35
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: gmer.exe; Driver: C:\Users\SARAHB~1\AppData\Local\Temp\uwlyypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\mbam.sys ZwCreateSection [0xB0354700]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8ED30BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8ED309D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8ED30B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 820EB978 4 Bytes [00, 47, 35, B0]
PAGE ntkrnlpa.exe!ZwLoadDriver 821AADF0 7 Bytes JMP 8ED30B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8221628F 5 Bytes JMP 8ED2C5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 8226F063 5 Bytes JMP 8ED2DFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 82270905 7 Bytes JMP 8ED309D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822D090A 7 Bytes JMP 8ED30BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xB033341C]
.clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xB0334000, 0x1000, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[304] kernel32.dll!SetUnhandledExceptionFilter 761AA84F 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0079000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 007A000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 005A000A
.text C:\Windows\system32\svchost.exe[1216] ole32.dll!CoCreateInstance 77399F3E 5 Bytes JMP 0097000A
.text C:\Windows\system32\svchost.exe[1216] USER32.dll!GetCursorPos 77770B88 5 Bytes JMP 01FD000A
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1688] kernel32.dll!SetUnhandledExceptionFilter 761AA84F 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2508] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\Explorer.EXE[2816] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0230000A
.text C:\Windows\Explorer.EXE[2816] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 0231000A
.text C:\Windows\Explorer.EXE[2816] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 01BF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3792] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4368] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4636] USER32.dll!TrackPopupMenu 777714F3 5 Bytes JMP 66205CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4864] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5332] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!NtProtectVirtualMemory 77B34D34 5 Bytes JMP 0086000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!NtWriteVirtualMemory 77B35674 5 Bytes JMP 0087000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5412] ntdll.dll!KiUserExceptionDispatcher 77B35DC8 5 Bytes JMP 0085000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[6024] ntdll.dll!LdrLoadDll 77AF9390 5 Bytes JMP 00FD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74B2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ADBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ACF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ACE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74B08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ADDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ACFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ACFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ACD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 864FB3B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-0 864FB3B2

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-1 -> \??\IDE#DiskHitachi_HTS543225L9A300_________________FBEOC40C#5&128fa69d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----



DDS stuff to follow
 
DDS txt

DDS.txt:

DS (Ver_10-11-27.01) - NTFSx86
Run by Sarah Brown at 19:44:09.37 on 27/11/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.1472 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\SARAHB~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Sarah Brown\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: adfayudhpr Object: {6a59933e-d8a2-4e71-8027-3fa5881ec5c9} - c:\windows\$ntuninstallmtf197$\lfjre.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\program files\imeshmediabartb\iMeshMediaBarDx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: brumayudhgrm Object: {fbf50663-5574-4494-9419-76158e351ef0} - c:\windows\$ntuninstallmtf197$\cscdn.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\program files\imeshmediabartb\iMeshMediaBarDx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ProductReg] "c:\program files\acer\wr_popup\ProductReg.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [ArcadeDeluxeAgent] "c:\program files\acer arcade deluxe\acer arcade deluxe\ArcadeDeluxeAgent.exe"
mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\sarahb~1\appdata\roaming\mozilla\firefox\profiles\b9ohoggg.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {3C16A606-5197-465A-ACF0-CD693D973332} - c:\users\sarah brown\appdata\local\{3C16A606-5197-465A-ACF0-CD693D973332}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\sarahb~1\appdata\roaming\mozilla\firefox\profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-27 165584]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2008-5-15 61424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-27 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-27 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2008-5-15 81504]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-9-3 137144]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-7-29 96920]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-15 24576]
R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2010-11-20 17144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-20 122488]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2008-5-15 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2009-8-3 3658752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-2 30192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2010-11-27 14:10:07 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-27 14:09:26 38848 ----a-w- c:\windows\avastSS.scr
2010-11-27 14:09:18 -------- d-----w- c:\progra~2\Alwil Software
2010-11-26 22:55:59 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2010-11-26 22:55:59 107480 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2010-11-26 22:33:03 -------- d-----w- c:\windows\pss
2010-11-22 20:13:17 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-11-22 20:12:03 -------- d-----w- c:\windows\SHELLNEW
2010-11-21 17:12:24 -------- d-----w- c:\users\sarahb~1\appdata\roaming\DriverCure
2010-11-21 17:12:23 -------- d-----w- c:\users\sarahb~1\appdata\roaming\ParetoLogic
2010-11-21 17:12:12 -------- d-----w- c:\program files\common files\ParetoLogic
2010-11-21 17:12:11 -------- d-----w- c:\program files\ParetoLogic
2010-11-21 17:12:11 -------- d-----w- c:\progra~2\ParetoLogic
2010-11-21 17:06:03 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5e566945-955a-46dd-b26f-f2ae3af4cf08}\mpengine.dll
2010-11-21 15:44:00 -------- d-----w- c:\program files\common files\Adobe(937)
2010-11-21 15:40:32 -------- d-----w- c:\users\sarahb~1\appdata\local\Electronic Arts
2010-11-20 22:54:05 -------- d-----w- c:\users\sarahb~1\appdata\local\ESET
2010-11-20 14:51:09 -------- d-----w- c:\program files\ESET
2010-11-20 13:36:05 -------- d-----w- c:\program files\iPod(991)
2010-11-20 13:35:59 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-20 13:31:50 -------- d-----w- c:\program files\Bonjour(936)
2010-11-20 13:19:43 -------- d-----w- c:\program files\QuickTime(1124)
2010-11-20 09:40:55 -------- d-----w- c:\users\sarahb~1\appdata\roaming\IObit
2010-11-20 09:40:54 -------- d-----w- c:\program files\IObit
2010-11-20 00:03:39 -------- d-----w- c:\users\sarahb~1\appdata\roaming\Malwarebytes
2010-11-20 00:03:35 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 00:03:34 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-20 00:03:33 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
2010-11-20 00:03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 18:49:01 -------- d-----w- c:\windows\system32\vi-VN
2010-11-19 18:49:01 -------- d-----w- c:\windows\system32\eu-ES
2010-11-19 18:49:01 -------- d-----w- c:\windows\system32\ca-ES
2010-11-19 18:14:09 -------- d-----w- c:\windows\system32\EventProviders
2010-11-12 17:03:57 0 ----a-w- c:\users\sarahb~1\appdata\local\Rsagikufevori.bin
2010-11-12 17:03:55 -------- d-----w- c:\users\sarahb~1\appdata\local\{3C16A606-5197-465A-ACF0-CD693D973332}
2010-11-12 17:02:14 -------- d-----w- c:\users\sarahb~1\appdata\local\Adobe32 ARM
2010-11-08 17:44:27 -------- d-----w- c:\program files\AV8
2010-11-06 11:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-10-29 17:37:48 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-29 17:37:47 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-29 17:37:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-10-19 10:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS543225L9A300 rev.FBEOC40C -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-1

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x864FB566]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86501624]; MOV EAX, [0x865016a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82083962] -> \Device\Harddisk0\DR0[0x85F67AC8]
3 CLASSPNP[0x82BA48B3] -> ntkrnlpa!IofCallDriver[0x82083962] -> [0x85663B98]
\Driver\atapi[0x857F8B50] -> IRP_MJ_CREATE -> 0x864FB566
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-1 -> \??\IDE#DiskHitachi_HTS543225L9A300_________________FBEOC40C#5&128fa69d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x864FB3B2
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 19:45:36.97 ===============
 
attach txt

DDS (Ver_10-11-27.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 03/08/2009 02:09:30
System Uptime: 27/11/2010 16:42:00 (3 hours ago)

Motherboard: Acer | | CathedralPeak
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | U2E1 | 1000/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 50.725 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 111.263 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: HP Photosmart C4500
Device ID: ROOT\IMAGE\0000
Manufacturer: Hewlett-Packard
Name: HP Photosmart C4500
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

RP311: 20/11/2010 11:46:02 - Restore Operation
RP327: 21/11/2010 16:41:25 - Restore Operation

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acer Arcade Deluxe
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePower Management
Acer eSettings Management
Acer GameZone Console 2.0.1.1
Acer GridVista
Acer Mobility Center Plug-In
Acer Product Registration
Acer ScreenSaver
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Advanced SystemCare 3
Agatha Christie Death on the Nile
Agere Systems HDA Modem
Alice Greenfingers
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
avast! Free Antivirus
Azada
Backspin Billiards
Big Kahuna Reef
Bonjour
Bookworm Deluxe
Bricks of Egypt
BufferChm
C4580
Cake Mania
CCleaner
Chicken Invaders 3
Chuzzle
Copy
Destination Component
DeviceDiscovery
Diner Dash Flo on the Go
EA Download Manager
ESET NOD32 Antivirus
eSobi v2
Flip Words 2
Free Audio CD Burner version 1.4
Free YouTube to MP3 Converter version 3.8
Google Desktop
Google Toolbar for Internet Explorer
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 12.0
HP Imaging Device Functions 12.0
HP Photosmart C4500 All-In-One Driver Software12.0 Rel .4
HP Photosmart Essential 3.5
HP Smart Web Printing
HP Solution Center 12.0
HP Update
HPPhotoGadget
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 11
Jewel Quest Solitaire
Junk Mail filter update
Kick N Rush
Launch Manager
LightScribe 1.4.142.1
Mahjong Escape Ancient China
Mahjongg Artifacts
Malwarebytes' Anti-Malware
MarketResearch
Marvell Miniport Driver
MediaBar
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
Network
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
OGA Notifier 2.0.0048.0
Orion
ParetoLogic PC Health Advisor
PhotoNow!
Playsushi
PowerDirector
PS_AIO_04_C4580_Software_Min
QuickTime
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Shop for HP Supplies
Sibelius Scorch (ActiveX Only)
SmartWebPrinting
Smilebox
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Status
Street-Ads Browser Enhancer
Synaptics Pointing Device Driver
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 World Adventures
Toolbox
TrayApp
Turbo Pizza
Uninstall 1.0.0.1
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Yahoo! Toolbar
ZIP Reader 8.00.0018
Zuma Deluxe

==== Event Viewer Messages From Past Week ========

27/11/2010 17:36:17, Error: Service Control Manager [7024] - The KtmRm for Distributed Transaction Coordinator service terminated with service-specific error 2147942438 (0x80070026).
27/11/2010 17:34:22, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
27/11/2010 16:37:06, Error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
27/11/2010 14:09:31, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
27/11/2010 12:24:39, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:38, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
27/11/2010 12:24:19, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
27/11/2010 12:24:19, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
27/11/2010 12:24:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
27/11/2010 12:24:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
27/11/2010 12:24:03, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
27/11/2010 12:23:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
27/11/2010 00:28:43, Error: EventLog [6008] - The previous system shutdown at 00:10:09 on 27/11/2010 was unexpected.
26/11/2010 22:29:21, Error: EventLog [6008] - The previous system shutdown at 22:27:36 on 26/11/2010 was unexpected.
26/11/2010 22:09:49, Error: EventLog [6008] - The previous system shutdown at 22:08:11 on 26/11/2010 was unexpected.
26/11/2010 21:56:08, Error: EventLog [6008] - The previous system shutdown at 21:54:37 on 26/11/2010 was unexpected.
26/11/2010 21:06:51, Error: EventLog [6008] - The previous system shutdown at 20:51:03 on 26/11/2010 was unexpected.
26/11/2010 20:27:34, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC ehdrv NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
22/11/2010 20:24:34, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
22/11/2010 20:24:34, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
22/11/2010 20:24:34, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
21/11/2010 17:17:04, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.106 for the Network Card with network address 001F3B7735D9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
21/11/2010 17:06:02, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.93.1130.0 Loading engine version: 1.1.6301.0
21/11/2010 17:03:18, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {10DA4F3C-CC99-4190-BE4D-58330754E882} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
21/11/2010 15:30:14, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 001F3B7735D9 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
21/11/2010 07:59:39, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 001F3B7735D9 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
20/11/2010 17:36:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service wercplsupport with arguments "" in order to run the server: {0E9A7BB5-F699-4D66-8A47-B919F5B6A1DB}
20/11/2010 13:51:30, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
20/11/2010 13:33:26, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
20/11/2010 13:32:11, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
20/11/2010 12:44:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
20/11/2010 12:44:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.
20/11/2010 12:44:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
20/11/2010 12:43:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Update service, but this action failed with the following error: An instance of the service is already running.
20/11/2010 12:43:57, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
20/11/2010 12:30:02, Error: Service Control Manager [7024] - The AVG Free8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
20/11/2010 12:10:26, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.93.1130.0 Loading engine version: 1.1.6201.0
20/11/2010 11:07:15, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
20/11/2010 11:07:15, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Ok done that.
Problem is that on reboot, it wont get much past password entry before flashing a blue screen (too quick to read) and resetting.

Starting in safe mode Ok but will not start normally.

Looking for the log file while in safe mode - will upload soon (if I can!)

ps this reply from another pc!
 
tdsskiller log

10/11/27 21:08:23.0262 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/27 21:08:23.0262 ================================================================================
2010/11/27 21:08:23.0262 SystemInfo:
2010/11/27 21:08:23.0263
2010/11/27 21:08:23.0263 OS Version: 6.0.6002 ServicePack: 2.0
2010/11/27 21:08:23.0263 Product type: Workstation
2010/11/27 21:08:23.0263 ComputerName: SARAHBROWN
2010/11/27 21:08:23.0266 UserName: Sarah Brown
2010/11/27 21:08:23.0266 Windows directory: C:\Windows
2010/11/27 21:08:23.0266 System windows directory: C:\Windows
2010/11/27 21:08:23.0266 Processor architecture: Intel x86
2010/11/27 21:08:23.0266 Number of processors: 2
2010/11/27 21:08:23.0266 Page size: 0x1000
2010/11/27 21:08:23.0266 Boot type: Normal boot
2010/11/27 21:08:23.0266 ================================================================================
2010/11/27 21:08:23.0731 Initialize success
2010/11/27 21:08:28.0102 ================================================================================
2010/11/27 21:08:28.0102 Scan started
2010/11/27 21:08:28.0102 Mode: Manual;
2010/11/27 21:08:28.0102 ================================================================================
2010/11/27 21:08:28.0960 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/11/27 21:08:29.0031 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/11/27 21:08:29.0184 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/11/27 21:08:29.0224 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/11/27 21:08:29.0265 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/11/27 21:08:29.0438 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/11/27 21:08:29.0657 AgereSoftModem (38325c6aa8eae011897d61ce48ec6435) C:\Windows\system32\DRIVERS\AGRSM.sys
2010/11/27 21:08:29.0810 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/11/27 21:08:29.0877 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/11/27 21:08:29.0992 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2010/11/27 21:08:30.0067 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/11/27 21:08:30.0187 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2010/11/27 21:08:30.0323 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/11/27 21:08:30.0391 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2010/11/27 21:08:30.0579 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/11/27 21:08:30.0781 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/11/27 21:08:30.0858 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\Windows\system32\drivers\aswFsBlk.sys
2010/11/27 21:08:30.0966 aswMonFlt (bd9119468c32b7ecd1e0544d3f286a73) C:\Windows\system32\drivers\aswMonFlt.sys
2010/11/27 21:08:31.0030 aswRdr (69823954bbd461a73d69774928c9737e) C:\Windows\system32\drivers\aswRdr.sys
2010/11/27 21:08:31.0156 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\Windows\system32\drivers\aswSP.sys
2010/11/27 21:08:31.0249 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\Windows\system32\drivers\aswTdi.sys
2010/11/27 21:08:31.0382 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/11/27 21:08:31.0436 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/11/27 21:08:31.0641 b57nd60x (502f1c30bd50b32d00ce4dcaecc3d3c7) C:\Windows\system32\DRIVERS\b57nd60x.sys
2010/11/27 21:08:31.0799 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/11/27 21:08:31.0876 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/11/27 21:08:32.0017 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/11/27 21:08:32.0080 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/11/27 21:08:32.0213 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/11/27 21:08:32.0284 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/11/27 21:08:32.0454 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/11/27 21:08:32.0557 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/11/27 21:08:32.0600 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/11/27 21:08:32.0737 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/11/27 21:08:32.0842 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/11/27 21:08:32.0925 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/11/27 21:08:33.0012 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/11/27 21:08:33.0071 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/11/27 21:08:33.0235 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/11/27 21:08:33.0271 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2010/11/27 21:08:33.0331 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/11/27 21:08:33.0454 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/11/27 21:08:33.0502 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/11/27 21:08:33.0711 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/11/27 21:08:33.0880 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/11/27 21:08:33.0945 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
2010/11/27 21:08:34.0116 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2010/11/27 21:08:34.0189 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2010/11/27 21:08:34.0317 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2010/11/27 21:08:34.0384 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/11/27 21:08:34.0545 DXGKrnl (fb85f7f69e9b109820409243f578cc4d) C:\Windows\System32\drivers\dxgkrnl.sys
2010/11/27 21:08:34.0715 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/11/27 21:08:34.0818 eamonm (bf14fbabd52e9522456d3a2f6e7e76e4) C:\Windows\system32\DRIVERS\eamonm.sys
2010/11/27 21:08:34.0909 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/11/27 21:08:35.0118 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/11/27 21:08:35.0195 epfwwfpr (96f9030ca15a8d2e8d44e53c1f0e842d) C:\Windows\system32\DRIVERS\epfwwfpr.sys
2010/11/27 21:08:35.0327 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/11/27 21:08:35.0449 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/11/27 21:08:35.0561 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/11/27 21:08:35.0623 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/11/27 21:08:35.0765 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/11/27 21:08:35.0808 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/11/27 21:08:35.0853 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/11/27 21:08:35.0923 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/11/27 21:08:36.0032 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/11/27 21:08:36.0077 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/11/27 21:08:36.0168 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/11/27 21:08:36.0351 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/11/27 21:08:36.0420 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/11/27 21:08:36.0543 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/11/27 21:08:36.0584 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/11/27 21:08:36.0652 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/11/27 21:08:36.0824 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/11/27 21:08:37.0025 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2010/11/27 21:08:37.0118 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2010/11/27 21:08:37.0248 HTTP (0eeeca26c8d4bde2a4664db058a81937) C:\Windows\system32\drivers\HTTP.sys
2010/11/27 21:08:37.0315 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/11/27 21:08:37.0482 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/11/27 21:08:37.0715 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/11/27 21:08:37.0893 igfx (0627fc0c422cd6e0f23e1b0d1d9f0899) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/11/27 21:08:38.0030 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/11/27 21:08:38.0122 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Windows\system32\drivers\int15.sys
2010/11/27 21:08:38.0314 IntcAzAudAddService (23ebcee9aaa4d6c88728791fab462456) C:\Windows\system32\drivers\RTKVHDA.sys
2010/11/27 21:08:38.0478 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/11/27 21:08:38.0529 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/11/27 21:08:38.0636 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/11/27 21:08:38.0816 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/11/27 21:08:38.0855 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/11/27 21:08:38.0970 irda (e50a95179211b12946f7e035d60af560) C:\Windows\system32\DRIVERS\irda.sys
2010/11/27 21:08:39.0040 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/11/27 21:08:39.0100 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/11/27 21:08:39.0152 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/11/27 21:08:39.0234 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/11/27 21:08:39.0318 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/11/27 21:08:39.0374 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/11/27 21:08:39.0474 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/11/27 21:08:39.0603 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/11/27 21:08:39.0750 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/11/27 21:08:39.0849 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/11/27 21:08:39.0899 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/11/27 21:08:39.0988 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/11/27 21:08:40.0063 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/11/27 21:08:40.0139 MBAMDrvService (8207bef11a004a2c88023bff6eeb60b3) C:\Windows\system32\drivers\mbam.sys
2010/11/27 21:08:40.0238 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/11/27 21:08:40.0323 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/11/27 21:08:40.0462 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/11/27 21:08:40.0549 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/11/27 21:08:40.0601 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/11/27 21:08:40.0685 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/11/27 21:08:40.0749 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/11/27 21:08:40.0803 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2010/11/27 21:08:40.0886 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/11/27 21:08:40.0972 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/11/27 21:08:41.0032 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/11/27 21:08:41.0121 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/11/27 21:08:41.0199 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/11/27 21:08:41.0247 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/11/27 21:08:41.0345 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2010/11/27 21:08:41.0446 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2010/11/27 21:08:41.0585 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/11/27 21:08:41.0676 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/11/27 21:08:41.0746 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/11/27 21:08:41.0861 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/11/27 21:08:41.0954 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/11/27 21:08:42.0013 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/11/27 21:08:42.0102 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/11/27 21:08:42.0201 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/11/27 21:08:42.0267 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/11/27 21:08:42.0409 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/11/27 21:08:42.0501 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/11/27 21:08:42.0607 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/11/27 21:08:42.0681 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/11/27 21:08:42.0733 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/11/27 21:08:42.0966 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/11/27 21:08:43.0107 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/11/27 21:08:43.0161 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/11/27 21:08:43.0445 NETw5v32 (e559ea9138c77b5d1fda8c558764a25f) C:\Windows\system32\DRIVERS\NETw5v32.sys
2010/11/27 21:08:43.0722 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/11/27 21:08:43.0910 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/11/27 21:08:44.0051 NSCIRDA (6d8d2e5652fc2442c810c5d8be784148) C:\Windows\system32\DRIVERS\nscirda.sys
2010/11/27 21:08:44.0144 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/11/27 21:08:44.0319 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/11/27 21:08:44.0505 NTIDrvr (2757d2ba59aee155209e24942ab127c9) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2010/11/27 21:08:44.0872 NTIPPKernel (547bfa3591c70674b0bfc99354ab78b3) C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys
2010/11/27 21:08:45.0020 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/11/27 21:08:45.0133 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
2010/11/27 21:08:45.0176 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/11/27 21:08:45.0267 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2010/11/27 21:08:45.0355 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2010/11/27 21:08:45.0435 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2010/11/27 21:08:45.0630 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/11/27 21:08:45.0838 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/11/27 21:08:45.0947 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/11/27 21:08:46.0042 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/11/27 21:08:46.0215 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/11/27 21:08:46.0324 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2010/11/27 21:08:46.0445 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/11/27 21:08:46.0585 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/11/27 21:08:46.0834 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/11/27 21:08:46.0921 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2010/11/27 21:08:47.0044 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/11/27 21:08:47.0129 PSDFilter (1dcbb35090cc4b2bd3d661e6089523c6) C:\Windows\system32\DRIVERS\psdfilter.sys
2010/11/27 21:08:47.0167 PSDNServ (e26e46d619469964ac3609620f443867) C:\Windows\system32\DRIVERS\PSDNServ.sys
2010/11/27 21:08:47.0257 psdvdisk (3e1d134af2806867d06047c4cc33cc65) C:\Windows\system32\DRIVERS\PSDVdisk.sys
2010/11/27 21:08:47.0393 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2010/11/27 21:08:47.0536 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/11/27 21:08:47.0634 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/11/27 21:08:47.0683 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/11/27 21:08:47.0780 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/11/27 21:08:47.0887 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/11/27 21:08:48.0135 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/11/27 21:08:48.0326 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/11/27 21:08:48.0400 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/11/27 21:08:48.0487 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2010/11/27 21:08:48.0579 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/11/27 21:08:48.0662 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/11/27 21:08:48.0834 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/11/27 21:08:48.0978 RTSTOR (9ea88492b1dab90dce43a6f2c0e133bd) C:\Windows\system32\drivers\RTSTOR.SYS
2010/11/27 21:08:49.0060 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/11/27 21:08:49.0185 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2010/11/27 21:08:49.0284 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/11/27 21:08:49.0400 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/11/27 21:08:49.0489 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/11/27 21:08:49.0594 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/11/27 21:08:49.0754 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2010/11/27 21:08:49.0840 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2010/11/27 21:08:49.0870 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2010/11/27 21:08:49.0922 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/11/27 21:08:49.0990 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2010/11/27 21:08:50.0068 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2010/11/27 21:08:50.0137 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2010/11/27 21:08:50.0214 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/11/27 21:08:50.0319 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/11/27 21:08:50.0428 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/11/27 21:08:50.0472 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/11/27 21:08:50.0505 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/11/27 21:08:50.0686 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
2010/11/27 21:08:50.0785 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/11/27 21:08:50.0893 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/11/27 21:08:51.0002 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/11/27 21:08:51.0047 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/11/27 21:08:51.0143 SynTP (4c9bb4b3b9eac26211484c30b914c6dc) C:\Windows\system32\DRIVERS\SynTP.sys
2010/11/27 21:08:51.0297 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/11/27 21:08:51.0443 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/11/27 21:08:51.0563 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/11/27 21:08:51.0686 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/11/27 21:08:51.0720 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/11/27 21:08:51.0768 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/11/27 21:08:51.0869 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/11/27 21:08:52.0064 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/11/27 21:08:52.0130 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/11/27 21:08:52.0220 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/11/27 21:08:52.0298 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2010/11/27 21:08:52.0401 UBHelper (f763e070843ee2803de1395002b42938) C:\Windows\system32\drivers\UBHelper.sys
2010/11/27 21:08:52.0493 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/11/27 21:08:52.0617 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2010/11/27 21:08:52.0715 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2010/11/27 21:08:52.0805 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/11/27 21:08:52.0851 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/11/27 21:08:52.0939 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/11/27 21:08:53.0061 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\Windows\system32\Drivers\usbaapl.sys
2010/11/27 21:08:53.0167 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/11/27 21:08:53.0253 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/11/27 21:08:53.0378 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/11/27 21:08:53.0465 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/11/27 21:08:53.0514 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2010/11/27 21:08:53.0627 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/11/27 21:08:53.0745 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2010/11/27 21:08:53.0835 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/11/27 21:08:53.0902 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/11/27 21:08:53.0999 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2010/11/27 21:08:54.0133 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/11/27 21:08:54.0188 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/11/27 21:08:54.0235 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2010/11/27 21:08:54.0319 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2010/11/27 21:08:54.0402 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2010/11/27 21:08:54.0447 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/11/27 21:08:54.0543 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/11/27 21:08:54.0658 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/11/27 21:08:54.0762 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2010/11/27 21:08:54.0862 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/11/27 21:08:54.0923 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/27 21:08:54.0948 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/27 21:08:55.0070 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2010/11/27 21:08:55.0163 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/11/27 21:08:55.0396 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2010/11/27 21:08:55.0688 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/11/27 21:08:55.0862 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/11/27 21:08:55.0978 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/11/27 21:08:56.0082 yukonwlh (3e1c915c6291ab5d1cfca680e1bd6bad) C:\Windows\system32\DRIVERS\yk60x86.sys
2010/11/27 21:08:56.0186 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796} (4d840c6af3c020ed3a35efba9025cf4a) C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl
2010/11/27 21:08:56.0272 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/27 21:08:56.0281 ================================================================================
2010/11/27 21:08:56.0281 Scan finished
2010/11/27 21:08:56.0281 ================================================================================
2010/11/27 21:08:56.0312 Detected object count: 1
2010/11/27 21:09:12.0885 \HardDisk0 - will be cured after reboot
2010/11/27 21:09:12.0885 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/27 21:09:19.0471 Deinitialize success
 
You did well :)

See, if you can boot to normal mode now.

Both tools listed below can be run from Safe Mode (if needed).


Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

===================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 5735
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 114):
0x82039000 \SystemRoot\system32\ntkrnlpa.exe
0x82006000 \SystemRoot\system32\hal.dll
0x80406000 \SystemRoot\system32\kdcom.dll
0x8040D000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047D000 \SystemRoot\system32\PSHED.dll
0x8048E000 \SystemRoot\system32\BOOTVID.dll
0x80496000 \SystemRoot\system32\CLFS.SYS
0x804D7000 \SystemRoot\system32\CI.dll
0x8060E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8068A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80697000 \SystemRoot\system32\drivers\acpi.sys
0x806DD000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E6000 \SystemRoot\system32\drivers\msisadrv.sys
0x806EE000 \SystemRoot\system32\drivers\pci.sys
0x80715000 \SystemRoot\System32\drivers\partmgr.sys
0x80724000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80727000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80731000 \SystemRoot\system32\drivers\volmgr.sys
0x80740000 \SystemRoot\System32\drivers\volmgrx.sys
0x8078A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8079A000 \SystemRoot\System32\Drivers\UBHelper.sys
0x807A2000 \SystemRoot\system32\drivers\atapi.sys
0x807AA000 \SystemRoot\system32\drivers\ataport.SYS
0x807C8000 \SystemRoot\system32\drivers\msahci.sys
0x807D2000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x805B7000 \SystemRoot\system32\drivers\fltmgr.sys
0x807E0000 \SystemRoot\system32\drivers\fileinfo.sys
0x807F0000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x8260D000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8267E000 \SystemRoot\system32\drivers\ndis.sys
0x82789000 \SystemRoot\system32\drivers\msrpc.sys
0x827B4000 \SystemRoot\system32\drivers\NETIO.SYS
0x89E03000 \SystemRoot\System32\drivers\tcpip.sys
0x89EED000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A00A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A11A000 \SystemRoot\system32\drivers\volsnap.sys
0x8A15B000 \SystemRoot\System32\Drivers\mup.sys
0x8A16A000 \SystemRoot\System32\drivers\ecache.sys
0x8A191000 \SystemRoot\system32\drivers\disk.sys
0x8A1A2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A1C3000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A1EE000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A000000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x89F08000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x89F13000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x89F51000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x89F60000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8D80D000 \SystemRoot\system32\DRIVERS\yk60x86.sys
0x8DA0A000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8DD91000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8DDA4000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0x8DDAE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8DDB9000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8DDE9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8DDEB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8D859000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8DDF6000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8DA00000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8D871000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8D87A000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D8A9000 \SystemRoot\system32\DRIVERS\storport.sys
0x8D8EA000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D8F5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D90C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D917000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D93A000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D949000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D95D000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8D972000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8DDFE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8D982000 \SystemRoot\system32\DRIVERS\ks.sys
0x8D9AC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8D9B6000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8D9C3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x89FED000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x805E9000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x8D800000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D9F8000 \SystemRoot\System32\Drivers\Null.SYS
0x8A153000 \SystemRoot\System32\Drivers\Beep.SYS
0x827EF000 \SystemRoot\System32\drivers\vga.sys
0x8DE09000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8DE2A000 \SystemRoot\System32\drivers\watchdog.sys
0x8DE36000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8DE3E000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8DE49000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8DE57000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8DE60000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8DE80000 \SystemRoot\system32\DRIVERS\smb.sys
0x8DE94000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DEC6000 \SystemRoot\system32\drivers\afd.sys
0x8DF0E000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8DF13000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DF29000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DF37000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DF73000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8DF7D000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DF94000 \SystemRoot\System32\Drivers\fastfat.SYS
0x94460000 \SystemRoot\System32\win32k.sys
0x8DFBC000 \SystemRoot\System32\drivers\Dxapi.sys
0x94670000 \SystemRoot\System32\drivers\dxg.sys
0x946A0000 \SystemRoot\System32\TSDDD.dll
0x8DFC6000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8DFD3000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8DFDE000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x94720000 \SystemRoot\System32\framebuf.dll
0x96606000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x96630000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9663A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x96653000 \SystemRoot\System32\drivers\mpsdrv.sys
0x96668000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x96687000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x966C0000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x966D8000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x773A0000 \Windows\System32\ntdll.dll

Processes (total 23):
0 System Idle Process
4 System
352 C:\Windows\System32\smss.exe
476 csrss.exe
512 C:\Windows\System32\wininit.exe
520 csrss.exe
556 C:\Windows\System32\winlogon.exe
596 C:\Windows\System32\services.exe
608 C:\Windows\System32\lsass.exe
616 C:\Windows\System32\lsm.exe
760 C:\Windows\System32\svchost.exe
816 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
992 C:\Windows\System32\svchost.exe
1036 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1204 C:\Windows\System32\svchost.exe
1312 C:\Windows\System32\svchost.exe
1708 C:\Windows\explorer.exe
524 C:\Program Files\Mozilla Firefox\firefox.exe
2024 C:\Users\Sarah Brown\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`55400000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 75374D27B77E61C9316E27BACDEE41C1E2C9874E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
 
Combofix log

ComboFix 10-11-27.01 - Sarah Brown 27/11/2010 22:04:49.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2530 [GMT 0:00]
Running from: c:\users\Sarah Brown\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AV8
c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}
c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\chrome.manifest
c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\chrome\content\_cfg.js
c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\chrome\content\overlay.xul
c:\users\Sarah Brown\AppData\Local\{3C16A606-5197-465A-ACF0-CD693D973332}\install.rdf
c:\users\Sarah Brown\AppData\Roaming\Adobe\AdobeUpdate .exe
c:\users\Sarah Brown\AppData\Roaming\Adobe\plugs
c:\users\Sarah Brown\AppData\Roaming\Adobe\plugs\KB1838050.exe
c:\windows\$NtUninstallMTF197$\cscdn.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
.

2010-11-27 22:10 . 2010-11-27 22:10 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
2010-11-27 22:10 . 2010-11-27 22:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
2010-11-12 17:03 . 2010-11-24 17:58 0 ----a-w- c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A59933E-D8A2-4E71-8027-3FA5881EC5C9}]
2010-11-12 14:41 294912 ----a-w- c:\windows\$NtUninstallMTF197$\lfjre.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-16 16:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
2010-11-12 14:41 294912 ----a-w- c:\windows\$NtUninstallMTF197$\lfjre.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jgeleki]
2008-01-21 02:34 402432 ----a-w- c:\users\Sarah Brown\AppData\Local\inozevaxik.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;aswSP; [x]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-21 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

BHO-{FBF50663-5574-4494-9419-76158E351EF0} - c:\windows\$NtUninstallMTF197$\cscdn.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Adobe32 ARM - c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe
MSConfigStartUp-Fdobiwogi - c:\users\Sarah Brown\AppData\Local\wiexmp.dll
MSConfigStartUp-gchk - c:\windows\$NtUninstallMTF197$\upg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-27 22:10
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1184)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2010-11-27 22:11:24
ComboFix-quarantined-files.txt 2010-11-27 22:11

Pre-Run: 57,175,867,392 bytes free
Post-Run: 57,099,264,000 bytes free

- - End Of File - - 13BCC7743D66057CE0EEB2E4EF458BB7
 
We have to start with fixing your MBR...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.
 
2nd MBRCheck log

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 5735
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 114):
0x8200F000 \SystemRoot\system32\ntkrnlpa.exe
0x823C8000 \SystemRoot\system32\hal.dll
0x80400000 \SystemRoot\system32\kdcom.dll
0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80477000 \SystemRoot\system32\PSHED.dll
0x80488000 \SystemRoot\system32\BOOTVID.dll
0x80490000 \SystemRoot\system32\CLFS.SYS
0x804D1000 \SystemRoot\system32\CI.dll
0x80603000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8067F000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8068C000 \SystemRoot\system32\drivers\acpi.sys
0x806D2000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806DB000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E3000 \SystemRoot\system32\drivers\pci.sys
0x8070A000 \SystemRoot\System32\drivers\partmgr.sys
0x80719000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8071C000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80726000 \SystemRoot\system32\drivers\volmgr.sys
0x80735000 \SystemRoot\System32\drivers\volmgrx.sys
0x8077F000 \SystemRoot\System32\drivers\mountmgr.sys
0x8078F000 \SystemRoot\System32\Drivers\UBHelper.sys
0x80797000 \SystemRoot\system32\drivers\atapi.sys
0x8079F000 \SystemRoot\system32\drivers\ataport.SYS
0x807BD000 \SystemRoot\system32\drivers\msahci.sys
0x807C7000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x805B1000 \SystemRoot\system32\drivers\fltmgr.sys
0x807D5000 \SystemRoot\system32\drivers\fileinfo.sys
0x807E5000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x82601000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82672000 \SystemRoot\system32\drivers\ndis.sys
0x8277D000 \SystemRoot\system32\drivers\msrpc.sys
0x827A8000 \SystemRoot\system32\drivers\NETIO.SYS
0x89E0D000 \SystemRoot\System32\drivers\tcpip.sys
0x89EF7000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A009000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A119000 \SystemRoot\system32\drivers\volsnap.sys
0x8A15A000 \SystemRoot\System32\Drivers\mup.sys
0x8A169000 \SystemRoot\System32\drivers\ecache.sys
0x8A190000 \SystemRoot\system32\drivers\disk.sys
0x8A1A1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A1C2000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A1ED000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A000000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x89F12000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x89F1D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x89F5B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x89F6A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8D802000 \SystemRoot\system32\DRIVERS\yk60x86.sys
0x8DA00000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8DD87000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8DD9A000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0x8DDA4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8DDAF000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8DDDF000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8DDE1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8D84E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8DDEC000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8DDF4000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8D866000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8D86F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D89E000 \SystemRoot\system32\DRIVERS\storport.sys
0x8D8DF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D8EA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D901000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D90C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D92F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D93E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D952000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8D967000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8DDFE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8D977000 \SystemRoot\system32\DRIVERS\ks.sys
0x8D9A1000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8D9AB000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8D9B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8D9ED000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x827E3000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x89FF7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8A152000 \SystemRoot\System32\Drivers\Null.SYS
0x8A1F8000 \SystemRoot\System32\Drivers\Beep.SYS
0x89E00000 \SystemRoot\System32\drivers\vga.sys
0x8DE0D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8DE2E000 \SystemRoot\System32\drivers\watchdog.sys
0x8DE3A000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8DE42000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8DE4D000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8DE5B000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8DE64000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8DE84000 \SystemRoot\system32\DRIVERS\smb.sys
0x8DE98000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DECA000 \SystemRoot\system32\drivers\afd.sys
0x8DF12000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8DF17000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DF2D000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DF3B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DF77000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8DF81000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DF98000 \SystemRoot\System32\Drivers\fastfat.SYS
0x942F0000 \SystemRoot\System32\win32k.sys
0x8DFC0000 \SystemRoot\System32\drivers\Dxapi.sys
0x94500000 \SystemRoot\System32\drivers\dxg.sys
0x94530000 \SystemRoot\System32\TSDDD.dll
0x8DFCA000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8DFD7000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8DFE2000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x945B0000 \SystemRoot\System32\framebuf.dll
0x9660D000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x96637000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x96641000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9665A000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9666F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9668E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x966C7000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x966DF000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x773B0000 \Windows\System32\ntdll.dll

Processes (total 23):
0 System Idle Process
4 System
352 C:\Windows\System32\smss.exe
448 csrss.exe
484 C:\Windows\System32\wininit.exe
492 csrss.exe
528 C:\Windows\System32\winlogon.exe
568 C:\Windows\System32\services.exe
580 C:\Windows\System32\lsass.exe
588 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\svchost.exe
784 C:\Windows\System32\svchost.exe
824 C:\Windows\System32\svchost.exe
912 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
960 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1292 C:\Windows\System32\svchost.exe
1648 C:\Windows\explorer.exe
1152 C:\Windows\System32\igfxsrvc.exe
1644 C:\Users\Sarah Brown\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`55400000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
PS still wont start in normal mode - only safe mode (with networking)

Any help on that problem too??
 
One step at a time...
MBRCheck log looks good. Good job on that :)

Uninstall Ask Toolbar, known adware.

You're running two AV programs, Avast and NOD32.
One of them has to go. Your choice.
You must do it now.
Let me know, which one you keep.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
c:\windows\$NtUninstallMTF197$\lfjre.dll
c:\users\Sarah Brown\AppData\Local\inozevaxik.dll


DirLook::
c:\windows\SHELLNEW

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A59933E-D8A2-4E71-8027-3FA5881EC5C9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProductReg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jgeleki]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Cannot use uninstaller in safe mode.
Am I OK to proceed with the rest of these instructions until I can restart normally/
I dont think NOD32 or ASK are running anyway/

Jim
 
combofix again

ComboFix 10-11-27.01 - Sarah Brown 27/11/2010 23:24:50.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2490 [GMT 0:00]
Running from: c:\users\Sarah Brown\Desktop\ComboFix.exe
Command switches used :: c:\users\Sarah Brown\Desktop\Logs\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\Sarah Brown\AppData\Local\inozevaxik.dll"
"c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin"
"c:\windows\$NtUninstallMTF197$\lfjre.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sarah Brown\AppData\Local\inozevaxik.dll
c:\users\Sarah Brown\AppData\Local\Rsagikufevori.bin
c:\windows\$NtUninstallMTF197$\lfjre.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
.

2010-11-27 23:30 . 2010-11-27 23:30 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
2010-11-27 23:30 . 2010-11-27 23:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\SHELLNEW ----

2006-09-22 00:32 . 2006-09-22 00:32 27140 ----a-w- c:\windows\SHELLNEW\PWRPNT12.PPTX
2006-09-22 00:25 . 2006-09-22 00:25 8714 ----a-w- c:\windows\SHELLNEW\EXCEL12.XLSX
2005-12-13 19:15 . 2005-12-13 19:15 59904 ----a-w- c:\windows\SHELLNEW\MSPUB.PUB


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-16 16:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF50663-5574-4494-9419-76158E351EF0}]
c:\windows\$NtUninstallMTF197$\cscdn.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe32 ARM]
c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fdobiwogi]
c:\users\Sarah Brown\AppData\Local\wiexmp.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gchk]
c:\windows\$NtUninstallMTF197$\upg.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;aswSP; [x]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-21 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-27 23:30
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1120)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2010-11-27 23:31:13
ComboFix-quarantined-files.txt 2010-11-27 23:31
ComboFix2.txt 2010-11-27 22:11

Pre-Run: 57,004,593,152 bytes free
Post-Run: 56,965,840,896 bytes free

- - End Of File - - 1E9FB04E98AC9DB3974A7AC467630433
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\$NtUninstallMTF197$\cscdn.dll
c:\users\Sarah Brown\AppData\Local\wiexmp.dll
c:\windows\$NtUninstallMTF197$\upg.exe


Folder::
c:\program files\Ask.com


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF50663-5574-4494-9419-76158E351EF0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fdobiwogi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gchk]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
logs

ComboFix 10-11-27.01 - Sarah Brown 28/11/2010 0:00.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2512 [GMT 0:00]
Running from: c:\users\Sarah Brown\Desktop\ComboFix.exe
Command switches used :: c:\users\Sarah Brown\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 00:05 . 2010-11-28 00:05 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
2010-11-28 00:05 . 2010-11-28 00:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-16 16:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF50663-5574-4494-9419-76158E351EF0}]
c:\windows\$NtUninstallMTF197$\cscdn.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-16 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe32 ARM]
c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fdobiwogi]
c:\users\Sarah Brown\AppData\Local\wiexmp.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gchk]
c:\windows\$NtUninstallMTF197$\upg.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;aswSP; [x]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-21 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

BHO-{6A59933E-D8A2-4E71-8027-3FA5881EC5C9} - c:\windows\$NtUninstallMTF197$\lfjre.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-bipro - c:\windows\$NtUninstallMTF197$\lfjre.dll
MSConfigStartUp-Jgeleki - c:\users\Sarah Brown\AppData\Local\inozevaxik.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 00:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1392)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2010-11-28 00:06:52
ComboFix-quarantined-files.txt 2010-11-28 00:06
ComboFix2.txt 2010-11-27 23:31
ComboFix3.txt 2010-11-27 22:11

Pre-Run: 57,007,890,432 bytes free
Post-Run: 56,917,528,576 bytes free

- - End Of File - - 9F90023AE424F66FDC7A83E1F73C6DD0
 
is this better?

ComboFix 10-11-27.01 - Sarah Brown 28/11/2010 0:22.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.2359 [GMT 0:00]
Running from: c:\users\Sarah Brown\Desktop\ComboFix.exe
Command switches used :: c:\users\Sarah Brown\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\Sarah Brown\AppData\Local\wiexmp.dll"
"c:\windows\$NtUninstallMTF197$\cscdn.dll"
"c:\windows\$NtUninstallMTF197$\upg.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Ask.com
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 00:25 . 2010-11-28 00:25 -------- d-----w- c:\users\Sarah Brown\AppData\Local\temp
2010-11-28 00:25 . 2010-11-28 00:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-27 14:10 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-27 14:10 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-27 14:10 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-27 14:10 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-27 14:10 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-27 14:09 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-27 14:09 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\programdata\Alwil Software
2010-11-27 14:09 . 2010-11-27 14:09 -------- d-----w- c:\program files\Alwil Software
2010-11-26 22:56 . 2010-11-26 22:56 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Mozilla
2010-11-22 20:13 . 2010-11-22 20:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-11-22 20:12 . 2010-11-22 20:17 -------- d-----w- c:\windows\SHELLNEW
2010-11-22 20:10 . 2010-11-22 20:10 -------- d-----r- C:\MSOCache
2010-11-21 18:09 . 2010-11-21 18:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\DriverCure
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\programdata\ParetoLogic
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\program files\ParetoLogic
2010-11-21 17:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E566945-955A-46DD-B26F-F2AE3AF4CF08}\mpengine.dll
2010-11-21 15:40 . 2010-11-21 15:40 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Electronic Arts
2010-11-20 22:54 . 2010-11-20 22:54 -------- d-----w- c:\users\Sarah Brown\AppData\Local\ESET
2010-11-20 14:51 . 2010-11-20 22:15 -------- d-----w- c:\program files\ESET
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\windows\Sun
2010-11-20 14:09 . 2010-11-20 14:09 -------- d-----w- c:\program files\Common Files\Java
2010-11-20 13:36 . 2010-11-21 17:01 -------- d-----w- c:\program files\iPod(991)
2010-11-20 13:35 . 2010-11-20 13:37 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-20 13:31 . 2010-11-21 17:01 -------- d-----w- c:\program files\Bonjour(936)
2010-11-20 13:19 . 2010-11-20 13:20 -------- d-----w- c:\program files\QuickTime(1124)
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\IObit
2010-11-20 09:40 . 2010-11-20 09:40 -------- d-----w- c:\program files\IObit
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\users\Sarah Brown\AppData\Roaming\Malwarebytes
2010-11-20 00:03 . 2008-07-07 17:42 17144 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 00:03 . 2010-11-20 00:03 -------- d-----w- c:\programdata\Malwarebytes
2010-11-20 00:03 . 2010-11-21 16:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 00:03 . 2008-07-07 17:42 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\vi-VN
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\eu-ES
2010-11-19 18:49 . 2010-11-21 16:59 -------- d-----w- c:\windows\system32\ca-ES
2010-11-19 18:14 . 2010-11-21 16:58 -------- d-----w- c:\windows\system32\EventProviders
2010-11-12 17:02 . 2010-11-21 16:57 -------- d-----w- c:\users\Sarah Brown\AppData\Local\Adobe32 ARM
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-10-29 17:37 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-29 17:37 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-29 17:37 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2009-10-03 09:57 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 16:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 16:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 16:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 16:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 16:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 16:43 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 16:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 16:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 16:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 16:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 16:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 16:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 16:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-09-03 06:13 . 2010-09-03 06:13 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-08-31 15:46 . 2010-10-14 16:43 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 16:43 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 16:43 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 16:43 2038272 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-14 16:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-14 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AVGRSSTX.DLL c:\progra~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe32 ARM]
c:\users\Sarah Brown\AppData\Local\Adobe32 ARM\rundll32.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-11-04 17:15 2219184 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-06 12:42 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2009-12-07 04:22 266888 ----a-w- c:\users\Sarah Brown\AppData\Roaming\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;aswSP; [x]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 137144]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-11-04 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-07-29 96920]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 MBAMDrvService;MBAMDrvService;c:\windows\system32\drivers\mbam.sys [2008-07-07 17144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-07 122488]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-06 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-11-20 21:39]

2010-11-27 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-11-21 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-21 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0809&m=aspire_5735
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sarah Brown\AppData\Roaming\Mozilla\Firefox\Profiles\b9ohoggg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 00:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1972)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2010-11-28 00:26:26
ComboFix-quarantined-files.txt 2010-11-28 00:26
ComboFix2.txt 2010-11-28 00:06
ComboFix3.txt 2010-11-27 23:31
ComboFix4.txt 2010-11-27 22:11

Pre-Run: 56,935,456,768 bytes free
Post-Run: 56,914,579,456 bytes free

- - End Of File - - FECFFC7AF8691999A1DCA885CAE11CEF
 
Let's try something...

While in safe mode....

Go Start>Run (Start Search in Vista), type in:
msconfig
Click OK (hit Enter in Vista).

Click on Startup tab.
Click Disable all
IMPORTANT! In case of laptop, make sure, you do NOT disable any keyboard, or touchpad entries.

Click Services tab.
Put checkmark in Hide all Microsoft services
Click Disable all.

Click OK.
Restart computer in Normal Mode.

NOTE. If you use different firewall, than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
If you use Windows firewall, you're fine.

Try to restart in normal mode now.
 
Status
Not open for further replies.
Back