# alureon.h virus
## link2998 (Sep 10, 2010)

Here are my log files as called for:

C:\Users\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80208
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:51223
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: FCTBPos00Pos - {AAAC503B-6F0F-4F48-8055-289B8A5EF5C0} - C:\Program Files\Causes\Toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0314.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0314.0\npwinext.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Causes - {5D51B4F2-CC28-4488-9AB3-BE7E40EB3293} - C:\Program Files\Causes\Toolbar.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'Default user')
O4 - Startup: setup_9.0.0.722_09.09.2010_16-24[1].lnk = C:\Users\Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_09.09.2010_16-24[1]\startup.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.14,93.188.166.53
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 13599 bytes

DDS (Ver_09-09-29.01) - NTFSx86 
Run by Administrator at 15:47:09.05 on Fri 09/10/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.1791.644 [GMT -4:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\SGPSA\ie3sh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_09.09.2010_16-24[1]\setup_9.0.0.722_09.09.2010_16-24[1].exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Administrator\Desktop\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Administrator\Desktop\dds.com
C:\Windows\system32\SearchFilterHost.exe
============== Pseudo HJT Report ===============
uSearch Page = 
uStart Page = hxxp://m.www.yahoo.com/
uSearch Bar = 
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:51223
mSearchAssistant = 
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Freecause Toolbar BHO: {aaac503b-6f0f-4f48-8055-289b8a5ef5c0} - c:\program files\causes\Toolbar.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0314.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0314.0\npwinext.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Causes: {5d51b4f2-cc28-4488-9ab3-be7e40eb3293} - c:\program files\causes\Toolbar.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [Performance Center] c:\program files\ascentive\performance center\APCMain.exe -m
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [FBSSA] c:\program files\sgpsa\ie3sh.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\setup_~1.lnk - c:\users\administrator\desktop\virus removal tool\setup_9.0.0.722_09.09.2010_16-24[1]\startup.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: &Search
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
============= SERVICES / DRIVERS ===============
R0 28279082;28279082 Boot Guard Driver;c:\windows\system32\drivers\28279082.sys [2010-9-9 37392]
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-9-17 133152]
R1 28279081;28279081;c:\windows\system32\drivers\28279081.sys [2010-9-9 128016]
R1 setup_9.0.0.722_09.09.2010_16-24[1]drv;setup_9.0.0.722_09.09.2010_16-24[1]drv;c:\windows\system32\drivers\2827908.sys [2010-9-9 311312]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-3-16 269448]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2010-5-14 249136]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-8-18 1529728]
R2 X4HS32Ex;X4HS32Ex;c:\program files\free ride games\X4HS32Ex.sys [2009-12-11 53280]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2009-1-17 110592]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]
S3 usbanyka;USB Web Camera;c:\windows\system32\drivers\usbanyka.sys [2009-12-25 17536]
S3 ute5nti4;AVZ Kernel Driver;c:\windows\system32\drivers\ute5nti4.sys [2010-9-9 7168]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-09-10 15:38 --d----- C:\_OTL
2010-09-10 15:11 --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-09-10 15:11 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 15:11 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-09-10 15:11 --d----- c:\programdata\Malwarebytes
2010-09-10 15:11 --d----- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 15:11 --d----- c:\progra~2\Malwarebytes
2010-09-10 14:56 --d----- C:\ComboFix
2010-09-09 20:23 --d----- c:\program files\Microsoft Security Essentials
2010-09-09 20:15 --d----- C:\WINSSLog
2010-09-09 20:00 196,608 a------- c:\windows\SPInstall.etl
2010-09-09 19:31 --d----- c:\program files\MSE Update Utility
2010-09-09 18:13 2,037,760 a------- c:\windows\system32\win32k.sys
2010-09-09 18:13 36,864 a------- c:\windows\system32\rtutils.dll
2010-09-09 18:10 3,600,768 a------- c:\windows\system32\ntkrnlpa.exe
2010-09-09 18:10 3,548,040 a------- c:\windows\system32\ntoskrnl.exe
2010-09-09 18:10 1,248,768 a------- c:\windows\system32\msxml3.dll
2010-09-09 18:10 302,080 a------- c:\windows\system32\drivers\srv.sys
2010-09-09 18:10 144,896 a------- c:\windows\system32\drivers\srv2.sys
2010-09-09 18:10 905,088 a------- c:\windows\system32\drivers\tcpip.sys
2010-09-09 18:05 --d----- c:\programdata\PC Tools
2010-09-09 18:05 --d----- c:\program files\Spyware Doctor
2010-09-09 18:05 --d----- c:\progra~2\PC Tools
2010-09-09 18:04 --d----- c:\users\admini~1\appdata\roaming\GetRightToGo
2010-09-09 15:14 --d----- c:\program files\Sophos
2010-09-09 14:32 --d----- C:\TDSSKiller_Quarantine
2010-09-09 14:07 7,168 a------- c:\windows\system32\drivers\ute5nti4.sys
2010-09-09 14:02 19,944 a------- c:\windows\system32\drivers\atapi.kav
2010-09-09 14:00 --d----- c:\programdata\Kaspersky Lab
2010-09-09 14:00 --d----- c:\progra~2\Kaspersky Lab
2010-09-09 13:59 311,312 a------- c:\windows\system32\drivers\2827908.sys
2010-09-09 13:59 128,016 a------- c:\windows\system32\drivers\28279081.sys
2010-09-09 13:59 37,392 a------- c:\windows\system32\drivers\28279082.sys
2010-09-09 13:13 --d----- c:\users\admini~1\appdata\roaming\Xfire
2010-09-08 10:47 56 a---h--- c:\windows\system32\ezsidmv.dat
2010-09-08 10:44 --d--r-- c:\program files\Skype
2010-09-08 10:44 --d----- c:\programdata\Skype
2010-09-04 17:27 --d----- c:\windows\pss
2010-09-04 16:30 --d----- c:\program files\CCleaner
2010-09-04 16:27 --d----- c:\programdata\Symantec
2010-09-04 16:27 --d----- c:\progra~2\Symantec
2010-09-03 08:40 --d----- c:\program files\iPod
2010-09-03 08:34 --d----- c:\program files\ReXplorer
2010-09-02 07:35 --d----- c:\programdata\Sun
2010-09-02 07:34 423,656 a------- c:\windows\system32\deployJava1.dll
==================== Find3M ====================
2010-09-09 14:48 19,944 a------- c:\windows\system32\drivers\atapi.sys
2010-09-09 10:56 96,672 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-09-03 08:37 143,360 a------- c:\windows\inf\infstrng.dat
2010-09-03 08:37 86,016 a------- c:\windows\inf\infstor.dat
2010-09-03 08:37 51,200 a------- c:\windows\inf\infpub.dat
2010-06-26 02:05 916,480 a------- c:\windows\system32\wininet.dll
2010-06-26 02:02 109,056 a------- c:\windows\system32\iesysprep.dll
2010-06-26 02:02 71,680 a------- c:\windows\system32\iesetup.dll
2010-06-26 00:25 133,632 a------- c:\windows\system32\ieUnatt.exe
2010-01-24 07:56 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2010-06-07 00:14 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-06-07 00:14 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-06-07 00:14 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-06-02 07:01 245,760 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-17 20:20 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 15:48:58.21 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-10 16:26:07
Windows 6.0.6002 Service Pack 2
Running: ep5q865k.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kftcrkob.sys

---- System - GMER 1.0.15 ----
INT 0x82 ? 85258BF8
INT 0x83 ? 865D2F00
INT 0x93 ? 865D2F00
---- Kernel code sections - GMER 1.0.15 ----
? System32\drivers\ogysr.sys The system cannot find the path specified. !
? System32\Drivers\spez.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8C26541B 5 Bytes JMP 865D24E0 
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CC0F340, 0x3DB197, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[484] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 76C4B37C 4 Bytes [50, 26, 00, 10] {PUSH EAX; ADD ES:[EAX], DL}
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!SetWindowsHookExW 769E87AD 5 Bytes JMP 6B109AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!CallNextHookEx 769E8E3B 5 Bytes JMP 6B0FD135 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!UnhookWindowsHookEx 769E98DB 5 Bytes JMP 6B074666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!CreateWindowExW 769F1305 5 Bytes JMP 6B10DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxParamW 76A110B0 5 Bytes JMP 6B035501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxIndirectParamW 76A12EF5 5 Bytes JMP 6B204B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxParamA 76A28152 5 Bytes JMP 6B204AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!DialogBoxIndirectParamA 76A2847D 5 Bytes JMP 6B204BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxIndirectA 76A3D4D9 5 Bytes JMP 6B204A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxIndirectW 76A3D5D3 5 Bytes JMP 6B204A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxExA 76A3D639 5 Bytes JMP 6B2049B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!MessageBoxExW 76A3D65D 5 Bytes JMP 6B204952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 76C4B37C 4 Bytes [50, 26, A1, 09]
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ole32.dll!OleLoadFromStream 76571E12 5 Bytes JMP 6B204ED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ole32.dll!CoCreateInstance 765A9EA6 5 Bytes JMP 6B10DB80 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ws2_32.dll!closesocket  77DF330C 5 Bytes JMP 654F41DF C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ws2_32.dll!recv 77DF343A 5 Bytes JMP 654F4549 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ws2_32.dll!socket 77DF36D1 5 Bytes JMP 654F354C C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ws2_32.dll!connect 77DF40D9 5 Bytes JMP 654F35DC C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ws2_32.dll!getaddrinfo 77DF418A 5 Bytes JMP 654F3704 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] ws2_32.dll!send 77DF659B 5 Bytes JMP 654F3B92 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!SetWindowsHookExW 769E87AD 5 Bytes JMP 6B109AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!CallNextHookEx 769E8E3B 5 Bytes JMP 6B0FD135 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!UnhookWindowsHookEx 769E98DB 5 Bytes JMP 6B074666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!CreateWindowExW 769F1305 5 Bytes JMP 6B10DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!DialogBoxParamW 76A110B0 5 Bytes JMP 6B035501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!DialogBoxIndirectParamW 76A12EF5 5 Bytes JMP 6B204B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!DialogBoxParamA 76A28152 5 Bytes JMP 6B204AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!DialogBoxIndirectParamA 76A2847D 5 Bytes JMP 6B204BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!MessageBoxIndirectA 76A3D4D9 5 Bytes JMP 6B204A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!MessageBoxIndirectW 76A3D5D3 5 Bytes JMP 6B204A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!MessageBoxExA 76A3D639 5 Bytes JMP 6B2049B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] USER32.dll!MessageBoxExW 76A3D65D 5 Bytes JMP 6B204952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 76C4B37C 4 Bytes [50, 26, 6E, 07] {PUSH EAX; OUTS DX, BYTE ES:[ESI]; POP ES}
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ole32.dll!OleLoadFromStream 76571E12 5 Bytes JMP 6B204ED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ole32.dll!CoCreateInstance 765A9EA6 5 Bytes JMP 6B10DB80 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ws2_32.dll!closesocket 77DF330C 5 Bytes JMP 654F41DF C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ws2_32.dll!recv 77DF343A 5 Bytes JMP 654F4549 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ws2_32.dll!socket 77DF36D1 5 Bytes JMP 654F354C C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ws2_32.dll!connect 77DF40D9 5 Bytes JMP 654F35DC C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ws2_32.dll!getaddrinfo 77DF418A 5 Bytes JMP 654F3704 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3800] ws2_32.dll!send 77DF659B 5 Bytes JMP 654F3B92 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Windows\system32\NOTEPAD.EXE[4224] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 76C4B37C 4 Bytes [50, 26, 00, 10] {PUSH EAX; ADD ES:[EAX], DL}
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!CreateWindowExW 769F1305 5 Bytes JMP 6B10DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxParamW 76A110B0 5 Bytes JMP 6B035501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxIndirectParamW 76A12EF5 5 Bytes JMP 6B204B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxParamA 76A28152 5 Bytes JMP 6B204AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!DialogBoxIndirectParamA 76A2847D 5 Bytes JMP 6B204BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxIndirectA 76A3D4D9 5 Bytes JMP 6B204A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxIndirectW 76A3D5D3 5 Bytes JMP 6B204A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxExA  76A3D639 5 Bytes JMP 6B2049B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5604] USER32.dll!MessageBoxExW 76A3D65D 5 Bytes JMP 6B204952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!SetWindowsHookExW 769E87AD 5 Bytes JMP 6B109AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!CallNextHookEx 769E8E3B 5 Bytes JMP 6B0FD135 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!UnhookWindowsHookEx 769E98DB 5 Bytes JMP 6B074666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!CreateWindowExW 769F1305 5 Bytes JMP 6B10DB24 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!DialogBoxParamW 76A110B0 5 Bytes JMP 6B035501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!DialogBoxIndirectParamW 76A12EF5 5 Bytes JMP 6B204B4F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!DialogBoxParamA 76A28152 5 Bytes JMP 6B204AEC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!DialogBoxIndirectParamA 76A2847D 5 Bytes JMP 6B204BB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!MessageBoxIndirectA 76A3D4D9 5 Bytes JMP 6B204A81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!MessageBoxIndirectW 76A3D5D3 5 Bytes JMP 6B204A16 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!MessageBoxExA 76A3D639 5 Bytes JMP 6B2049B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] USER32.dll!MessageBoxExW 76A3D65D 5 Bytes JMP 6B204952 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 76C4B37C 4 Bytes [50, 26, D7, 0A]
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ole32.dll!OleLoadFromStream 76571E12 5 Bytes JMP 6B204ED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ole32.dll!CoCreateInstance 765A9EA6 5 Bytes JMP 6B10DB80 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ws2_32.dll!closesocket 77DF330C 5 Bytes JMP 654F41DF C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ws2_32.dll!recv 77DF343A 5 Bytes JMP 654F4549 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ws2_32.dll!socket 77DF36D1 5 Bytes JMP 654F354C C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ws2_32.dll!connect 77DF40D9 5 Bytes JMP 654F35DC C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ws2_32.dll!getaddrinfo 77DF418A 5 Bytes JMP 654F3704 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5700] ws2_32.dll!send 77DF659B 5 Bytes JMP 654F3B92 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8525E1F8
Device \Driver\volmgr \Device\VolMgrControl 8525B1F8
Device \Driver\usbohci \Device\USBPDO-0 866191F8
Device \Driver\usbehci \Device\USBPDO-1 8661C1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{4B89E525-B2FE-4E02-B769-D671257BBDE6} 878A11F8
Device \Driver\USBSTOR \Device\00000070 86611500
Device \Driver\volmgr \Device\HarddiskVolume1 8525B1F8
Device \Driver\USBSTOR \Device\00000071 86611500
Device \Driver\volmgr \Device\HarddiskVolume2 8525B1F8
Device \Driver\cdrom \Device\CdRom0 866431F8
Device \Driver\USBSTOR \Device\00000072 86611500
Device \Driver\volmgr \Device\HarddiskVolume3 8525B1F8
Device \Driver\USBSTOR \Device\00000073 86611500
Device \Driver\volmgr \Device\HarddiskVolume4 8525B1F8
Device \Driver\volmgr \Device\HarddiskVolume5 8525B1F8
Device \Driver\volmgr \Device\HarddiskVolume6 8525B1F8
Device \Driver\volmgr \Device\HarddiskVolume7 8525B1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 878A11F8
Device \Driver\Smb \Device\NetbiosSmb 878D31F8
Device \Driver\nvstor32 \Device\RaidPort0 8525D1F8
Device \Driver\iScsiPrt \Device\RaidPort1 866FC1F8
Device \Driver\nvstor32 \Device\0000005e 8525D1F8
Device \Driver\nvstor32 \Device\0000005f 8525D1F8
Device \Driver\usbohci \Device\USBFDO-0  866191F8
Device \Driver\usbehci \Device\USBFDO-1 8661C1F8
Device \Driver\USBSTOR \Device\0000006f 86611500
Device \FileSystem\cdfs \Cdfs A6AA41F8
---- EOF - GMER 1.0.15 ----
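A triage helper for output of the kind in the GMER log above, added here as an example; it is not part of the thread, of GMER, or of any tool the helper recommends. It splits a GMER report into its sections and picks out the entries an analyst looks at first: IDT entries whose owning module GMER prints as `?`, kernel drivers GMER sees referenced but cannot open on disk (`The system cannot find the path specified`), and inline JMP hooks in kernel modules whose target is not attributed to any named module. The sample input is a trimmed copy of the first lines of the posted scan; the regular expressions are assumptions about the 1.0.15 line format taken from those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example (not GMER's own code): parse a GMER 1.0.15 text report and
# list the entries that justify a closer look.  Line formats are assumed
# from the report posted in the thread.


@dataclass(frozen=True)
class Finding:
    kind: str    # category: idt-hook-unknown-owner / hidden-driver / kernel-inline-hook
    detail: str  # the vector, driver path or hooked export the finding refers to


# "---- System - GMER 1.0.15 ----" style section headers
SECTION_RE = re.compile(r'^---- (.+?) - GMER ')
# "INT 0x82 ? 85258BF8": vector, owning module (or '?'), handler address
INT_RE = re.compile(r'^INT\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+([0-9A-Fa-f]{8})\b')
# "? System32\drivers\name.sys The system cannot find the path specified. !"
MISSING_RE = re.compile(r'^\?\s+(\S+)\s+The system cannot find the path specified')
# ".text MODULE!Export ADDR N Bytes JMP TARGET [attributed module]"
JMP_RE = re.compile(
    r'^\.text\s+(\S+?)!(\S+)\s+[0-9A-Fa-f]{8}\s+\d+ Bytes\s+JMP\s+([0-9A-Fa-f]{8})\s*(.*)$')


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the report's non-empty lines under the section header above them."""
    sections: Dict[str, List[str]] = {}
    current = 'header'
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return the entries an analyst would examine first, in report order."""
    findings: List[Finding] = []
    sections = split_sections(text)
    # IDT entries: a '?' owner means GMER could not map the handler to a loaded driver.
    for line in sections.get('System', []):
        m = INT_RE.match(line)
        if m and m.group(2) == '?':
            findings.append(Finding('idt-hook-unknown-owner', f'{m.group(1)} -> {m.group(3)}'))
    # Kernel modules: a referenced driver with no file on disk, or a JMP whose
    # target GMER does not attribute to any module, are the rootkit-style signs.
    for line in sections.get('Kernel code sections', []):
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding('hidden-driver', m.group(1)))
            continue
        m = JMP_RE.match(line)
        if m and not m.group(4).strip():
            findings.append(Finding('kernel-inline-hook',
                                    f'{m.group(1)}!{m.group(2)} -> {m.group(3)}'))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    """Summary counts, handy for a one-line verdict in a ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Sample input: trimmed from the GMER report posted in this thread.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-10 16:26:07
Windows 6.0.6002 Service Pack 2

---- System - GMER 1.0.15 ----
INT 0x82 ? 85258BF8
INT 0x83 ? 865D2F00
INT 0x93 ? 865D2F00
---- Kernel code sections - GMER 1.0.15 ----
? System32\drivers\ogysr.sys The system cannot find the path specified. !
? System32\Drivers\spez.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8C26541B 5 Bytes JMP 865D24E0
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CC0F340, 0x3DB197, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3692] USER32.dll!SetWindowsHookExW 769E87AD 5 Bytes JMP 6B109AD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
"""

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(f'{finding.kind:24} {finding.detail}')
    print(count_by_kind(triage(SAMPLE_LOG)))
```

User-mode hooks are deliberately left alone: in this report every one of them is attributed to IEFRAME.dll or SeaNote.dll, which is what a browser add-on looks like, whereas the three kernel-side categories have no benign attribution at all. A real run would feed the full report in from a file; the sample stops after the first user-mode line.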


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,

Download *OTL* to your Desktop

o Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
o Under the Custom Scan box paste this in


```
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

o Click the *Run Scan* button. Do not change any settings unless otherwise told to do so.

o When the scan completes, it will open two notepad windows. *OTL.Txt and Extras.Txt*. These are saved in the same location as OTL.
o Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post back here.

*So when you return please post the two OTL logs - OTL.txt and Extras.txt*

Note: Unless otherwise instructed always post the logs in the forum. If reports don't fit on one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine.


----------



## link2998 (Sep 10, 2010)

sorry but both programs froze. I gave RKunhooker all night to finish the scan but it didn't. The next day OTL froze on zntport. Thanks for your patience.


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,

Let's see if we can do this another way.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: FCTBPos00Pos - {AAAC503B-6F0F-4F48-8055-289B8A5EF5C0} - C:\Program Files\Causes\Toolbar.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Causes - {5D51B4F2-CC28-4488-9AB3-BE7E40EB3293} - C:\Program Files\Causes\Toolbar.dll
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu

Close all windows other than HijackThis, then click Fix checked.

Close HijackThis.

*Next*

Please *download* the *OTM by OldTimer*.

o *Save* it to your *desktop*.
o Please double-click *OTM.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
o *Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
killallprocesses

:Files
c:\program files\sgpsa\BHO.dll
c:\program files\ascentive\performance center\APCMain.exe -m
C:\Program Files\AskBarDis
C:\PROGRA~1\Crawler
C:\Program Files\Causes
C:\Program Files\SGPSA

:commands
[purity]
[emptytemp]
[Reboot]
```

o Return to OTM, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM.*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter `*.log` and press the Enter key, navigate to the *C:\_OTM\MovedFiles* folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

*So when you return please post the OTM log and the HijackThis log*


----------



## link2998 (Sep 10, 2010)

Hello emrld, this is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:28:13 AM, on 9/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\SGPSA\ie3sh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_09.09.2010_16-24[1]\setup_9.0.0.722_09.09.2010_16-24[1].exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Desktop\HijackThis.exe
C:\ProgramData\Yahoo!\YUPDATER\YUPDATER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80208
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80208
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:51223
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: FCTBPos00Pos - {AAAC503B-6F0F-4F48-8055-289B8A5EF5C0} - C:\Program Files\Causes\Toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0314.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0314.0\npwinext.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Causes - {5D51B4F2-CC28-4488-9AB3-BE7E40EB3293} - C:\Program Files\Causes\Toolbar.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'Default user')
O4 - Startup: setup_9.0.0.722_09.09.2010_16-24[1].lnk = C:\Users\Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_09.09.2010_16-24[1]\startup.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.14,93.188.166.53
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: F02C1AF0 - Unknown owner - C:\Windows\system32\F02C1AF0.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 13672 bytes

and here's the OTM log:

All processes killed
Error: Unable to interpret <killallprocesses> in the current context!
========== FILES ==========
c:\program files\sgpsa\BHO.dll moved successfully.
File/Folder c:\program files\ascentive\performance center\APCMain.exe -m not found.
C:\Program Files\AskBarDis\bar\Settings folder moved successfully.
C:\Program Files\AskBarDis\bar\bin folder moved successfully.
C:\Program Files\AskBarDis\bar folder moved successfully.
C:\Program Files\AskBarDis folder moved successfully.
C:\PROGRA~1\Crawler\Toolbar\Update folder moved successfully.
C:\PROGRA~1\Crawler\Toolbar\TBR5LanguageAct folder moved successfully.
C:\PROGRA~1\Crawler\Toolbar\Languages folder moved successfully.
C:\PROGRA~1\Crawler\Toolbar\Cache\SMILEYS folder moved successfully.
C:\PROGRA~1\Crawler\Toolbar\Cache folder moved successfully.
C:\PROGRA~1\Crawler\Toolbar folder moved successfully.
C:\PROGRA~1\Crawler\Smileys folder moved successfully.
C:\PROGRA~1\Crawler\Shared folder moved successfully.
C:\PROGRA~1\Crawler\Download folder moved successfully.
C:\PROGRA~1\Crawler folder moved successfully.
C:\Program Files\Causes\skins\radio\gray03 folder moved successfully.
C:\Program Files\Causes\skins\radio folder moved successfully.
C:\Program Files\Causes\skins folder moved successfully.
C:\Program Files\Causes\images\weather\png folder moved successfully.
C:\Program Files\Causes\images\weather folder moved successfully.
C:\Program Files\Causes\images\ticker folder moved successfully.
C:\Program Files\Causes\images\msgbox folder moved successfully.
C:\Program Files\Causes\images folder moved successfully.
C:\Program Files\Causes folder moved successfully.
C:\Program Files\SGPSA folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2537429 bytes
->Temporary Internet Files folder emptied: 29005620 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 2408 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Richard F. Bahr III
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: RICHAR~1~BAH
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 37586 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 30.00 mb

OTM by OldTimer - Version 3.1.16.0 log created on 09132010_103450
Files moved on Reboot...
File move failed. C:\Windows\temp\CLDigitalHome\CLMS_AGENT_LOG1.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\CLDigitalHome\PCMMediaServer.log scheduled to be moved on reboot.
Registry entries deleted on Reboot...


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,

Please download ComboFix from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

***Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall***

When finished, it will produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.


----------



## link2998 (Sep 10, 2010)

When I run combofix (even if I choose run as administrator) it says error and shows a screen that I think says something about needing permissions (it closes too fast to be sure). Then it reboots.


----------



## link2998 (Sep 10, 2010)

I think the error code is Oxc000012(there might be more zeros).


----------



## emeraldnzl (Nov 3, 2007)

Hmm... let's try this:

Please download ComboFix from *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop***

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename *Combofix* to *Combo-Fix* as follows:

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers.
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combo-Fix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\Combo-Fix.txt" * for further review.
***Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall***


----------



## link2998 (Sep 10, 2010)

Same error. This time I saw that it said: "Access Denied" and something about using command-line to complete the task. Sorry.


----------



## emeraldnzl (Nov 3, 2007)

Go to Start > Run, copy and paste the following in the runbox, including the quotation marks and click OK:

*"%Userprofile%\Desktop\Combo-fix" /Killall*

Let it run.

When finished, it will produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.


----------



## link2998 (Sep 10, 2010)

Same problem.


----------



## emeraldnzl (Nov 3, 2007)

Download *Rogue Kill*

Double-click on *rkill.com* to run it. You will probably need to run this program a few times to stop the malware process running. The malware will probably complain about being stopped but please ignore this. *Do not reboot your computer after running rkill as the malware programs will start again*.

*Then..*

Use the command in my last post again. I am assuming you followed the instruction to save it to your desktop.

If you still have problems come back.


----------



## link2998 (Sep 10, 2010)

After I ran rkill a few times I ran combo-fix which gave the same error and rebooted the computer.

Then I tried rkill again and got this log:

This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 
Ran as Administrator on 09/14/2010 at 18:32:16. 

Services Stopped:

Processes terminated by Rkill or while it was running: 

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Users\Administrator\Desktop\rkill.com

Rkill completed on 09/14/2010 at 18:32:57.


----------



## emeraldnzl (Nov 3, 2007)

Okay one last thing to try before moving on.

See if you can run ComboFix from Safe Mode

*Boot into Safe Mode:*

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap F8 continually.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


----------



## link2998 (Sep 10, 2010)

I get the same error.


----------



## emeraldnzl (Nov 3, 2007)

Time to try something else.

Please run a free online scan with the *ESET Online Scanner*
*Note*_: ESET was designed to run with Internet Explorer; compatibility with other browsers has been added recently, but if you find difficulty, use Internet Explorer_
Click the green ESET Online Scanner box
Tick the box next to *YES, I accept the Terms of Use*
You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
Click *Start* and if your security program asks you if you want to allow the program, click yes.
If your anti-virus is active you may see a panel appear warning you that this may affect performance. Disabling the programs listed may speed things along.
Make sure that the options *Remove found threats* and *Scan archives* are checked (do not worry about advanced settings)
Click *Scan* (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use *Notepad* to open the logfile located at C:\Program Files\EsetOnlineScanner\*log.txt* (open Notepad > File > Open and navigate to the log.txt)
Copy and paste that log as a reply to this topic


----------



## link2998 (Sep 10, 2010)

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fe46dee2feb7564fae9fca6c3a69f676
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-15 12:28:44
# local_time=2010-09-14 08:28:44 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1029 16777214 0 1 29377214 29377214 0 0
# compatibility_mode=5892 16776574 100 100 19358615 121112953 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=204890
# found=2
# cleaned=2
# scan_time=5099
C:\Program Files\RegistryFix8\RegFix8.exe Win32/Adware.ErrorClean application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\AscConTest.dll Win32/Adware.Ascentive application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


----------



## emeraldnzl (Nov 3, 2007)

Please download *MBRCheck.exe* to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

> Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type *N* and press *Enter*. A report will be produced on the desktop. Post that report in your next reply.


----------



## link2998 (Sep 10, 2010)

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ACER
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: ACER
System Product Name: Aspire M1641
Logical Drives Mask: 0x000001fc
Kernel Drivers (total 155):
0x82413000 \SystemRoot\system32\ntkrnlpa.exe
0x827CC000 \SystemRoot\system32\hal.dll
0x80603000 \SystemRoot\system32\kdcom.dll
0x8060A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8067A000 \SystemRoot\system32\PSHED.dll
0x8068B000 \SystemRoot\system32\BOOTVID.dll
0x80693000 \SystemRoot\system32\CLFS.SYS
0x806D4000 \SystemRoot\system32\CI.dll
0x82A09000 \SystemRoot\system32\drivers\Wdf01000.sys
0x82A85000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x82A92000 \SystemRoot\System32\Drivers\spzo.sys
0x82B93000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x82B9C000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x807B4000 \SystemRoot\system32\drivers\acpi.sys
0x82BC2000 \SystemRoot\system32\drivers\msisadrv.sys
0x82BCA000 \SystemRoot\system32\drivers\pci.sys
0x82BF1000 \SystemRoot\System32\drivers\partmgr.sys
0x83008000 \SystemRoot\system32\drivers\volmgr.sys
0x83017000 \SystemRoot\System32\drivers\volmgrx.sys
0x83061000 \SystemRoot\system32\drivers\nvrd32.sys
0x83085000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x830A6000 \SystemRoot\system32\drivers\pciide.sys
0x830AD000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x830BB000 \SystemRoot\System32\drivers\mountmgr.sys
0x830CB000 \SystemRoot\system32\drivers\nvraid.sys
0x830E6000 \SystemRoot\system32\drivers\atapi.kav
0x830EE000 \SystemRoot\system32\drivers\ataport.SYS
0x8310C000 \SystemRoot\system32\drivers\nvstor32.sys
0x83131000 \SystemRoot\system32\drivers\storport.sys
0x83172000 \SystemRoot\system32\drivers\fltmgr.sys
0x831A4000 \SystemRoot\system32\drivers\fileinfo.sys
0x831B4000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x8320F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x83280000 \SystemRoot\system32\drivers\ndis.sys
0x8338B000 \SystemRoot\system32\drivers\msrpc.sys
0x833B6000 \SystemRoot\system32\drivers\NETIO.SYS
0x87C0B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87D1B000 \SystemRoot\SYSTEM32\DRIVERS\WD.SYS
0x87D23000 \SystemRoot\system32\drivers\volsnap.sys
0x87D5C000 \SystemRoot\System32\Drivers\spldr.sys
0x87D64000 \SystemRoot\System32\Drivers\mup.sys
0x87D73000 \SystemRoot\System32\drivers\ecache.sys
0x87D9A000 \SystemRoot\system32\drivers\disk.sys
0x87DAB000 \SystemRoot\system32\drivers\crcdisk.sys
0x87DB4000 \SystemRoot\system32\DRIVERS\28279082.sys
0x87C00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x833F1000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x83200000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x831BD000 \SystemRoot\system32\DRIVERS\serial.sys
0x831D7000 \SystemRoot\system32\DRIVERS\serenum.sys
0x831E1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x831F4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x87DFD000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x8C004000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8C00E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8C04C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8C05B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8C0E8000 \SystemRoot\system32\DRIVERS\smserial.sys
0x8C801000 \SystemRoot\system32\drivers\modem.sys
0x8C80E000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8C81E000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8C82C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C844000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8C846000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C84C000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8CA0C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8D48A000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x8D48C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8D52D000 \SystemRoot\System32\drivers\watchdog.sys
0x8D539000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8D542000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D571000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D57C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D593000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D59E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D5C1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D5D0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D5E4000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C94C000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8CA00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8D5F9000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C95C000 \SystemRoot\system32\DRIVERS\ks.sys
0x8C986000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C990000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C99D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C9D2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0x8C9DC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D603000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8D804000 \SystemRoot\system32\drivers\portcls.sys
0x8D831000 \SystemRoot\system32\drivers\drmk.sys
0x8D856000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8D879000 \SystemRoot\system32\DRIVERS\2827908.sys
0x8D8C9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D8D2000 \SystemRoot\System32\Drivers\Null.SYS
0x8D8D9000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D8E9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8D8F0000 \SystemRoot\System32\drivers\vga.sys
0x8D8FC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D91D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D925000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8D93A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8D93C000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D944000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D94F000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D95D000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8DC0F000 \SystemRoot\System32\drivers\tcpip.sys
0x8DCF9000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8DD14000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8DD2A000 \SystemRoot\system32\DRIVERS\smb.sys
0x8DD3E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DD70000 \SystemRoot\system32\drivers\afd.sys
0x8DDB8000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DDCE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DDDC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D966000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DDEF000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D9A2000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DE03000 \SystemRoot\system32\DRIVERS\28279081.sys
0x8E323000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E33A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8E343000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E353000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8E35C000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8E369000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8E373000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x95E90000 \SystemRoot\System32\win32k.sys
0x8E398000 \SystemRoot\System32\drivers\Dxapi.sys
0x8E3A2000 \SystemRoot\system32\DRIVERS\monitor.sys
0x960B0000 \SystemRoot\System32\TSDDD.dll
0x960D0000 \SystemRoot\System32\cdd.dll
0x8E3B1000 \SystemRoot\system32\drivers\luafv.sys
0x81E09000 \SystemRoot\system32\drivers\spsys.sys
0x81EB9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x81EC9000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x81EDC000 \SystemRoot\system32\drivers\HTTP.sys
0x81F49000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81F66000 \SystemRoot\system32\DRIVERS\bowser.sys
0x81F7F000 \SystemRoot\System32\drivers\mpsdrv.sys
0x81F94000 \SystemRoot\system32\drivers\mrxdav.sys
0x81FB5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8D9B9000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x81FD4000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x8E3CC000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9B605000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B653000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0x9B65A000 \SystemRoot\system32\drivers\peauth.sys
0x9B738000 \SystemRoot\system32\DRIVERS\PSDNServ.sys
0x9B741000 \SystemRoot\system32\DRIVERS\PSDVdisk.sys
0x9B753000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9B75D000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9B769000 \??\C:\Windows\system32\drivers\tvicport.sys
0x9B76C000 \??\C:\Program Files\Free Ride Games\X4HS32Ex.Sys
0x9B77C000 \??\C:\Windows\system32\drivers\zntport.sys
0x9B77D000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77860000 \Windows\System32\ntdll.dll
Processes (total 71):
0 System Idle Process
4 System
464 C:\Windows\System32\smss.exe
532 csrss.exe
584 C:\Windows\System32\wininit.exe
596 csrss.exe
628 C:\Windows\System32\services.exe
640 C:\Windows\System32\lsass.exe
652 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\winlogon.exe
840 C:\Windows\System32\svchost.exe
888 C:\Windows\System32\nvvsvc.exe
916 C:\Windows\System32\svchost.exe
952 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1148 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\audiodg.exe
1320 C:\Windows\System32\svchost.exe
1340 C:\Windows\System32\SLsvc.exe
1380 C:\Windows\System32\svchost.exe
1464 C:\Windows\System32\nvvsvc.exe
1600 C:\Windows\System32\svchost.exe
1776 C:\Windows\System32\spoolsv.exe
1804 C:\Windows\System32\svchost.exe
296 C:\Windows\System32\dwm.exe
312 C:\Windows\System32\taskeng.exe
452 C:\Windows\explorer.exe
1068 C:\Windows\System32\taskeng.exe
912 C:\Windows\RtHDVCpl.exe
1092 C:\Acer\Empowering Technology\SysMonitor.exe
1096 C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
2020 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
2068 C:\Windows\System32\nvraidservice.exe
2132 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2156 C:\Program Files\iTunes\iTunesHelper.exe
2164 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2184 C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
2200 C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
2252 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2272 C:\Program Files\Bonjour\mDNSResponder.exe
2340 C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
2524 C:\Program Files\Microsoft Security Essentials\msseces.exe
2616 C:\Program Files\Windows Sidebar\sidebar.exe
2668 C:\Windows\ehome\ehtray.exe
2684 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
2720 C:\Program Files\Skype\Phone\Skype.exe
2828 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2888 C:\Program Files\Common Files\Motive\McciCMService.exe
3004 C:\Windows\System32\svchost.exe
3056 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
3092 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
3160 C:\Windows\System32\svchost.exe
3220 C:\Windows\System32\svchost.exe
3252 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3316 C:\Windows\System32\SearchIndexer.exe
3376 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3444 C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
3528 C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
3840 WmiPrvSE.exe
3888 C:\Windows\ehome\ehmsas.exe
2024 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2968 WmiPrvSE.exe
4032 C:\Program Files\iPod\bin\iPodService.exe
2092 C:\Windows\System32\wbem\unsecapp.exe
5164 C:\Program Files\Skype\Plugin Manager\skypePM.exe
5484 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
5356 C:\Windows\System32\wuauclt.exe
5284 C:\Windows\System32\SearchProtocolHost.exe
1356 C:\Windows\System32\SearchFilterHost.exe
4184 C:\Users\Administrator\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e2200000 (NTFS)
PhysicalDrive0 Model Number: WDC WD1600AAJS-22WAA, Rev: 58.0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Done!
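The MBRCheck report above is plain text, and the lines a responder actually needs (the per-disk "MBR Status" verdict, the SHA1 of the MBR code, the "Found non-standard or infected MBR." line, and the kernel driver list) are easy to pull out programmatically when several such logs have to be reviewed. The following parser is an added example written for this thread; it is not MBRCheck's own code, and the sample report it runs on is a constructed, shortened copy of the log posted above (the MBR status, SHA1 and the two `\??\` driver paths are taken from the log; the rest is trimmed). The "drivers loaded outside \SystemRoot" list is only a review heuristic I added: OEM and third-party drivers legitimately load by full path, so it points at what to look at, not at what is malicious.

```python
"""Parser for the MBRCheck text report format (added example, not MBRCheck's own code).

It extracts the per-disk MBR verdict, the SHA1 of the MBR code, the
'Found non-standard or infected MBR.' verdict and the kernel driver list,
and lists drivers loaded by a full \\??\\ path instead of from \\SystemRoot
so they can be reviewed alongside the MBR verdict (heuristic, not a verdict).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed report in the shape of the MBRCheck 1.2.3
# output posted in the thread. The driver list is shortened to a few lines.
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Kernel Drivers (total 5):
0x82413000 \SystemRoot\system32\ntkrnlpa.exe
0x82A92000 \SystemRoot\System32\Drivers\spzo.sys
0x9B653000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0x9B76C000 \??\C:\Program Files\Free Ride Games\X4HS32Ex.Sys
0x77860000 \Windows\System32\ntdll.dll
Processes (total 2):
0 System Idle Process
4 System
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
PhysicalDrive0 Model Number: WDC WD1600AAJS-22WAA, Rev: 58.0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Done!
"""

DRIVER_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(\S.*)$")          # load address + image path
DISK_RE = re.compile(r"^(\d+\s*[KMGT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")  # size, device, status
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")


@dataclass
class DiskVerdict:
    device: str
    size: str
    status: str
    sha1: Optional[str] = None   # SHA1 of the MBR code, printed on the line after the status


@dataclass
class MbrCheckReport:
    windows_version: str = ""
    drivers: List[Tuple[int, str]] = field(default_factory=list)
    disks: List[DiskVerdict] = field(default_factory=list)
    infected_mbr: bool = False   # set when the report prints the non-standard/infected line


def parse_report(text: str) -> MbrCheckReport:
    """Walk the report line by line; the driver list is a section, the rest are single lines."""
    rep = MbrCheckReport()
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Windows Version:"):
            rep.windows_version = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Kernel Drivers"):
            section = "drivers"
            continue
        if line.startswith("Processes"):
            section = "processes"
            continue
        if section == "drivers":
            m = DRIVER_RE.match(line)
            if m:
                rep.drivers.append((int(m.group(1), 16), m.group(2)))
                continue
        m = DISK_RE.match(line)
        if m:
            rep.disks.append(DiskVerdict(device=m.group(2), size=m.group(1), status=m.group(3).strip()))
            continue
        m = SHA1_RE.match(line)
        if m and rep.disks:
            rep.disks[-1].sha1 = m.group(1).upper()   # the SHA1 belongs to the disk listed just before it
            continue
        if line.startswith("Found non-standard or infected MBR"):
            rep.infected_mbr = True
    return rep


def mbr_flagged(rep: MbrCheckReport) -> bool:
    """True when MBRCheck itself reported faked or non-standard MBR code."""
    return rep.infected_mbr or any("Faked" in d.status for d in rep.disks)


def drivers_outside_systemroot(rep: MbrCheckReport) -> List[str]:
    """Review heuristic (my assumption, not MBRCheck's): drivers loaded by full \\??\\ path."""
    return [path for _, path in rep.drivers if path.startswith("\\??\\")]


def summarize(rep: MbrCheckReport) -> List[str]:
    out = [f"Windows: {rep.windows_version}"]
    for d in rep.disks:
        out.append(f"{d.device} ({d.size}): {d.status}; MBR code SHA1 {d.sha1 or 'n/a'}")
    out.append("MBR verdict: " + ("NON-STANDARD - review the boot chain" if mbr_flagged(rep) else "standard"))
    for path in drivers_outside_systemroot(rep):
        out.append(f"driver loaded outside \\SystemRoot: {path}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_report(SAMPLE_REPORT))))
```

Run it on a saved MBRCheck report by reading the file into `parse_report` instead of `SAMPLE_REPORT`; the SHA1 it extracts is what you would compare across machines or against a known-good MBR image when deciding whether the "MBR Code Faked!" verdict is a real rootkit or an OEM boot loader.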


----------



## emeraldnzl (Nov 3, 2007)

Run MBRCheck and this time when finished

Enter 'Y' and hit ENTER

Select [3] Windows Vista

Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.

*After that*

See if you can run OTL.


Close all windows and open *OTL* again. 
Click *Run Scan* and let the program run uninterrupted
It will produce a log for you. Post the log here.


----------



## link2998 (Sep 10, 2010)

mbrcheck didn't give me option [3] windows vista. Instead I got:

"options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:"

so I had to choose 3

here's the log:

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ACER
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: ACER
System Product Name: Aspire M1641
Logical Drives Mask: 0x0000001c
Kernel Drivers (total 155):
0x82413000 \SystemRoot\system32\ntkrnlpa.exe
0x827CC000 \SystemRoot\system32\hal.dll
0x80603000 \SystemRoot\system32\kdcom.dll
0x8060A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8067A000 \SystemRoot\system32\PSHED.dll
0x8068B000 \SystemRoot\system32\BOOTVID.dll
0x80693000 \SystemRoot\system32\CLFS.SYS
0x806D4000 \SystemRoot\system32\CI.dll
0x82A09000 \SystemRoot\system32\drivers\Wdf01000.sys
0x82A85000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x82A92000 \SystemRoot\System32\Drivers\spzo.sys
0x82B93000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x82B9C000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x807B4000 \SystemRoot\system32\drivers\acpi.sys
0x82BC2000 \SystemRoot\system32\drivers\msisadrv.sys
0x82BCA000 \SystemRoot\system32\drivers\pci.sys
0x82BF1000 \SystemRoot\System32\drivers\partmgr.sys
0x83008000 \SystemRoot\system32\drivers\volmgr.sys
0x83017000 \SystemRoot\System32\drivers\volmgrx.sys
0x83061000 \SystemRoot\system32\drivers\nvrd32.sys
0x83085000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x830A6000 \SystemRoot\system32\drivers\pciide.sys
0x830AD000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x830BB000 \SystemRoot\System32\drivers\mountmgr.sys
0x830CB000 \SystemRoot\system32\drivers\nvraid.sys
0x830E6000 \SystemRoot\system32\drivers\atapi.kav
0x830EE000 \SystemRoot\system32\drivers\ataport.SYS
0x8310C000 \SystemRoot\system32\drivers\nvstor32.sys
0x83131000 \SystemRoot\system32\drivers\storport.sys
0x83172000 \SystemRoot\system32\drivers\fltmgr.sys
0x831A4000 \SystemRoot\system32\drivers\fileinfo.sys
0x831B4000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x8320F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x83280000 \SystemRoot\system32\drivers\ndis.sys
0x8338B000 \SystemRoot\system32\drivers\msrpc.sys
0x833B6000 \SystemRoot\system32\drivers\NETIO.SYS
0x87C0B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87D1B000 \SystemRoot\SYSTEM32\DRIVERS\WD.SYS
0x87D23000 \SystemRoot\system32\drivers\volsnap.sys
0x87D5C000 \SystemRoot\System32\Drivers\spldr.sys
0x87D64000 \SystemRoot\System32\Drivers\mup.sys
0x87D73000 \SystemRoot\System32\drivers\ecache.sys
0x87D9A000 \SystemRoot\system32\drivers\disk.sys
0x87DAB000 \SystemRoot\system32\drivers\crcdisk.sys
0x87DB4000 \SystemRoot\system32\DRIVERS\28279082.sys
0x87C00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x833F1000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x83200000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x831BD000 \SystemRoot\system32\DRIVERS\serial.sys
0x831D7000 \SystemRoot\system32\DRIVERS\serenum.sys
0x831E1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x831F4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x87DFD000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x8C004000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8C00E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8C04C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8C05B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8C0E8000 \SystemRoot\system32\DRIVERS\smserial.sys
0x8C801000 \SystemRoot\system32\drivers\modem.sys
0x8C80E000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8C81E000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8C82C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C844000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8C846000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C84C000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8CA0C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8D48A000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x8D48C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8D52D000 \SystemRoot\System32\drivers\watchdog.sys
0x8D539000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8D542000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D571000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D57C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D593000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D59E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D5C1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D5D0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D5E4000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C94C000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8CA00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8D5F9000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C95C000 \SystemRoot\system32\DRIVERS\ks.sys
0x8C986000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C990000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C99D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C9D2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0x8C9DC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D603000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8D804000 \SystemRoot\system32\drivers\portcls.sys
0x8D831000 \SystemRoot\system32\drivers\drmk.sys
0x8D856000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8D879000 \SystemRoot\system32\DRIVERS\2827908.sys
0x8D8C9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D8D2000 \SystemRoot\System32\Drivers\Null.SYS
0x8D8D9000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D8E9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8D8F0000 \SystemRoot\System32\drivers\vga.sys
0x8D8FC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D91D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D93A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8D93C000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D944000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D94F000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D95D000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8DC0F000 \SystemRoot\System32\drivers\tcpip.sys
0x8DCF9000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8DD14000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8DD2A000 \SystemRoot\system32\DRIVERS\smb.sys
0x8DD3E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DD70000 \SystemRoot\system32\drivers\afd.sys
0x8DDB8000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DDCE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DDDC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D966000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DDEF000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D9A2000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DE03000 \SystemRoot\system32\DRIVERS\28279081.sys
0x8E323000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E33A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8E343000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E353000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8E35C000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8E369000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8E373000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x95E90000 \SystemRoot\System32\win32k.sys
0x8E398000 \SystemRoot\System32\drivers\Dxapi.sys
0x8E3A2000 \SystemRoot\system32\DRIVERS\monitor.sys
0x960B0000 \SystemRoot\System32\TSDDD.dll
0x960D0000 \SystemRoot\System32\cdd.dll
0x8E3B1000 \SystemRoot\system32\drivers\luafv.sys
0x81E09000 \SystemRoot\system32\drivers\spsys.sys
0x81EB9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x81EC9000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x81EDC000 \SystemRoot\system32\drivers\HTTP.sys
0x81F49000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81F66000 \SystemRoot\system32\DRIVERS\bowser.sys
0x81F7F000 \SystemRoot\System32\drivers\mpsdrv.sys
0x81F94000 \SystemRoot\system32\drivers\mrxdav.sys
0x81FB5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8D9B9000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x81FD4000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x8E3CC000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9B605000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B653000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0x9B65A000 \SystemRoot\system32\drivers\peauth.sys
0x9B738000 \SystemRoot\system32\DRIVERS\PSDNServ.sys
0x9B741000 \SystemRoot\system32\DRIVERS\PSDVdisk.sys
0x9B753000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9B75D000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9B769000 \??\C:\Windows\system32\drivers\tvicport.sys
0x9B76C000 \??\C:\Program Files\Free Ride Games\X4HS32Ex.Sys
0x9B77C000 \??\C:\Windows\system32\drivers\zntport.sys
0x9B77D000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x9B793000 \SystemRoot\system32\DRIVERS\MpNWMon.sys
0x77860000 \Windows\System32\ntdll.dll
Processes (total 70):
0 System Idle Process
4 System
464 C:\Windows\System32\smss.exe
532 csrss.exe
584 C:\Windows\System32\wininit.exe
596 csrss.exe
628 C:\Windows\System32\services.exe
640 C:\Windows\System32\lsass.exe
652 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\winlogon.exe
840 C:\Windows\System32\svchost.exe
888 C:\Windows\System32\nvvsvc.exe
916 C:\Windows\System32\svchost.exe
952 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1148 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\audiodg.exe
1320 C:\Windows\System32\svchost.exe
1340 C:\Windows\System32\SLsvc.exe
1380 C:\Windows\System32\svchost.exe
1464 C:\Windows\System32\nvvsvc.exe
1600 C:\Windows\System32\svchost.exe
1776 C:\Windows\System32\spoolsv.exe
1804 C:\Windows\System32\svchost.exe
296 C:\Windows\System32\dwm.exe
312 C:\Windows\System32\taskeng.exe
452 C:\Windows\explorer.exe
1068 C:\Windows\System32\taskeng.exe
912 C:\Windows\RtHDVCpl.exe
1092 C:\Acer\Empowering Technology\SysMonitor.exe
1096 C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
2020 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
2068 C:\Windows\System32\nvraidservice.exe
2132 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2156 C:\Program Files\iTunes\iTunesHelper.exe
2164 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2184 C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
2200 C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
2252 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2272 C:\Program Files\Bonjour\mDNSResponder.exe
2340 C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
2524 C:\Program Files\Microsoft Security Essentials\msseces.exe
2668 C:\Windows\ehome\ehtray.exe
2828 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2888 C:\Program Files\Common Files\Motive\McciCMService.exe
3004 C:\Windows\System32\svchost.exe
3056 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
3092 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
3160 C:\Windows\System32\svchost.exe
3220 C:\Windows\System32\svchost.exe
3252 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3316 C:\Windows\System32\SearchIndexer.exe
3376 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3444 C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
3528 C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
3840 WmiPrvSE.exe
3888 C:\Windows\ehome\ehmsas.exe
2024 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2968 WmiPrvSE.exe
4032 C:\Program Files\iPod\bin\iPodService.exe
2092 C:\Windows\System32\wbem\unsecapp.exe
3996 C:\Windows\System32\wuauclt.exe
5120 C:\Windows\System32\SearchProtocolHost.exe
3276 C:\Program Files\Internet Explorer\iexplore.exe
3492 C:\Program Files\Internet Explorer\iexplore.exe
620 C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
1360 C:\Windows\System32\SearchFilterHost.exe
4964 C:\Windows\System32\SearchProtocolHost.exe
4976 C:\Users\Administrator\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e2200000 (NTFS)
PhysicalDrive0 Model Number: WDC WD1600AAJS-22WAA, Rev: 58.0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice: 
Done!


----------



## emeraldnzl (Nov 3, 2007)

Okay, you will have to delete your copy of MBRCheck and download a new version.

Please download *MBRCheck.exe* to your Desktop. Run the application.

If an infection is found, you will be presented with the following dialog:



> Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Enter 'Y' and hit ENTER

Select [3] Windows Vista

Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.


----------
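The MBRCheck output in this thread reports three things about sector 0 of PhysicalDrive0: whether the boot code is recognised ("MBR Code Faked!"), a SHA1 of it, and the byte offset on the disk at which each volume begins. The following is an added example, written for this page and not code from either poster or from MBRCheck, that performs the same inspection on a raw 512-byte sector: it checks the 0x55AA signature, hashes the 440-byte boot-code area, decodes the partition table, and maps MBRCheck's per-volume "at offset" values back onto partition entries. The sample sector is constructed: the boot code is NOP filler, the disk signature and partition sizes are made up, and only the two partition start offsets are taken from the `\\.\C:` and `\\.\D:` lines in the logs above. Which byte range MBRCheck itself hashes is not stated on the page, so the digest this code computes is not expected to equal the FE9DEC... value in the logs.

```python
"""Inspect a raw 512-byte MBR sector: signature, boot-code hash, partition table.

Added example for this thread, not code from MBRCheck or from either poster.
The sample sector is constructed; only the two partition start offsets come
from the per-volume "at offset" lines of the MBRCheck logs.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold boot code; 440..443 the NT disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries at 446..509
MBR_SIGNATURE = 0xAA55     # stored little-endian as 55 AA at bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count


def mbrcheck_offset(text: str) -> int:
    """Parse an offset as MBRCheck prints it, e.g. 0x00000002`70a00000 (backtick splits the two dwords)."""
    return int(text.replace("`", ""), 16)


def build_sample_mbr() -> bytes:
    """Constructed MBR used as sample input (not a real disk image)."""
    boot_code = b"\x90" * BOOT_CODE_LEN                 # NOP filler; real boot code is x86 that loads the VBR
    disk_signature = b"\x12\x34\x56\x78"                # made-up NT disk signature
    reserved = b"\x00\x00"
    c_start = mbrcheck_offset("0x00000002`70a00000") // SECTOR_SIZE   # 0x1385000, from the C: line
    d_start = mbrcheck_offset("0x00000013`e2200000") // SECTOR_SIZE   # 0x9F11000, from the D: line

    def entry(status: int, ptype: int, start_lba: int, count: int) -> bytes:
        # CHS fields are zero-filled; Windows uses the LBA fields.
        return struct.pack(PART_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start_lba, count)

    table = (
        entry(0x80, 0x07, c_start, d_start - c_start)   # active NTFS partition (C:)
        + entry(0x00, 0x07, d_start, 0x8000000)         # second NTFS partition (D:), size made up
        + bytes(32)                                     # two unused entries
    )
    return boot_code + disk_signature + reserved + table + struct.pack("<H", MBR_SIGNATURE)


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into a signature check, hashes and a partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    (signature,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        status, _, ptype, _, start_lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                                   # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "start_lba": start_lba,
            "sectors": count,
            "byte_offset": start_lba * SECTOR_SIZE,      # the value MBRCheck prints per volume
        })
    return {
        "signature_ok": signature == MBR_SIGNATURE,
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_boot_code(sector: bytes, known_good_sha1: set) -> str:
    """Whitelist check in the spirit of MBRCheck: unknown boot code is flagged, not proven malicious."""
    digest = parse_mbr(sector)["boot_code_sha1"]
    return "standard" if digest in known_good_sha1 else "non-standard or infected"


def match_volumes(sector: bytes, reported: dict) -> dict:
    """Map drive letters to a partition index via the byte offsets MBRCheck reported ({letter: index or None})."""
    by_offset = {p["byte_offset"]: p["index"] for p in parse_mbr(sector)["partitions"]}
    return {letter: by_offset.get(mbrcheck_offset(text)) for letter, text in reported.items()}


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("signature ok:", info["signature_ok"])
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print("partition %d: type 0x%02X start LBA 0x%X -> offset 0x%X"
              % (p["index"], p["type"], p["start_lba"], p["byte_offset"]))
    print(match_volumes(mbr, {"C": "0x00000002`70a00000", "D": "0x00000013`e2200000"}))
    print(classify_boot_code(mbr, set()))
```

To run this against a real disk on Windows, replace the sample with the first 512 bytes of `\\.\PhysicalDrive0`, read from an elevated Python process (`open(r"\\.\PhysicalDrive0", "rb").read(512)`); without an administrator token the open fails. Hashing the sector directly is the check that tells you whether a rewrite actually changed anything: the two MBRCheck runs in this thread report the same SHA1 before and after the attempted restore. One caveat applies to any read taken from the running system: a kernel-mode bootkit can hook the disk stack and hand back a clean copy of sector 0, so a normal-looking sector read from inside the infected OS is weaker evidence than one read offline from boot media.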



## link2998 (Sep 10, 2010)

Sorry, but I got the same. Here's the log:

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ACER
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: ACER
System Product Name: Aspire M1641
Logical Drives Mask: 0x0000001c
Kernel Drivers (total 155):
0x82413000 \SystemRoot\system32\ntkrnlpa.exe
0x827CC000 \SystemRoot\system32\hal.dll
0x80603000 \SystemRoot\system32\kdcom.dll
0x8060A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8067A000 \SystemRoot\system32\PSHED.dll
0x8068B000 \SystemRoot\system32\BOOTVID.dll
0x80693000 \SystemRoot\system32\CLFS.SYS
0x806D4000 \SystemRoot\system32\CI.dll
0x82A09000 \SystemRoot\system32\drivers\Wdf01000.sys
0x82A85000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x82A92000 \SystemRoot\System32\Drivers\spzo.sys
0x82B93000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x82B9C000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x807B4000 \SystemRoot\system32\drivers\acpi.sys
0x82BC2000 \SystemRoot\system32\drivers\msisadrv.sys
0x82BCA000 \SystemRoot\system32\drivers\pci.sys
0x82BF1000 \SystemRoot\System32\drivers\partmgr.sys
0x83008000 \SystemRoot\system32\drivers\volmgr.sys
0x83017000 \SystemRoot\System32\drivers\volmgrx.sys
0x83061000 \SystemRoot\system32\drivers\nvrd32.sys
0x83085000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x830A6000 \SystemRoot\system32\drivers\pciide.sys
0x830AD000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x830BB000 \SystemRoot\System32\drivers\mountmgr.sys
0x830CB000 \SystemRoot\system32\drivers\nvraid.sys
0x830E6000 \SystemRoot\system32\drivers\atapi.kav
0x830EE000 \SystemRoot\system32\drivers\ataport.SYS
0x8310C000 \SystemRoot\system32\drivers\nvstor32.sys
0x83131000 \SystemRoot\system32\drivers\storport.sys
0x83172000 \SystemRoot\system32\drivers\fltmgr.sys
0x831A4000 \SystemRoot\system32\drivers\fileinfo.sys
0x831B4000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x8320F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x83280000 \SystemRoot\system32\drivers\ndis.sys
0x8338B000 \SystemRoot\system32\drivers\msrpc.sys
0x833B6000 \SystemRoot\system32\drivers\NETIO.SYS
0x87C0B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87D1B000 \SystemRoot\SYSTEM32\DRIVERS\WD.SYS
0x87D23000 \SystemRoot\system32\drivers\volsnap.sys
0x87D5C000 \SystemRoot\System32\Drivers\spldr.sys
0x87D64000 \SystemRoot\System32\Drivers\mup.sys
0x87D73000 \SystemRoot\System32\drivers\ecache.sys
0x87D9A000 \SystemRoot\system32\drivers\disk.sys
0x87DAB000 \SystemRoot\system32\drivers\crcdisk.sys
0x87DB4000 \SystemRoot\system32\DRIVERS\28279082.sys
0x87C00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x833F1000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x83200000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x831BD000 \SystemRoot\system32\DRIVERS\serial.sys
0x831D7000 \SystemRoot\system32\DRIVERS\serenum.sys
0x831E1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x831F4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x87DFD000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x8C004000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8C00E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8C04C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8C05B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8C0E8000 \SystemRoot\system32\DRIVERS\smserial.sys
0x8C801000 \SystemRoot\system32\drivers\modem.sys
0x8C80E000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8C81E000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8C82C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C844000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8C846000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C84C000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8CA0C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8D48A000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x8D48C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8D52D000 \SystemRoot\System32\drivers\watchdog.sys
0x8D539000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8D542000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D571000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D57C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D593000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D59E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D5C1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D5D0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D5E4000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C94C000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8CA00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8D5F9000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C95C000 \SystemRoot\system32\DRIVERS\ks.sys
0x8C986000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C990000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C99D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C9D2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0x8C9DC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D603000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8D804000 \SystemRoot\system32\drivers\portcls.sys
0x8D831000 \SystemRoot\system32\drivers\drmk.sys
0x8D856000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8D879000 \SystemRoot\system32\DRIVERS\2827908.sys
0x8D8C9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D8D2000 \SystemRoot\System32\Drivers\Null.SYS
0x8D8D9000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D8E9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8D8F0000 \SystemRoot\System32\drivers\vga.sys
0x8D8FC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D91D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D93A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8D93C000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D944000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D94F000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D95D000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8DC0F000 \SystemRoot\System32\drivers\tcpip.sys
0x8DCF9000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8DD14000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8DD2A000 \SystemRoot\system32\DRIVERS\smb.sys
0x8DD3E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DD70000 \SystemRoot\system32\drivers\afd.sys
0x8DDB8000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DDCE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DDDC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D966000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DDEF000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D9A2000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DE03000 \SystemRoot\system32\DRIVERS\28279081.sys
0x8E323000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E33A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8E343000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E353000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8E35C000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8E369000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8E373000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x95E90000 \SystemRoot\System32\win32k.sys
0x8E398000 \SystemRoot\System32\drivers\Dxapi.sys
0x8E3A2000 \SystemRoot\system32\DRIVERS\monitor.sys
0x960B0000 \SystemRoot\System32\TSDDD.dll
0x960D0000 \SystemRoot\System32\cdd.dll
0x8E3B1000 \SystemRoot\system32\drivers\luafv.sys
0x81E09000 \SystemRoot\system32\drivers\spsys.sys
0x81EB9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x81EC9000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x81EDC000 \SystemRoot\system32\drivers\HTTP.sys
0x81F49000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81F66000 \SystemRoot\system32\DRIVERS\bowser.sys
0x81F7F000 \SystemRoot\System32\drivers\mpsdrv.sys
0x81F94000 \SystemRoot\system32\drivers\mrxdav.sys
0x81FB5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8D9B9000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x81FD4000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x8E3CC000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9B605000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B653000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0x9B65A000 \SystemRoot\system32\drivers\peauth.sys
0x9B738000 \SystemRoot\system32\DRIVERS\PSDNServ.sys
0x9B741000 \SystemRoot\system32\DRIVERS\PSDVdisk.sys
0x9B753000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9B75D000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9B769000 \??\C:\Windows\system32\drivers\tvicport.sys
0x9B76C000 \??\C:\Program Files\Free Ride Games\X4HS32Ex.Sys
0x9B77C000 \??\C:\Windows\system32\drivers\zntport.sys
0x9B77D000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x9B793000 \SystemRoot\system32\DRIVERS\MpNWMon.sys
0x77860000 \Windows\System32\ntdll.dll
Processes (total 70):
0 System Idle Process
4 System
464 C:\Windows\System32\smss.exe
532 csrss.exe
584 C:\Windows\System32\wininit.exe
596 csrss.exe
628 C:\Windows\System32\services.exe
640 C:\Windows\System32\lsass.exe
652 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\winlogon.exe
840 C:\Windows\System32\svchost.exe
888 C:\Windows\System32\nvvsvc.exe
916 C:\Windows\System32\svchost.exe
952 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1148 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\audiodg.exe
1320 C:\Windows\System32\svchost.exe
1340 C:\Windows\System32\SLsvc.exe
1380 C:\Windows\System32\svchost.exe
1464 C:\Windows\System32\nvvsvc.exe
1600 C:\Windows\System32\svchost.exe
1776 C:\Windows\System32\spoolsv.exe
1804 C:\Windows\System32\svchost.exe
296 C:\Windows\System32\dwm.exe
312 C:\Windows\System32\taskeng.exe
452 C:\Windows\explorer.exe
1068 C:\Windows\System32\taskeng.exe
912 C:\Windows\RtHDVCpl.exe
1092 C:\Acer\Empowering Technology\SysMonitor.exe
1096 C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
2020 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
2068 C:\Windows\System32\nvraidservice.exe
2132 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2156 C:\Program Files\iTunes\iTunesHelper.exe
2164 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2184 C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
2200 C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
2252 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2272 C:\Program Files\Bonjour\mDNSResponder.exe
2340 C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
2524 C:\Program Files\Microsoft Security Essentials\msseces.exe
2668 C:\Windows\ehome\ehtray.exe
2828 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2888 C:\Program Files\Common Files\Motive\McciCMService.exe
3004 C:\Windows\System32\svchost.exe
3056 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
3092 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
3160 C:\Windows\System32\svchost.exe
3220 C:\Windows\System32\svchost.exe
3252 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3316 C:\Windows\System32\SearchIndexer.exe
3376 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3444 C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
3528 C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
3840 WmiPrvSE.exe
3888 C:\Windows\ehome\ehmsas.exe
2024 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2968 WmiPrvSE.exe
4032 C:\Program Files\iPod\bin\iPodService.exe
2092 C:\Windows\System32\wbem\unsecapp.exe
3996 C:\Windows\System32\wuauclt.exe
3336 C:\Windows\System32\SearchProtocolHost.exe
3756 C:\Program Files\Internet Explorer\iexplore.exe
2768 C:\Program Files\Internet Explorer\iexplore.exe
5920 C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
3484 C:\Program Files\Internet Explorer\iexplore.exe
5484 C:\Windows\System32\SearchFilterHost.exe
4052 C:\Users\Administrator\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e2200000 (NTFS)
PhysicalDrive0 Model Number: WDC WD1600AAJS-22WAA, Rev: 58.0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice: 
Done!


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:filefind
*MBR*
```

Click the *Look* button to start the scan.
When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*.


----------



## link2998 (Sep 10, 2010)

SystemLook 04.09.10 by jpshortstuff
Log created at 11:36 on 15/09/2010 by Administrator
Administrator - Elevation successful
========== filefind ==========
Searching for "*MBR*"
C:\Acer\Empowering Technology\eRecovery\MBRwrWin.exe --a---- 200704 bytes [13:53 19/09/2008] [22:17 07/12/2006] DF024533734BD9899C61CF76ED571E6B
C:\Acer\Empowering Technology\eRecovery\RTMBR2.bin --a---- 512 bytes [13:53 19/09/2008] [21:14 11/11/2006] A2300A68BB40D2BE206EDE2F3B8F938E
C:\Combo-Fix\mbr.cfxxe --a---- 77312 bytes [21:12 14/09/2010] [10:11 25/10/2009] C5EC72A20B4C98DB5314E6C46765B148
C:\Combo-Fix\mbr.chk --a---- 2141 bytes [21:12 14/09/2010] [15:30 29/08/2010] 41F8EBCF1F2D68C0BD8644E328CB58C8
C:\Combo-Fix18356C\mbr.cfxxe --a---- 77312 bytes [21:14 14/09/2010] [10:11 25/10/2009] C5EC72A20B4C98DB5314E6C46765B148
C:\Combo-Fix18356C\mbr.chk --a---- 2141 bytes [21:14 14/09/2010] [15:30 29/08/2010] 41F8EBCF1F2D68C0BD8644E328CB58C8
C:\Combo-Fix24865C\mbr.cfxxe --a---- 77312 bytes [21:42 14/09/2010] [10:11 25/10/2009] C5EC72A20B4C98DB5314E6C46765B148
C:\Combo-Fix24865C\mbr.chk --a---- 2141 bytes [21:42 14/09/2010] [15:30 29/08/2010] 41F8EBCF1F2D68C0BD8644E328CB58C8
C:\Combo-Fix25822C\mbr.cfxxe --a---- 77312 bytes [22:28 14/09/2010] [10:11 25/10/2009] C5EC72A20B4C98DB5314E6C46765B148
C:\Combo-Fix25822C\mbr.chk --a---- 2141 bytes [22:28 14/09/2010] [15:30 29/08/2010] 41F8EBCF1F2D68C0BD8644E328CB58C8
C:\Combo-Fix6469C\mbr.cfxxe --a---- 77312 bytes [22:50 14/09/2010] [10:11 25/10/2009] C5EC72A20B4C98DB5314E6C46765B148
C:\Combo-Fix6469C\mbr.chk --a---- 2141 bytes [22:50 14/09/2010] [15:30 29/08/2010] 41F8EBCF1F2D68C0BD8644E328CB58C8
C:\Program Files\Acer Arcade Live\Acer HomeMedia\Customizations\Cyberlink\Layout\DMS\DMSItemBrowsing.xml --a---- 1585 bytes [19:46 16/03/2008] [23:05 30/01/2008] 6204B74B0EA4660CDF1B6E01B0BFBE5E
C:\Program Files\Acer Arcade Live\Acer HomeMedia\Presentation\Module\DMS\DMSItemBrowsing.kc --a---- 7745 bytes [19:46 16/03/2008] [23:07 30/01/2008] AEF33F260D2EF87D7CC10741A2F8F3B4
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Customizations\Cyberlink\Layout\DMS\DMSItemBrowsing.xml --a---- 1648 bytes [19:47 16/03/2008] [01:47 26/01/2008] 35BB4AC10300CF51A621562A709547A3
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Presentation\Module\DMS\DMSItemBrowsing.kc --a---- 8699 bytes [19:47 16/03/2008] [01:49 26/01/2008] BE98F2F41CCE414A486581A89E58EABE
C:\Program Files\Acer GameZone\Agatha Christie Death on the Nile\gameres\rooms\bar\images\#i_umbrella.png --a---- 28488 bytes [19:49 16/03/2008] [19:49 16/03/2008] D8466E3CA13F78139437E42574C028E0
C:\Program Files\Acer GameZone\Agatha Christie Death on the Nile\gameres\rooms\bar\images\#s_umbrella.png --a---- 18733 bytes [19:49 16/03/2008] [19:49 16/03/2008] 2666A00BD11B02B43DC5F914DB717C67
C:\Program Files\Acer GameZone\Agatha Christie Death on the Nile\gameres\rooms\mechanic\images\#i_umbrella.png --a---- 29261 bytes [19:49 16/03/2008] [19:49 16/03/2008] BF2766CD4442EEF0D5A82D89C2220EC8
C:\Program Files\Acer GameZone\Agatha Christie Death on the Nile\gameres\rooms\mechanic\images\#s_umbrella.png --a---- 34363 bytes [19:49 16/03/2008] [19:49 16/03/2008] 40024D53A037826EC565A5C4946CBF29
C:\Program Files\Acer GameZone\Jewel Quest Solitaire\audio\JQAmbRural.ogg --a---- 129641 bytes [12:38 20/11/2007] [12:38 20/11/2007] 9BD7238DAE0BAA9454A23A950E540B09
C:\Program Files\Acer GameZone\Zuma Deluxe\images\baBombRed.gif --a---- 679 bytes [13:14 20/11/2007] [13:14 20/11/2007] 44425AA15265905EC7227304DDC6E547
C:\Program Files\Java\jre1.6.0_01\lib\zi\America\Cambridge_Bay --a---- 1096 bytes [08:00 01/09/2010] [08:00 01/09/2010] 9E3053C380148B0C966BBF307600A51A
C:\Program Files\Java\jre6\lib\zi\America\Cambridge_Bay --a---- 1076 bytes [10:15 07/10/2009] [10:15 07/10/2009] 89DE3D027493B9DBE3298A06FEF9A89D
C:\Program Files\Microsoft Works\1033\WkThmBro.fmt -ra---- 13081 bytes [20:26 16/03/2008] [01:04 06/01/2005] C3428B41F774851DC1DB13B0716CCFB7
C:\Program Files\Safari\Safari.resources\CoverflowScrollThumbRight-Pressed.png --a---- 530 bytes [01:24 04/06/2010] [01:24 04/06/2010] EEB0DE51863002864465626C78DC8028
C:\Program Files\Safari\Safari.resources\CoverflowScrollThumbRight.png --a---- 523 bytes [01:24 04/06/2010] [01:24 04/06/2010] 2D0A6A54464FD2D8415968F39FEF0C5F
C:\Program Files\VideoLAN\VLC\lua\playlist\lelombrik.lua --a---- 1662 bytes [21:17 26/07/2009] [21:17 26/07/2009] 2EA40082837A1CBE1567335AB8839EAD
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09.14.10_21.16.31.lnk --a---- 592 bytes [01:16 15/09/2010] [02:25 15/09/2010] 8C7284C34056657A77ABB5047C9F8A15
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.27.54.lnk --a---- 592 bytes [02:29 15/09/2010] [02:29 15/09/2010] C4F7F42FDD5BC145205C2788F7E8158C
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.48.24.lnk --a---- 592 bytes [02:48 15/09/2010] [02:48 15/09/2010] AA621C5297D42B0F82566E7E37BD8638
C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_21.16.31.lnk --a---- 592 bytes [01:16 15/09/2010] [02:25 15/09/2010] 8C7284C34056657A77ABB5047C9F8A15
C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.27.54.lnk --a---- 592 bytes [02:29 15/09/2010] [02:29 15/09/2010] C4F7F42FDD5BC145205C2788F7E8158C
C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.48.24.lnk --a---- 592 bytes [02:48 15/09/2010] [02:48 15/09/2010] AA621C5297D42B0F82566E7E37BD8638
C:\Users\Administrator\Desktop\MBRCheck.exe --a---- 80384 bytes [02:46 15/09/2010] [02:48 15/09/2010] CB2D120A4B72422A8141192831B1F500
C:\Users\Administrator\Desktop\MBRCheck_09.14.10_22.48.24.txt --a---- 12975 bytes [02:48 15/09/2010] [02:48 15/09/2010] 809C94A2508346D0DD4C6F4DE513B825
C:\Users\Administrator\Recent\MBRCheck_09.14.10_21.16.31.lnk --a---- 592 bytes [01:16 15/09/2010] [02:25 15/09/2010] 8C7284C34056657A77ABB5047C9F8A15
C:\Users\Administrator\Recent\MBRCheck_09.14.10_22.27.54.lnk --a---- 592 bytes [02:29 15/09/2010] [02:29 15/09/2010] C4F7F42FDD5BC145205C2788F7E8158C
C:\Users\Administrator\Recent\MBRCheck_09.14.10_22.48.24.lnk --a---- 592 bytes [02:48 15/09/2010] [02:48 15/09/2010] AA621C5297D42B0F82566E7E37BD8638
C:\Users\Richard F. Bahr III\AppData\Roaming\Microsoft\Windows\Recent\01 Encore Performance of Phil Imbrogno.mp3 (2).lnk --a---- 964 bytes [02:42 07/01/2010] [02:42 07/01/2010] FB8E6E5D2B492A7DAB36D0958613E626
C:\Users\Richard F. Bahr III\AppData\Roaming\Microsoft\Windows\Recent\01 Encore Performance of Phil Imbrogno.mp3.lnk --a---- 964 bytes [02:37 07/01/2010] [02:37 07/01/2010] 55F7372AB521FDF324310EF1E024409D
C:\Users\Richard F. Bahr III\AppData\Roaming\Microsoft\Windows\Recent\02 Encore Performance of Phil Imbrogno.lnk --a---- 964 bytes [01:07 06/01/2010] [01:10 06/01/2010] F48945A114C8B5AFB72A7BEA8B216A81
C:\Users\Richard F. Bahr III\AppData\Roaming\Microsoft\Windows\Recent\Encore Performance of Phil Imbrogno.lnk --a---- 627 bytes [01:09 06/01/2010] [02:42 07/01/2010] 726247D4CED7047A017140AF3086A180
C:\Users\Richard F. Bahr III\AppData\Roaming\Microsoft\Windows\Recent\Encore Performance of Phil Imbrogno.mp3.lnk --a---- 981 bytes [02:34 07/01/2010] [02:34 07/01/2010] ADB1D905A8A60D138C9E9890C76099AF
C:\Users\Richard F. Bahr III\Application Data\Microsoft\Windows\Recent\01 Encore Performance of Phil Imbrogno.mp3 (2).lnk --a---- 964 bytes [02:42 07/01/2010] [02:42 07/01/2010] FB8E6E5D2B492A7DAB36D0958613E626
C:\Users\Richard F. Bahr III\Application Data\Microsoft\Windows\Recent\01 Encore Performance of Phil Imbrogno.mp3.lnk --a---- 964 bytes [02:37 07/01/2010] [02:37 07/01/2010] 55F7372AB521FDF324310EF1E024409D
C:\Users\Richard F. Bahr III\Application Data\Microsoft\Windows\Recent\02 Encore Performance of Phil Imbrogno.lnk --a---- 964 bytes [01:07 06/01/2010] [01:10 06/01/2010] F48945A114C8B5AFB72A7BEA8B216A81
C:\Users\Richard F. Bahr III\Application Data\Microsoft\Windows\Recent\Encore Performance of Phil Imbrogno.lnk --a---- 627 bytes [01:09 06/01/2010] [02:42 07/01/2010] 726247D4CED7047A017140AF3086A180


----------



## emeraldnzl (Nov 3, 2007)

*Save* it to your *desktop*.
Please double-click *OTM.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Files
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09 .14.10_21.16.31.lnk
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09 .14.10_22.27.54.lnk
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09 .14.10_22.48.24.lnk
C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_21.16.31.lnk
C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.27.54.lnk
C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.48.24.lnk
C:\Users\Administrator\Desktop\MBRCheck.exe
C:\Users\Administrator\Desktop\MBRCheck_09.14.10_22.48.24.txt
C:\Users\Administrator\Recent\MBRCheck_09.14.10_21.16.31.lnk
C:\Users\Administrator\Recent\MBRCheck_09.14.10_22.27.54.lnk
C:\Users\Administrator\Recent\MBRCheck_09.14.10_22.48.24.lnk

:commands
[Reboot]
```

Return to OTM, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM.*

*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter **.log* and press the Enter key, navigate to the *C:\_OTM\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Make sure you allow your computer to reboot after running the OTM one. It should by default but if it doesn't please do it.

*After that*

Please download MBRCheck.exe to your Desktop.


Double click to run it.
It will prompt you with some text.
Left click on the title bar (where the program name and path are written).
From the menu choose *Edit* > *Select All*.
Press the *Enter* key on the keyboard to copy the selected text.
Paste that text back here.

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Enter 'Y' and hit ENTER

Select [3] Windows Vista

Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.

Come back here and tell me how it went.


----------



## link2998 (Sep 10, 2010)

Hi Emrld,
Here's the OTM log:

========== FILES ==========
File/Folder C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09 .14.10_21.16.31.lnk not found.
File/Folder C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09 .14.10_22.27.54.lnk not found.
File/Folder C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\MBRCheck_09 .14.10_22.48.24.lnk not found.
File/Folder C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_21.16.31.lnk not found.
File/Folder C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.27.54.lnk not found.
File/Folder C:\Users\Administrator\Application Data\Microsoft\Windows\Recent\MBRCheck_09.14.10_22.48.24.lnk not found.
File/Folder C:\Users\Administrator\Desktop\MBRCheck.exe not found.
File/Folder C:\Users\Administrator\Desktop\MBRCheck_09.14.10_22.48.24.txt not found.
File/Folder C:\Users\Administrator\Recent\MBRCheck_09.14.10_21.16.31.lnk not found.
File/Folder C:\Users\Administrator\Recent\MBRCheck_09.14.10_22.27.54.lnk not found.
File/Folder C:\Users\Administrator\Recent\MBRCheck_09.14.10_22.48.24.lnk not found.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.16.0 log created on 09152010_161350

Now I'll continue to the rest of your instructions.


----------



## link2998 (Sep 10, 2010)

Here's the MBRCheck text copied:

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ACER
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: ACER
System Product Name: Aspire M1641
Logical Drives Mask: 0x000001fc
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e2200000 (NTFS)
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

I'll continue with your instructions.


----------



## link2998 (Sep 10, 2010)

It still gives me a different set of options. Here's what it looks like:

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ACER
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: ACER
System Product Name: Aspire M1641
Logical Drives Mask: 0x000001fc
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e2200000 (NTFS)
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: Y
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice: 3

Done!
Press ENTER to exit...


----------



## emeraldnzl (Nov 3, 2007)

Okay, my bad, I overlooked that there is an in-between option.

Please run it again but this time enter [2]

We want to restore your MBR

Then you should be offered a choice of MBR Codes. This is where you need to enter [3] Windows Vista

Type 'YES' and hit ENTER

Reboot your machine.

Tell me how you get on.


----------



## link2998 (Sep 10, 2010)

This is what I get:

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ACER
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: ACER
System Product Name: Aspire M1641
Logical Drives Mask: 0x000001fc
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70a00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`e2200000 (NTFS)
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: FE9DEC202C68225A60BA224B3417475E24A6D7EA

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice: 2
Enter the physical disk number to fix (0-99, -1 to cancel): -1

Done!
Press ENTER to exit...


----------



## emeraldnzl (Nov 3, 2007)

Okay my apologies, I should have elaborated.

When it said enter physical disk number

Enter "0"; this equates to the C drive.

Then you should be offered a choice of MBR Codes. This is where you need to enter [3] Windows Vista

Type *'YES'* and hit *ENTER* to continue

Successfully wrote new MBR code!

Reboot your machine.


----------



## link2998 (Sep 10, 2010)

Hello emrld,

this is what happened after I rebooted:

"Nvidia Boot Agent 249.052

[Copyrights]

CLIENT MAC ADDR: 00 21 85 3D F0 DA GUID: 00211853D-F0DA-2008-0919-043921000000"

then came this first:

"DHCP.......[cycles through slashes to show a moving wheel]"

then after a while:

"PXE-E53:No boot filename recieved
PXE-M0F: Exiting NVIDIA BOOT AGENT

Reboot and select proper Boot device or Insert Boot Media in Selected Boot device and Press a Key."

I tried going into the BIOS to choose the hard drive to boot from but no luck. I am now posting from a different computer. Can you help me boot successfully and continue?


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,

I believe this


> "PXE-E53:No boot filename recieved


means your computer is attempting to boot from a network server.

Check your BIOS and make sure "PXE booting" is not an option in the boot menu. If it is, remove it. Also, looking at an item posted at another forum, I see that there are some motherboards that have this feature in the BIOS and require you to "un-check" it to disable it.

Try that and let me know if it works.

Also do you have your Windows CD for that machine?


----------



## link2998 (Sep 10, 2010)

There is no "PXE booting" option in the BIOS, but there is:

"First Boot Device [SATA:3M-WDC WD1600]
Second Boot Device [CD/DVD:3S-ATAPI DV]
Third Boot Device [USB:Generic USB SD]"

It's an American Megatrends BIOS (v02.61).


----------



## link2998 (Sep 10, 2010)

Also, alas, I don't have the disk. It didn't come with my comp. I should have made a boot disk but I didn't.
Actually the system BIOS version is 08.00.15. The SMBIOS version is 2.5.


----------



## emeraldnzl (Nov 3, 2007)

My apologies for the delay, I have been researching this.

The solutions I have been looking at are outside my knowledge so I am going to ask for help. 

Hopefully someone with a bit more nous than I will respond. Might be a wee while as we work in different time zones.


----------



## link2998 (Sep 10, 2010)

ok, I'll wait. thnx.


----------



## Elvandil (Aug 1, 2003)

Could you please tell us again the make and model of your computer?


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,

Let's see whether this will be a solution for you.

Note: for this approach you will need two flash drives or some such. One will be reformatted so don't use that one with anything you need to keep on it.

Please do the following:

To start:

Download EasyBCD and save it to a separate USB drive (not the one you will use for Live Linux USB Creator)...

Download Live Linux USB Creator and save it to your desktop.

*Next*


Insert your USB drive
Press *Start* > *My Computer* > right click your USB drive > choose *Format* > *Quick format*
Double click the *Live Linux USB Creator* that you just downloaded
Press *Run* then *OK*
It will install a little bootable USB automatically
After it has completed, do not choose to reboot the clean computer; simply close the installer
Remove the USB and insert it in the infected computer
Boot the computer
Press F12 and choose to boot from the USB
Follow the prompts

Once you are able to boot into Windows, insert the USB with EasyBCD on it and save EasyBCD to your desktop.

Double click to run EasyBCD

Follow the options that EasyBCD presents to repair *MBR*.

Come back and tell me how you got on.


----------



## link2998 (Sep 10, 2010)

Hello Elvandil:

My comp. that I can't boot is an Acer Aspire M1641.

Hello emrld,

I will try what you suggested.


----------



## emeraldnzl (Nov 3, 2007)

Good luck.

Late here so I will be off to bed.

Catch you tomorrow.


----------



## link2998 (Sep 10, 2010)

While I'm waiting for the second flash drive (to buy) I have a question if you don't mind:

What's an MBR (in short) and what does MBR stand for? Is it related to the boot sector or something (I barely know what the boot sector is)?


----------



## emeraldnzl (Nov 3, 2007)

MBR stands for Master Boot Record.

This link has information about it.

http://en.wikipedia.org/wiki/Master_boot_record

Some of the recent types of infection have been targeting the MBR. Usually it is a simple matter of rewriting the MBR to its default to clear the infection, but some of the latest infections are stopping the rewrite and causing problems.

When we scanned your computer it showed an infected mbr hence the actions we took to fix it.

Again if we had a Vista installation disk for that computer it would be easy enough to fix but so many machines come without the installation CD so with the help of Elvandil I have put together the solution you see.



> While I'm waiting for the second flash drive (to buy) I have a question if you don't mind:


I guess an alternative might be to burn the EasyBCD to a CD and transfer it using that to the broken machine?
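To make the explanation above concrete, here is an added example (constructed for this thread; it is not MBRCheck's code or anything posted by the participants). It parses a 512-byte Master Boot Record into its boot code, partition table and 0x55AA signature, hashes the boot-code region against a known-good set (the same idea behind the SHA1 line MBRCheck printed earlier), and runs the partition-table checks whose failure the standard Microsoft boot code reports as "Invalid partition table". The sample sector, its hash and the partition layout are all constructed test data.

```python
"""Triage a 512-byte Master Boot Record: split it into boot code, partition
table and signature, hash the code region (the value MBRCheck reports as SHA1)
against a known-good list, and validate the partition table."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
CODE_LEN = 440           # boot code; bytes 440-445 hold the disk signature and padding
PTABLE_OFFSET = 446      # four 16-byte partition entries follow
ENTRY_LEN = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
BOOT_SIG = b"\x55\xAA"   # bytes 510-511


@dataclass
class PartitionEntry:
    status: int      # 0x80 = active (bootable), 0x00 = inactive
    ptype: int       # 0x07 = NTFS, 0x00 = unused slot
    lba_start: int
    sectors: int

    @property
    def is_empty(self) -> bool:
        return self.ptype == 0

    @property
    def is_active(self) -> bool:
        return self.status == 0x80


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries at offset 446."""
    return [PartitionEntry(*struct.unpack_from(ENTRY_FMT, mbr, PTABLE_OFFSET + i * ENTRY_LEN))
            for i in range(4)]


def code_sha1(mbr: bytes) -> str:
    """Upper-case hex SHA-1 of the 440-byte boot-code region."""
    return hashlib.sha1(mbr[:CODE_LEN]).hexdigest().upper()


def check_partition_table(entries: list) -> list:
    """A status byte other than 0x00/0x80, or more than one active entry, is what
    makes the stock Microsoft boot code stop with 'Invalid partition table'."""
    findings = []
    for i, e in enumerate(entries):
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {i}: status 0x{e.status:02X} is neither 0x00 nor 0x80 (Invalid partition table)")
    active = sum(1 for e in entries if e.is_active)
    if active > 1:
        findings.append(f"{active} entries marked active (Invalid partition table)")
    elif active == 0:
        findings.append("no entry marked active; nothing will be chain-loaded")
    return findings


def check_mbr(mbr: bytes, known_good_code_hashes: set) -> list:
    """Full triage of one sector; an empty list means nothing suspicious."""
    if len(mbr) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    digest = code_sha1(mbr)
    if digest not in known_good_code_hashes:
        findings.append(f"boot code SHA1 {digest} not in known-good list")
    findings.extend(check_partition_table(parse_partition_table(mbr)))
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector from stand-in boot code and partition entries (test data only)."""
    if len(boot_code) > CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, e in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PTABLE_OFFSET + i * ENTRY_LEN,
                         e.status, e.ptype, e.lba_start, e.sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample: placeholder bytes stand in for boot code (not real x86 code),
# with two NTFS partitions laid out like the thread's C: and D: drives.
SAMPLE_CODE = bytes(range(64))
SAMPLE_ENTRIES = [PartitionEntry(0x80, 0x07, 2048, 204800),     # C:, active
                  PartitionEntry(0x00, 0x07, 206848, 409600)]   # D:
SAMPLE_MBR = build_mbr(SAMPLE_CODE, SAMPLE_ENTRIES)
# In practice this set holds hashes recorded from a known-clean install.
KNOWN_GOOD = {code_sha1(SAMPLE_MBR)}

if __name__ == "__main__":
    print("clean sample:", check_mbr(SAMPLE_MBR, KNOWN_GOOD) or "OK")
    # Boot code overwritten: the hash comparison is what flags a 'faked' MBR.
    print("faked code:", check_mbr(build_mbr(b"\x90" * 64, SAMPLE_ENTRIES), KNOWN_GOOD))
```

Feed it the first 512 bytes read from a disk image (or a dump made with MBRCheck's option [1]) and compare the code hash with one taken from a known-clean machine of the same model.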


----------



## link2998 (Sep 10, 2010)

I tried booting with the USB but I got:

"unable to find a medium with a live file system"

or something like that, and the comp. is giving call trace lists.


----------



## emeraldnzl (Nov 3, 2007)

I believe there are some models of computers that can have a problem with some Linux distros (distribution). 

I don't know if that is your machine's problem or if it is something else.

I am asking the techs here.


----------



## link2998 (Sep 10, 2010)

Is there a way to download windows boot files to the flash and boot that way?


----------



## emeraldnzl (Nov 3, 2007)

There are two answers to that:

1. There is a way using WAIK (Windows Automated Installation Kit) but it is not a simple procedure and I do not know how to instruct you with that.

I did think about it as a possibility when I discussed it with techs here. It is a technical solution with room for error (while my understanding is that it can be used, it is really designed for pre-installation of Windows) causing loss of data.

I think there are simpler solutions. All of which have not been exhausted yet.

2. To my knowledge other ways are illegal.

Turning to your problem with the response you got when trying to boot with the USB. I have carried out some research and found a number of reasons why this might be happening, but I have preferred to wait for someone with more technical knowledge than I have to give an opinion.

One thing does occur. Have you tried using a different port?


----------



## link2998 (Sep 10, 2010)

I tried 2 other USB ports. Same.


----------



## emeraldnzl (Nov 3, 2007)

Okay let's wait and see if we get a reply to my question.


----------



## link2998 (Sep 10, 2010)

As a sidethought, since you're in New Zealand, when do you think I should check for your posts (what time frame)?


----------



## link2998 (Sep 10, 2010)

By the way: since you're in New Zealand, what time frame should I check for your posts?


----------



## link2998 (Sep 10, 2010)

By the way, since you're in New Zealand, when should I check for your posts and when not?


----------



## link2998 (Sep 10, 2010)

sorry for the multiple posts, got server errors.


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,



> sorry for the multiple posts, got server errors.


No problem.



> By the way, since you're in New Zealand, when should I check for your posts and when not?


Go to the link below and check out Auckland. That is the time I am on.

http://www.timeanddate.com/worldclock/

Not getting any joy with an answer for that last problem.

Time to move on:

I think we are now left with two choices.

1) the actions listed below. If that doesn't work you are left with choice 2.

2) for you to approach your computer supplier for a Vista installation CD for that machine. They should be able to provide one for you quite cheaply. I believe there is a requirement to provide you with some means of restoring your computer when you have a pre-installed computer supplied without a disk.

Alternatively, you may be able to use a friend's disk provided that it is an unbranded and generic OEM installation disk for the same edition of Vista, using your product key.

For instructions on how to fix mbr using the Vista Installation disk go to the link below:

http://support.microsoft.com/kb/927392

*Now here are instructions for choice 1.*

Please do the following:

The downloads are iso's, so they need to be burned *as images*. If you just burn them to CD, they won't do anything.

To start:

Download Standalone ISO Burner (Be sure to check the "Finalize" box.)

Download EasyBCD and save it to a flash drive or some such for transfer to the broken computer.

After that:

Here are two CD images. Using the Standalone ISO Burner, burn them to CD, remembering to burn *as images* (both work on most machines, but others require the one either with or without floppy emulation), and boot with one. The partitions on the drive will be shown in Linux format (hda, sda, etc.) and you can boot directly to the partition from there. If you don't know which to choose, try one. If it doesn't work, try another.

Download Boot Loader CD Image

After getting into Windows, you can run EasyBCD to repair the MBR.

Go to the link below for information about EasyBCD.

http://en.wikipedia.org/wiki/EasyBCD


----------



## link2998 (Sep 10, 2010)

I get:

*** boot error *** 
bootsector drive error

for hda partitions 1-4, and it freezes when I select floppy. With USB (with the flash Linux booter in) I get:

......................................................................................................................................

and it freezes.


----------



## link2998 (Sep 10, 2010)

I have no friend with Vista and I don't know my own Windows key. I called Acer's number and I don't think I can get help from them.


----------



## link2998 (Sep 10, 2010)

Why won't it boot from an existing partition?


----------



## link2998 (Sep 10, 2010)

It's not detecting any partitions. Are you sure the boot manager detects Windows partitions?


----------



## emeraldnzl (Nov 3, 2007)

So it is booting from the CD?

The reason I ask is that it shouldn't need to use the machine to boot up or am I getting confused?

One thing occurs to me:

Is your computer configured to boot from CD first?

If not then use these instructions:

*To set your computer BIOS to boot from a CD*

1. Restart your computer. Watch the start-up instructions that are displayed on-screen.

A message will be displayed instructing you to press a named key (often F2, F12, or Delete) to go into settings/setup/configuration. (The key and the message will vary according to the type of computer that you are running.)

Press this key to enter the BIOS setup mode.

(If your computer is particularly fast, it may remove the message before you have the chance to press the key; in this case, try pressing the key once a second, starting the moment you reboot.)

Some examples:
On a Dell computer, you should hit F2 to enter the BIOS.
Other computers may require you to hit the DEL (Delete) button to enter the BIOS.
On newer computers, you may be able to hit F12 to select a temporary boot device rather than changing the permanent boot sequence in the BIOS itself. If your computer offers this option, simply select the CD or DVD drive containing the antivirus CD as your temporary boot device, and skip steps 2 and 3.
2. In the BIOS window, find the area that controls the boot sequence and rearrange the list of devices so that your CD or DVD drive is checked before your hard drive.


For most situations, a suitable sequence is:
1. A (Floppy)
2. CDROM (or DVDROM)
3. HD1 (or C).
If your drives are listed in this order, then when you keep the CD in your CD or DVD drive during a reboot, your computer will be told to run and check for viruses on your system. (If the hard drive is listed earlier than the CD drive, your computer will not detect the CD's presence and will simply boot into Windows.)

3. Save the settings and exit.

4. When your computer reboots, it will check the CD or DVD drive containing the disk before it checks the hard drive.

_Thanks to the Cities site of the University of Illinois for these instructions_

After that try booting from the CD again and come back and tell me how you got on.


----------



## link2998 (Sep 10, 2010)

It's booting, but to a boot manager called "plop boot manager v5.0.7 20091220". I tried both images and hda partitions 1-4. With the floppy emulation it freezes on hda partition 2. I don't get it. I'll switch back to non-emulating and wait for instructions. (It is booting from CD first.)


----------



## emeraldnzl (Nov 3, 2007)

I will see what I can find out.


----------



## link2998 (Sep 10, 2010)

If I could at least boot to DOS I could use fixmbr, right?


----------



## emeraldnzl (Nov 3, 2007)

Are you saying you can access a command prompt?

I should add that fixmbr by itself does not work in Vista. It does work in XP however.

In Vista you run fixmbr through the Bootrec.exe tool.

To run the Bootrec.exe tool you must start Windows RE. To start Windows RE you must have the Vista installation disk.


----------



## link2998 (Sep 10, 2010)

I'm sorry, I should have been more clear. I can't access DOS, but I thought I could make a DOS boot CD if there's something like that free for Vista. I borrowed a comp. with Win 7, but making a boot disc from 7 won't work for Vista, will it?


----------



## emeraldnzl (Nov 3, 2007)

Okay I have managed to find something.

It is a test as far as I am concerned, as I haven't tried it before, but then I haven't tried the ones we have been using recently either.

Anyway here it is:

Download Testdisk for CD and burn to CD.

or

Testdisk for USB and save to a flash drive or some such.

Transfer to the broken computer.

Start TestDisk.

The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure *[Proceed]* is selected then press Enter to continue.

Select *[Intel]* partition and press Enter to continue.

Select *[MBR Code]* and press Enter to continue.

Type *Y* when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing *Y* again.

Press *Q* repeatedly until TestDisk exits then reboot.


----------



## link2998 (Sep 10, 2010)

I can't boot, so I can't transfer the exe to the broken computer yet. Sorry.


----------



## link2998 (Sep 10, 2010)

If all else fails, I think I found a way to get ahold of another Vista installation disk (tomorrowish), but do you need to use a Vista key just to boot, or is it illegal to boot from someone else's inst. disk?


----------



## emeraldnzl (Nov 3, 2007)

My understanding is that if it is your key then it's ok. The key should be somewhere on your laptop... I think on the bottom.


----------



## link2998 (Sep 10, 2010)

I found it. Thnx. Incidentally it's a desktop. Is there anything we can try in the meantime?


----------



## emeraldnzl (Nov 3, 2007)

> Incidentally it's a desktop


Oh dear, thought it was a laptop. Anyway you found it and that is what matters.



> Is there anything we can try in the meantime?


I am just about out of ideas for now but I will keep looking and tell you if I find anything. Really though options are getting very slim.

The other thing that niggles at the back of my mind is that I don't think this should have happened when you used MBRCheck to fix that infection. So I do wonder if something else isn't going on.

For example, maybe something else happened and we need to use the disk to repair whatever that was.


----------



## link2998 (Sep 10, 2010)

OK, thnx for holding on with me. I'll plan to be back on at about 12:00p your time. Gotta go to bed now, cya.


----------



## emeraldnzl (Nov 3, 2007)

Sleep well.

Catch you tomorrow.


----------



## link2998 (Sep 10, 2010)

Sorry, but I've got to wait 1 more day for the inst. disk...


----------



## emeraldnzl (Nov 3, 2007)

That's fine, I will catch you then.


----------



## link2998 (Sep 10, 2010)

Yet another day must pass before I can get my hands on an inst. disk...


----------



## emeraldnzl (Nov 3, 2007)

No problem. I'm not going anywhere lol.


----------



## link2998 (Sep 10, 2010)

Hello, 
Finally got the disk. Now I ran the auto-repair option and I think the MBR is repaired. Now when I boot from the HD it says "invalid partition table". Tried the auto-repair on that but it doesn't work. I can get to a command-line prompt if I need to. What should I do?


----------



## emeraldnzl (Nov 3, 2007)

Hi link2998,

Check out the link below and in particular post # 2.

http://www.vistax64.com/vista-installation-setup/76982-invalid-partition-table-bootup.html

First thing it suggests to do is run Startup Repair two or three times.

Try the solution there and tell me how you get on.


----------



## link2998 (Sep 10, 2010)

when I type "bootrec.exe /FixBoot", I get "Element not found.". With ScanOs nothing is detected (I get "Total Identified Windows Installations: 0"). Should I try RebuildBcd?


----------



## link2998 (Sep 10, 2010)

By the way, there are no operating systems listed for repair.


----------



## emeraldnzl (Nov 3, 2007)

Hello link2998,



> Should I try RebuildBcd?


I am not a techie so am not the right person to answer that question. I don't think rebuilding Bcd is simple.

I don't have the technical expertise to help you with this.

I would ask a moderator to transfer this thread to a technical area but it is far too long for that.

My advice is for you to open a new topic in the Vista Forum - link below - and state the error messages you are getting.

Explain that when an attempt was made to rewrite your machine's infected MBR it got messed up. Then say what you have done to attempt to fix it:



> I ran the auto-repair option and I think the MBR is repaired. Now when I boot from the HD it says "invalid partition table". Tried the auto-repair on that but it doesn't work.
> 
> when I type "bootrec.exe /FixBoot", I get "Element not found."


Here is the link to the Vista Forum.

http://forums.techguy.org/75-windows-vista/

I am sorry not to have a solution and I will keep looking for an answer. At the same time it would be irresponsible of me not to send you where I think you will have a better chance of getting the right help.


----------



## link2998 (Sep 10, 2010)

OK, thanks. The comp. I'm on is borrowed, so in a day or so I'll do that. Thanks for your help.


----------

