Tech-101 Free Computer Support
#11, posted 03-19-2010, 07:13 PM by rev_olie (Super Moderator)

TFC was directed, but surprisingly it didn't make much difference.
#12, posted 03-19-2010, 07:49 PM by Bobbye (Site Admin)

Steve, here are some suggestions and questions based on the HijackThis log you left:

1. Platform: Windows Vista: you're not current on updates. Vista has SP2 out:
Visit the Microsoft Download Site. You should get all updates marked Critical and the current SP updates: Vista SP2

2. Do you have 2 homepages set up to just display a blank page? Okay if you do; if not, this is malware:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

3. This is running from the temp file. Why? What is it 'rerouting'?
C:\Users\comet792\AppData\Local\Temp\RtkBtMnt.exe >> Realtek HD Audio Data Rerouter

4. You have a lot of processes starting on boot and running in the background. They don't need to be using your resources when you aren't using them. A few examples:
Windows Media Player
QuickTime
Office
Autoupdates: the only autoupdate you need is for your antivirus.
Do you have security scans set on startup? Stop them.

5. You have Symantec AV running. You should run the Norton Removal Tool to uninstall it. It shouldn't be running with the Kaspersky.
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

6. There are multiple Acer entries. Have you ever taken the time to check these out and see if you use them? If you don't, they should be stopped and uninstalled.

7. You may have some conflicts with all the real-time security you're running. Contrary to what you might think, "more" can sometimes leave you more vulnerable.

8. Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run it.
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow it.
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

Notes:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Please leave the ComboFix report to be reviewed.

My apologies if any of this conflicts with the other replies.
#13, posted 03-19-2010, 07:51 PM by Bobbye (Site Admin)

Olie, I didn't read through everything. But I did apologize if I was covering something already given.
#14, posted 03-19-2010, 08:33 PM by rev_olie (Super Moderator)

It's not a problem at all, Bobbye; I was merely establishing my surprise at how little difference it made.

I was expecting someone to take a closer look at the HJT log anyhow, as, to be honest, I did minimal research, seeing as though I can fully act on the results. So I shall leave you to work your magic.
#15, posted 03-20-2010, 05:17 PM by scotsteve (Senior Member)

Hi,
I ran TFC, error checked and defragged! Still a little early to say if performance has actually improved, but high hopes!

I am still undecided about the LUA v Admin Logs. Since yesterday I attempted to create another account, make it admin rights, then I changed my usual account from admin to Limited User, but this morning when I booted up the laptop, it automatically went to the login screen and asked for a password which I don't have!
I ended up having to restore to a previous state to access Windows and my usual account.

Also, it seems very tedious to have to 'Run with Administrator Rights' every time you execute a program ... hmmm ... undecided!

Thanks so much for all your time and assistance!
#16, posted 03-20-2010, 05:27 PM by rev_olie (Super Moderator)

I think permissions is a tricky area which is suited to different people. I, however, would always say run on an account that uses limited rights, but then again I'm not following my own advice by running an account with full privileges, so it's something to keep thinking about.

Just for my own interest and to help tidy the thread a little, can you post another HJT log so we can see what is still running and what isn't?
Also don't forget to follow Bobbye's instructions. When a request to run ComboFix is made (in most cases anyhow) there will be a reason for it, a reason on which action must be taken.

#17, posted 03-20-2010, 06:43 PM by jobeard (Site Admin)

Quote:
Originally Posted by scotsteve
    I am still undecided about the LUA v Admin Logs, since yesterday
      • I attempted to create another account, make it admin rights,
      • then I changed my usual account from admin to Limited User
    , but this morning when I booted up the laptop, it automatically went to the login screen and asked for a password which I don't have!
    I ended up having to restore to previous state to access Windows and my usual account.

You seemed to start off right.
Create the new user id, set the rights (adm vs lua) and set a new password. Log off and then log in on the new ID to create the profile and perms on that directory.

On the OLD ADMIN, keep the password (or at least set one) and then change the rights.

That profile area will be set to the original perms (eg administrator) and now you have changed the user to LUA, so you will need to fix the NTFS perms.

Using an ADMIN, right-click the user's top directory -> Properties -> Security tab (XP can get here, but the HOME ed will need to boot Safe Mode).

You will see
  • Admin => has Full Control
  • SYSTEM => has Full Control
Click the ADD button, enter the new login name, click Check Names and then OK.
Now you [x] Full Control and click Apply; the perms will be corrected to allow NewUser full access to files under that profile.

Quote:
Originally Posted by scotsteve
    Also, it seems very tedious to have to 'Run with Administrator Rights' every time you execute a program ... hmmm ... undecided!

The programs in \Program Files have <everyone> Read & Execute, so none of those should be doing that ... if so, we can fix them all at one time. Anything installed in the original ADMIN profile area will not be accessible and should be reinstalled in \Program Files or All Users\Shared.

The only time you should need ADMIN rights is to
  1. change major configuration settings (eg run->services.msc)
  2. install or update software
There is a short list of software that installs in \Program Files and still needs Admin rights (a sign of poor program design), such as Quicken, and there is a fix for those too.

This is doable and worth some time to make it work ...
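As an added example, not from jobeard's post or anyone else in this thread, here is the same account split and NTFS permission repair carried out from an elevated Windows PowerShell prompt instead of the Security tab. The account names and the profile path are placeholders to replace; Windows PowerShell on Vista or later is assumed, and `net user`, `net localgroup` and `icacls` are the built-in tools being called.

```powershell
# Added example, not from the thread: carry out the steps jobeard describes from
# an elevated Windows PowerShell prompt. The three values below are placeholders.
$DailyUser  = 'steve'            # hypothetical: the everyday account being demoted to LUA
$NewAdmin   = 'steve-admin'      # hypothetical: the new admin-only account
$ProfileDir = 'C:\Users\steve'   # hypothetical: profile folder of the everyday account

# 1. Create the admin-only account. "net user <name> * /add" prompts for a password
#    right now, so the next logon never asks for a password nobody has set.
net user $NewAdmin * /add
net localgroup Administrators $NewAdmin /add

# 2. Make sure the everyday account has a password too ("net user <name> *" prompts
#    for one), then demote it: out of Administrators, into Users (a Limited user).
#    If it is already in Users, net just says so and changes nothing.
net user $DailyUser *
net localgroup Administrators $DailyUser /delete
net localgroup Users $DailyUser /add

# 3. The profile tree was created while the account was an administrator, so
#    re-grant the (now standard) user Full Control on it. (OI)(CI) makes the
#    entry inherit to files and subfolders; /T applies it to what already exists.
icacls $ProfileDir /grant "${DailyUser}:(OI)(CI)F" /T

# 4. Show the resulting entries so the Admin / SYSTEM / user lines can be checked,
#    which is what the Security tab would display.
(Get-Acl -Path $ProfileDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Log off and on once as the new admin account so its profile is created, then keep using the everyday account for daily work and reach for the admin account only for installs and configuration changes, which is the split the post argues for.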
#18, posted 03-20-2010, 08:45 PM by scotsteve (Senior Member)

In response to Bobbye:

#1 I have tried installing the SP1 + 2 several times without success!

#2 In my ... Internet Properties ... homepage window there is only one entry, "about:blank".

#3 I have been aware of this item for a long time but I have no idea what to do with it, and I don't use a router.

#4 All done (no scans on startup).

#5 Norton removed (think it sneaked on whilst doing a Java update!).

#6 I have checked out the Acer products installed; guess I was just hanging on to them. Perhaps it's time to remove them, I never use them!

#7 I have Kaspersky 2010 and resident protection from Spybot; that is all I am aware is running, and I was under the impression that those two get on okay!

#8 ComboFix to follow....

Thanks for now!
#19, posted 03-20-2010, 09:33 PM by scotsteve (Senior Member)

ComboFix 10-03-20.01 - comet792 21/03/2010 1:01.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.969 [GMT 0:00]
Running from: c:\users\Steve\Desktop\ComboFix.exe.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Connect.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 01:15 . 2010-03-21 01:15 -------- d-----w- c:\users\comet792\AppData\Local\temp
2010-03-21 00:59 . 2010-03-21 01:00 -------- d-----w- C:\32788R22FWJFW
2010-03-18 15:53 . 2010-03-18 15:53 -------- d-----w- c:\users\comet792\AppData\Roaming\Uniblue
2010-03-16 17:27 . 2010-03-16 17:27 -------- d-----w- c:\users\comet792\AppData\Roaming\Registry Mechanic
2010-03-14 12:08 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-14 12:08 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-14 12:07 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-08 12:30 . 2010-01-20 12:13 52224 ----a-w- c:\users\comet792\AppData\Roaming\Mozilla\Firefox\Profiles\e6wbbylt.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFExternalAlert.dll
2010-03-08 12:30 . 2010-01-20 12:13 101376 ----a-w- c:\users\comet792\AppData\Roaming\Mozilla\Firefox\Profiles\e6wbbylt.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\RadioWMPCore.dll
2010-03-02 20:46 . 2010-03-02 20:46 -------- d-----w- c:\program files\Common Files\Java
2010-02-26 11:02 . 2010-02-12 10:49 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-25 15:35 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-25 15:29 . 2010-01-25 12:58 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-25 15:29 . 2010-01-25 12:58 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-25 15:29 . 2010-01-25 12:58 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-25 15:29 . 2010-01-25 12:58 472576 ----a-w- c:\windows\system32\secproc.dll
2010-02-25 15:29 . 2010-01-25 12:56 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-02-25 15:29 . 2010-01-25 08:36 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-25 15:29 . 2010-01-25 08:36 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-25 15:29 . 2010-01-25 08:36 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-25 15:29 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 00:12 . 2009-03-31 20:39 -------- d-----w- c:\programdata\Kaspersky Lab
2010-03-19 09:45 . 2009-05-23 23:22 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-19 09:45 . 2008-03-21 12:22 -------- d-----w- c:\program files\VistaCodecPack
2010-03-19 09:45 . 2008-10-28 21:49 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-03-19 09:44 . 2007-12-02 14:29 -------- d-----w- c:\program files\AC3Filter
2010-03-16 17:54 . 2008-07-02 10:42 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-15 16:08 . 2008-10-29 03:54 -------- d-----w- c:\program files\DivX
2010-03-15 16:07 . 2009-12-11 22:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-14 12:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-04 11:15 . 2009-12-12 00:21 117760 ----a-w- c:\users\comet792\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-02 20:41 . 2008-01-13 13:25 -------- d-----w- c:\program files\Java
2010-02-24 13:51 . 2007-07-25 21:39 181968 ----a-w- c:\users\comet792\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-03 14:52 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-29 00:42 . 2010-01-29 00:42 -------- d-----w- c:\users\comet792\AppData\Roaming\Birdstep Technology
2010-01-29 00:40 . 2009-12-29 21:21 70667 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-01-29 00:38 . 2010-01-29 00:38 -------- d-----w- c:\program files\3 Mobile Broadband
2010-01-29 00:38 . 2007-03-22 10:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-29 00:22 . 2009-12-29 21:23 -------- d-----w- c:\programdata\Birdstep Technology
2010-01-23 12:25 . 2010-01-23 12:25 -------- d-----w- c:\programdata\Norton
2010-01-21 12:00 . 2009-04-06 12:28 -------- d-----w- c:\programdata\NOS
2010-01-21 11:59 . 2008-04-11 09:47 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 09:47 . 2009-04-03 07:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-21 09:40 . 2010-01-21 09:40 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-01-21 09:23 . 2009-04-03 07:25 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-20 19:13 . 2010-01-20 19:13 -------- d-----w- c:\users\comet792\AppData\Roaming\ErrorExpert
2010-01-16 13:23 . 2010-01-05 12:23 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 16:07 . 2009-12-06 19:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-12-06 19:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 17:24 . 2009-12-20 11:44 52224 ----a-w- c:\users\comet792\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 12:36 . 2010-02-11 09:32 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-11 09:32 1327616 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:34 . 2010-02-11 09:32 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:34 . 2010-02-11 09:32 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:34 . 2010-02-11 09:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:34 . 2010-02-11 09:32 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:33 . 2010-02-11 09:32 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:32 . 2010-02-11 09:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:30 . 2010-02-11 09:32 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:30 . 2010-02-11 09:32 65024 ----a-w- c:\windows\system32\avicap32.dll
2007-12-02 14:28 . 2007-12-02 14:28 56 --sha-r- c:\windows\System32\80DD1BCD09.sys
2007-12-02 14:28 . 2007-12-02 14:28 1890 --sha-w- c:\windows\System32\KGyGaAvL.sys
2009-09-25 13:58 . 2009-09-25 13:58 604140 --sha-w- c:\windows\System32\drivers\ISwift3.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-13 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll c:\progra~2\AVP9\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
backup=c:\windows\pss\Empowering Technology Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1826586744-1077541265-2520487687-1000]
"EnableNotificationsRef"=dword:00000001

R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 21:29]

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 21:29]

2010-03-20 c:\windows\Tasks\User_Feed_Synchronization-{DC2ADB6A-E91B-4D92-88E7-CA416BED718C}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uLocal Page = \blank.htm
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {85E06065-2E78-45DF-B3C6-18C96EDF5A4A} = 217.171.132.1 217.171.135.1
FF - ProfilePath - c:\users\comet792\AppData\Roaming\Mozilla\Firefox\Profiles\e6wbbylt.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.three.co.uk/static/html/mobile_broadband_dongle_login/index.html
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\comet792\AppData\Roaming\Mozilla\Firefox\Profiles\e6wbbylt.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFExternalAlert.dll
FF - component: c:\users\comet792\AppData\Roaming\Mozilla\Firefox\Profiles\e6wbbylt.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - c:\program files\NOS\bin\getPlus_HelperSvc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 01:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\System32\eNetHook.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\System32\eNetHook.dll
.
Completion time: 2010-03-21 01:24:13
ComboFix-quarantined-files.txt 2010-03-21 01:24

Pre-Run: 24,151,670,784 bytes free
Post-Run: 23,785,684,992 bytes free

- - End Of File - - 0C48F944F7BD9DD880FA483AA9E3C560



....... Hijack log will follow
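The following is an added example, not part of the thread, that turns Bobbye's checklist in #12 and the items visible in the ComboFix log above (EnableLUA=0 under the system policies key, the Security Center DisableMonitoring and AntiVirusOverride values, Run entries and processes living under Temp or AppData, and the IE Start Page / Local Page values) into a read-only PowerShell audit of the local machine. It changes nothing and returns one object per finding for a person to judge. Windows PowerShell 3.0 or later is assumed (for the `[pscustomobject]` syntax); the function names are my own.

```powershell
# Added example, not from the thread: a read-only audit of the items Bobbye's
# checklist (#12) and the ComboFix log above point at. Nothing is modified;
# each finding comes back as an object. Windows PowerShell 3.0 or later assumed.

function New-Finding([string]$Check, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

function Get-StartupAuditFindings {
    $findings = @()

    # a) UAC. The log shows "EnableLUA"= 0, i.e. User Account Control switched off,
    #    which is what lets every admin-group account run with full rights all the time.
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $sysPol -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) { $findings += New-Finding 'UAC' "EnableLUA=0 under $sysPol" }

    # b) Security Center. DisableMonitoring=1 / AntiVirusOverride=1 silence the
    #    "no antivirus running" warnings, so a dead or removed AV would go unnoticed.
    $scPaths = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring',
               'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
    foreach ($p in $scPaths) {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        foreach ($name in 'DisableMonitoring', 'AntiVirusOverride') {
            if ($props -and $props.$name -eq 1) {
                $findings += New-Finding 'SecurityCenter' "$name=1 under $p"
            }
        }
    }

    # c) Autostart entries that launch from Temp or a user's AppData tree
    #    (Bobbye's point 3: anything "driver-like" running from Temp deserves a question).
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # skip provider metadata
            if ("$($prop.Value)" -match '\\(Temp|AppData)\\') {
                $findings += New-Finding 'Autostart' "$($prop.Name) -> $($prop.Value)"
            }
        }
    }

    # d) Running processes whose image sits under a Temp folder, the way RtkBtMnt.exe
    #    appeared in the HijackThis process list. A foreach statement (not ForEach-Object)
    #    is used so the += below updates this function's $findings, not a copy.
    $tempProcs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -match '\\Temp\\' }
    foreach ($proc in $tempProcs) {
        $findings += New-Finding 'Process' "$($proc.Name) (PID $($proc.Id)) -> $($proc.Path)"
    }

    # e) IE start page / local page in both hives (Bobbye's point 2: about:blank is
    #    fine only if you set it yourself).
    foreach ($hive in 'HKLM', 'HKCU') {
        $ie = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        foreach ($name in 'Start Page', 'Local Page') {
            if ($ie -and $ie.$name) {
                $findings += New-Finding 'IEHome' "$hive $name = $($ie.$name)"
            }
        }
    }

    return $findings
}

Get-StartupAuditFindings | Format-Table -AutoSize
```

Every row is a question to ask rather than a verdict: the Security Center values in particular are often written by a third-party suite registering itself (the log has a Monitoring\KasperskyAntiVirus subkey), and a blank IE start page is harmless if the owner chose it. The point of the script is that the conditions a helper would otherwise pick out of an HJT or ComboFix log by eye can be re-checked on the machine in seconds after each cleanup step.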
#20, posted 03-21-2010, 05:54 AM by scotsteve (Senior Member)

Latest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:50:27, on 21/03/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Users\comet792\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Sidebar\sidebar.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Program Files\3 Mobile Broadband\3Connect\WilogApp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\windows defender\MSASCui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avp] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85E06065-2E78-45DF-B3C6-18C96EDF5A4A}: NameServer = 217.171.132.1 217.171.135.1
O20 - AppInit_DLLs: C:\Windows\System32\eNetHook.dll C:\PROGRA~2\AVP9\mzvkbd3.dll,C:\PROGRA~2\AVP9\kloehk.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c99146f071b4f1) (gupdate1c99146f071b4f1) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\Windows\SYSTEM32\LxrSII1s.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8764 bytes


Thanks for now ....
Copyright © 2009 Tech-101.com. All rights reserved.