Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#1
Slow computer and Firefox popup
Hi,
My husband said his computer was much slower than normal today, so I took a look at it and found that 99% of Windows Updates have failed in the past year. I tried things that I found in Microsoft Answers but nothing worked, so I posted a message there and hope that someone can help me with that (I ran their utility, Fixit, and when it was done I tested it and clicked that it still failed, and that took me to a page that said 'this page has expired.' !!!). My point is, this computer is vulnerable.

While I was looking at his computer, about 30 seconds after MS Fixit finished, Firefox popped up with two tabs. The first one was a Startnow (www.startnow.com) tab with Bing, and it looked like the Bing equivalent of a Google search page. This was quickly followed by a "Thank you! Special Savings" tab: http://www.specialsavings.com/forum/...ucts/done.html. It was thanking him for installing something. The site is called Deal Finders and it's a coupon clipping site that

He said that he has never had popups and although he installed Firefox a very long time ago, he does not use it, and that he didn't recognize the two sites at all. This is not a Firefox add-in, but I don't know enough about Firefox to look at other things. I checked Programs in Control Panel but it didn't indicate an installation there.

I ran MBAM and it said everything was fine, I ran a quick MSE scan, and I cleaned out the temp files, history, etc. I went to msconfig and unchecked things that he doesn't need loaded on startup, and went into Task Manager and shut down things he didn't need. I did all of this before he got the popups. Right now, I'm doing a defrag. But I don't know what to do next to make sure he's okay.

He has Windows Vista Home Premium SP1 (because SP2 was one of the failed updates), uses IE7 (same thing), and for virus/malware he has Microsoft Security Essentials with Windows Firewall.

Thanks for your help. Sorry this is so long. Please let me know what information you need.
#2
Welcome to CTH tamwood,
Let's see what all is there. The system is Vista, so when running any of the scan files we use, be sure to right-click the file, then select "Run as administrator" to start the scan/tool.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer. Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.

A lot, but comprehensive, and will make sure we get a good view of everything.
#3
Thanks, will do.
#4
Post when ready.
#5
I did OTL twice but it did not create an Extras.txt file. Also, twice, when I ran aswMBR, it created a BSOD and restarted the computer before it was done. I was not able to get the BSOD info before it disappeared. I ran it one more time and it finished without a problem and I was able to save the log file. I just wanted you to know about it.
```
OTL logfile created on: 3/19/2012 12:30:07 AM - Run 5
OTL by OldTimer - Version 3.2.39.1     Folder = D:\Virus
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 53.88% Memory free
4.09 Gb Paging File | 2.96 Gb Available in Paging File | 72.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 111.44 Gb Total Space | 51.78 Gb Free Space | 46.47% Space Free | Partition Type: NTFS
Drive D: | 111.44 Gb Total Space | 100.37 Gb Free Space | 90.07% Space Free | Partition Type: NTFS

Computer Name: ASPIRE | User Name: leigh | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/17 22:52:54 | 000,594,432 | ---- | M] (OldTimer Tools) -- D:\Virus\OTL.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/11/23 17:52:06 | 000,038,144 | ---- | M] (RingCentral, Inc.) -- C:\Program Files\RingCentral\eXtreme Fax\RCHotKey.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/01 13:51:42 | 000,405,504 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2008/07/29 20:53:00 | 000,500,784 | ---- | M] (Egis Incorporated) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
PRC - [2008/07/29 20:52:50 | 000,526,896 | ---- | M] (Egis Incorporated) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
PRC - [2008/07/02 14:35:52 | 000,850,440 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2008/06/02 12:25:40 | 000,024,576 | ---- | M] () -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
PRC - [2008/03/18 14:27:12 | 000,013,312 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2008/01/16 22:35:02 | 000,081,504 | ---- | M] () -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
PRC - [2007/12/06 19:15:28 | 000,110,592 | ---- | M] () -- C:\ACER\Mobility Center\MobilityService.exe

========== Modules (No Company Name) ==========

MOD - [2010/11/20 01:57:10 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\07932234c4cdc31042eeacc9f81d8fda\System.Runtime.Remoting.ni.dll
MOD - [2010/08/12 09:49:54 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\e6220b10333c1b184103c97e09a9a144\System.ServiceProcess.ni.dll
MOD - [2010/08/12 09:47:21 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5c64322812ad3369c7618e5f52d13a72\System.Xml.ni.dll
MOD - [2010/08/12 09:46:55 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\19f5c72f22f18275e3fa45a2a8e04140\System.Windows.Forms.ni.dll
MOD - [2010/08/12 09:46:43 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\618be9fca90bc21db0010bae1e84dad4\System.Drawing.ni.dll
MOD - [2010/08/12 09:45:30 | 007,949,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\e757b4f83931d47c785b0aaacf7cce81\System.ni.dll
MOD - [2010/08/12 09:45:06 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\fb0a3a6e527462455beda91d7ea58de5\mscorlib.ni.dll
MOD - [2009/09/04 08:19:30 | 000,644,096 | ---- | M] () -- C:\Program Files\IZArc\IZArcCM.dll
MOD - [2008/08/18 22:06:15 | 000,036,864 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Framework.Utility\3.0.3009.0__4df5dcab8860d239\Framework.Utility.dll
MOD - [2008/08/18 22:06:14 | 000,061,440 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Framework.Library\3.0.3009.0__3036420f80dd6947\Framework.Library.dll
MOD - [2008/08/18 22:06:14 | 000,009,216 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Framework.Model.ControllerInterface\3.0.3009.0__d842b71b4d6ed079\Framework.Model.ControllerInterface.dll
MOD - [2008/07/29 20:52:38 | 000,227,888 | ---- | M] () -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ShowErrMsg.dll
MOD - [2003/06/07 16:30:08 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\PowerUtl.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/07/29 20:53:00 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto | Running] -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008/06/02 12:25:40 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe -- (ETService)
SRV - [2008/03/18 14:27:12 | 000,013,312 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/16 22:35:02 | 000,081,504 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe -- (CLHNService)
SRV - [2007/12/06 19:15:28 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\ACER\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2005/11/17 15:18:52 | 001,527,900 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- d:\Program Files\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\leigh\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/03/18 23:51:33 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BE2CCF8B-F01D-4686-823C-E80B3AD617BF}\MpKsldeadcdf4.sys -- (MpKsldeadcdf4)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/07/09 13:45:36 | 000,116,064 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/18 20:05:10 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl -- ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796})
DRV - [2008/06/10 21:54:36 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/06/02 12:20:12 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/02/29 18:13:38 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/02/19 01:09:40 | 000,166,960 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/01/16 22:35:08 | 000,122,368 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys -- (NTIPPKernel)
DRV - [2006/11/03 00:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
DRV - [2002/06/03 21:38:38 | 000,311,684 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\P1001Vid.sys -- (P1001VID) Creative WebCam (WDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...m=aspire_4730z
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes,DefaultScope = {105E99FF-8B9A-4492-B155-06194B9056D2}
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = http://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6CB80A9C18B74B239F200E853263ADCA&machine_id=0494027f837940b47fed5c153607ef6e&browser=IE&os=win&os_version=6.0-x86-SP1
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes\{C9BF099A-5362-4E59-8BE3-8AA955FFCBD9}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACAW
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6CB80A9C18B74B239F200E853263ADCA&machine_id=0494027f837940b47fed5c153607ef6e&browser=FF&os=win&os_version=6.0-x86-SP1"
FF - prefs.js..keyword.URL: "http://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6CB80A9C18B74B239F200E853263ADCA&machine_id=0494027f837940b47fed5c153607ef6e&browser=FF&os=win&os_version=6.0-x86-SP1&q="
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\superfish@superfish.com: C:\ProgramDataMozilla\Extensions\superfish@superfish.com [2012/03/15 17:34:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2012/01/20 16:24:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2012/01/20 16:24:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: d:\Program Files\Mozilla Firefox\components [2012/01/20 16:23:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: d:\Program Files\Mozilla Firefox\plugins [2012/02/06 14:17:04 | 000,000,000 | ---D | M]

[2011/06/12 17:47:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leigh\AppData\Roaming\mozilla\Extensions
[2010/06/11 11:28:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leigh\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org
[2012/02/06 15:41:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leigh\AppData\Roaming\mozilla\Firefox\Profiles\7vfnswoq.default\extensions
[2012/02/06 15:41:42 | 000,000,000 | ---D | M] (Microsoft Choice Guard) -- C:\Users\leigh\AppData\Roaming\mozilla\Firefox\Profiles\7vfnswoq.default\extensions\ChoiceGuard@Microsoft
[2011/06/14 16:49:25 | 000,002,265 | ---- | M] () -- C:\Users\leigh\AppData\Roaming\Mozilla\Firefox\Profiles\7vfnswoq.default\searchplugins\bing-zugo.xml
[2011/06/12 17:47:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/12 17:22:12 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/12/14 22:59:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/06/12 16:00:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2012/03/15 17:34:39 | 000,000,000 | ---D | M] (Window Shopper - Powered by Superfish) -- C:\PROGRAMDATAMOZILLA\EXTENSIONS\SUPERFISH@SUPERFISH.COM
[2009/09/02 09:11:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2012/02/06 14:17:09 | 000,000,000 | ---D | M] (Java Console) -- D:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/10/22 23:19:13 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2835799940-606296060-655187663-1000..\Run: [RCHotKey] C:\Program Files\RingCentral\eXtreme Fax\RCHotKey.exe (RingCentral, Inc.)
O4 - HKU\S-1-5-21-2835799940-606296060-655187663-1000..\Run: [RCUI] C:\Program Files\RingCentral\eXtreme Fax\RCUI.exe (RingCentral, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/pr.../ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://cabby.markur.com/activex/AMC.cab (AxisMediaControlEmb Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 24.247.15.53 66.189.0.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0E4514BD-028B-40B4-B9F3-884926C28168}: DhcpNameServer = 192.168.1.1 24.247.15.53 66.189.0.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C966F92B-F884-40CE-8096-7E5FAFC26918}: DhcpNameServer = 172.16.2.5 172.18.82.11 4.2.2.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\leigh\Pictures\Ski Trip 2010\on top of blue heven looking at eagle eye restaurant.jpg
O24 - Desktop BackupWallPaper: C:\Users\leigh\Pictures\Ski Trip 2010\on top of blue heven looking at eagle eye restaurant.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/15 23:51:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Defraggler
[2012/03/15 23:51:50 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2012/03/15 17:26:09 | 000,000,000 | ---D | C] -- C:\Users\leigh\AppData\Local\ElevatedDiagnostics

========== Files - Modified Within 30 Days ==========

[2012/03/19 00:17:29 | 002,701,242 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/19 00:17:28 | 000,853,960 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/19 00:11:16 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2012/03/19 00:11:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/19 00:11:10 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/19 00:10:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/19 00:10:36 | 2072,035,328 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/19 00:10:34 | 273,906,273 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/03/19 00:01:05 | 000,000,256 | ---- | M] () -- C:\Windows\tasks\HP Photo Creations Messager.job
[2012/03/15 23:51:52 | 000,001,706 | ---- | M] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2012/03/15 17:22:12 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/03/15 16:38:06 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/20 11:12:20 | 000,000,942 | ---- | M] () -- C:\Users\leigh\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk

========== Files Created - No Company Name ==========

[2012/03/15 23:51:52 | 000,001,706 | ---- | C] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2012/03/15 16:38:06 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/20 16:15:03 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2011/12/19 19:55:27 | 000,000,227 | ---- | C] () -- C:\Windows\PowerReg.dat
[2011/12/19 19:55:25 | 000,045,568 | ---- | C] () -- C:\Windows\UniFish3.exe
[2011/06/12 17:23:52 | 000,000,048 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/06/12 17:00:01 | 000,000,223 | ---- | C] () -- C:\Windows\System32\P1001Twn.ini
[2011/06/08 17:57:22 | 001,929,576 | ---- | C] () -- C:\Windows\System32\HPScanTRDrv_DJ3050A_J611.dll
[2011/03/03 11:12:16 | 001,503,232 | ---- | C] () -- C:\Windows\System32\ptj.exe
[2011/03/03 11:12:16 | 001,103,360 | ---- | C] () -- C:\Windows\System32\cidfont.dll
[2011/03/03 11:12:12 | 004,369,408 | ---- | C] () -- C:\Windows\System32\pdftk.exe
[2011/03/03 11:12:12 | 000,235,008 | ---- | C] () -- C:\Windows\System32\office.exe
[2011/02/11 19:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/06/30 18:32:50 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/06/07 23:53:12 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2010/06/07 23:45:50 | 000,006,211 | ---- | C] () -- C:\Windows\mgxoschk.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:73933431
@Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:AB689DEA
@Alternate Data Stream - 111 bytes -> C:\ProgramData\Temp:4220A65C
@Alternate Data Stream - 100 bytes -> C:\ProgramData\Temp:753F86A9

< End of report >
```
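The FireFox section of the OTL log above is where the symptom shows: browser.startup.homepage and keyword.URL both point at startnow.com with partner, affiliate and toolbar ids in the query string, and a Superfish "Window Shopper" extension is registered machine-wide from ProgramData rather than Program Files. The following Python is an added example, not code from the thread, from OTL or from its author; it parses those FF lines out of an OTL log and flags the entries a helper would look at first. The expected-host list, the tracking-key list and the "outside Program Files" heuristic are assumptions, and the sample log lines are constructed from the ones posted above with the long URLs shortened.

```python
"""Pull the Firefox entries out of an OTL log and flag search/homepage hijack indicators."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the homepage / address-bar search would be expected to use (assumption for this example).
EXPECTED_HOSTS = {"www.google.com", "www.bing.com", "search.live.com"}

# Query-string keys that bundled search redirectors carry to attribute installs (assumption).
TRACKING_KEYS = {"partner_id", "affiliate_id", "toolbar_id", "provider_code", "user_guid", "machine_id"}

# OTL prints Firefox prefs as:   FF - prefs.js..<pref name>: <value>   (string values are double-quoted)
PREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<name>[\w.\-]+): (?P<value>.+)$')
# ...and machine-wide extension registrations as:
#   FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\<id>: <path> [<timestamp> | ...]
EXT_RE = re.compile(
    r'^FF - HKEY_LOCAL_MACHINE\\software\\mozilla\\Firefox\\Extensions\\\\(?P<id>[^:]+): (?P<path>.+?) \['
)

# Prefs whose value is a URL the browser loads or queries without asking the user.
URL_PREFS = ("browser.startup.homepage", "keyword.URL")

# Constructed sample: the FF section of the log posted above, with the startnow URLs shortened
# and the ProgramData path written with its normal backslash.
SAMPLE_OTL_FF_SECTION = r'''========== FireFox ==========
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&browser=FF"
FF - prefs.js..keyword.URL: "http://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&toolbar_id=200&q="
FF - prefs.js..network.proxy.type: 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\superfish@superfish.com: C:\ProgramData\Mozilla\Extensions\superfish@superfish.com [2012/03/15 17:34:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2012/01/20 16:24:26 | 000,000,000 | ---D | M]
'''


def parse_ff_section(log_text):
    """Return ({pref_name: value}, [(extension_id, path)]) for the FF lines in an OTL log."""
    prefs, extensions = {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PREF_RE.match(line)
        if m:
            prefs[m["name"]] = m["value"].strip().strip('"')
            continue
        m = EXT_RE.match(line)
        if m:
            extensions.append((m["id"].strip(), m["path"].strip()))
    return prefs, extensions


def find_hijack_indicators(log_text):
    """List URL prefs pointing outside EXPECTED_HOSTS and HKLM extensions living outside Program Files."""
    prefs, extensions = parse_ff_section(log_text)
    findings = []
    for name in URL_PREFS:
        value = prefs.get(name)
        if not value:
            continue
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        if host in EXPECTED_HOSTS:
            continue
        # keep_blank_values so an empty affiliate_id= still counts as a tracking parameter
        query = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "kind": "pref",
            "name": name,
            "host": host,
            "tracking_params": sorted(k for k in query if k in TRACKING_KEYS),
        })
    for ext_id, path in extensions:
        # Heuristic: extensions registered under HKLM normally live under Program Files; one dropped
        # into ProgramData or a user profile was side-loaded by some installer and deserves a look.
        if "\\program files" not in path.lower():
            findings.append({"kind": "extension", "id": ext_id, "path": path})
    return findings


if __name__ == "__main__":
    for finding in find_hijack_indicators(SAMPLE_OTL_FF_SECTION):
        print(finding)
```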
#6
```
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-18 01:05:40
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: hmmwzjh2.exe; Driver: C:\Users\leigh\AppData\Local\Temp\pgtdrpod.sys

---- Kernel code sections - GMER 1.0.15 ----

        C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl    entry point in "" section [0xA91AF41C]
.clc    C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl    unknown last code section [0xA91B0000, 0x1000, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text   C:\Windows\Explorer.EXE[3264] SHELL32.dll!InitNetworkAddressControl + 2939    7632006C 4 Bytes  [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}

---- User IAT/EAT - GMER 1.0.15 ----

IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EF8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F39855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EFB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EEFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EF7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EEEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F2B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EFBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EF0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EF06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73EE71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F7D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F17329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EEE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73EE697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73EE69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EF2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT     C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
```
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.) IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6708F563] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- |
#7
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-19 12:51:57
-----------------------------
12:51:57.754 OS Version: Windows 6.0.6001 Service Pack 1
12:51:57.754 Number of processors: 2 586 0xF0D
12:51:57.756 ComputerName: ASPIRE UserName: leigh
12:51:59.526 Initialize success
12:52:59.905 AVAST engine defs: 12031700
12:54:39.577 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:54:39.581 Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40C Size: 238475MB BusType: 3
12:54:39.601 Disk 0 MBR read successfully
12:54:39.607 Disk 0 MBR scan
12:54:39.637 Disk 0 unknown MBR code
12:54:39.644 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10244 MB offset 63
12:54:39.666 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114116 MB offset 20981760
12:54:39.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 114113 MB offset 254691328
12:54:39.719 Disk 0 scanning sectors +488394752
12:54:39.828 Disk 0 scanning C:\Windows\system32\drivers
12:54:53.975 Service scanning
12:55:13.295 Service MpKsl04d4cb26 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{39AF48C5-35EA-4E7E-9C64-A120B8EC7A24}\MpKsl04d4cb26.sys **LOCKED** 32
12:55:13.778 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
12:55:31.930 Modules scanning
12:55:45.756 Disk 0 trace - called modules:
12:55:45.842 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
12:55:45.854 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8554d780]
12:55:45.866 3 CLASSPNP.SYS[833a6745] -> nt!IofCallDriver -> [0x85381918]
12:55:45.878 5 acpi.sys[806996a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x846128e0]
12:55:46.933 AVAST engine scan C:\Windows
12:55:51.950 AVAST engine scan C:\Windows\system32
12:59:37.998 AVAST engine scan C:\Windows\system32\drivers
12:59:51.419 AVAST engine scan C:\Users\leigh
13:01:52.835 Disk 0 MBR has been saved successfully to "D:\Virus\MBR.dat"
13:01:52.852 The log file has been saved successfully to "D:\Virus\aswMBR.txt"
13:04:32.605 AVAST engine scan C:\ProgramData
13:06:58.152 Scan finished successfully
13:07:32.819 Disk 0 MBR has been saved successfully to "D:\Virus\MBR.dat"
13:07:32.832 The log file has been saved successfully to "D:\Virus\aswMBR2.txt"
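A small triage script for logs in the aswMBR layout pasted above, added here as an example (it is not aswMBR's code and not part of this thread): it pulls out the partition table, the locked drivers and the MBR verdict, and lists the points a helper would check first. The sample lines are copied from the log above; the reading of `unknown MBR code` as likely OEM boot code is an assumption of mine, not a finding of the thread.

```python
import re

# Constructed excerpt in the aswMBR log layout of post #7 above (values copied
# from that post, not the full log).
SAMPLE_LOG = r"""12:54:39.581 Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40C Size: 238475MB BusType: 3
12:54:39.601 Disk 0 MBR read successfully
12:54:39.637 Disk 0 unknown MBR code
12:54:39.644 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10244 MB offset 63
12:54:39.666 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114116 MB offset 20981760
12:54:39.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 114113 MB offset 254691328
12:55:13.778 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
13:06:58.152 Scan finished successfully
"""

PART_RE = re.compile(r"^\S+ Disk \d+ Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?"
                     r"([0-9A-F]{2}) (.+?) (\d+) MB offset (\d+)$")
LOCKED_RE = re.compile(r"^\S+ Service (\S+) (.+?) \*\*LOCKED\*\* \d+$")
SIZE_RE = re.compile(r"Size: (\d+)MB")


def triage(log_text):
    """Summarise one aswMBR log: MBR verdict, partition table, locked drivers."""
    r = {"unknown_mbr_code": False, "disk_mb": 0, "partitions": [],
         "locked_services": [], "finished": False, "notes": []}
    for line in log_text.splitlines():
        if "unknown MBR code" in line:
            r["unknown_mbr_code"] = True
        elif "Scan finished successfully" in line:
            r["finished"] = True
        elif m := SIZE_RE.search(line):
            r["disk_mb"] = int(m.group(1))
        elif m := PART_RE.match(line):
            r["partitions"].append({"index": int(m[1]), "boot": m[2], "type": m[3],
                                    "desc": m[4], "size_mb": int(m[5]), "offset": int(m[6])})
        elif m := LOCKED_RE.match(line):
            r["locked_services"].append((m[1], m[2]))
    r["active_count"] = sum(p["boot"] == "80" for p in r["partitions"])
    r["unallocated_mb"] = r["disk_mb"] - sum(p["size_mb"] for p in r["partitions"])
    if r["unknown_mbr_code"]:
        # aswMBR matches boot code against known Windows MBRs; OEM recovery setups
        # (here an Acer with a hidden WinRE partition) often ship their own, so this
        # is a lead to verify against the saved MBR.dat, not a verdict on its own.
        r["notes"].append("MBR code not recognised: compare the saved MBR.dat with a known-good MBR")
    if r["active_count"] != 1:
        r["notes"].append("expected one active partition, found %d" % r["active_count"])
    if not r["finished"]:
        r["notes"].append("scan did not report completion; treat results as partial")
    return r
```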
#8
Once we finish our repairs here you do need to update to Service Pack 2, but not just yet.
Really would like to see some of what that second OTL log would have shown though. Download HijackThis from Here. Then click on the downloaded file, and install HijackThis. In HijackThis, click Config - Misc Tools - Open Uninstall Manager. Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.