HijackThis log - please help

KEM

ComboFix ran, rebooted, finished running and produced its log. I then tried to re-enable Defender (successfully) and Avira but no umbrella appears bottom right.
Should I reboot now and see what happens?

Browntoa

if you want , was interested to see if it was back

Riks the expert in these so I'll leave the review to him

KEM

I'll try a reboot and see what happens.

KEM

Rebooted and Avira back working again and loads of icons in the tray at the bottom right again.

Not sure what to do now - has ComboFix fixed anything or will I have to do anything more to sort things out?

Browntoa

worse case Rik will get you too make up a samll txt file to run using combofix

aliEnRIK

Open notepad and copy/paste the text in RED below

File::
c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe



Save this as "CFScript" (FULL file will be 'CFScript.txt')

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Combofix should never take more that 30 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

aliEnRIK

Download SPYBOT (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure TEA TIMER is UNTICKED on installation)
http://www.filehippo.com/download_spybot_search_destroy/
UPDATE and IMMUNISE (Make sure it reads ZERO unprotected) and SCAN

KEM

Have run the text file in ComboFix and here is the latest log (although my son decided to install an msn add-on this morning while I was out despite me telling him not to install anything!!):

ComboFix 10-01-15.05 - Robert 17/01/2010 12:43:07.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3293.2238 [GMT 0:00]
Running from: c:\users\Robert\Desktop\ComboFix.exe
Command switches used :: c:\users\Robert\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe"
"c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe"
"c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe"
"c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe"
"c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe"
"c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe"
.

((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 12:52 . 2010-01-17 12:52

---

d

---

w- c:\users\Robert\AppData\Local\temp
2010-01-17 12:52 . 2010-01-17 12:52

---

d

---

w- c:\users\Public\AppData\Local\temp
2010-01-17 12:52 . 2010-01-17 12:52

---

d

---

w- c:\users\Default\AppData\Local\temp
2010-01-17 11:28 . 2010-01-17 11:28

---

d

---

w- c:\programdata\Messenger Plus!
2010-01-17 11:26 . 2010-01-17 11:26

---

d

---

w- c:\program files\Circl Developement
2010-01-17 11:26 . 2010-01-17 11:26

---

d

---

w- c:\program files\Messenger Plus! Live
2010-01-16 15:28 . 2010-01-16 15:28

---

d

---

w- c:\program files\Trend Micro
2010-01-14 17:51 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 17:51 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-10 17:55 . 2010-01-10 17:55

---

d

---

w- c:\users\Robert\AppData\Roaming\JoCar Consulting
2010-01-10 17:53 . 2010-01-10 17:53

---

d

---

w- c:\program files\BricxCC
2010-01-10 17:53 . 2010-01-10 17:53 796672 ----a-w- c:\windows\GPInstall.exe
2010-01-09 15:41 . 2010-01-09 15:41

---

d

---

w- c:\program files\LEGO Software
2010-01-09 15:40 . 2010-01-09 15:40

---

d

---

w- C:\VXIPNP
2010-01-09 15:40 . 2010-01-09 15:40

---

d

---

w- c:\program files\National Instruments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 18:19 . 2009-05-17 17:11

---

d

---

w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 18:18 . 2009-09-06 16:06 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-14 18:16 . 2008-07-11 13:33

---

d

---

w- c:\programdata\Microsoft Help
2010-01-14 18:13 . 2006-11-02 11:18

---

d

---

w- c:\program files\Windows Mail
2010-01-12 18:14 . 2009-05-11 15:01

---

d

---

w- c:\program files\Google
2010-01-12 18:02 . 2008-07-11 12:52

---

d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 18:02 . 2008-07-11 13:48

---

d

---

w- c:\program files\eSobi
2010-01-12 17:42 . 2008-07-11 13:16

---

d

---

w- c:\program files\Acer GameZone
2010-01-07 16:07 . 2009-05-17 17:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-05-17 17:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 18:39 . 2008-07-11 12:53 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-12-08 17:25 . 2009-05-12 15:32

---

d

---

w- c:\users\Robert\AppData\Roaming\CyberLink
2009-12-08 17:21 . 2009-12-08 17:21 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-07 16:30 . 2009-05-17 16:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-06 11:33 . 2009-05-20 16:17

---

d

---

w- c:\program files\Java
2009-11-21 06:40 . 2009-12-09 11:13 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 11:13 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 11:13 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 11:13 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 17:41 . 2009-11-18 17:41

---

d

---

w- c:\program files\Windows Portable Devices
2009-11-18 17:41 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 17:40 . 2009-11-18 17:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 19:50 . 2008-10-09 17:45 107920 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-11-09 19:21 . 2009-11-09 19:21 3310 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
2009-11-09 19:21 . 2009-11-09 19:21 1078 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
2009-11-09 19:21 . 2009-11-09 19:21 1078 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
2009-11-09 19:21 . 2009-11-09 19:21 1078 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
2009-11-09 19:21 . 2009-11-09 19:21 1078 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
2009-11-09 19:21 . 2009-11-09 19:21 1078 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe
2009-11-09 12:31 . 2009-12-09 11:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 11:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 11:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 20:42 . 2009-10-03 09:11 195456

---

w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 19:28 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 15:11 . 2009-10-02 14:47 2064760 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-10-28 15:11 . 2009-10-02 14:47 364917 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-10-22 16:50 . 2009-10-02 14:47 487804 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-10-22 16:50 . 2009-10-02 14:47 422263 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-10-19 20:15 . 2009-11-06 17:17 127800 ----a-w- c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\x1zugjt3.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 00:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-05-30 544768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-06-17 817672]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-09 3673600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2009-05-07 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BatteryAlarm.exe [2009-6-21 93184]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-09 18:11 3116032 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2008-03-25 22:24 567560 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=c:\windows\pss\Photags AutoDetect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Robert^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
2008-07-24 14:54 147456

---

w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-04-26 04:36 28672 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-07-24 14:54 167936

---

w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-10-17 13:54 167936

---

w- c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2008-01-29 08:03 303104 ----a-w- c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):88,8b,55,3e,fa,02,ca,01

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\System32\drivers\AlfaFF.sys [09/10/2008 18:11 43184]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};Power Control [2009/05/12 17:14];c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [12/05/2009 16:13 87536]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [17/05/2009 16:35 108289]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03/03/2008 20:11 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [09/10/2008 18:24 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [11/07/2008 13:04 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [26/04/2008 04:36 45056]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [09/10/2008 18:24 122368]
R3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys [09/10/2008 17:38 22072]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\System32\drivers\whfltr2k.sys [18/05/2009 15:50 6784]
R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 14:51 43008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/07/2009 16:09 133104]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [09/10/2008 18:11 3521024]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [26/04/2008 04:36 131072]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\System32\drivers\fantom.sys [10/03/2006 15:55 39424]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21/01/2008 02:23 21504]
S3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\System32\drivers\whmice2k.sys [18/05/2009 15:50 6885]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-20 16:09]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-20 16:09]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=1008&m=aspire_6530g
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=1008&m=aspire_6530g
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\x1zugjt3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\x1zugjt3.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 12:52
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.

---

LOCKED REGISTRY KEYS

---

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.

---

DLLs Loaded Under Running Processes

---

- - - - - - - > 'Explorer.exe'(1696)
c:\advanced wheel mouse\wh_hook.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\System32\SysHook.dll
.
Completion time: 2010-01-17 12:55:24
ComboFix-quarantined-files.txt 2010-01-17 12:55
ComboFix2.txt 2010-01-16 16:37

Pre-Run: 71,657,787,392 bytes free
Post-Run: 71,630,897,152 bytes free

- - End Of File - - 0E927BC046346FE3874326F8A6E5BFF1

KEM

Will download and run SpyBot now.

aliEnRIK

Its not removed those files

Goto the location if gives and try to manually remove them ~
c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_16496df1.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_69525f90.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_4ae13d6c.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_2cd672ae.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_294823.exe
c:\users\Robert\AppData\Roaming\Microsoft\Installe r\{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}\_18be6784.exe