Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 04-28-2009, 05:49 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 3
OS: MS Vista Home Basic


NTOSKRNL-HOOK Generic Rootkit.d!rootkit

I appear to have picked up this NTOSKRNL-HOOK Generic Rootkit.d!rootkit virus whilst surfing the net yesterday. My computer is/should be protected by the McAfee Security Center, however, it hasn't stopped this one and clogged my computer.

Whenever I try to start Windows normally, I get the Blue Screen error, I cannot turn off the restore system points either. I have run the virus scanner numerous times, which has allegedly removed the infection, however, it normally reappears after the restart.

I have done the reports that you have requested, which now follow.
Attached Files
File Type: txt DDS.txt (15.7 KB, 3 views)
File Type: zip attach.zip (3.1 KB, 3 views)

Old 04-29-2009, 01:35 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,633
OS: XP SP3


Re: NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 05-01-2009, 02:26 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 3
OS: MS Vista Home Basic


Re: NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Apologies for delay, please see attached file as asked for.

ComboFix 09-04-28.02 - Psychoca 29/04/2009 1:44.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.2599 [GMT 1:00]
Running from: c:\users\Psychoca\Desktop\CF.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\recycler\S-3-1-78-100007327-100029198-100010583-4544.com
c:\users\Psychoca\AppData\Roaming\.#
c:\windows\system32\drivers\gxvxcvovbdkvxppvtprxchxdtwxeeimfjpspq.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcrrvnrsbynwtepbtiycclidsbbodfvubh.dll
D:\Autorun.inf
d:\recycler\S-3-1-78-100007327-100029198-100010583-4544.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 20:04 . 2009-04-28 20:59 -------- d-----w c:\windows\acerTemp
2009-04-28 09:33 . 2009-04-28 09:33 -------- d--h--w c:\windows\PIF
2009-04-27 20:53 . 2009-04-27 20:53 -------- d-----w c:\users\Psychoca\Option
2009-04-27 20:33 . 2009-04-27 20:33 -------- d-----w c:\progra~2\Arcade Lab
2009-04-27 20:33 . 2009-04-27 20:33 -------- d-----w c:\users\All Users\Arcade Lab
2009-04-16 10:22 . 2009-04-16 10:22 -------- d-----w c:\program files\Common Files\Bcgsoft
2009-04-15 17:50 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 17:50 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-15 17:50 . 2009-03-03 04:46 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-15 17:50 . 2009-03-03 04:46 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-15 17:50 . 2009-03-03 03:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-04-15 17:50 . 2009-03-03 04:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-04-15 17:50 . 2009-03-03 04:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-04-15 17:50 . 2009-03-03 04:37 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-04-15 17:50 . 2009-03-03 04:37 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-04-15 17:50 . 2009-03-03 04:37 54784 ----a-w c:\windows\system32\iasads.dll
2009-04-15 17:50 . 2009-03-03 02:38 17408 ----a-w c:\windows\system32\iashost.exe
2009-04-15 17:49 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-15 17:49 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-15 17:49 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-15 17:49 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-15 17:46 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 17:46 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-14 20:01 . 2009-04-14 20:01 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-14 20:00 . 2009-04-28 20:46 -------- d-----w c:\program files\Norton Security Scan
2009-04-14 17:08 . 2009-04-14 17:08 -------- d-----w c:\progra~2\SpinTop Games
2009-04-14 17:08 . 2009-04-14 17:08 -------- d-----w c:\users\All Users\SpinTop Games
2009-04-14 16:58 . 2009-04-14 16:58 -------- d-----w c:\windows\system32\Adobe
2009-04-14 15:25 . 2009-04-14 15:43 -------- d-----w c:\users\Psychoca\AppData\Local\Microsoft Games
2009-04-06 20:05 . 2009-04-28 21:59 1356 ----a-w c:\users\Psychoca\AppData\Local\d3d9caps.dat
2009-04-06 15:49 . 2009-04-29 00:36 -------- d-----w c:\users\Psychoca\Tracing
2009-04-06 15:49 . 2009-04-06 15:49 -------- d-----w c:\program files\Microsoft
2009-04-06 15:48 . 2009-04-06 15:48 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-06 15:48 . 2009-04-06 15:48 -------- d-----w c:\program files\Windows Live
2009-04-06 15:42 . 2009-04-06 15:42 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-05 13:09 . 2009-04-05 13:09 -------- d-----w c:\users\Psychoca\AppData\Local\Mozilla
2009-04-03 22:44 . 2009-04-05 23:00 -------- d-----w c:\users\Psychoca\AppData\Local\Adobe
2009-04-03 22:21 . 2009-04-03 22:21 -------- d-----w c:\users\Psychoca\AppData\Roaming\PeerNetworking
2009-04-03 20:49 . 2009-04-03 20:49 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-03 20:49 . 2009-04-03 20:49 -------- d-----w c:\program files\Java
2009-04-03 20:41 . 2008-10-22 01:22 2048 ----a-w c:\windows\system32\tzres.dll
2009-04-03 20:33 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-04-03 20:33 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-03 20:33 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe
2009-04-03 20:33 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll
2009-04-03 20:33 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-04-03 20:33 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-04-03 20:33 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-04-03 20:28 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-04-03 20:28 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-04-03 20:28 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-04-03 20:28 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-04-03 20:28 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-04-03 20:27 . 2009-04-03 20:27 -------- d-----w c:\program files\MSXML 4.0
2009-04-03 20:26 . 2008-11-01 03:44 28672 ----a-w c:\windows\system32\Apphlpdm.dll
2009-04-03 20:26 . 2008-11-01 01:21 4240384 ----a-w c:\windows\system32\GameUXLegacyGDFs.dll
2009-04-03 20:26 . 2008-08-28 03:40 425472 ----a-w c:\windows\system32\PhotoMetadataHandler.dll
2009-04-03 20:26 . 2008-08-28 03:40 347136 ----a-w c:\windows\system32\WindowsCodecsExt.dll
2009-04-03 20:26 . 2008-08-28 03:40 712704 ----a-w c:\windows\system32\WindowsCodecs.dll
2009-04-03 20:26 . 2008-08-12 03:39 443392 ----a-w c:\windows\system32\win32spl.dll
2009-04-03 20:25 . 2008-10-21 05:25 296960 ----a-w c:\windows\system32\gdi32.dll
2009-04-03 20:25 . 2008-10-29 06:29 2927104 ----a-w c:\windows\explorer.exe
2009-04-03 20:25 . 2008-09-18 04:56 147456 ----a-w c:\windows\system32\Faultrep.dll
2009-04-03 20:25 . 2008-09-18 04:56 125952 ----a-w c:\windows\system32\wersvc.dll
2009-04-03 20:25 . 2008-10-22 03:57 241152 ----a-w c:\windows\system32\PortableDeviceApi.dll
2009-04-03 20:25 . 2008-09-05 05:14 1191936 ----a-w c:\windows\system32\msxml3.dll
2009-04-03 20:25 . 2008-11-27 04:43 268288 ----a-w c:\windows\system32\schannel.dll
2009-04-03 20:25 . 2008-12-16 02:42 288768 ----a-w c:\windows\system32\drivers\srv.sys
2009-04-03 20:25 . 2008-12-16 05:31 7680 ----a-w c:\windows\system32\spwmp.dll
2009-04-03 20:24 . 2008-12-16 05:31 4096 ----a-w c:\windows\system32\dxmasf.dll
2009-04-03 20:24 . 2008-12-16 03:29 8147456 ----a-w c:\windows\system32\wmploc.DLL
2009-04-03 20:24 . 2008-08-27 01:05 212480 ----a-w c:\windows\system32\drivers\mrxsmb10.sys
2009-04-03 20:24 . 2008-06-23 01:59 2868736 ----a-w c:\windows\system32\mf.dll
2009-04-03 20:24 . 2008-06-23 01:59 996352 ----a-w c:\windows\system32\WMNetMgr.dll
2009-04-03 20:24 . 2008-06-23 01:58 94720 ----a-w c:\windows\system32\logagent.exe
2009-04-03 20:24 . 2008-10-21 05:25 1645568 ----a-w c:\windows\system32\connect.dll
2009-04-03 20:21 . 2009-02-09 03:10 2033152 ----a-w c:\windows\system32\win32k.sys
2009-04-03 20:21 . 2008-09-10 03:40 1334272 ----a-w c:\windows\system32\msxml6.dll
2009-04-03 20:15 . 2008-10-16 21:09 43544 ----a-w c:\windows\system32\wups2.dll
2009-04-03 20:15 . 2008-10-16 21:09 51224 ----a-w c:\windows\system32\wuauclt.exe
2009-04-03 20:15 . 2008-10-16 20:56 1524736 ----a-w c:\windows\system32\wucltux.dll
2009-04-03 20:15 . 2008-10-16 21:13 1809944 ----a-w c:\windows\system32\wuaueng.dll
2009-04-03 20:15 . 2008-10-16 21:08 34328 ----a-w c:\windows\system32\wups.dll
2009-04-03 20:15 . 2008-10-16 20:55 83456 ----a-w c:\windows\system32\wudriver.dll
2009-04-03 20:15 . 2008-10-16 21:12 561688 ----a-w c:\windows\system32\wuapi.dll
2009-04-03 20:14 . 2008-10-16 13:08 162064 ----a-w c:\windows\system32\wuwebv.dll
2009-04-03 20:14 . 2008-10-16 12:56 31232 ----a-w c:\windows\system32\wuapp.exe
2009-04-03 20:04 . 2009-04-03 20:04 -------- d-----w c:\users\Psychoca\AppData\Local\CyberLink
2009-04-03 20:04 . 2009-04-03 20:04 -------- d-----w c:\users\Psychoca\AppData\Local\SoftDMA
2009-04-03 20:04 . 2009-04-03 20:04 -------- d-----w c:\users\Psychoca\AppData\Local\Acer Arcade Deluxe
2009-04-03 20:04 . 2009-04-03 20:04 -------- d-----w c:\users\Psychoca\AppData\Roaming\CyberLink
2009-04-03 20:02 . 2009-04-03 20:02 -------- d-----w c:\users\Psychoca\AppData\Roaming\eSobi
2009-04-03 19:59 . 1999-05-25 13:14 113956 ----a-w c:\windows\system32\eosih.dll
2009-04-03 19:59 . 1998-10-27 09:08 317952 ----a-w c:\windows\system32\ROBOEX32.DLL
2009-04-03 19:59 . 2006-10-16 19:19 194362 ----a-w c:\windows\system32\drivers\windrvr6.sys
2009-04-03 19:57 . 2009-04-16 14:04 -------- d-----w C:\FUTURA 3
2009-04-03 17:03 . 2009-04-27 20:36 -------- d---a-w c:\progra~2\TEMP
2009-04-03 17:03 . 2009-04-27 20:36 -------- d---a-w c:\users\All Users\TEMP
2009-04-03 16:57 . 2009-04-03 20:09 -------- d-----w c:\users\Psychoca\AppData\Local\PlayMovie
2009-04-03 16:56 . 2009-04-03 20:09 -------- d-----w c:\users\Psychoca\AppData\Local\PowerCinema
2009-04-03 16:56 . 2009-04-03 16:56 71280 ----a-w c:\users\Psychoca\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-03 16:56 . 2009-04-03 16:56 -------- d-----r c:\users\Psychoca\Searches
2009-04-03 16:56 . 2009-04-03 16:56 -------- d-----r c:\users\Psychoca\Music
2009-04-03 16:56 . 2009-04-03 22:13 -------- d-----r c:\users\Psychoca\Pictures
2009-04-03 16:56 . 2009-04-03 16:56 -------- d-----r c:\users\Psychoca\Videos
2009-04-03 16:56 . 2009-04-15 23:23 -------- d-----r c:\users\Psychoca\Contacts
2009-04-03 16:55 . 2009-04-11 23:26 -------- d-----w c:\users\Psychoca\AppData\Local\Google
2009-04-03 16:55 . 2009-04-03 20:15 -------- d-----w c:\users\All Users\Google
2009-04-03 16:54 . 2009-04-03 22:36 -------- d-----w c:\program files\Google
2009-04-03 16:48 . 2009-04-03 16:48 -------- d-----r c:\windows\system32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 17:47 . 2008-05-15 05:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-27 15:40 . 2008-05-15 05:29 -------- d-----w c:\program files\McAfee
2009-04-16 09:34 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-07 08:44 . 2008-05-15 05:33 -------- d-----w c:\program files\Microsoft Works
2009-04-03 20:00 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-03 20:00 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-04-03 20:00 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-03 16:57 . 2008-05-15 05:50 -------- d-----w c:\program files\Acer
2009-03-25 10:06 . 2008-05-15 05:30 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2008-05-15 05:30 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2008-05-15 05:30 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2008-05-15 05:30 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2008-05-15 05:30 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-17 03:38 . 2009-04-15 17:49 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-03 04:40 . 2009-04-15 23:17 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:37 . 2009-04-15 23:17 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 02:28 . 2009-04-15 23:17 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2008-01-21 02:57 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2008-12-21 17:02 . 2008-12-21 17:01 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D1E749E8-1CEC-42A6-A482-8E26BA47788F}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{46CF3DE6-7CED-455F-BF34-3CB090160DC7}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F158F2D0-605A-4BD0-A632-7B1567DE160F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B39A49E9-AADB-4276-A93B-4A234B3D69D2}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{27480808-AC70-4095-8647-9F9FE9589456}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{3E14A432-0D12-40F1-A325-D652791133CC}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{9AAC521E-278C-470D-9755-3E2B45AEE29F}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{2B96FE96-251A-4DAB-904E-9BFAF0F46EB3}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{C440B538-21A8-4860-9EA7-0FF7F6CC79F2}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{9757E8EB-4726-419A-840D-8142ABA407DC}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8B533F48-8C72-4A62-8CDE-5FFA8F8686E5}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{BF14971B-1CE3-40B5-92B9-16EAC521A9D0}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe:Acer Play Movie
"{78C0F7ED-AD03-4524-AA58-B94ADDC54609}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{DAB44904-2ABE-423A-AC76-35882E87E0F6}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:Acer HomeMedia

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-11 210216]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-04-03 24064]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2008-07-01 388096]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{944ef136-cf7a-11dd-917e-806e6f6e6963}]
\shell\AutoRun\command - E:\FuturaStart.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1208&m=aspire_5735
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=1208&m=aspire_5735
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Psychoca\AppData\Roaming\Mozilla\Firefox\Profiles\gry8spgt.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 01:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcpvxtbeyluvwtofhteioyltopswejqxtc.sys"

[HKEY_USERS\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_USERS\SYSTEM\ControlSet003\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcpvxtbeyluvwtofhteioyltopswejqxtc.sys"
.
Completion time: 2009-04-29 1:46
ComboFix-quarantined-files.txt 2009-04-29 00:46

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 87,088,087,040 bytes free

272 --- E O F --- 2009-04-15 23:55
Attached Files
File Type: txt ComboFix.txt (19.5 KB, 2 views)

Last edited by chemist; 05-01-2009 at 03:51 PM.
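Added example (not code from this thread, from ComboFix, or from its author): a small Python triage script that parses the sections of the log above that matter in this case and flags the gxvxc* entries. The section and key layout is inferred from the posted log, and the random-name heuristic and its thresholds are an assumption tuned on it.

```python
"""Triage the ComboFix log sections that matter in a rootkit case like
this one. Assumed layout: '(((( Title ))))' and '--- Title ---' headers,
then '[key]' + 'name=value' blocks in LOCKED REGISTRY KEYS."""
import re
from dataclasses import dataclass

# Constructed sample: excerpts of the log posted in this thread, plus one
# legitimate McAfee service block (constructed) as a control.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Previous Run -------
.
c:\windows\system32\drivers\gxvxcvovbdkvxppvtprxchxdtwxeeimfjpspq.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcrrvnrsbynwtepbtiycclidsbbodfvubh.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcpvxtbeyluvwtofhteioyltopswejqxtc.sys"

[HKEY_USERS\SYSTEM\ControlSet001\Services\mfehidk]
"start"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\mfehidk.sys"
"""

SECTION_RE = re.compile(r"^\(+\s*([^()]+?)\s*\)+$|^-{3,}\s*([A-Za-z /]+?)\s*-{3,}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?([^"=]+)"?=(.*)$')


@dataclass
class Finding:
    kind: str
    detail: str


def split_sections(text):
    """Map each section title to its body lines ('.' filler and blanks dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1) or m.group(2)).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_blocks(lines):
    """Turn '[key]' followed by 'name=value' lines into {key: {name: value}}."""
    blocks, key = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            blocks[key] = {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            blocks[key][m.group(1).lower()] = m.group(2)
    return blocks


def longest_consonant_run(stem):
    runs = re.findall(r"[b-df-hj-np-tv-z]+", stem.lower())
    return max((len(r) for r in runs), default=0)


def looks_random(stem):
    """Heuristic (assumption, tuned on this log): the rootkit's driver stems are
    ~37 chars of consonant soup; legitimate stems are short or pronounceable."""
    return len(stem) >= 20 and longest_consonant_run(stem) >= 6


def image_stem(value):
    """'expand:"\\systemroot\\...\\name.sys"' -> 'name'."""
    path = value.split("expand:", 1)[-1].strip('"')
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def triage(text):
    sections = split_sections(text)
    findings = []
    # 1. Files ComboFix already deleted that carry random-looking names.
    for path in [l for t in ("Other Deletions", "Previous Run") for l in sections.get(t, [])]:
        if looks_random(re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]):
            findings.append(Finding("deleted_random_name", path))
    # 2. Services ComboFix removed.
    for line in sections.get("Drivers/Services", []):
        if "\\Service_" in line:
            findings.append(Finding("service_removed", line.split("\\Service_", 1)[1]))
    # 3. An ACL-locked service key pointing at a random-named driver. In the log
    #    above that name differs from the deleted .sys, so match on the pattern,
    #    never on an exact filename.
    for key, vals in parse_registry_blocks(sections.get("LOCKED REGISTRY KEYS", [])).items():
        stem = image_stem(vals.get("imagepath", ""))
        if "\\services\\" in key.lower() and "@dacl" in vals and looks_random(stem):
            findings.append(Finding("locked_service_random_driver", f"{key} -> {stem}.sys"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:30} {f.detail}")
```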
Old 05-01-2009, 04:27 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,633
OS: XP SP3


Re: NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello, Psychoca. Please tell us how your system is behaving. Is Normal Mode working now?

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Right-click ATF-Cleaner.exe and choose Run as Administrator to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista, you must open the Web browser via a right-click using the Run as Administrator command.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 05-06-2009, 11:37 AM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 3
OS: MS Vista Home Basic


Re: NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Many apologies for the delay, but, everything appears to be fine on my computer and Kaspersky didn't report anything untoward on the computer either.

Many thanks for your help.
Old 05-06-2009, 01:49 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,633
OS: XP SP3


Re: NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable McAfee before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE