
Topic: UACd.sys Virus and Vista services not starting


vlogg5

    Topic Starter


    Rookie
    UACd.sys Virus and Vista services not starting
    « on: August 05, 2010, 07:31:19 PM »
    Hi,
    A client of mine keeps her Vista computer on all the time. Her power went out. She rebooted her computer and now most of her services, when I boot into regular mode (not Safe Mode), don't start. Even the automatic ones. I can't start these services. The error message is "Can't start service in Safe Mode". The computer is behaving as though "Safe Mode" "Minimal" has been chosen in the General section of msconfig.
    1) She was running an outdated version of AVG.

    2) I set up her HDD as a slave and, following your guidelines, I did several antivirus scans (CCleaner, Super and MBAM) and they found (removed?) the UACd.sys trojan and something to do with Flash Player. I ran Avenger and it seemed to get rid of the UACd.sys trojan.

    3) F8 into the real safe mode works fine.

    4) I have run TDSSKiller and ComboFix (see the logs below).

    5) There are no restore points on the computer.

    6) It appears to me that, upon normal startup, "Safe Boot - Minimal" is running even though, through msconfig, "Normal" is checked off.

    7) ComboFix has a few registry entries that refer to "Safemode .... @=service". Is that normal?

    Here are the 2 log files. I had to run ComboFix and TDSSKiller while supposedly running Norton and actually running Windows Live OneCare, because none of the settings I try to save in msconfig will save.

    TDSSKiller didn't find anything, but ComboFix deleted some files. Also, I notice that at the very end of the ComboFix log there is a locked registry key that seems important (locked to Users, Everyone) but available to "@Allowed: (B 1 2 3 4 5) (S-1-5-20)" ???? The user name of this Vista computer is "User".
    I should add that these scans were NOT done using F8 (Safe Mode), but I notice a lot of ComboFix Safe Mode entries and the computer only seems to be loading the services that Safe Mode would.
    Thanks

    2010/08/04 16:16:28.0445      TDSS rootkit removing tool 2.4.1.0 Aug  4 2010 15:06:41
    2010/08/04 16:16:28.0445      ================================================================================
    2010/08/04 16:16:28.0445      SystemInfo:
    2010/08/04 16:16:28.0445     
    2010/08/04 16:16:28.0445      OS Version: 6.0.6001 ServicePack: 1.0
    2010/08/04 16:16:28.0445      Product type: Workstation
    2010/08/04 16:16:28.0445      ComputerName: USER-PC
    2010/08/04 16:16:28.0445      UserName: User
    2010/08/04 16:16:28.0445      Windows directory: C:\Windows
    2010/08/04 16:16:28.0445      System windows directory: C:\Windows
    2010/08/04 16:16:28.0445      Processor architecture: Intel x86
    2010/08/04 16:16:28.0445      Number of processors: 2
    2010/08/04 16:16:28.0445      Page size: 0x1000
    2010/08/04 16:16:28.0445      Boot type: Normal boot
    2010/08/04 16:16:28.0445      ================================================================================
    2010/08/04 16:16:29.0335      Initialize success
    2010/08/04 16:16:33.0921      ================================================================================
    2010/08/04 16:16:33.0921      Scan started
    2010/08/04 16:16:33.0921      Mode: Manual;
    2010/08/04 16:16:33.0921      ================================================================================
    2010/08/04 16:16:35.0980      ACPI            (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
    2010/08/04 16:16:36.0058      adp94xx         (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    2010/08/04 16:16:36.0105      adpahci         (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
    2010/08/04 16:16:36.0136      adpu160m        (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
    2010/08/04 16:16:36.0183      adpu320         (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
    2010/08/04 16:16:36.0323      AFD             (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
    2010/08/04 16:16:36.0433      agp440          (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
    2010/08/04 16:16:36.0542      aic78xx         (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    2010/08/04 16:16:36.0635      aliide          (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
    2010/08/04 16:16:36.0713      amdagp          (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
    2010/08/04 16:16:36.0791      amdide          (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
    2010/08/04 16:16:36.0869      AmdK7           (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
    2010/08/04 16:16:36.0932      AmdK8           (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
    2010/08/04 16:16:37.0041      arc             (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
    2010/08/04 16:16:37.0119      arcsas          (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
    2010/08/04 16:16:37.0228      AsyncMac        (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    2010/08/04 16:16:37.0322      atapi           (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
    2010/08/04 16:16:37.0525      AvgLdx86        (b8c187439d27aba430dd69fdcf1fa657) C:\Windows\system32\Drivers\avgldx86.sys
    2010/08/04 16:16:37.0696      AvgMfx86        (53b3f979930a786a614d29cafe99f645) C:\Windows\system32\Drivers\avgmfx86.sys
    2010/08/04 16:16:37.0837      AvgTdiX         (22e3b793c3e61720f03d3a22351af410) C:\Windows\system32\Drivers\avgtdix.sys
    2010/08/04 16:16:37.0993      Beep            (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    2010/08/04 16:16:38.0164      bowser          (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
    2010/08/04 16:16:38.0258      BrFiltLo        (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    2010/08/04 16:16:38.0320      BrFiltUp        (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    2010/08/04 16:16:38.0367      Brserid         (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    2010/08/04 16:16:38.0414      BrSerWdm        (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    2010/08/04 16:16:38.0461      BrUsbMdm        (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    2010/08/04 16:16:38.0476      BrUsbSer        (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    2010/08/04 16:16:38.0523      BTHMODEM        (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    2010/08/04 16:16:38.0601      cdfs            (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    2010/08/04 16:16:38.0663      cdrom           (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
    2010/08/04 16:16:38.0726      circlass        (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
    2010/08/04 16:16:38.0866      CLFS            (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
    2010/08/04 16:16:38.0960      cmdide          (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
    2010/08/04 16:16:39.0022      Compbatt        (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
    2010/08/04 16:16:39.0131      crcdisk         (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
    2010/08/04 16:16:39.0225      Crusoe          (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
    2010/08/04 16:16:39.0443      DfsC            (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
    2010/08/04 16:16:39.0755      disk            (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
    2010/08/04 16:16:40.0239      drmkaud         (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    2010/08/04 16:16:40.0348      DXGKrnl         (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
    2010/08/04 16:16:40.0535      E1G60           (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
    2010/08/04 16:16:40.0676      Ecache          (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
    2010/08/04 16:16:40.0847      elxstor         (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
    2010/08/04 16:16:41.0081      exfat           (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
    2010/08/04 16:16:41.0206      fastfat         (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
    2010/08/04 16:16:41.0315      fdc             (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
    2010/08/04 16:16:41.0409      FileInfo        (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    2010/08/04 16:16:41.0518      Filetrace       (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    2010/08/04 16:16:41.0596      flpydisk        (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
    2010/08/04 16:16:41.0690      FltMgr          (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
    2010/08/04 16:16:41.0768      Fs_Rec          (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    2010/08/04 16:16:41.0846      gagp30kx        (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
    2010/08/04 16:16:41.0955      GEARAspiWDM     (f2f431d1573ee632975c524418655b84) C:\Windows\system32\Drivers\GEARAspiWDM.sys
    2010/08/04 16:16:42.0127      HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    2010/08/04 16:16:42.0189      HDAudBus        (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
    2010/08/04 16:16:42.0236      HidBth          (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    2010/08/04 16:16:42.0314      HidIr           (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    2010/08/04 16:16:42.0376      HidUsb          (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\drivers\hidusb.sys
    2010/08/04 16:16:42.0532      HpCISSs         (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
    2010/08/04 16:16:42.0657      HSF_DP          (88749fbf8beb18c90e7d6626c8c1910b) C:\Windows\system32\DRIVERS\HSX_DP.sys
    2010/08/04 16:16:42.0782      HSXHWBS2        (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
    2010/08/04 16:16:42.0891      HTTP            (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
    2010/08/04 16:16:43.0000      i2omp           (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
    2010/08/04 16:16:43.0109      i8042prt        (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    2010/08/04 16:16:43.0219      iaStorV         (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
    2010/08/04 16:16:43.0328      iirsp           (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    2010/08/04 16:16:43.0499      IntcAzAudAddService (edc37b918e583a5a813c53d4f5588255) C:\Windows\system32\drivers\RTKVHDA.sys
    2010/08/04 16:16:43.0718      intelide        (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
    2010/08/04 16:16:43.0796      intelppm        (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
    2010/08/04 16:16:43.0889      IpFilterDriver  (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    2010/08/04 16:16:43.0999      IPMIDRV         (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
    2010/08/04 16:16:44.0061      IPNAT           (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    2010/08/04 16:16:44.0139      IRENUM          (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    2010/08/04 16:16:44.0186      isapnp          (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
    2010/08/04 16:16:44.0248      iScsiPrt        (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
    2010/08/04 16:16:44.0279      iteatapi        (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    2010/08/04 16:16:44.0357      iteraid         (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    2010/08/04 16:16:44.0435      kbdclass        (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    2010/08/04 16:16:44.0545      kbdhid          (d2600cb17b7408b4a83f231dc9a11ac3) C:\Windows\system32\drivers\kbdhid.sys
    2010/08/04 16:16:44.0669      KSecDD          (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
    2010/08/04 16:16:44.0810      lltdio          (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    2010/08/04 16:16:44.0935      LSI_FC          (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
    2010/08/04 16:16:44.0982      LSI_SAS         (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
    2010/08/04 16:16:45.0044      LSI_SCSI        (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
    2010/08/04 16:16:45.0122      luafv           (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    2010/08/04 16:16:45.0231      mdmxsdk         (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
    2010/08/04 16:16:45.0356      megasas         (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
    2010/08/04 16:16:45.0434      Modem           (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    2010/08/04 16:16:45.0496      monitor         (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    2010/08/04 16:16:45.0606      mouclass        (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    2010/08/04 16:16:45.0668      mouhid          (a3a6dff7e9e757db3df51a833bc28885) C:\Windows\system32\drivers\mouhid.sys
    2010/08/04 16:16:45.0746      MountMgr        (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    2010/08/04 16:16:45.0793      MpFilter        (8bf5b8c88b83afa326ef090d8b5a77c6) C:\Windows\system32\DRIVERS\MpFilter.sys
    2010/08/04 16:16:45.0980      mpio            (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    2010/08/04 16:16:46.0089      mpsdrv          (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    2010/08/04 16:16:46.0152      Mraid35x        (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    2010/08/04 16:16:46.0214      MREMP50         (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    2010/08/04 16:16:46.0261      MRESP50         (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    2010/08/04 16:16:46.0386      MRxDAV          (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
    2010/08/04 16:16:46.0464      mrxsmb          (7afc42e60432fd1014f5342f2b1b1f74) C:\Windows\system32\DRIVERS\mrxsmb.sys
    2010/08/04 16:16:46.0495      mrxsmb10        (8a75752ae17924f65452746674b14b78) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    2010/08/04 16:16:46.0588      mrxsmb20        (f4d0f3252e651f02be64984ffa738394) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    2010/08/04 16:16:46.0635      msahci          (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
    2010/08/04 16:16:46.0698      msdsm           (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    2010/08/04 16:16:46.0760      Msfs            (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    2010/08/04 16:16:46.0807      MSFWDrv         (3a6b23341e250f9a9759e3e6b462a699) C:\Windows\system32\DRIVERS\msfwdrv.sys
    2010/08/04 16:16:46.0854      MSFWHLPR        (357eba1d9693ac45887c534667a9fc58) C:\Windows\system32\DRIVERS\msfwhlpr.sys
    2010/08/04 16:16:46.0932      msisadrv        (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    2010/08/04 16:16:47.0025      MSKSSRV         (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    2010/08/04 16:16:47.0072      MSPCLOCK        (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    2010/08/04 16:16:47.0103      MSPQM           (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    2010/08/04 16:16:47.0150      MsRPC           (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
    2010/08/04 16:16:47.0197      mssmbios        (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    2010/08/04 16:16:47.0244      MSTEE           (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    2010/08/04 16:16:47.0306      Mup             (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
    2010/08/04 16:16:47.0384      NativeWifiP     (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
    2010/08/04 16:16:47.0478      NDIS            (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
    2010/08/04 16:16:47.0524      NdisTapi        (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    2010/08/04 16:16:47.0602      Ndisuio         (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    2010/08/04 16:16:47.0649      NdisWan         (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
    2010/08/04 16:16:47.0727      NDProxy         (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    2010/08/04 16:16:47.0805      NetBIOS         (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    2010/08/04 16:16:47.0883      netbt           (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
    2010/08/04 16:16:48.0008      nfrd960         (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    2010/08/04 16:16:48.0102      Npfs            (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
    2010/08/04 16:16:48.0164      nsiproxy        (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    2010/08/04 16:16:48.0258      Ntfs            (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
    2010/08/04 16:16:48.0382      ntrigdigi       (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    2010/08/04 16:16:48.0445      Null            (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    2010/08/04 16:16:48.0570      NVENETFD        (74c825c573aa6e115590d94e7bf86901) C:\Windows\system32\DRIVERS\nvmfdx32.sys
    2010/08/04 16:16:48.0850      nvlddmkm        (e633e4e0e6a65fea569dc2773f1c6d58) C:\Windows\system32\DRIVERS\nvlddmkm.sys
    2010/08/04 16:16:49.0147      nvraid          (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    2010/08/04 16:16:49.0225      nvstor          (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
    2010/08/04 16:16:49.0303      nvstor32        (a1ce1a6fd74c046f029448fcfa5e386d) C:\Windows\system32\DRIVERS\nvstor32.sys
    2010/08/04 16:16:49.0381      nv_agp          (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    2010/08/04 16:16:49.0521      ohci1394        (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
    2010/08/04 16:16:49.0615      Parport         (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
    2010/08/04 16:16:49.0662      partmgr         (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
    2010/08/04 16:16:49.0693      Parvdm          (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
    2010/08/04 16:16:49.0755      pci             (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
    2010/08/04 16:16:49.0818      pciide          (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
    2010/08/04 16:16:49.0911      pcmcia          (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    2010/08/04 16:16:50.0317      PEAUTH          (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    2010/08/04 16:16:50.0738      PptpMiniport    (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    2010/08/04 16:16:50.0785      Processor       (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
    2010/08/04 16:16:50.0878      Ps2             (390c204ced3785609ab24e9c52054a84) C:\Windows\system32\DRIVERS\PS2.sys
    2010/08/04 16:16:50.0941      PSched          (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
    2010/08/04 16:16:51.0003      PxHelp20        (d86b4a68565e444d76457f14172c875a) C:\Windows\system32\Drivers\PxHelp20.sys
    2010/08/04 16:16:51.0081      ql2300          (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
    2010/08/04 16:16:51.0190      ql40xx          (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    2010/08/04 16:16:51.0315      QWAVEdrv        (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    2010/08/04 16:16:51.0378      RasAcd          (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    2010/08/04 16:16:51.0440      Rasl2tp         (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    2010/08/04 16:16:51.0518      RasPppoe        (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
    2010/08/04 16:16:51.0565      RasSstp         (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
    2010/08/04 16:16:51.0612      rdbss           (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
    2010/08/04 16:16:51.0721      RDPCDD          (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    2010/08/04 16:16:51.0814      rdpdr           (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
    2010/08/04 16:16:51.0892      RDPENCDD        (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    2010/08/04 16:16:52.0017      RDPWD           (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
    2010/08/04 16:16:52.0142      rspndr          (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    2010/08/04 16:16:52.0220      SASDIFSV        (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/08/04 16:16:52.0267      SASENUM         (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2010/08/04 16:16:52.0298      SASKUTIL        (81c02ea5f88ca4125e579384dfd75e3a) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2010/08/04 16:16:52.0392      sbp2port        (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    2010/08/04 16:16:52.0501      secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    2010/08/04 16:16:52.0579      Serenum         (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
    2010/08/04 16:16:52.0626      Serial          (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
    2010/08/04 16:16:52.0688      sermouse        (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    2010/08/04 16:16:52.0797      sffdisk         (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
    2010/08/04 16:16:52.0875      sffp_mmc        (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
    2010/08/04 16:16:52.0938      sffp_sd         (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
    2010/08/04 16:16:53.0016      sfloppy         (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    2010/08/04 16:16:53.0109      sisagp          (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
    2010/08/04 16:16:53.0172      SiSRaid2        (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
    2010/08/04 16:16:53.0234      SiSRaid4        (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
    2010/08/04 16:16:53.0312      Smb             (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
    2010/08/04 16:16:53.0406      spldr           (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    2010/08/04 16:16:53.0530      srv             (8e5fc19b3b38364c5f44ccecec5248e9) C:\Windows\system32\DRIVERS\srv.sys
    2010/08/04 16:16:53.0640      srv2            (4ceeb95e0b79e48b81f2da0a6c24c64b) C:\Windows\system32\DRIVERS\srv2.sys
    2010/08/04 16:16:53.0733      srvnet          (f9c65e1e00a6bbf7c57d9b8ea068c525) C:\Windows\system32\DRIVERS\srvnet.sys
    2010/08/04 16:16:53.0858      swenum          (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    2010/08/04 16:16:53.0920      Symc8xx         (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    2010/08/04 16:16:53.0983      Sym_hi          (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    2010/08/04 16:16:54.0045      Sym_u3          (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    2010/08/04 16:16:54.0186      Tcpip           (2eae4500984c2f8dacfb977060300a15) C:\Windows\system32\drivers\tcpip.sys
    2010/08/04 16:16:54.0295      Tcpip6          (2eae4500984c2f8dacfb977060300a15) C:\Windows\system32\DRIVERS\tcpip.sys
    2010/08/04 16:16:54.0388      tcpipreg        (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
    2010/08/04 16:16:54.0435      TDPIPE          (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    2010/08/04 16:16:54.0498      TDTCP           (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    2010/08/04 16:16:54.0576      tdx             (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
    2010/08/04 16:16:54.0654      TermDD          (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
    2010/08/04 16:16:54.0763      tssecsrv        (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    2010/08/04 16:16:54.0794      tunmp           (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    2010/08/04 16:16:54.0856      tunnel          (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
    2010/08/04 16:16:54.0888      uagp35          (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
    2010/08/04 16:16:54.0950      udfs            (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
    2010/08/04 16:16:55.0012      uliagpkx        (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
    2010/08/04 16:16:55.0059      uliahci         (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
    2010/08/04 16:16:55.0090      UlSata          (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    2010/08/04 16:16:55.0137      ulsata2         (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    2010/08/04 16:16:55.0184      umbus           (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    2010/08/04 16:16:55.0246      USBAAPL         (7c9f1503245402b01c79bdfa8731cb2a) C:\Windows\system32\Drivers\usbaapl.sys
    2010/08/04 16:16:55.0293      usbccgp         (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    2010/08/04 16:16:55.0324      usbcir          (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    2010/08/04 16:16:55.0387      usbehci         (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
    2010/08/04 16:16:55.0434      usbhub          (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
    2010/08/04 16:16:55.0496      usbohci         (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
    2010/08/04 16:16:55.0527      usbprint        (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    2010/08/04 16:16:55.0574      usbscan         (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
    2010/08/04 16:16:55.0652      USBSTOR         (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    2010/08/04 16:16:55.0714      usbuhci         (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
    2010/08/04 16:16:55.0870      vga             (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
    2010/08/04 16:16:55.0948      VgaSave         (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    2010/08/04 16:16:56.0011      viaagp          (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
    2010/08/04 16:16:56.0073      ViaC7           (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
    2010/08/04 16:16:56.0151      viaide          (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
    2010/08/04 16:16:56.0214      volmgr          (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    2010/08/04 16:16:56.0276      volmgrx         (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
    2010/08/04 16:16:56.0323      volsnap         (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
    2010/08/04 16:16:56.0448      vsmraid         (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
    2010/08/04 16:16:56.0572      WacomPen        (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    2010/08/04 16:16:56.0650      Wanarp          (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2010/08/04 16:16:56.0697      Wanarpv6        (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2010/08/04 16:16:56.0775      Wd              (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
    2010/08/04 16:16:56.0869      Wdf01000        (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    2010/08/04 16:16:57.0025      winachsf        (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
    2010/08/04 16:16:57.0228      WmiAcpi         (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
    2010/08/04 16:16:57.0321      WpdUsb          (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
    2010/08/04 16:16:57.0384      ws2ifsl         (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2010/08/04 16:16:57.0493      WUDFRd          (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    2010/08/04 16:16:57.0586      XAudio          (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
    2010/08/04 16:16:57.0633      ================================================================================
    2010/08/04 16:16:57.0633      Scan finished
    2010/08/04 16:16:57.0633      ================================================================================

    Combo
    ComboFix 10-08-04.04 - User 04/08/2010  16:28:47.1.2 - x86 NETWORK
    Running from: c:\users\User\Desktop\ComboFix.exe
    AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
    SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: Windows Live OneCare *enabled* (Outdated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
     * Created a new restore point
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    c:\program files\Common Files\Uninstall
    c:\windows\system32\gotomon.log
    c:\windows\winhelp.ini

    .
    (((((((((((((((((((((((((   Files Created from 2010-07-04 to 2010-08-04  )))))))))))))))))))))))))))))))
    .

    2010-08-02 20:01 . 2010-08-02 20:01      --------      d-----w-      c:\users\User\AppData\Local\AVG Security Toolbar
    2010-08-02 19:10 . 2010-08-02 19:10      12536      ----a-w-      c:\windows\system32\avgrsstx.dll
    2010-08-02 19:10 . 2010-08-02 19:10      243024      ----a-w-      c:\windows\system32\drivers\avgtdix.sys
    2010-08-02 19:10 . 2010-08-02 19:10      216400      ----a-w-      c:\windows\system32\drivers\avgldx86.sys
    2010-08-02 19:10 . 2010-08-02 19:10      29584      ----a-w-      c:\windows\system32\drivers\avgmfx86.sys
    2010-08-02 19:10 . 2010-08-02 19:10      --------      d-----w-      c:\windows\system32\drivers\Avg
    2010-08-02 19:10 . 2010-08-02 19:12      --------      d-----w-      c:\programdata\AVG Security Toolbar
    2010-08-02 19:07 . 2010-08-02 19:07      --------      d-----w-      c:\program files\AVG
    2010-08-02 19:07 . 2010-08-02 19:07      --------      d-----w-      c:\programdata\avg9
    2010-07-29 20:29 . 2009-09-10 20:54      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-29 20:29 . 2009-09-10 20:53      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
    2010-07-28 23:45 . 2010-02-22 21:58      111472      ----a-w-      c:\windows\system32\gotomon.dll
    2010-07-28 23:45 . 2010-07-28 23:45      --------      d-----w-      c:\programdata\CitrixLogs
    2010-07-28 23:45 . 2010-07-28 23:45      --------      d-----w-      c:\program files\Citrix

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-29 20:29 . 2009-07-11 22:22      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
    2010-07-28 23:45 . 2007-02-26 11:50      --------      d--h--w-      c:\program files\InstallShield Installation Information
    2010-07-28 23:45 . 2009-07-11 19:00      7046096      ----a-w-      c:\users\User\gosetup.exe
    2010-07-28 22:02 . 2007-05-04 23:43      104968      ----a-w-      c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-07-28 20:16 . 2009-10-13 23:09      8702      ----a-w-      c:\programdata\Intuit\QuickBooks 2010\qbbackup.sys
    2010-07-27 22:37 . 2008-05-07 17:17      --------      d-----w-      c:\program files\TELUS
    2010-07-27 22:32 . 2008-05-07 17:17      --------      d-----w-      c:\program files\Common Files\Motive
    2010-07-05 14:20 . 2009-08-20 13:08      4790      ----a-w-      c:\programdata\Intuit\QuickBooks 2009\qbbackup.sys
    2010-07-02 20:05 . 2008-04-09 20:36      5215      ----a-w-      c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys
    2010-06-16 08:49 . 2010-01-06 17:53      869720      ----a-w-      c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB19\Patch\qbpatch.exe
    2010-06-09 09:13 . 2007-02-26 12:09      --------      d-----w-      c:\programdata\Microsoft Help
    2010-05-26 16:16 . 2010-06-09 08:04      34304      ----a-w-      c:\windows\system32\atmlib.dll
    2010-05-26 14:25 . 2010-06-09 08:04      289792      ----a-w-      c:\windows\system32\atmfd.dll
    2010-05-19 18:08 . 2007-05-18 03:34      32204      ----a-w-      c:\users\User\AppData\Roaming\wklnhst.dat
    2009-08-20 12:59 . 2009-08-20 12:59      156672      ----a-w-      c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2007-05-05 01:03 . 2007-05-05 01:03      22      --sha-w-      c:\windows\SMINST\HPCD.sys
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 16:25      2117704      ----a-w-      c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-26 185896]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-5-13 155648]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-4-23 984408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 18:05      356352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
    2010-08-02 19:09      2065760      ----a-w-      c:\progra~1\AVG\AVG9\avgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33      125952      ----a-w-      c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-08-20 12:59      240640      ----a-w-      c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2009-09-10 20:53      1312080      ----a-w-      c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2007-01-19 18:54      5674352      ----a-w-      c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
    2008-06-25 12:48      67112      ----a-w-      c:\program files\Microsoft Windows OneCare Live\winssnotify.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 23:18      413696      ----a-w-      c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2008-01-19 07:33      1233920      ----a-w-      c:\program files\Windows Sidebar\sidebar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelusWCC_McciTrayApp]
    2006-03-10 18:01      543232      ----a-w-      c:\program files\TELUS\TELUS Wireless Connection Manager\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38      1008184      ----a-w-      c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-990125176-944587770-2669064476-1000]
    "EnableNotificationsRef"=dword:00000001

    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
    R4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]
    R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-08-02 921440]
    R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-08-02 308136]
    R4 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-06-25 28200]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-08-02 216400]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-08-02 243024]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMD24
    *Deregistered* - klmd24
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

    2010-07-11 c:\windows\Tasks\HPCeeScheduleForUser.job
    - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-02-26 23:04]

    2010-08-04 c:\windows\Tasks\User_Feed_Synchronization-{587B1253-BAD8-4DD6-AF62-A8FE1A6DE9A8}.job
    - c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab
    FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\smx7430q.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    MSConfigStartUp-TELUS_McciTrayApp - c:\program files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
    MSConfigStartUp-TEPA - c:\program files\TELUS\eProtect Advisor\TEPA.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-04 16:42
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:00000020
    .
    Completion time: 2010-08-04  16:47:22
    ComboFix-quarantined-files.txt  2010-08-04 22:47

    Pre-Run: 173,447,487,488 bytes free
    Computer Repair Person

    tapere

    • Guest
    Re: UACd.sys Virus and Vista services not starting
    « Reply #1 on: August 06, 2010, 04:27:13 AM »
    I've got exactly the same problem - happened following a regular (power off) shutdown and start-up. In msconfig if I set Normal start up, safe mode boot automatically gets set. If I clear safe mode boot then selective start up automatically gets set. I've run Symantec stinger which found and removed Exploit CVE and FalseAlert DZ but makes no difference. This must be malware as I can't access virus protection sites (e.g. McAfee, Symantec etc) - I have tried to stop the dnscache service in command mode using "net stop dnscache" but this fails. Any attempts to start services hang.

    vlogg5

      Topic Starter


      Rookie
      • Certifications: List
      • Experience: Experienced
      • OS: Other
      Re: UACd.sys Virus and Vista services not starting
      « Reply #2 on: August 06, 2010, 11:06:46 AM »
      I believe the UACd.sys virus has made permanent changes to services permissions (DCOM?).
      Computer Repair Person

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: UACd.sys Virus and Vista services not starting
      « Reply #3 on: August 09, 2010, 06:21:02 PM »
      vlogg5. Sorry for being so late in getting to your thread. Everyone is so busy and it seems everyone's computer is infected. Do you still need help?
      Windows 8 and Windows 10 dual boot with two SSD's

      vlogg5

        Topic Starter


        Rookie
        • Certifications: List
        • Experience: Experienced
        • OS: Other
        Re: UACd.sys Virus and Vista services not starting
        « Reply #4 on: August 10, 2010, 12:40:14 PM »
        No problem.
        I have done a lot of digging and this is the first virus (UACd.sys or possibly one of the others found) that has  stumped me. I believe it has changed the registry so that services don't start. I believe the computer is clean now but I don't mind starting at the beg.
        I am a repair person. I have UBCD4Win, another Vista O\S (i.e. I can run the infected one externally), etc. available.
        Any help would be appreciated.
        Thks
        Computer Repair Person

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: UACd.sys Virus and Vista services not starting
        « Reply #5 on: August 10, 2010, 01:21:59 PM »
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        The first thing I will need you to do is to go to this link and follow the directions precisely. If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. If you can't run any step, just jump to the next one. Please let me know how you are doing or have any questions. Initially, I will need the SuperAntiSpyware, MBAM and HJT logs. Please post any logs that you can generate.
        Windows 8 and Windows 10 dual boot with two SSD's

        vlogg5

          Topic Starter


          Rookie
          • Certifications: List
          • Experience: Experienced
          • OS: Other
          Re: UACd.sys Virus and Vista services not starting
          « Reply #6 on: August 11, 2010, 02:18:15 PM »
          SuperDave,
          The client needs her computer back for a few days (Quickbooks).
          I will follow the procedures as outlined and get back to you when
          I get it back.
          Thanks
          Computer Repair Person

          vlogg5

            Topic Starter


            Rookie
            • Certifications: List
            • Experience: Experienced
            • OS: Other
            Re: UACd.sys Virus and Vista services not starting
            « Reply #7 on: September 05, 2010, 06:49:51 PM »
            SuperDave,
            I am an MCSE and computer repair person.
            One question for you: is there a trojan, or are there a few trojans, out there that, even after being fixed, leave a lasting negative impact on Vista's or XP's ability to start up services? The two infected computers I have run across will run OK in safe mode but won't load most default services in a normal start even though I have removed the trojans.
            Thanks for your help re: this thread but I have decided to just reinstall the OS.
            Regards,
            vlogg5
             :o
            Computer Repair Person
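            The symptom in this thread (services refuse to start on a normal boot, with a "cannot be started in Safe Mode" error, while msconfig shows Normal) is exactly what the Service Control Manager produces when Windows itself believes it is in a safe boot: it then starts only the entries listed under SafeBoot\Minimal (or \Network) and fails every other service with Win32 error 1084. ComboFix's own header line on this page ends in "x86 NETWORK", which is how it labels a run under Safe Mode with Networking, so the first thing to establish is what the running system reports. The PowerShell diagnostic below is an added example, not code from the thread or from any participant; it assumes Windows Vista or later with PowerShell 2.0 and an elevated prompt, and the function names are my own.

```powershell
# Added diagnostic for the symptom described in this thread (not code from the thread):
# decide whether Windows itself believes it is in Safe Mode. The Service Control Manager
# refuses to start any service not listed under SafeBoot\Minimal (or \Network) while the
# safe-boot flag is set, returning Win32 error 1084, "This service cannot be started in
# Safe Mode". Run from an elevated PowerShell prompt on the affected machine.

Add-Type -Namespace Diag -Name Native -MemberDefinition @'
    [DllImport("user32.dll")]
    public static extern int GetSystemMetrics(int nIndex);
'@

function Get-SafeBootState {
    # SM_CLEANBOOT (67): 0 = normal boot, 1 = Safe Mode, 2 = Safe Mode with Networking.
    $cleanBoot = [Diag.Native]::GetSystemMetrics(67)
    $bootMode = switch ($cleanBoot) {
        0       { 'Normal' }
        1       { 'Safe Mode (Minimal)' }
        2       { 'Safe Mode with Networking' }
        default { "Unknown ($cleanBoot)" }
    }

    # The kernel writes the active safe-boot option here during a safe boot
    # (OptionValue 1 = Minimal, 2 = Network); the key is absent after a normal boot.
    $optionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    $optionValue = (Get-ItemProperty -Path $optionKey -ErrorAction SilentlyContinue).OptionValue

    # A persistent "safeboot" element in the Boot Configuration Data forces safe mode on
    # every boot no matter what msconfig displays; bcdedit needs an elevated prompt.
    $bcdLines = & bcdedit /enum '{current}' 2>$null
    $bcdSafeboot = $bcdLines | Select-String -Pattern '^\s*safeboot\s' | Select-Object -First 1

    New-Object PSObject -Property @{
        ReportedBootMode = $bootMode
        SafebootEnvVar   = $env:SAFEBOOT_OPTION   # MINIMAL or NETWORK only during a safe boot
        RegistryOption   = $optionValue           # $null on a normal boot
        BcdSafebootEntry = $(if ($bcdSafeboot) { $bcdSafeboot.Line.Trim() } else { '(none)' })
    }
}

function Get-SafeBootAllowList {
    # Services and driver groups the SCM permits during a Minimal safe boot. ComboFix listed
    # OneCareMP and WinDefend here for this machine; compare with the services that fail.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Entry = $_.PSChildName
                Type  = $_.GetValue('')   # usually "Service" or "Driver"
            }
        } | Sort-Object Entry
}

function Get-StalledAutoServices {
    # Automatic services that are not running: the thread's symptom, with the SCM exit code
    # (1084 means the service was refused because of the safe-boot flag).
    Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, State, ExitCode
}

Get-SafeBootState       | Format-List
Get-SafeBootAllowList   | Format-Table -AutoSize
Get-StalledAutoServices | Format-Table -AutoSize
```

Reading the result: if ReportedBootMode, SafebootEnvVar or RegistryOption say safe mode on a boot that was supposed to be normal, the safe-boot flag is being carried in the BCD store (the same setting the msconfig Boot tab toggles), and that is what to clear and verify before any further malware hunting; the BcdSafebootEntry field shows the exact element. If all four fields report a normal boot and automatic services still stay stopped with other exit codes, the cause is elsewhere, for example altered service registry values or permissions as Reply #2 suspects, and the ExitCode column from the last table is the place to start.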

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: UACd.sys Virus and Vista services not starting
            « Reply #8 on: September 06, 2010, 05:18:10 PM »
            Most malware are like cancer. They don't like to reside in only one place. They spread their disease throughout the whole system thereby ensuring their survival. Simply deleting a few malicious files doesn't eradicate the disease. They especially like to install copies of themselves in System Restore where they can be resurrected when someone tries to do a Restore.
            Windows 8 and Windows 10 dual boot with two SSD's

            vlogg5

              Topic Starter


              Rookie
              • Certifications: List
              • Experience: Experienced
              • OS: Other
              Re: UACd.sys Virus and Vista services not starting
              « Reply #9 on: September 07, 2010, 03:43:32 PM »
              Thanks Dave.
              1 more question.
              #1 I am in the process of trying to run thru your virus deletion instructions (infected PC is a Compaq Vista Home Premium) but I can't install or run any of the programs in regular mode.
              Which would you suggest: a) Run Super, etc. on the infected HDD attached as a slave or b) Run the programs in Safe mode? Safe mode works fine.
              Thanks,
              vlogg5
              Computer Repair Person

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: UACd.sys Virus and Vista services not starting
              « Reply #10 on: September 07, 2010, 05:23:15 PM »
              You can run all kinds of scans on the slaved hard drive. That would be the way to go. If you have other problems you should start a new thread.
              Windows 8 and Windows 10 dual boot with two SSD's

              vlogg5

                Topic Starter


                Rookie
                • Certifications: List
                • Experience: Experienced
                • OS: Other
                Re: UACd.sys Virus and Vista services not starting
                « Reply #11 on: September 10, 2010, 04:24:28 PM »
                Thanks SuperDave for your help.
                I am creating a Vista Home Premium from a torrent download and will be doing a repair install.
                Again,
                Thanks
                Computer Repair Person

                vlogg5

                  Topic Starter


                  Rookie
                  • Certifications: List
                  • Experience: Experienced
                  • OS: Other
                  Re: UACd.sys Virus and Vista services not starting
                  « Reply #12 on: September 10, 2010, 04:52:29 PM »
                  Please ignore my previous post. Obviously I need to get the computer virus free before I do a repair install.
                  I am running Super and Mbam with the HDD installed as a slave and will be posting the logs.
                  I cannot run HijackThis starting the PC in regular mode.
                  Any suggestions? A Safe mode scan probably won't help much but would you like that scan anyway?
                  Thanks
                  Computer Repair Person

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: UACd.sys Virus and Vista services not starting
                  « Reply #13 on: September 10, 2010, 05:39:31 PM »
                  Forget about HJT. It's just a diagnostic tool. You will need to run a couple of AV scans using different AV's plus SAS and MBAM. You can even run MRT. Just click Start, Run and type MRT.exe. Click on Custom Scan and select the slave drive. You need to run scans that will remove malware from the hard drive. We can run other scans once you are able to boot from the hard drive.
                  Windows 8 and Windows 10 dual boot with two SSD's

                  vlogg5

                    Topic Starter


                    Rookie
                    • Certifications: List
                    • Experience: Experienced
                    • OS: Other
                    Re: UACd.sys Virus and Vista services not starting
                    « Reply #14 on: September 11, 2010, 04:47:55 PM »
                    I have run MBAm, Super and MRT (quick). What is "SAS"?
                    Thanks
                    Computer Repair Person