
J.C.
Members
Posts: 4
Reputation: 0 Neutral
  1. I really appreciate your help but I already solved this. This is what I did:
     • Created a third partition with the exact size of PQSERVICE (4997MB)
     • Copied PQSERVICE partition into the new partition
     • Formatted PQSERVICE partition
     • Copied the files again into PQSERVICE partition from the temporary created partition and deleted this one
     • Resized C:/ partition
     • Repaired MBR from Acer original file stored on PQSERVICE
     • Reinstalled from eRecovery
     Now everything is running just fine!
  2. My only hard disk has 2 partitions, C:/ and PQSERVICE, which is the recovery partition and is also hidden, so what can I do if the recovery partition is infected? Since every time I reinstall Windows from that partition it will also copy the virus over and over again? Here's the log file, and again thanks for your time!

     ComboFix

     ComboFix 10-05-17.01 - Perez 05/18/2010 21:33:43.1.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.584 [GMT -6:00]
     Running from: c:\documents and settings\Perez\Desktop\ComboFix.exe
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
     .
     2010-05-18 23:24 . 2010-05-18 23:24 -------- d-sh--w- c:\documents and settings\Perez\IECompatCache
     2010-05-18 17:28 . 2010-05-18 17:28 -------- d-----w- c:\windows\system32\XPSViewer
     2010-05-18 17:28 . 2010-05-18 17:28 -------- d-----w- c:\program files\MSBuild
     2010-05-18 17:27 . 2010-05-18 17:27 -------- d-----w- c:\program files\Reference Assemblies
     2010-05-18 17:27 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
     2010-05-18 17:27 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
     2010-05-18 17:27 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
     2010-05-18 17:27 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
     2010-05-18 17:27 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
     2010-05-18 17:27 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
     2010-05-18 17:27 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
     2010-05-18 17:27 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
     2010-05-18 17:27 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
     2010-05-18 17:27 . 2010-05-18 17:27 -------- d-----w- C:\18c83ea38e4aed1e31
     2010-05-18 07:42 . 2010-05-18 07:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2010-05-18 07:41 . 2010-05-18 07:41 -------- d-sh--w- c:\documents and settings\Perez\PrivacIE
     2010-05-18 07:39 . 2010-05-18 07:39 -------- d-sh--w- c:\documents and settings\Perez\IETldCache
     2010-05-18 07:26 . 2010-05-18 07:26 -------- d-----w- c:\program files\MSXML 4.0
     2010-05-18 07:22 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
     2010-05-18 07:22 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
     2010-05-18 07:22 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
     2010-05-18 07:22 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
     2010-05-18 07:22 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
     2010-05-18 07:22 . 2010-02-25 17:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
     2010-05-18 07:22 . 2010-05-18 07:22 -------- d-----w- c:\windows\ie8updates
     2010-05-18 07:22 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
     2010-05-18 07:20 . 2010-05-18 07:22 -------- dc-h--w- c:\windows\ie8
     2010-05-18 06:12 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
     2010-05-18 06:12 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
     2010-05-18 06:09 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
     2010-05-18 05:47 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
     2010-05-18 05:47 . 2010-02-17 15:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
     2010-05-18 05:47 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
     2010-05-18 05:30 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
     2010-05-18 05:06 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
     2010-05-18 05:06 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
     2010-05-18 04:42 . 2010-05-18 04:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
     2010-05-18 04:42 . 2010-05-18 04:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2010-05-18 04:42 . 2010-05-18 04:42 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2010-05-18 04:42 . 2010-05-19 03:23 -------- d-----w- c:\windows\system32\drivers\Avg
     2010-05-18 04:41 . 2010-05-18 04:41 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2010-05-18 04:37 . 2010-05-18 04:37 -------- d-----w- c:\program files\AVG
     2010-05-18 04:37 . 2010-05-18 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
     2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\documents and settings\Perez\Application Data\Malwarebytes
     2010-05-18 02:35 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-18 02:35 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-17 23:38 . 2010-05-17 23:38 60592 ----a-w- c:\documents and settings\Perez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-05-17 23:33 . 2010-05-17 23:33 -------- d-----w- c:\documents and settings\Perez\Local Settings\Application Data\Google
     2010-05-17 23:30 . 2007-04-13 17:51 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
     2010-05-17 23:30 . 2006-03-30 19:06 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
     2010-05-17 23:30 . 2006-03-23 18:02 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
     2010-05-17 23:30 . 2005-12-09 15:12 16384 ----a-w- c:\windows\system32\ClearEvent.exe
     2010-05-17 23:30 . 2004-11-03 15:06 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
     2010-05-17 23:29 . 2010-05-17 23:29 125 ----a-w- c:\windows\xUninstall.bat
     2010-05-17 23:29 . 2010-05-17 23:29 -------- d-----w- c:\windows\JMCR_DIR
     2010-05-17 23:29 . 2008-07-08 01:16 96856 ----a-w- c:\windows\system32\drivers\jmcr.sys
     2010-05-17 23:29 . 2008-05-14 10:53 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
     2010-05-17 23:27 . 2010-05-17 23:27 -------- d-----w- c:\program files\Common Files\CrystalEye
     2010-05-17 23:26 . 2008-06-13 23:43 4342912 ----a-w- c:\windows\system32\acer.exe
     2010-05-17 23:26 . 2007-04-19 19:41 83554304 ----a-w- c:\windows\system32\acer.scr
     2010-05-17 23:26 . 2010-05-17 23:26 -------- d-----w- c:\program files\Acer Incorporated
     2010-05-17 23:26 . 2010-05-17 23:27 -------- d-----w- c:\windows\ACER
     2010-05-17 23:25 . 2010-05-17 23:25 110576 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.exe
     2010-05-17 23:25 . 2010-05-17 23:25 157168 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.dll
     2010-05-17 23:25 . 2010-05-17 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Partner
     2010-05-17 23:25 . 2010-05-18 03:48 -------- d-----w- c:\program files\Google
     2010-05-17 23:25 . 2010-05-17 23:25 -------- d-----w- c:\program files\Launch Manager
     2010-05-17 23:18 . 2008-04-14 06:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
     2010-05-17 23:18 . 2008-04-15 03:00 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
     2010-05-17 23:18 . 2008-04-15 03:00 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
     2010-05-17 23:18 . 2008-04-14 06:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
     2010-05-17 23:18 . 2008-04-14 06:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
     2010-05-17 23:18 . 2010-05-17 23:01 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield
     2010-05-17 23:18 . 2008-04-14 06:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
     2010-05-17 23:17 . 2008-04-14 06:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
     2010-05-17 23:16 . 2008-08-15 18:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
     2010-05-17 23:13 . 2010-05-17 23:13 -------- d-----w- c:\windows\WebCam
     2010-05-17 23:13 . 2008-04-14 11:42 53760 ----a-w- c:\windows\vfwwdm32.dll
     2010-05-17 23:06 . 2010-05-17 23:06 -------- d---a-w- c:\windows\AcerStore
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-05-18 07:35 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2010-05-18 07:28 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
     2010-05-17 23:29 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
     2010-05-17 23:06 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
     2010-05-17 23:06 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
     2010-05-17 23:03 . 2008-08-15 17:59 -------- d-----w- c:\program files\Realtek
     2010-05-17 23:03 . 2008-08-15 18:15 -------- d-----w- c:\program files\Microsoft.NET
     2010-05-17 23:03 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
     2010-05-17 23:02 . 2008-08-15 17:37 -------- d-----w- c:\program files\microsoft frontpage
     2010-05-17 23:02 . 2008-08-15 18:12 -------- d-----w- c:\program files\InterVideo
     2010-05-17 23:02 . 2008-08-15 17:41 -------- d-----w- c:\program files\Intel
     2010-05-17 23:02 . 2008-08-15 18:12 -------- d-----w- c:\program files\Common Files\InterVideo
     2010-05-17 23:02 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
     2010-05-17 23:02 . 2008-08-15 17:58 -------- d-----w- c:\program files\Common Files\InstallShield
     2010-05-17 23:02 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
     2010-05-17 23:02 . 2008-08-15 18:00 -------- d-----w- c:\program files\Atheros
     2010-05-17 23:01 . 2010-05-17 23:19 -------- d-----w- c:\documents and settings\Perez\Application Data\InstallShield
     2010-05-17 23:01 . 2008-08-15 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
     2010-03-11 12:38 . 2010-03-11 12:38 78336 ------w- c:\windows\system32\ieencode.dll
     2010-02-25 06:24 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-02-24 13:11 . 2008-04-15 03:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
     2010-05-17 23:25 157168 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.dll

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LaunchApp"="Alaunch" [X]
     "M3000Mnt"="M3000Rmv.dll " [X]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
     "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
     "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
     "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
     "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-05-17 24064]
     "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2010-05-18 04:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
     @=""

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
     "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
     "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/17/2010 10:42 PM 216200]
     R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/17/2010 10:41 PM 242896]
     R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/17/2010 10:40 PM 916760]
     R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/17/2010 10:39 PM 308064]
     R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 10:01 AM 254976]
     S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/17/2010 5:25 PM 24064]
     S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [5/17/2010 5:29 PM 96856]
     S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [5/17/2010 5:25 PM 110576]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     .
     **************************************************************************
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files:
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'explorer.exe'(3740)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\AVG\AVG9\avgchsvx.exe
     c:\program files\AVG\AVG9\avgrsx.exe
     c:\program files\AVG\AVG9\avgcsrvx.exe
     c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
     c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
     c:\program files\AVG\AVG9\avgnsx.exe
     c:\program files\AVG\AVG9\avgcsrvx.exe
     c:\system volume information\_restore{d5fffa500b1b}\smss.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\RTHDCPL.EXE
     c:\windows\system32\igfxsrvc.exe
     c:\windows\system32\igfxext.exe
     c:\docume~1\Perez\LOCALS~1\Temp\RtkBtMnt.exe
     .
     **************************************************************************
     .
     Completion time: 2010-05-18 21:42:13 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-05-19 03:42
     Pre-Run: 144,117,424,128 bytes free
     Post-Run: 144,212,455,424 bytes free
     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
     - - End Of File - - 2641F1C78A7B30DFF13B2C6A0B49F795
  3. Hi, thanks for your time, here are my MBAM and DDS logs. I also want to be very specific on this: even when I have reinstalled XP from the recovery partition, when I log in for the first time to Windows, there's a folder named "_restore{d5fffa500b1b}" which has been created and contains "smss.exe" and "svchost.exe" files on it and it's located on the System Volume Information folder. Why is that?

     MBAM

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4110
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     5/18/2010 4:44:27 PM
     mbam-log-2010-05-18 (16-44-27).txt
     Scan type: Quick scan
     Objects scanned: 120854
     Time elapsed: 12 minute(s), 38 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
     C:\WINDOWS\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

     DDS

     DDS (Ver_10-03-17.01) - NTFSx86
     Run by Perez at 16:45:24.85 on Tue 05/18/2010
     Internet Explorer: 8.0.6001.18702
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.504 [GMT -6:00]
     AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     ============== Running Processes ===============
     Executable.exe 4
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\Program Files\AVG\AVG9\avgrsx.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\AVG\AVG9\avgwdsvc.exe
     C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
     C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\AVG\AVG9\avgemc.exe
     C:\Program Files\AVG\AVG9\avgnsx.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\WINDOWS\system32\igfxtray.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\WINDOWS\RTHDCPL.EXE
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
     C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
     C:\PROGRA~1\AVG\AVG9\avgtray.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
     C:\WINDOWS\system32\igfxext.exe
     C:\DOCUME~1\Perez\LOCALS~1\Temp\RtkBtMnt.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Documents and Settings\Perez\Desktop\dds.scr
     ============== Pseudo HJT Report ===============
     uStart Page = hxxp://www.google.com/
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
     BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\documents and settings\all users\application data\partner\partner.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
     TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [LaunchApp] Alaunch
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [Persistence] c:\windows\system32\igfxpers.exe
     mRun: [RTHDCPL] RTHDCPL.EXE
     mRun: [Alcmtr] ALCMTR.EXE
     mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
     mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
     mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
     mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
     mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
     mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
     mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
     mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
     mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
     mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
     mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
     mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
     Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
     Notify: avgrsstarter - avgrsstx.dll
     Notify: igfxcui - igfxdev.dll
     AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
     ============= SERVICES / DRIVERS ===============
     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-17 216200]
     R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-17 29512]
     R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-17 242896]
     R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-5-17 916760]
     R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-17 308064]
     R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
     S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-5-17 24064]
     S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2010-5-17 96856]
     S3 Partner Service;Partner Service;c:\documents and settings\all users\application data\partner\partner.exe [2010-5-17 110576]
     =============== Created Last 30 ================
     2010-05-18 22:44:59 54016 ----a-w- c:\windows\system32\drivers\tnrym.sys
     2010-05-18 17:28:09 0 d-----w- c:\windows\system32\XPSViewer
     2010-05-18 17:27:08 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
     2010-05-18 17:27:08 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
     2010-05-18 17:27:08 117760 ------w- c:\windows\system32\prntvpt.dll
     2010-05-18 17:27:07 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
     2010-05-18 17:27:07 575488 ------w- c:\windows\system32\xpsshhdr.dll
     2010-05-18 17:27:07 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
     2010-05-18 17:27:07 1676288 ------w- c:\windows\system32\xpssvcs.dll
     2010-05-18 17:27:06 0 d-----w- C:\18c83ea38e4aed1e31
     2010-05-18 07:41:12 0 d-sh--w- c:\documents and settings\perez\PrivacIE
     2010-05-18 07:39:37 0 d-sh--w- c:\documents and settings\perez\IETldCache
     2010-05-18 07:26:56 0 d-----w- c:\program files\MSXML 4.0
     2010-05-18 07:22:42 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
     2010-05-18 07:22:42 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
     2010-05-18 07:22:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
     2010-05-18 07:22:42 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
     2010-05-18 07:22:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
     2010-05-18 07:22:41 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
     2010-05-18 07:22:37 0 d-----w- c:\windows\ie8updates
     2010-05-18 07:22:32 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
     2010-05-18 07:20:22 0 dc-h--w- c:\windows\ie8
     2010-05-18 06:12:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
     2010-05-18 06:12:20 272128 ------w- c:\windows\system32\drivers\bthport.sys
     2010-05-18 06:09:56 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
     2010-05-18 05:47:10 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
     2010-05-18 05:47:09 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
     2010-05-18 05:47:07 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
     2010-05-18 05:30:54 2560 ------w- c:\windows\system32\xpsp4res.dll
     2010-05-18 05:22:41 0 d-----w- c:\windows\system32\PreInstall
     2010-05-18 05:06:12 274288 ----a-w- c:\windows\system32\mucltui.dll
     2010-05-18 05:06:12 215920 ----a-w- c:\windows\system32\muweb.dll
     2010-05-18 05:06:12 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
     2010-05-18 04:55:00 0 d-----w- c:\windows\system32\SoftwareDistribution
     2010-05-18 04:42:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
     2010-05-18 04:42:15 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2010-05-18 04:42:10 0 d-----w- c:\windows\system32\drivers\Avg
     2010-05-18 04:41:21 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2010-05-18 04:37:34 0 d-----w- c:\program files\AVG
     2010-05-18 04:37:04 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
     2010-05-18 02:35:34 0 d-----w- c:\docume~1\perez\applic~1\Malwarebytes
     2010-05-18 02:35:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-18 02:35:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2010-05-18 02:35:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-18 02:35:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-17 23:30:42 730 ----a-w- c:\windows\system32\setup.iss
     2010-05-17 23:30:42 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
     2010-05-17 23:30:42 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
     2010-05-17 23:30:42 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
     2010-05-17 23:30:42 16384 ----a-w- c:\windows\system32\ClearEvent.exe
     2010-05-17 23:30:42 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
     2010-05-17 23:29:14 125 ----a-w- c:\windows\xUninstall.bat
     2010-05-17 23:29:13 96856 ----a-w- c:\windows\system32\drivers\jmcr.sys
     2010-05-17 23:29:13 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
     2010-05-17 23:29:13 0 d-----w- c:\windows\JMCR_DIR
     2010-05-17 23:27:32 222382 ----a-w- c:\windows\Acer Crystal Eye webcam.ico
     2010-05-17 23:27:32 0 d-----w- c:\program files\common files\CrystalEye
     2010-05-17 23:26:58 4342912 ----a-w- c:\windows\system32\acer.exe
     2010-05-17 23:26:56 83554304 ----a-w- c:\windows\system32\acer.scr
     2010-05-17 23:26:48 0 d-----w- c:\program files\Acer Incorporated
     2010-05-17 23:26:47 0 d-----w- c:\windows\ACER
     2010-05-17 23:25:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Partner
     2010-05-17 23:25:03 83 ----a-w- c:\windows\QtZgAcer.UNI
     2010-05-17 23:25:02 0 d-----w- c:\program files\Launch Manager
     2010-05-17 23:18:24 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
     2010-05-17 23:18:21 16384 ----a-w- c:\windows\system32\ipsink.ax
     2010-05-17 23:18:21 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
     2010-05-17 23:18:20 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
     2010-05-17 23:18:12 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
     2010-05-17 23:18:04 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
     2010-05-17 23:18:00 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
     2010-05-17 23:17:57 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
     2010-05-17 23:13:41 8192 ----a-w- c:\windows\REGLOCS.OLD
     2010-05-17 23:13:33 91136 ----a-w- c:\windows\kswdmcap.ax
     2010-05-17 23:13:33 61952 ----a-w- c:\windows\kstvtune.ax
     2010-05-17 23:13:33 28672 ----a-w- c:\windows\vidcap.ax
     2010-05-17 23:13:33 0 d-----w- c:\windows\WebCam
     2010-05-17 23:13:32 53760 ----a-w- c:\windows\vfwwdm32.dll
     2010-05-17 23:13:32 43008 ----a-w- c:\windows\ksxbar.ax
     2010-05-17 23:06:43 0 d---a-w- c:\windows\AcerStore
     ==================== Find3M ====================
     2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
     2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
     2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
     ============= FINISH: 16:46:04.39 ===============

     Attach.txt
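An added triage script, not from J.C.'s posts or from the DDS/ComboFix tools themselves: it reads a "Running Processes" listing of the kind pasted above and flags core Windows binary names (smss.exe, svchost.exe and so on) that run from anywhere other than the Windows directory, plus anything executing out of System Volume Information, a Temp folder or a Recycler folder. That is exactly the pattern behind the `_restore{d5fffa500b1b}\smss.exe` entry the post asks about: the real smss.exe lives in system32, so a copy in System Volume Information is worth quarantining and scanning regardless of what the AV says. The sample listing is constructed, modelled on the thread's DDS output; the `Desktop\smss.exe` line is invented to exercise the masquerade check.

```python
"""Triage a DDS/ComboFix running-process listing for core Windows binaries
running from the wrong place. Added example; not taken from the thread."""
import ntpath
import re

# Core Windows binaries that should only ever run from the Windows tree.
# Malware very often reuses these names (smss.exe, svchost.exe, ...).
CORE_STEMS = {"smss", "csrss", "winlogon", "services", "lsass",
              "svchost", "spoolsv", "explorer", "wininit"}

# A core binary is acceptable only under this prefix (covers system32 too).
TRUSTED_PREFIXES = ("c:\\windows\\",)

# Locations from which nothing should normally be executing at all.
SUSPICIOUS_LOCATIONS = [
    re.compile(r"^c:\\system volume information\\", re.I),
    re.compile(r"\\temp\\", re.I),
    re.compile(r"\\recycle[rd]?\\", re.I),
]

# Constructed sample, modelled on the DDS/ComboFix output in the thread.
# The Desktop\smss.exe line is invented to show the masquerade check.
SAMPLE_LISTING = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\docume~1\Perez\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Perez\Desktop\smss.exe
"""


def extract_path(line):
    """Return the executable path from one listing line, dropping any
    command-line arguments (e.g. '-k netsvcs') that follow it."""
    line = line.strip()
    m = re.match(r"(.*?\.(?:exe|scr|com|dll|sys))(?:\s|$)", line, re.I)
    if m:
        return m.group(1)
    # No recognised extension (DDS sometimes omits it): cut at the first switch.
    return re.split(r"\s+-", line, maxsplit=1)[0]


def classify(path):
    """List the reasons a path deserves a second look; empty means nothing found."""
    low = path.lower()
    if "\\" not in low:
        # DDS prints a bare name when it could not resolve the image path.
        return ["unresolved-path"]
    reasons = []
    if any(pat.search(low) for pat in SUSPICIOUS_LOCATIONS):
        reasons.append("suspicious-location")
    stem = ntpath.splitext(ntpath.basename(low))[0]
    if stem in CORE_STEMS and not low.startswith(TRUSTED_PREFIXES):
        reasons.append("core-name-outside-windows-dir")
    return reasons


def triage(listing):
    """Return [(path, reasons)] for every line that earned at least one flag."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        path = extract_path(line)
        reasons = classify(path)
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING):
        print(f"{', '.join(reasons):45} {path}")
```

Run it against the whole "Running Processes" or "Other Running Processes" section of a real log; an unresolved bare name such as `svchost.exe` is not by itself a finding (DDS lists several for normal service hosts), but a flagged path is a file to pull from the disk and check before trusting a clean-looking AV scan.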
  4. Hi guys, I really need help with my AOA150 netbook! I got infected from a USB flash drive, it installed the autorun.inf and other .cmd and .exe files into the ACER(C:) and PQSERVICE partitions! So I rebooted using a USB live Linux distro and deleted those files from C: and PQSERVICE, rebooted again, and then XP asked me for a password which I had never set, so I couldn't log in... I decided to use the ALT+F10 shortcut on rebooting and had my system recovered from "factory settings". The eRecovery app formatted the C: partition and reinstalled XP Home, so everything was fine... until I logged in again (in the recently new installed XP) and found out that I still had viruses located in the SYSTEM VOLUME INFORMATION folder!!! What can I do? Are the viruses still on the recovery partition so every time I reinstall from factory settings these viruses are copied to my new installation? Help please
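The autorun.inf spread described in this post is something you can check for from the live Linux session before trusting a partition again, including the hidden PQSERVICE recovery partition. This is an added example, not code from the thread: `inspect_volume` takes a mount point, finds autorun.inf regardless of case, parses the `[autorun]` section for the keys that launch a program (`open`, `shellexecute`, `shell\...\command`) and reports whether each referenced file is actually present on the volume. The sample volume that `demo` builds in a temporary directory is constructed; the file names in it are placeholders.

```python
"""Inspect a mounted volume (e.g. the recovery partition mounted read-only
from a live Linux USB) for an autorun.inf and report what it would launch.
Added example; not from the thread. The sample volume is constructed."""
import os
import re
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch
    something. Tolerates comments, blank lines and mixed-case keys."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key.lower()):
            targets.append((key, value))
    return targets


def executable_from_command(command):
    """First token of a command line: '"a b.exe" /s' -> 'a b.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def find_autorun(mount_point):
    """Locate autorun.inf at the volume root regardless of case: FAT/NTFS are
    case-insensitive, a Linux mount of them is not."""
    for name in os.listdir(mount_point):
        if name.lower() == "autorun.inf":
            return os.path.join(mount_point, name)
    return None


def inspect_volume(mount_point):
    """Report each launch target named by autorun.inf and whether the file it
    points at is actually present on the volume."""
    inf = find_autorun(mount_point)
    if inf is None:
        return {"autorun_inf": None, "targets": []}
    with open(inf, encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for key, command in entries:
        target = executable_from_command(command)  # Windows-style relative path
        full = os.path.join(mount_point, *target.split("\\"))
        report.append({"key": key, "command": command,
                       "target": target, "exists": os.path.isfile(full)})
    return {"autorun_inf": inf, "targets": report}


def build_sample_volume(root):
    """Constructed sample of the situation in the thread: an autorun.inf that
    points at a dropped .exe and a .cmd; only the .exe is present."""
    os.makedirs(os.path.join(root, "RECYCLER"), exist_ok=True)
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("[AutoRun]\n"
                 "; constructed sample, not a real infection\n"
                 "open=RECYCLER\\setup.exe\n"
                 "shell\\open\\Command=RECYCLER\\setup.exe /s\n"
                 "shellexecute=update.cmd\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    # Empty placeholder standing in for the dropped executable.
    open(os.path.join(root, "RECYCLER", "setup.exe"), "wb").close()


def demo():
    """Build the sample volume in a temporary directory and inspect it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_volume(root)
        return inspect_volume(root)


if __name__ == "__main__":
    for entry in demo()["targets"]:
        state = "present" if entry["exists"] else "MISSING"
        print(f"{entry['key']:22} -> {entry['target']:25} [{state}]")
```

Point `inspect_volume` at the mount point of each partition (the recovery partition included) and treat every reported target as a file to copy off for scanning before it is deleted; a target that is reported missing usually means a cleaner removed the payload but left the autorun.inf behind, which is harmless on its own but worth removing so it cannot be re-armed.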