Possible Vundo infection [RESOLVED]

#1
ledgerat
Hopefully you can help. I believe I have the Vundo spyware. I have run Spybot S&D, AVG Antivirus, AVG virus scan, and Lavasoft's Ad-Aware. I have also run VundoFix, with little luck. AVG has caught a few random .dlls that have been created, but the main Winlogon culprit I can't seem to get rid of. I am running an ACER laptop with WinXP with 256 MB RAM.

Here is my uninstall list, followed by the HijackThis list.

uninstall list:
Acer eManager for Notebook
Acer ePowerManagement
Ad-Aware 2007
Adobe Reader 7.0.9
Adobe Shockwave Player
Arcade 3.0
AVG Anti-Spyware 7.5
AVG Free Edition
Broadcom 802.11 Network Adapter
DivX Content Uploader
DivX Web Player
Google Earth
Google Updater
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Intel® Graphics Media Accelerator Driver for Mobile
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
Launch Manager V1.0.8.8
Lemmings for Windows 95
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Move Networks Player for Firefox
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nancy Drew: Message in a Haunted Mansion
Nancy Drew: Stay Tuned For Danger
NoteBurner 1.22
NTI Backup NOW! 4
NTI CD & DVD-Maker Gold
Picasa 2
PowerProducer
QuickTime
RealPlayer
Realtek AC'97 Audio
ScummVM 0.10.0
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SoftV90 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
StarOffice 8
Syberia
Synaptics Pointing Device Driver
The Longest Journey
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6c
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 3.1
WinRAR archiver
WM Recorder 11.2

hijack this list:


Logfile of HijackThis v1.99.1
Scan saved at 4:58:49 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\h\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\efcyvtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view2...2/View22RTE.cab
O20 - Winlogon Notify: efcyvtq - C:\WINDOWS\SYSTEM32\efcyvtq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)




I believe the culprit is efcyvtq.dll, but I am not positive if it is, or if there is anything else causing the slowdown.

Thanks for any help you can give
-Ledgerat
#2
Rorschach112
Hello ledgerat, my name is Rorschach and I'll be helping you with your problems.


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
ledgerat
Thanks for your quick reply. I had run VundoFix, but I ran it again. It did not find anything, though AVG Virus Scan seems to catch the randomly generated .dlls (such as jkkji.dl and vtsqr.dll) when I get on the internet. I also will get a message that it can't connect to the internet (like it is trying to connect) when I am just playing a game offline and it wants me to connect. Here are the logs you need:

Vundofix log:

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:01:18 PM 9/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:57:10 AM 9/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


OTHER LOGS:
Deckard's System Scanner v20070905.67
Run by Kim on 2007-09-17 06:06:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
38: 2007-09-17 10:07:09 UTC - RP100 - Deckard's System Scanner Restore Point
37: 2007-09-16 14:18:46 UTC - RP99 - Restore Operation
36: 2007-09-14 19:28:13 UTC - RP98 - Ad-Aware Restore Point 2007-09-14 15:28:06
35: 2007-09-14 19:15:49 UTC - RP97 - Installed Ad-Aware 2007
34: 2007-09-14 18:36:00 UTC - RP96 - Restore Operation


-- First Restore Point --
1: 2007-04-03 22:47:03 UTC - RP63 - Software Distribution Service 2.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 247 MiB (512 MiB recommended).
System Drive C: has 1.02 GiB (less than 15%) free.


-- HijackThis (run as Kim.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-17 06:07:53
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\ePM\epm-dm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\GUARD.EXE
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Launch Manager\Powerkey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Kim\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\efcyvtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKEY_LOCAL_MACHINE\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKEY_LOCAL_MACHINE\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKEY_LOCAL_MACHINE\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view2...2/View22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O20 - Winlogon Notify: efcyvtq - C:\WINDOWS\system32\efcyvtq.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"


-- HijackThis Fixed Entries (C:\h\backups\) ------------------------------------

backup-20070916-113645-815 O2 - BHO: (no name) - {7378296C-1FA1-46CC-927A-059E501AFAE4} - C:\Program Files\Xhwfjwgz\ealbkzri.dll (file missing)
backup-20070916-113645-732 O20 - Winlogon Notify: efcyvtq-cjr2 - efcyvtq-cjr.dll (file missing)
backup-20070916-113646-417 O20 - Winlogon Notify: winwim-cjr32 - winwim32.dll (file missing)
backup-20070916-113646-481 O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ntcdrdrv - c:\windows\system32\drivers\ntcdrdrv.sys <Not Verified; NoteBurn Software; NoteBurn>
R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R1 Hotkey - c:\windows\system32\drivers\hotkey.sys
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 int15.sys - c:\program files\acer\erecovery\int15.sys
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; Avocent/OSA Technologies Inc.; Windows ® Server 2003 DDK driver>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows ® 2000 DDK provider; OSA int15 Driver>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 POWERKEY - c:\program files\launch manager\powerkey.sys

S1 Wbutton - c:\windows\system32\drivers\wbutton.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-08-17 and 2007-09-17 -----------------------------

2007-09-16 16:01:18 0 d-------- C:\VundoFix Backups
2007-09-16 15:18:22 0 d-------- C:\!KillBox
2007-09-16 10:48:33 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2007-09-16 10:45:10 65536 -----n--- C:\WINDOWS\system32\WLTRYSVC.EXE
2007-09-16 10:45:10 192512 --a------ C:\WINDOWS\system32\AegisI5.exe <Not Verified; ; AegisInstall Application>
2007-09-16 10:45:06 1396831 -----n--- C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-16 10:07:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-16 10:07:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-16 10:07:19 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-16 09:15:56 0 d--hs---- C:\FOUND.000
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Templates
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2007-09-16 09:07:16 0 dr------- C:\Documents and Settings\TEMP\Favorites
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2007-09-16 09:07:16 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2007-09-16 09:07:14 3932160 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2007-09-16 06:35:54 0 d-------- C:\h
2007-09-14 15:15:58 0 d-------- C:\Program Files\Lavasoft
2007-09-14 15:15:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-14 14:34:12 0 d-------- C:\Documents and Settings\Kim\Application Data\Grisoft
2007-09-13 18:37:26 0 d-------- C:\WINDOWS\system32\srvuqsja
2007-09-13 18:36:41 44054 -----n--- C:\WINDOWS\system32\efcyvtq.dll
2007-09-02 13:56:57 0 d-------- C:\Documents and Settings\Kim\Application Data\vlc
2007-08-30 18:17:09 0 d-------- C:\Program Files\Syberia
2007-08-19 09:39:03 0 d-------- C:\Documents and Settings\Kim\Application Data\StarOffice8
2007-08-19 09:34:31 0 d-------- C:\Program Files\Sun
2007-08-19 08:11:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater


-- Find3M Report ---------------------------------------------------------------

2007-08-11 10:25:18 0 d-------- C:\Documents and Settings\Kim\Application Data\ScummVM
2007-07-22 13:04:20 0 d-------- C:\Program Files\TLJ


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}]
09/13/2007 06:36 PM 44054 --------- C:\WINDOWS\system32\efcyvtq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 10:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 10:31 AM]
"SoundMan"="SOUNDMAN.EXE" [04/15/2005 11:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/04/2005 11:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/04/2005 11:11 AM]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [06/01/2005 02:17 PM]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [03/15/2005 10:03 AM]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [09/16/2003 02:28 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [08/26/2007 10:08 AM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [08/30/2002 03:02 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [03/09/2005 06:59 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [07/25/2005 10:45 AM]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [06/06/2005 11:52 AM]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [07/25/2005 01:36 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 05:00 AM]
"eRecoveryService"="C:\Program Files\Acer\eRecovery\Monitor.exe" [06/29/2005 05:26 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{733E9132-53CA-4C97-9AC9-145C4502FA20}"= C:\WINDOWS\system32\efcyvtq.dll [09/13/2007 06:36 PM 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyvtq]
efcyvtq.dll 09/13/2007 06:36 PM 44054 C:\WINDOWS\system32\efcyvtq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bwpohexk]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bwpohexk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
C:\Windows\RUNXMLPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmlencrm]
rundll32.exe "C:\Program Files\lcpmtste\lwpkfajk.dll",Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
"C:\Program Files\Launch Manager\Wbutton.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe HowToUse\HowToUse.html


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
C:\WINDOWS\system32\nusrmgr.exe



-- End of Deckard's System Scanner: finished at 2007-09-17 06:10:30 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.50GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 246.42 MiB / 64.12 MiB
Pagefile Memory (total/avail): 602.38 MiB / 278.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.99 MiB

C: is Fixed (FAT32) - 16.96 GiB total, 1.02 GiB free.
D: is Fixed (FAT32) - 17.35 GiB total, 15.35 GiB free.
E: is CDROM (CDFS)
F: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - WDC WD400UE-22HCT0 - 37.26 GiB - 3 partitions
\PARTITION0 - Unknown - 2.93 GiB
\PARTITION1 (bootable) - Unknown - 16.97 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 17.36 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.485 v7.5.485 (GRISOFT)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\DOCUME~1\\Kim\\LOCALS~1\\Temp\\win3E.tmp.exe"="C:\\DOCUME~1\\Kim\\LOCALS~1\\Temp\\win3E.tmp.exe:*:Enabled:win3E.tmp"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kim\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KIMBERLY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kim
LOGONSERVER=\\KIMBERLY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Kim\LOCALS~1\Temp
TMP=C:\DOCUME~1\Kim\LOCALS~1\Temp
USERDOMAIN=KIMBERLY
USERNAME=Kim
USERPROFILE=C:\Documents and Settings\Kim
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Kim (admin)
Kim (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eManager for Notebook --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer ePowerManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
Arcade 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Broadcom 802.11 Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\101\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 1.99.1 --> C:\h\HijackThis.exe /uninstall
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Launch Manager V1.0.8.8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0846526-66DD-4DC9-A02C-98F9A2806812}\SETUP.EXE" -l0x9
Lemmings for Windows 95 --> C:\Program Files\WinLemm\wlvsun10.exe uninstall
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Move Networks Player for Firefox --> "C:\Program Files\Mozilla Firefox\plugins\unins000.exe"
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nancy Drew: Message in a Haunted Mansion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Nancy Drew\Message in a Haunted Mansion\Setup.exe"
Nancy Drew: Stay Tuned For Danger --> C:\WINDOWS\IsUninst.exe -f"C:\Nancy Drew\Stay Tuned For Danger\Uninst.isu"
NoteBurner 1.22 --> "C:\Program Files\NoteBurner\unins000.exe"
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{ED79C7E1-386E-4C12-81C7-8FEFB6D396B5} /l1033 BUN4
NTI CD & DVD-Maker Gold --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{65C39C99-F2C0-4286-A37A-23182E9A5E8E} /l1033 CDM7
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
ScummVM 0.10.0 --> "C:\Program Files\ScummVM\unins000.exe"
SoftV90 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025\HXFSETUP.EXE -U -IVEN_8086&DEV_266D&SUBSYS_006A1025
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
StarOffice 8 --> MsiExec.exe /I{86E2FE20-6679-4F30-B8E0-36D5BF6018BE}
Syberia --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Syberia\Uninstall\setup.exe" -l0x9
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Longest Journey --> C:\WINDOWS\uninst.exe -y -f"C:\Program Files\TLJ\uninst.isu" -c"C:\Program Files\TLJ\Uninstall.dll"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WM Recorder 11.2 --> C:\Program Files\WMR11\Uninstal.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4113 / Error
Event Submitted/Written: 09/17/2007 05:47:01 AM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x100051c5.
Error in creating result PEAP-TLV in response to received PEAP-TLV (winlogon.exe!ld!)

Event Record #/Type4108 / Error
Event Submitted/Written: 09/16/2007 04:23:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x100051c5.
Processing media-specific event for [!ws!]

Event Record #/Type4083 / Error
Event Submitted/Written: 09/16/2007 11:21:23 AM
Event ID/Source: 32045 / Microsoft Fax
Event Description:
Fax Service failed to initialize because it could not initialize the TAPI devices.


Verify that the fax modem was installed and configured correctly.
Win32 error code: -2147483576.
This error code indicates the cause of the error.

Event Record #/Type4071 / Warning
Event Submitted/Written: 09/16/2007 10:49:25 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type4070 / Error
Event Submitted/Written: 09/16/2007 10:41:00 AM
Event ID/Source: 0 / anbmServ.exe
Event Description:
The service process could not connect to the service controller



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28269 / Error
Event Submitted/Written: 09/17/2007 05:48:24 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type28268 / Error
Event Submitted/Written: 09/17/2007 05:48:24 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type28267 / Error
Event Submitted/Written: 09/17/2007 05:48:09 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type28266 / Error
Event Submitted/Written: 09/17/2007 05:48:09 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type28198 / Error
Event Submitted/Written: 09/16/2007 03:45:07 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2007-09-17 06:10:30 ------------


Thanks again
Ledgerat
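
As an added example, not part of this thread and not code from DSS, HijackThis or VundoFix: a small Python script that does what a helper does by eye on the dump above. It parses the `[KEY]` sections, collects every DLL/EXE path per autostart location and flags three things: one DLL registered under two or more of the Browser Helper Objects, ShellExecuteHooks and Winlogon\Notify keys (the way efcyvtq.dll appears in this log), binaries referenced from Temp or the shared Application Data root (the win3E.tmp.exe firewall exception and bwpohexk.dll), and HijackThis lines marked `(file missing)`, which is what remains when a file is deleted but its CLSID registration is not. The sample log text is constructed from the lines quoted in this thread rather than taken from a live machine, and the two-hit threshold and the location heuristic are this example's own assumptions.

```python
# Added triage example, not code from the thread, DSS or HijackThis: correlate the autostart
# entries of a DSS-style registry dump and flag the Vundo pattern seen in the log above.
import re
from collections import defaultdict

# Windows path ending in .dll/.exe; allows spaces, stops at quotes, brackets, commas.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\],\r\n]+?\.(?:dll|exe)(?![\w.])', re.IGNORECASE)
SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
# HijackThis entry whose file is gone, e.g. a BHO CLSID left behind after the DLL was deleted.
MISSING_RE = re.compile(r'^(O\d+) - .*?(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
                        r' - (.+?) \(file missing\)\s*$')
HOOK_POINTS = {"BHO", "ShellExecuteHooks", "WinlogonNotify"}  # "two or more" is this example's threshold

# Constructed sample modelled on the DSS dump quoted in this thread, not a live capture.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}]
09/13/2007 06:36 PM 44054 --------- C:\WINDOWS\system32\efcyvtq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 10:36 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{733E9132-53CA-4C97-9AC9-145C4502FA20}"= C:\WINDOWS\system32\efcyvtq.dll [09/13/2007 06:36 PM 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyvtq]
efcyvtq.dll 09/13/2007 06:36 PM 44054 C:\WINDOWS\system32\efcyvtq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bwpohexk]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bwpohexk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmlencrm]
rundll32.exe "C:\Program Files\lcpmtste\lwpkfajk.dll",Init

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\DOCUME~1\\Kim\\LOCALS~1\\Temp\\win3E.tmp.exe"="C:\\DOCUME~1\\Kim\\LOCALS~1\\Temp\\win3E.tmp.exe:*:Enabled:win3E.tmp"
"""
# Constructed post-cleanup HijackThis lines, modelled on the O2/O9 entries quoted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\efcyvtq.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

def classify_key(key):
    """Map a registry key from the dump to a short load-point label."""
    k = key.lower()
    if "browser helper objects" in k:
        return "BHO"
    if "shellexecutehooks" in k:
        return "ShellExecuteHooks"
    if r"winlogon\notify" in k:
        return "WinlogonNotify"
    if r"msconfig\startup" in k:
        return "MsconfigDisabled"   # disabled in msconfig, but the binary is still on disk
    if r"currentversion\run" in k:
        return "Run"
    return "Other"

def parse_sections(dump):
    """Return {registry key: [entry lines]} for a '[KEY]' style dump."""
    sections, current = {}, None
    for line in dump.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections

def correlate(dump):
    """Return {lower-cased path: set of load-point labels it is registered under}."""
    hits = defaultdict(set)
    for key, lines in parse_sections(dump).items():
        label = classify_key(key)
        for line in lines:
            for path in PATH_RE.findall(line):
                hits[path.lower()].add(label)
    return dict(hits)

def multi_hook_dlls(dump):
    """Paths registered under two or more of BHO / ShellExecuteHooks / Winlogon Notify."""
    return sorted(p for p, labels in correlate(dump).items() if len(labels & HOOK_POINTS) >= 2)

def writable_location_binaries(dump):
    """Binaries referenced from Temp or the shared Application Data root, whatever the key."""
    return sorted(p for p in correlate(dump)
                  if "\\temp\\" in p or "\\all users\\application data\\" in p)

def dangling_entries(hjt_log):
    """(HJT item type, CLSID, path) for every line HijackThis marks '(file missing)'."""
    return [(m.group(1), m.group(2).upper(), m.group(3))
            for m in map(MISSING_RE.match, (ln.strip() for ln in hjt_log.splitlines())) if m]

if __name__ == "__main__":
    print("multi-hook:", multi_hook_dlls(SAMPLE_DUMP))
    print("user-writable:", writable_location_binaries(SAMPLE_DUMP))
    print("dangling:", dangling_entries(SAMPLE_HJT))
```

Run it against a real DSS main log and the post-cleanup HijackThis log by reading the two files into `SAMPLE_DUMP` and `SAMPLE_HJT`. The `(file missing)` list deliberately includes benign leftovers such as the Windows Messenger button, so it is a list of registrations to review, not a list of malware.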

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Ledgerat

The Vundo trojan can be a bit hard to remove, but luckily there are a few tricks of the trade we can use to remove it.


Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\efcyvtq.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Delete your version of VundoFix.exe and do the following


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up.
  • This will open a new VundoFix window that says "Paste files into the boxes below:"
  • In that window, copy and paste the following file path in the first (top) field:
    C:\WINDOWS\system32\efcyvtq.dll
  • Click the 'Add Files' button.
  • Click the 'Close Window' button.
  • Click the 'Remove Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.



So in your next reply please post the following: the VundoFix text, a new DSS log, and tell me how your PC is running now and whether you had any problems.

#5
ledgerat

    New Member

  • Topic Starter
  • Member
  • 7 posts
I have uploaded the file to that site and ran VundoFix... it seems to have deleted the file:


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:01:18 PM 9/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:57:10 AM 9/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:24:27 PM 9/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efcyvtq.dll
C:\WINDOWS\system32\efcyvtq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 12:35:52 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\h\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\efcyvtq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view2...2/View22RTE.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Let me know if there is anything else I might need to do. Thanks for your help!

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello ledgerat

Can you please run DSS again and post all of the log. It seems we are missing a bit.

#7
ledgerat

    New Member

  • Topic Starter
  • Member
  • 7 posts
Oops... Here it is:

Deckard's System Scanner v20070905.67
Run by Kim on 2007-09-17 17:50:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 89% (more than 75%).
Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Kim.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-17 17:50:15
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\ePM\epm-dm.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Launch Manager\Powerkey.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\GUARD.EXE
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Kim\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKEY_LOCAL_MACHINE\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKEY_LOCAL_MACHINE\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKEY_LOCAL_MACHINE\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view2...2/View22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"


-- Files created between 2007-08-17 and 2007-09-17 -----------------------------

2007-09-17 12:21:54 244832 --a------ C:\WINDOWS\system32\ssqpq.dll
2007-09-16 16:01:18 0 d-------- C:\VundoFix Backups
2007-09-16 15:18:22 0 d-------- C:\!KillBox
2007-09-16 10:48:33 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2007-09-16 10:45:10 65536 -----n--- C:\WINDOWS\system32\WLTRYSVC.EXE
2007-09-16 10:45:10 192512 --a------ C:\WINDOWS\system32\AegisI5.exe <Not Verified; ; AegisInstall Application>
2007-09-16 10:45:06 1396831 -----n--- C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-16 10:07:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-16 10:07:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-16 10:07:19 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-16 09:15:56 0 d--hs---- C:\FOUND.000
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Templates
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2007-09-16 09:07:16 0 dr------- C:\Documents and Settings\TEMP\Favorites
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2007-09-16 09:07:16 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2007-09-16 09:07:14 3932160 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2007-09-16 06:35:54 0 d-------- C:\h
2007-09-14 15:15:58 0 d-------- C:\Program Files\Lavasoft
2007-09-14 15:15:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-14 14:34:12 0 d-------- C:\Documents and Settings\Kim\Application Data\Grisoft
2007-09-13 18:37:26 0 d-------- C:\WINDOWS\system32\srvuqsja
2007-09-02 13:56:57 0 d-------- C:\Documents and Settings\Kim\Application Data\vlc
2007-08-30 18:17:09 0 d-------- C:\Program Files\Syberia
2007-08-19 09:39:03 0 d-------- C:\Documents and Settings\Kim\Application Data\StarOffice8
2007-08-19 09:34:31 0 d-------- C:\Program Files\Sun
2007-08-19 08:11:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater


-- Find3M Report ---------------------------------------------------------------

2007-08-11 10:25:18 0 d-------- C:\Documents and Settings\Kim\Application Data\ScummVM
2007-07-22 13:04:20 0 d-------- C:\Program Files\TLJ


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 10:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 10:31 AM]
"SoundMan"="SOUNDMAN.EXE" [04/15/2005 11:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/04/2005 11:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/04/2005 11:11 AM]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [06/01/2005 02:17 PM]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [03/15/2005 10:03 AM]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [09/16/2003 02:28 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [08/26/2007 10:08 AM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [08/30/2002 03:02 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [03/09/2005 06:59 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [07/25/2005 10:45 AM]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [06/06/2005 11:52 AM]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [07/25/2005 01:36 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 05:00 AM]
"eRecoveryService"="C:\Program Files\Acer\eRecovery\Monitor.exe" [06/29/2005 05:26 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bwpohexk]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bwpohexk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
C:\Windows\RUNXMLPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmlencrm]
rundll32.exe "C:\Program Files\lcpmtste\lwpkfajk.dll",Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
"C:\Program Files\Launch Manager\Wbutton.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe HowToUse\HowToUse.html


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
C:\WINDOWS\system32\nusrmgr.exe



-- End of Deckard's System Scanner: finished at 2007-09-17 17:51:32 ------------
  • 0

#8
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello Ledgerat, thanks for that :)


Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\Documents and Settings\All Users\Application Data\bwpohexk.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Repeat that for the following file:

C:\Program Files\lcpmtste\lwpkfajk.dll


Please go to Start > Control Panel > Add or Remove Programs > Remove

lcpmtste
SecCenter




Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ssqpq.dll
    C:\FOUND.000
    C:\WINDOWS\system32\srvuqsja
    C:\Documents and Settings\All Users\Application Data\bwpohexk.dll
    C:\Program Files\SecCenter
    C:\Program Files\lcpmtste
    C:\WINDOWS\system32\nusrmgr.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



Finally:

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bwpohexk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmlencrm]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]

[-HKEY_CLASSES_ROOT\CLSID\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]


Then double-click the fix.reg file; when it prompts to merge, click "Yes".



So in your next reply I need to see the following: the OTMoveIt results, a new DSS log, and tell me how your PC is running now and if you had any problems.
  • 0
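As an added example (my own code, not from the thread or from any tool mentioned in it), the following Python script parses the Registry Editor 5.00 format that fix.reg uses and lists every key and value the file would create or delete before you merge it, with the post's fix.reg embedded as its sample input; the "shallow delete" check is a heuristic of mine, not something the post describes.

```python
"""Preview what a .reg file will change before merging it.

Registry Editor 5.00 format, as used by fix.reg in the post above:
  [KEY]       create the key if missing, then apply the value lines under it
  [-KEY]      delete the key and everything below it
  "name"=-    delete one value in the current key (@ is the Default value)
  "name"=...  set a value; hex: data may continue over lines ending in a backslash
Merging is irreversible without a registry backup (ERUNT, above), so
listing the operations first is a cheap sanity check.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"
ROOT_KEYS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# The fix.reg from the post, embedded so the script runs offline.
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bwpohexk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmlencrm]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]

[-HKEY_CLASSES_ROOT\CLSID\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
'''


def parse_reg(text):
    """Return the file's operations in order as (action, key, name, data)
    tuples; action is create_key, delete_key, set_value or delete_value.
    Raises ValueError on a bad header, unknown hive or stray value line."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing '%s' header" % HEADER)
    ops = []
    current = None  # key the value lines apply to; None right after a [-KEY]
    pending = ""    # partial value continued with a trailing backslash
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            delete = key.startswith("-")
            if delete:
                key = key[1:]
            if key.split("\\", 1)[0].upper() not in ROOT_KEYS:
                raise ValueError("unknown root hive in [%s]" % key)
            current = None if delete else key
            ops.append(("delete_key" if delete else "create_key", key, None, None))
            continue
        if line.endswith("\\"):   # hex: data continues on the next line
            pending = line[:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unexpected line: %r" % line)
        name, data = m.group(1), m.group(2)
        # @ is the key's default value; otherwise strip the quotes and unescape
        name = "(Default)" if name == "@" else re.sub(r"\\(.)", r"\1", name[1:-1])
        if data == "-":
            ops.append(("delete_value", current, name, None))
        else:
            ops.append(("set_value", current, name, data))
    if pending:
        raise ValueError("file ends inside a continued value")
    return ops


def shallow_deletes(ops, min_depth=3):
    """My own heuristic, not from the post: a [-KEY] fewer than min_depth
    components deep (a whole hive or SOFTWARE tree) removes far more than one
    startup entry and deserves a second look before merging."""
    return [key for action, key, _, _ in ops
            if action == "delete_key" and len(key.split("\\")) < min_depth]


def describe(ops):
    # One readable line per operation, deletions in capitals.
    words = {"create_key": "create/open key", "delete_key": "DELETE key",
             "set_value": "set value", "delete_value": "DELETE value"}
    out = []
    for action, key, name, data in ops:
        line = "%-16s %s" % (words[action], key)
        if name is not None:
            line += "  value %r" % name
        if data is not None:
            line += " = " + data
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(FIX_REG))))
    print("broad deletions:", shallow_deletes(parse_reg(FIX_REG)))
```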

#9
ledgerat
    New Member
  • Topic Starter
  • Member
  • 7 posts
I uploaded the first file you asked me to... though it was in a zip folder within a Spybot restore directory... the other file is no longer in my system that I can find... Neither was in my add/remove programs. The system doesn't seem to have any popups anymore... it still boots a little slow but that could be because of the added Spybot and Ad-Aware... not sure.

Here are the logs:
LoadLibrary failed for C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\ssqpq.dll NOT unregistered.
C:\WINDOWS\system32\ssqpq.dll moved successfully.
File/Folder C:\FOUND.000 not found.
C:\WINDOWS\system32\srvuqsja moved successfully.
File/Folder C:\Documents and Settings\All Users\Application Data\bwpohexk.dll not found.
File/Folder C:\Program Files\SecCenter not found.
File/Folder C:\Program Files\lcpmtste not found.
File/Folder C:\WINDOWS\system32\nusrmgr.exe not found.

Created on 09/17/2007 20:18:08


Deckard's System Scanner v20070905.67
Run by Kim on 2007-09-17 20:34:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 94% (more than 75%).
Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Kim.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-17 20:34:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Acer\ePM\epm-dm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\GUARD.EXE
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Kim\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKEY_LOCAL_MACHINE\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKEY_LOCAL_MACHINE\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKEY_LOCAL_MACHINE\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view2...2/View22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"


-- Files created between 2007-08-17 and 2007-09-17 -----------------------------

2007-09-16 16:01:18 0 d-------- C:\VundoFix Backups
2007-09-16 15:18:22 0 d-------- C:\!KillBox
2007-09-16 10:48:33 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2007-09-16 10:45:10 65536 -----n--- C:\WINDOWS\system32\WLTRYSVC.EXE
2007-09-16 10:45:10 192512 --a------ C:\WINDOWS\system32\AegisI5.exe <Not Verified; ; AegisInstall Application>
2007-09-16 10:45:06 1396831 -----n--- C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-16 10:07:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-16 10:07:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-16 10:07:19 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Templates
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2007-09-16 09:07:16 0 dr------- C:\Documents and Settings\TEMP\Favorites
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2007-09-16 09:07:16 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2007-09-16 09:07:14 3932160 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2007-09-16 06:35:54 0 d-------- C:\h
2007-09-14 15:15:58 0 d-------- C:\Program Files\Lavasoft
2007-09-14 15:15:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-14 14:34:12 0 d-------- C:\Documents and Settings\Kim\Application Data\Grisoft
2007-09-02 13:56:57 0 d-------- C:\Documents and Settings\Kim\Application Data\vlc
2007-08-30 18:17:09 0 d-------- C:\Program Files\Syberia
2007-08-19 09:39:03 0 d-------- C:\Documents and Settings\Kim\Application Data\StarOffice8
2007-08-19 09:34:31 0 d-------- C:\Program Files\Sun
2007-08-19 08:11:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater


-- Find3M Report ---------------------------------------------------------------

2007-08-11 10:25:18 0 d-------- C:\Documents and Settings\Kim\Application Data\ScummVM
2007-07-22 13:04:20 0 d-------- C:\Program Files\TLJ


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 10:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 10:31 AM]
"SoundMan"="SOUNDMAN.EXE" [04/15/2005 11:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/04/2005 11:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/04/2005 11:11 AM]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [09/16/2003 02:28 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [08/26/2007 10:08 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [03/09/2005 06:59 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 05:00 AM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"epm-dm"="c:\acer\epm\epm-dm.exe" [06/01/2005 02:17 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
c:\acer\epm\epm-dm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
C:\Acer\ePM\ePM.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Program Files\Acer\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
"C:\Program Files\Launch Manager\LaunchAp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
"C:\Program Files\Launch Manager\HotkeyApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
"C:\Program Files\Launch Manager\OSDCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
"C:\Program Files\Launch Manager\PowerKey.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
C:\Windows\RUNXMLPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
"C:\Program Files\Launch Manager\Wbutton.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe HowToUse\HowToUse.html




-- End of Deckard's System Scanner: finished at 2007-09-17 20:35:47 ------------
  • 0

#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello Ledgerat, we are making good progress.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Next run AVG Anti-Spyware
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (optional) then click Start full computer scan at the bottom.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip that file by right clicking and selecting send to Zip file
Then upload that as an attachment along with the log file produced in your next post.




So in your next reply please post the following: the AVG Anti-Spyware report, the .run file (you will need to attach this in your post), a new DSS log, and tell me how your PC is running now and if you had any problems.
  • 0

#11
ledgerat
    New Member
  • Topic Starter
  • Member
  • 7 posts
I ran the full AVG spyware scan... no malware... just tracking cookies... no report showed up when I went to the report area... here are the logs:
Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : KIMBERLY
Creation time : 9/17/2007 10:26:18 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\lavasoft\ad-aware 2007\aawtray.exe
c:\acer\epm\epm-dm.exe (Acer Inc)
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe (GRISOFT, s.r.o.)
* c:\program files\grisoft\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.)
c:\progra~1\grisoft\avgfre~1\avgcc.exe (GRISOFT, s.r.o.)
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe (GRISOFT, s.r.o.)
c:\windows\system32\wltray.exe (Broadcom Corporation)
* c:\windows\system32\hkcmd.exe (Intel Corporation)
* c:\windows\system32\igfxtray.exe (Intel Corporation)
* c:\windows\soundman.exe (Realtek Semiconductor Corp.)
* c:\documents and settings\kim\desktop\runscanner.exe (Runscanner.net)
c:\acer\emanager\anbmserv.exe (OSA Technologies Inc.)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\program files\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawtray.exe
c:\progra~1\grisoft\avgfre~1\avgcc.exe (GRISOFT, s.r.o.)
C:\windows\system32\wltray.exe (Broadcom Corporation)
c:\program files\launch manager\ctrlvol.exe (Wistron)
c:\acer\epm\epm-dm.exe (Acer Inc)
* c:\windows\system32\hkcmd.exe (Intel Corporation)
* c:\windows\system32\igfxtray.exe (Intel Corporation)
* c:\windows\system32\ime\pintlgnt\imscinst.exe
c:\program files\arcade\pcmservice.exe (CyberLink Corp.)
* C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\program files\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)

008 Default user \Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)
--------------------------------------------------------------------------
c:\progra~1\grisoft\avgfre~1\avgw.exe (GRISOFT, s.r.o.)

009 System user\Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)
------------------------------------------------------------------------
c:\progra~1\grisoft\avgfre~1\avgw.exe (GRISOFT, s.r.o.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
* c:\program files\grisoft\avg anti-spyware 7.5\guard.exe (AVG Anti-Spyware Guard)
c:\progra~1\grisoft\avgfre~1\avgemc.exe (AVG E-mail Scanner)
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe (AVG7 Alert Manager Server)
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe (AVG7 Update Service)
* c:\program files\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
* c:\program files\ipod\bin\ipodservice.exe (iPod Service)
c:\acer\emanager\anbmserv.exe (Notebook Manager Service)
C:\Program Files\winpcap\rpcapd.exe (Remote Packet Capture Protocol v.0 (experimental))

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
c:\windows\system32\drivers\epm-psd.sys (Acer EPM Power Scheme Driver)
c:\windows\system32\drivers\epm-shd.sys (Acer EPM System Hardware Driver)
* C:\WINDOWS\system32\drivers\amdagp.sys (AMD AGP Bus Filter Driver)
* C:\WINDOWS\system32\drivers\avgascln.sys (AVG Anti-Spyware Clean Driver)
* c:\program files\grisoft\avg anti-spyware 7.5\guard.sys (AVG Anti-Spyware Driver)
c:\windows\system32\drivers\avgtdi.sys (AVG Network Redirector)
c:\windows\system32\drivers\avgclean.sys (AVG7 Clean Driver)
c:\windows\system32\drivers\avg7core.sys (AVG7 Kernel)
c:\windows\system32\drivers\avg7rsxp.sys (AVG7 Resident Driver XP)
c:\windows\system32\drivers\avg7rsw.sys (AVG7 Wrap Driver)
- c:\windows\system32\drivers\wbutton.sys (Base)
* C:\WINDOWS\system32\drivers\bcmwl5.sys (Broadcom 802.11 Network Adapter Driver)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface DRIVER)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)
* C:\WINDOWS\system32\drivers\hsf_dp.sys (HSF_DP driver)
* C:\WINDOWS\system32\drivers\hsfhwich.sys (HSFHWICH WDM driver)
c:\program files\acer\erecovery\int15.sys (int15.sys)
C:\WINDOWS\system32\drivers\npf.sys (NetGroup Packet Filter Driver)
* C:\WINDOWS\system32\drivers\nscirda.sys (NSC Infrared Device Driver)
c:\windows\system32\drivers\osaio.sys (osaio)
c:\windows\system32\drivers\osanbm.sys (osanbm)
C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)
c:\program files\launch manager\powerkey.sys (POWERKEY)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* C:\WINDOWS\system32\drivers\rtlnicxp.sys (Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver)
* C:\WINDOWS\system32\drivers\symc810.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_u3.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1080.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sparrow.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql12160.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_hi.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1280.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc8xx.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc3550.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\mraid35x.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\dac2w2k.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\ntcdrdrv.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\alcxwdm.sys (Service for Realtek AC97 Audio (WDM))
* C:\WINDOWS\system32\drivers\sisagp.sys (SIS AGP Bus Filter)
* C:\WINDOWS\system32\drivers\syntp.sys (Synaptics TouchPad Driver)
* C:\WINDOWS\system32\drivers\aliide.sys (System Bus Extender)
* C:\WINDOWS\system32\drivers\cmdide.sys (System Bus Extender)
C:\WINDOWS\system32\drivers\ntidrvr.sys (Upper Class Filter Driver)
* C:\WINDOWS\system32\drivers\fetnd5.sys (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver)
* C:\WINDOWS\system32\drivers\ialmnt5.sys (Video)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
- c:\program files\messenger\msmsgs.exe {FB5F1910-F110-11d2-BB9E-00C04F795683}

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
* c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.) {57B86673-276A-48B2-BAE7-C6DBB3020EB8}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}
* c:\program files\google\googletoolbarnotifier\2.1.615.5858\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
* c:\program files\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
c:\program files\grisoft\avg free\avgse.dll (GRISOFT, s.r.o.) {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
c:\program files\grisoft\avg free\avgse.dll (GRISOFT, s.r.o.) {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
C:\WINDOWS\system32\epm-po.dll (Acer Labs USA) {2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\program files\itunes\itunesminiplayer.dll (Apple Computer, Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
c:\program files\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
* c:\program files\synaptics\syntp\syntpcpl.dll (Synaptics, Inc.) {2F603045-309F-11CF-9774-0020AFD0CFF6}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
C:\WINDOWS\system32\lsdelete.exe


Deckard's System Scanner v20070905.67
Run by Kim on 2007-09-17 22:29:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Kim.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-17 22:29:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Acer\ePM\epm-dm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\GUARD.EXE
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kim\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKEY_LOCAL_MACHINE\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKEY_LOCAL_MACHINE\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKEY_LOCAL_MACHINE\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://bobvila.view2...2/View22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"


-- Files created between 2007-08-17 and 2007-09-17 -----------------------------

2007-09-16 16:01:18 0 d-------- C:\VundoFix Backups
2007-09-16 15:18:22 0 d-------- C:\!KillBox
2007-09-16 10:48:33 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2007-09-16 10:45:10 65536 -----n--- C:\WINDOWS\system32\WLTRYSVC.EXE
2007-09-16 10:45:10 192512 --a------ C:\WINDOWS\system32\AegisI5.exe <Not Verified; ; AegisInstall Application>
2007-09-16 10:45:06 1396831 -----n--- C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\TEMP\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-16 10:17:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-16 10:17:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-16 10:17:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-16 10:17:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-16 10:07:20 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-16 10:07:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-16 10:07:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-16 10:07:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-16 10:07:19 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Templates
2007-09-16 09:07:16 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2007-09-16 09:07:16 0 dr------- C:\Documents and Settings\TEMP\Favorites
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2007-09-16 09:07:16 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2007-09-16 09:07:16 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2007-09-16 09:07:14 3932160 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2007-09-16 06:35:54 0 d-------- C:\h
2007-09-14 15:15:58 0 d-------- C:\Program Files\Lavasoft
2007-09-14 15:15:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-14 14:34:12 0 d-------- C:\Documents and Settings\Kim\Application Data\Grisoft
2007-09-02 13:56:57 0 d-------- C:\Documents and Settings\Kim\Application Data\vlc
2007-08-30 18:17:09 0 d-------- C:\Program Files\Syberia
2007-08-19 09:39:03 0 d-------- C:\Documents and Settings\Kim\Application Data\StarOffice8
2007-08-19 09:34:31 0 d-------- C:\Program Files\Sun
2007-08-19 08:11:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater


-- Find3M Report ---------------------------------------------------------------

2007-08-11 10:25:18 0 d-------- C:\Documents and Settings\Kim\Application Data\ScummVM
2007-07-22 13:04:20 0 d-------- C:\Program Files\TLJ


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 10:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 10:31 AM]
"SoundMan"="SOUNDMAN.EXE" [04/15/2005 11:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/04/2005 11:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/04/2005 11:11 AM]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [09/16/2003 02:28 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [08/26/2007 10:08 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [03/09/2005 06:59 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 05:00 AM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
"epm-dm"="c:\acer\epm\epm-dm.exe" [06/01/2005 02:17 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
c:\acer\epm\epm-dm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
C:\Acer\ePM\ePM.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Program Files\Acer\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
"C:\Program Files\Launch Manager\LaunchAp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
"C:\Program Files\Launch Manager\HotkeyApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
"C:\Program Files\Launch Manager\OSDCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerKey]
"C:\Program Files\Launch Manager\PowerKey.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\preload]
C:\Windows\RUNXMLPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
"C:\Program Files\Launch Manager\Wbutton.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe HowToUse\HowToUse.html




-- End of Deckard's System Scanner: finished at 2007-09-17 22:30:03 ------------

Attached Files


  • 0
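The RunScanner log above uses a small line format: a leading "* " marks an Authenticode-signed file, "- " marks a file that is not on disk, then comes the path, an optional company or description in parentheses and an optional CLSID in braces. As an added example that is not part of this thread or of RunScanner itself, the Python below parses lines in that format and lists the entries a helper looks at first: files that are missing, and unsigned files in locations that run automatically. The sample log is constructed from a few lines of the log posted above plus one made-up unsigned entry at a hypothetical path, and the choice of which section numbers count as "review" sections is my own.

```python
"""Triage helper for RunScanner-style logs (added example, not RunScanner's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_SECTION = re.compile(r"^(\d{3}) (.+)$")          # e.g. "002 HKLM\SOFTWARE\...\Run (+subkeys)"
_RULE = re.compile(r"^-{5,}$")                     # underline below a section title
_CLSID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s*$")

# Sections where an unsigned file deserves a look (my own selection): running
# processes, Run keys, services, drivers, ShellExecuteHooks, BHOs, BootExecute.
REVIEW_SECTIONS = {"001", "002", "008", "009", "010", "011", "050", "052", "063"}


@dataclass
class Entry:
    section: str
    path: str
    signed: bool              # "* " prefix: valid Authenticode signature
    missing: bool             # "- " prefix: file not found on disk
    company: Optional[str]    # text of the trailing "(...)" group, if any
    clsid: Optional[str]      # GUID from the trailing "{...}" group, if any


def _split_company(text: str) -> Tuple[str, Optional[str]]:
    """Strip a trailing balanced '(...)' group; nested parentheses are kept intact."""
    if not text.endswith(")"):
        return text, None
    depth = 0
    for i in range(len(text) - 1, -1, -1):
        if text[i] == ")":
            depth += 1
        elif text[i] == "(":
            depth -= 1
            if depth == 0:
                if i > 0 and text[i - 1] == " ":
                    return text[:i].rstrip(), text[i + 1:-1]
                break
    return text, None


def parse_entry(section: str, line: str) -> Entry:
    flag = ""
    if line[:2] in ("* ", "- "):
        flag, line = line[0], line[2:]
    clsid = None
    m = _CLSID.search(line)
    if m:
        clsid = m.group(1).upper()
        line = line[: m.start()].rstrip()
    path, company = _split_company(line)
    return Entry(section, path.strip(), flag == "*", flag == "-", company, clsid)


def parse_log(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Return (general info from section 000, entries from all other sections)."""
    info: Dict[str, str] = {}
    entries: List[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or _RULE.match(line):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue                      # banner and legend lines before section 000
        if section == "000":
            key, _, value = line.partition(" : ")
            info[key.strip()] = value.strip()
        else:
            entries.append(parse_entry(section, line))
    return info, entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Missing files anywhere, plus unsigned files in the review sections."""
    return [e for e in entries
            if e.missing or (e.section in REVIEW_SECTIONS and not e.signed)]


# Constructed sample: lines taken from the log posted in this thread, plus one
# made-up unsigned entry (hypothetical path) so the triage has something to show.
SAMPLE_LOG = r"""Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : KIMBERLY
OS : Microsoft Windows XP
User rights : Administrator

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawtray.exe
c:\progra~1\grisoft\avgfre~1\avgcc.exe (GRISOFT, s.r.o.)
c:\windows\system32\example_unsigned.dll

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
C:\Program Files\winpcap\rpcapd.exe (Remote Packet Capture Protocol v.0 (experimental))

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
- c:\program files\messenger\msmsgs.exe {FB5F1910-F110-11d2-BB9E-00C04F795683}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}
"""

if __name__ == "__main__":
    info, entries = parse_log(SAMPLE_LOG)
    hits = triage(entries)
    print(f"{info.get('Computer name')}: {len(entries)} entries, {len(hits)} to review")
    for e in hits:
        why = "file not found" if e.missing else "unsigned in review section"
        print(f"  [{e.section}] {e.path}  ({why})")
```

An unsigned entry is not a verdict: avgcc.exe and rpcapd.exe are unsigned in the posted log and both are legitimate. The list only narrows down what to look up by hand, which is what the helper does with the orange entries in the fixed .run file.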

#12
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Ledgerat, your logs are looking good ! We need to do a few little things.

Only re-enable one of these or else there will be conflicts and other problems. I recommend keeping TeaTimer enabled in real-time

Please re-enable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Check the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Please re-enable Ad-Watch

To re-enable Ad-Watch:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
   Active: Switches Monitoring On or Off without closing
   Automatic: Switches Automatic Blocking On or Off
3. Check (red X) both items.


Make sure you only re-enable one of those programs.


Some clean up :

Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot



Download the zipped attachment at the end of this post (this will be your runscanner as fixed by me).
  • Unzip it to your desktop, then double click the runscanner icon; this will run the program.
  • You will notice several entries in ORANGE with a tick, right click them individually and select delete.
  • Accept the warning then repeat until they are all gone.
Please post back with a new .run file and tell me how your PC is running now and if you had any problems.



Go to Start > Control Panel > Add or Remove Programs > Remove

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ SE Runtime Environment 6 Update 1



You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

Edited by Rorschach112, 17 September 2007 - 09:03 PM.

  • 0
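The ActiveX settings that Rorschach112 asks for through Inetcpl.cpl are stored under the Internet zone key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 as DWORD values 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls) and 1201 (Initialize and script ActiveX controls not marked as safe), where 0 = Enable, 1 = Prompt and 3 = Disable. As an added example, not part of this thread, the Python below parses a .reg export of that key and reports every setting weaker than the post recommends; the two exports are constructed samples (one with all three on Enable, one set as recommended with 1004 even stricter), and a value stricter than asked for is deliberately not flagged.

```python
"""Check an exported Internet-zone key against the ActiveX settings recommended above.
Added example; the .reg samples below are constructed."""
import re
from typing import Dict, List, Tuple

# DWORD value names Internet Explorer uses under ...\Internet Settings\Zones\3.
ACTIVEX_SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3                 # the three levels the GUI offers
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# What the post asks for: Prompt on both download settings, Disable on 1201.
RECOMMENDED = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

_KEY = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Collect the DWORD values of a .reg export as {key path: {value name: int}}."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_internet_zone(values: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (setting, current level, recommended level) for each setting weaker
    than recommended. Levels order Enable < Prompt < Disable, so a stricter value
    is not reported; a value absent from the export is reported so that it gets
    checked in the GUI rather than assumed safe."""
    findings = []
    for name, wanted in RECOMMENDED.items():
        current = values.get(name)
        if current is None:
            findings.append((ACTIVEX_SETTINGS[name], "not in export", LEVEL_NAMES[wanted]))
        elif current < wanted:
            findings.append((ACTIVEX_SETTINGS[name],
                             LEVEL_NAMES.get(current, str(current)), LEVEL_NAMES[wanted]))
    return findings


# Constructed samples in .reg syntax: every setting on Enable (weak), then the
# corrected key, with 1004 set even stricter than the post asks for.
WEAK_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONE3_KEY}]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"""

FIXED_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONE3_KEY}]
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("fixed", FIXED_EXPORT)):
        zone = parse_reg(export).get(ZONE3_KEY, {})
        print(label, audit_internet_zone(zone) or "all three settings as recommended")
```

A real export from reg.exe is UTF-16 with a byte-order mark, so read the file with that encoding before handing the text to parse_reg. The check only covers the three settings named in the post; the rest of the zone's values are left to the "Reset all zones to default level" step.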

#13
ledgerat

    New Member

  • Topic Starter
  • Member
  • 7 posts
Everything seems to be working well. System still boots a little slow, but once it is running I don't have any problems with slowness or pop-ups.
Here's a new log if you need it, as well as a new run file. Thanks for your help.

Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : KIMBERLY
Creation time : 9/18/2007 6:21:05 AM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\lavasoft\ad-aware 2007\aawtray.exe
c:\acer\epm\epm-dm.exe (Acer Inc)
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
* c:\program files\adobe\reader 8.0\reader\reader_sl.exe (Adobe Systems Incorporated)
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe (GRISOFT, s.r.o.)
* c:\program files\grisoft\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.)
c:\progra~1\grisoft\avgfre~1\avgcc.exe (GRISOFT, s.r.o.)
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe (GRISOFT, s.r.o.)
c:\windows\system32\wltray.exe (Broadcom Corporation)
c:\program files\arcade\pcmservice.exe (CyberLink Corp.)
* c:\windows\system32\hkcmd.exe (Intel Corporation)
* c:\windows\system32\igfxtray.exe (Intel Corporation)
* c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
* c:\windows\soundman.exe (Realtek Semiconductor Corp.)
* c:\documents and settings\kim\desktop\runscanner.exe (Runscanner.net)
c:\acer\emanager\anbmserv.exe (OSA Technologies Inc.)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\program files\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawtray.exe
* c:\program files\adobe\reader 8.0\reader\reader_sl.exe (Adobe Systems Incorporated)
c:\progra~1\grisoft\avgfre~1\avgcc.exe (GRISOFT, s.r.o.)
C:\windows\system32\wltray.exe (Broadcom Corporation)
c:\program files\launch manager\ctrlvol.exe (Wistron)
c:\acer\epm\epm-dm.exe (Acer Inc)
* c:\windows\system32\hkcmd.exe (Intel Corporation)
* c:\windows\system32\igfxtray.exe (Intel Corporation)
* c:\windows\system32\ime\pintlgnt\imscinst.exe
c:\program files\arcade\pcmservice.exe (CyberLink Corp.)
* C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
* c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\program files\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)

008 Default user \Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)
--------------------------------------------------------------------------
c:\progra~1\grisoft\avgfre~1\avgw.exe (GRISOFT, s.r.o.)

009 System user\Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)
------------------------------------------------------------------------
c:\progra~1\grisoft\avgfre~1\avgw.exe (GRISOFT, s.r.o.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
* c:\program files\grisoft\avg anti-spyware 7.5\guard.exe (AVG Anti-Spyware Guard)
c:\progra~1\grisoft\avgfre~1\avgemc.exe (AVG E-mail Scanner)
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe (AVG7 Alert Manager Server)
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe (AVG7 Update Service)
* c:\program files\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
* c:\program files\ipod\bin\ipodservice.exe (iPod Service)
c:\acer\emanager\anbmserv.exe (Notebook Manager Service)
C:\Program Files\winpcap\rpcapd.exe (Remote Packet Capture Protocol v.0 (experimental))

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
c:\windows\system32\drivers\epm-psd.sys (Acer EPM Power Scheme Driver)
c:\windows\system32\drivers\epm-shd.sys (Acer EPM System Hardware Driver)
* C:\WINDOWS\system32\drivers\amdagp.sys (AMD AGP Bus Filter Driver)
* C:\WINDOWS\system32\drivers\avgascln.sys (AVG Anti-Spyware Clean Driver)
* c:\program files\grisoft\avg anti-spyware 7.5\guard.sys (AVG Anti-Spyware Driver)
c:\windows\system32\drivers\avgtdi.sys (AVG Network Redirector)
c:\windows\system32\drivers\avgclean.sys (AVG7 Clean Driver)
c:\windows\system32\drivers\avg7core.sys (AVG7 Kernel)
c:\windows\system32\drivers\avg7rsxp.sys (AVG7 Resident Driver XP)
c:\windows\system32\drivers\avg7rsw.sys (AVG7 Wrap Driver)
* C:\WINDOWS\system32\drivers\bcmwl5.sys (Broadcom 802.11 Network Adapter Driver)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface DRIVER)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)
* C:\WINDOWS\system32\drivers\hsf_dp.sys (HSF_DP driver)
* C:\WINDOWS\system32\drivers\hsfhwich.sys (HSFHWICH WDM driver)
c:\program files\acer\erecovery\int15.sys (int15.sys)
C:\WINDOWS\system32\drivers\npf.sys (NetGroup Packet Filter Driver)
* C:\WINDOWS\system32\drivers\nscirda.sys (NSC Infrared Device Driver)
c:\windows\system32\drivers\osaio.sys (osaio)
c:\windows\system32\drivers\osanbm.sys (osanbm)
C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)
c:\program files\launch manager\powerkey.sys (POWERKEY)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* C:\WINDOWS\system32\drivers\rtlnicxp.sys (Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver)
* C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_u3.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sparrow.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_hi.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc8xx.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc810.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1280.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql12160.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1080.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc3550.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\mraid35x.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\dac2w2k.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\ntcdrdrv.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\alcxwdm.sys (Service for Realtek AC97 Audio (WDM))
* C:\WINDOWS\system32\drivers\sisagp.sys (SIS AGP Bus Filter)
* C:\WINDOWS\system32\drivers\syntp.sys (Synaptics TouchPad Driver)
* C:\WINDOWS\system32\drivers\cmdide.sys (System Bus Extender)
* C:\WINDOWS\system32\drivers\aliide.sys (System Bus Extender)
C:\WINDOWS\system32\drivers\ntidrvr.sys (Upper Class Filter Driver)
* C:\WINDOWS\system32\drivers\fetnd5.sys (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver)
* C:\WINDOWS\system32\drivers\ialmnt5.sys (Video)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
* c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.) {57B86673-276A-48B2-BAE7-C6DBB3020EB8}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}
* c:\program files\google\googletoolbarnotifier\2.1.615.5858\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
* c:\program files\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
c:\program files\grisoft\avg free\avgse.dll (GRISOFT, s.r.o.) {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
c:\program files\grisoft\avg free\avgse.dll (GRISOFT, s.r.o.) {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\WINDOWS\system32\epm-po.dll (Acer Labs USA) {2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\program files\itunes\itunesminiplayer.dll (Apple Computer, Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
c:\program files\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
* c:\program files\synaptics\syntp\syntpcpl.dll (Synaptics, Inc.) {2F603045-309F-11CF-9774-0020AFD0CFF6}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
c:\program files\sun\staroffice 8\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
C:\WINDOWS\system32\lsdelete.exe

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
* C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn...st/srchcust.htm
Default_Page_URL HKLM : http://global.acer.com/
Default_Search_URL HKCU : http://www.google.com/ie
Default_Search_URL HKLM : http://www.microsoft...amp;ar=iesearch
Search Page HKCU : http://www.google.com
Search Page HKLM : http://www.microsoft...amp;ar=iesearch
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://www.google.com/ie
SearchUrl HKCU : http://www.google.com/search?q=%s
ShellNext HKCU : http://global.acer.com/
Start Page HKCU : http://www.msn.com/
Start Page HKLM : http://www.microsoft...p...ER}&ar=home

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
* c:\windows\system32\macromed\flash\flash8b.ocx (Macromedia, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
DisableRegistryTools : 0
DisableTaskMgr : 0

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
D : D:\setupSNK.exe
E : E:\Autorun.exe HowToUse\HowToUse.html

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\program files\grisoft\avg anti-spyware 7.5\context.dll (GRISOFT s.r.o.) {8934FCEF-F5B8-468f-951F-78A921CD3920}
c:\program files\grisoft\avg free\avgse.dll (GRISOFT, s.r.o.) {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

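One way to triage a log in the format posted above, as an added Python example (not Runscanner's code and not anything from this thread): it parses the log's "* / -" legend and "NNN Title" section layout, then lists entries that are unsigned or missing in the autostart locations the cleanup in this thread concentrated on (Winlogon\Notify, Browser Helper Objects, ShellExecuteHooks, Run). The sample log, the example_*.dll names, their vendor and the CLSID are constructed placeholders, and an "unsigned" hit only means the item deserves a look, not that it is malicious.

```python
import re
# Runscanner legend, as printed at the top of the log: "* " = Authenticode-signed
# file, "- " = file not found.  Entry shape:  [flag] path [(vendor)] [{CLSID}]
SECTION_RE = re.compile(r"^\d{3} (.+)$")
# Constructed sample in the log's format (not the thread's own log); the
# "example_*.dll" entries and their vendor/CLSID are placeholders.
SAMPLE_LOG = r"""
067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
* C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
c:\windows\system32\example_unsigned.dll (Example Vendor (constructed)) {00000000-0000-0000-0000-000000000000}
- C:\WINDOWS\system32\example_missing.dll
"""

def parse_entry(line):
    """One entry line -> dict with path, signed, missing, vendor, clsid."""
    flag, rest = "", line
    if line[:2] in ("* ", "- "):
        flag, rest = line[0], line[2:]
    clsid = vendor = None
    if rest.endswith("}"):                 # trailing {CLSID}
        rest, _, tail = rest.rpartition(" {")
        clsid = "{" + tail
    i = rest.find(" (")                    # first "(" opens the vendor; nested ")" stay inside it
    if i != -1 and rest.endswith(")"):
        vendor, rest = rest[i + 2:-1], rest[:i]
    return {"path": rest, "signed": flag == "*", "missing": flag == "-",
            "vendor": vendor, "clsid": clsid}

def parse_log(text):
    """Group entries by 'NNN Title' section; blank lines, dashed underlines and preamble are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) == {"-"}:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(parse_entry(line))
    return sections

# Autostart locations where an unsigned or missing entry deserves a second look.
WATCHED = ("Winlogon\\Notify", "Browser Helper Objects", "ShellExecuteHooks", "CurrentVersion\\Run")

def triage(sections):
    """Return (section, path, reason) for WATCHED entries that are unsigned or missing."""
    return [(title, e["path"], "file not found" if e["missing"] else "unsigned")
            for title, entries in sections.items() if any(w in title for w in WATCHED)
            for e in entries if e["missing"] or not e["signed"]]
```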

#14
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello Ledgerat

Your logs look good. You can delete runscanner.exe now.

Have a read of this link to help speed up your PC:
http://users.telenet...owcomputer.html

Make sure you aren't running TeaTimer and Ad-Watch in real-time; you should only have one of these programs running, or else your PC will be slow and have problems.

Also give your PC a defrag; this can help out a lot with speed.

That's the best advice I can give you :)

#15
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.