1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Slow computer, to the point where music cant play smoothly

Discussion in 'Virus & Other Malware Removal' started by oli212, Mar 3, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Hi, i am having real problems with my PC. It takes a good 15 mins to load from boot up (that is not a joke) and when it does it runs so slowly. And i mean REALLY slowly. It's so slow that it cant play music properly, you just get that stuttering soundas it trys to play but cant keep up.

    I have ran ad-aware and AVG (pre HJT scan) but it all found is tracking cookies. Below is my HJT log, i will be greatly appreciated if someone could look at this for me.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:19:18, on 03/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
    C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
    C:\acer\Empowering Technology\ePower\epm-dm.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Acer\Empowering Technology\admtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\dlcjcoms.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {938d5fb6-5b20-6388-d164-8b4a893ccea2} - {2aecc398-a4b8-461d-8836-02b56bf5d839} - C:\WINDOWS\system32\rrvdomhn.dll (file missing)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\efcbcab.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {F09E1C3D-B00F-432A-9D14-EEEB6D80BA40} - C:\WINDOWS\system32\geebx.dll (file missing)
    O3 - Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,[email protected]
    O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
    O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a34702503fcf4fa6a02c7bb4c0365ef4
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a34702503fcf4fa6a02c7bb4c0365ef4
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
    O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphoto.com/wpp/boots/app/opcuploader.cab
    O20 - Winlogon Notify: efcbcab - efcbcab.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O24 - Desktop Component 0: (no name) - http://photos-c.ak.facebook.com/photos-ak-sf2p/v160/132/74/595651833/n595651833_501270_7501.jpg

    --
    End of file - 12381 bytes
     
  2. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    bump!
     
  3. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    You have signs of either leftovers from, or a current infection.

    But you also have the classic signs of a drive which has reverted to PIO mode. This causes the Ultra slowness and music stuttering you have. Let's troubleshoot PIO mode first and then continue. It's better to have a fast system when we do scans.

    For General Slowdown let's look at your Device Manager.
    Roght lick on My Computer and then click Properties on the menu. When the porperties page comes up, click the hardware tab. this will bring up a new page. On this new page, click the Device Manager button.
    When device manager opens Find the Ide Controllers entry and Double click on it to expand the branch.

    Under that, double click on Primary Ide Channel to bring up its properties page.

    Click the Advanced Settings tab.

    If the Current Transfer Mode is PIO then Click the Driver Tab and uninstall the driver. Restart the computer. Check to see if it is now in DMA mode. And if it is, has your computer gained speed?
     
  4. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Hi, sorry for the slow reply.

    Yes that has worked thank you! It's in DMA mode and it's speed has been greatly increased!
     
  5. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Now we need to have a closer look to see if you have some very nasty malware active on your system. Hijackthis indicates you do, however, can't find it or remove it. But from this point on, I won't want to see another Hijackthis log unless I request it. We'll use more advanced tools, one which includes Hijackthis + more.

    Download Deckard's System Scanner to your Desktop from one of these links:

    http://www.techsupportforum.com/sectools/Deckard/dss.exe
    http://deckard.geekstogo.com/dss.exe

    Close all applications and windows. Disable any currently running security programs and Anti virus.
    Go to start >run
    Paste in this command and then press enter.
    "%userprofile%\desktop\dss.exe" /config

    When DSS configuration opens, click the "Check all" button. Then click the Scan Button.



    When the scan is complete, a text file will open - Main.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
    A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
    Please attach Extra.txt to your post. If the Folder doesn't open, please open it and find extra.txt manually.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    To attach a file, do not use the quick reply feature. Instead, click the orange reply button. Next, scroll down and Click the[Manage Attachments] button.
    Upload
    C:\Deckard\System Scanner\Extra.txt


    Be sure to re-enable any Anti Virus or other security programs you disabled after Deckard's system scan has finished.



    What DSS will do:
    --create a new System Restore point in Windows XP and Vista.
    --clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    --check some important areas of your system and produce a report for your analyst to review.
    --System Scanner automatically runs HijackThis for you, but if you do not have hijackthis installed, it will run its own cloned version of hijackthis.

    ----------------------------------------

    Run Kaspersky online virus from this link:

    http://www.kaspersky.co.uk/virusscanner

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.
    Post the Kaspersky log into your next reply please. Or if too long, attach it.
     
  6. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Ok will do. I'm away for the holiday period at the moment so am on my desktop but i promise i will do this ASAP when i get back in 10 days.

    Mnay thanks for your help.
     
  7. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    You're welcome. But if you know anyone who has access to that system, you really need to turn it off and disconect it from the internet if it is not already.

    Malware never rests. It updates itself and often downloads other malware.
     
  8. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Hi, apologies for the delay. I have been in hospital.

    Please find attached extra.txt and the contains of main.txt below:

    Deckard's System Scanner v20071014.68
    Run by Frances Bishop on 2008-04-17 18:03:55
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    57: 2008-04-17 17:04:40 UTC - RP217 - Deckard's System Scanner Restore Point
    56: 2008-04-16 10:54:48 UTC - RP216 - System Checkpoint
    55: 2008-04-14 20:42:52 UTC - RP215 - System Checkpoint
    54: 2008-04-13 19:50:40 UTC - RP214 - System Checkpoint
    53: 2008-04-11 12:32:48 UTC - RP213 - System Checkpoint


    -- First Restore Point --
    1: 2008-01-21 10:27:21 UTC - RP161 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Percentage of Memory in Use: 84% (more than 75%).
    Total Physical Memory: 503 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-17 18:08:54
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Launch Manager\QtZgAcer.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
    C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
    C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
    C:\Acer\Empowering Technology\ePower\epm-dm.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\WINDOWS\system32\dlcjcoms.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Acer\Empowering Technology\admtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Frances Bishop\Desktop\dss.exe
    C:\WINDOWS\system32\sol.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {938d5fb6-5b20-6388-d164-8b4a893ccea2} - {2aecc398-a4b8-461d-8836-02b56bf5d839} - C:\WINDOWS\system32\rrvdomhn.dll (file missing)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\efcbcab.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {F09E1C3D-B00F-432A-9D14-EEEB6D80BA40} - C:\WINDOWS\system32\geebx.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,[email protected]
    O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
    O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a34702503fcf4fa6a02c7bb4c0365ef4
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a34702503fcf4fa6a02c7bb4c0365ef4
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
    O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphoto.com/wpp/boots/app/opcuploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - Winlogon Notify: efcbcab - C:\WINDOWS\system32\efcbcab.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPCap\rpcapd.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O24 - Desktop Component 0: - http://photos-c.ak.facebook.com/photos-ak-sf2p/v160/132/74/595651833/n595651833_501270_7501.jpg

    --
    End of file - 13778 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
    R1 OsaFsLoc - c:\windows\system32\drivers\osafsloc.sys <Not Verified; OSA Technologies; >
    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
    R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
    R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
    R2 int15.sys - c:\acer\empowering technology\erecovery\int15.sys
    R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; OSA Technologies, An Avocent Company; Windows (R) 2000 DDK driver>
    R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows (R) 2000 DDK provider; OSA int15 Driver>
    R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
    R3 NdisFilt (OSA NdisFilter Protocol) - c:\windows\system32\drivers\ndisfilt.sys <Not Verified; OSA Technologies; >
    R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

    S3 NETMNT (Acer NetMonitor Protocol) - c:\windows\system32\drivers\netmnt.sys
    S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 AWService (AdminWorks Agent X6) - "c:\acer\empowering technology\admserv.exe" <Not Verified; Avocent Inc.; Acer Empowering framework>
    R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\acer\acer arcade\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
    R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\acer\acer arcade\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
    R2 CyberLink Media Library Service - "c:\program files\acer\acer arcade\kernel\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
    R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
    R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-04-17 17:33:04 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    2008-04-04 17:10:14 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-03-17 and 2008-04-17 -----------------------------

    Nothing created in this timespan.


    -- Find3M Report ---------------------------------------------------------------

    2008-03-03 20:16:40 0 d-------- C:\Program Files\Trend Micro
    2008-02-29 17:43:46 0 d-------- C:\Program Files\PCFriendly


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2aecc398-a4b8-461d-8836-02b56bf5d839}]
    C:\WINDOWS\system32\rrvdomhn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
    C:\WINDOWS\system32\efcbcab.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F09E1C3D-B00F-432A-9D14-EEEB6D80BA40}]
    C:\WINDOWS\system32\geebx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "RTHDCPL"="RTHDCPL.EXE" [16/11/2005 20:27 C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr"="ALCMTR.EXE" [03/05/2005 03:43 C:\WINDOWS\Alcmtr.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [07/01/2005 16:17]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [07/01/2005 16:16]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [31/08/2005 19:59]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 05:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 05:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [18/07/2005 04:09]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [18/07/2005 04:06]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [18/07/2005 04:10]
    "LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [01/12/2005 17:38]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [16/11/2005 17:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [13/04/2005 03:48]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [14/10/2003 10:22]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [17/03/2005 14:25]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [17/03/2005 14:45]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [28/03/2006 15:48]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [26/01/2005 18:02]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [10/04/2006 14:58]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 10:17]
    "DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [15/08/2005 17:40]
    "dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [12/08/2005 20:47]
    "MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [10/08/2005 14:12]
    "epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [25/11/2005 15:59]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [15/01/2008 22:54]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/11/2007 14:56]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [14/11/2007 23:43]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/11/2007 13:11]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [19/10/2005 09:30]
    "ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [24/10/2005 16:45]
    "Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [09/11/2005 11:04]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [18/06/2007 17:09]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\efcbcab.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbcab]
    efcbcab.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d5657c-622f-11dc-bf05-00166fa1d880}]
    AutoRun\command- F:\LaunchU3.exe -a




    -- End of Deckard's System Scanner: finished at 2008-04-17 18:10:22 ------------
     

    Attached Files:

  9. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    oli212,

    I'm sorry to hear you have been ill. Unfortunately, you waited so long to run the scan, that the results are not terribly helpful. It scans for files created withtin the last 30 days and that gives us some very useful information we might not get otherwise.


    You do have a very nasty Vundo infection.

    I have had a flu bug for the past 2 + months myself and have not been very active on the forums. So I am not the best person to help. I only show up every few days for short periods of time. And malware like this needs prompt attention. You have several issues along with Vundo. You need updates to certain programs too. You are running a file sharing program. These are dangerous. Very often the files you download are infected and you end up with more than you bargained for. I stronly urge you to uninstall any file sharing programs you have on this system.





    Let's start with Combofix and see what it finds.

    Go here and follow the tutorial on using Combofix. Post the log when you have finished running that utility.


    http://www.bleepingcomputer.com/combofix/how-to-use-combofix


    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.


    It is very important that you read the entire page and follow all directions before running combofix.

    AFTER you have run combofix, please run a new Deckard's System scan and post those results too. Before you connect to the internet, do re-enable your Anti Virus.

    There are going to be many things to do. If you are not up to it, I think a format and reinstall would be a good idea.


    Do you do any banking or other financial transaction on this system?
     
  10. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Any help you can give me would be greatly appreicated. It's better than no help at all! I do use it for banking transactions but i stopped doing that as soon as the problem started. As you can probably tell from my logs, i am running an up to date version of AVG antivirus. I know vundo is a particulaly difficult infection to remove and i understand that it is probably beyond the capibilities of anti-virus software, but what concerns me is that it is not even dectecting that an infection is present. Shouldn't it (at the very least) be doing this??

    Please find my combo fix log below. In case you need to know, i removed Limewire prior to running to combofix.

    ComboFix 08-04-18.3 - Frances Bishop 2008-04-19 12:56:31.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT 1:00]
    Running from: C:\Documents and Settings\Frances Bishop\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Frances Bishop\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\pthreadVC.dll
    C:\WINDOWS\system32\WanPacket.dll
    C:\WINDOWS\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
    .

    2008-04-19 12:42 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-04-19 12:42 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
    2008-04-19 12:41 . 2004-08-04 05:00 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-04-19 12:41 . 2004-08-04 05:00 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-04-18 18:34 . 2008-04-18 18:34 <DIR> d-------- C:\Program Files\iPod
    2008-04-18 12:51 . 2008-04-18 12:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-04-18 12:42 . 2008-04-18 12:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-04-18 12:33 . 2008-04-18 12:33 <DIR> d-------- C:\Program Files\Kontiki
    2008-04-18 12:33 . 2008-04-18 12:33 <DIR> d-------- C:\Program Files\Channel4
    2008-04-18 12:33 . 2008-04-18 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
    2008-04-18 12:32 . 2008-04-18 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
    2008-04-17 18:03 . 2008-04-17 18:03 <DIR> d-------- C:\Deckard
    2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-03 19:16 --------- d-----w C:\Program Files\Trend Micro
    2008-02-29 16:43 --------- d-----w C:\Program Files\PCFriendly
    2008-02-24 21:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
    2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-02-19 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBit Games
    2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
    2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
    2008-01-07 13:01 13,004 ----a-w C:\Documents and Settings\Frances Bishop\Application Data\mdb.bin
    2007-11-05 15:02 6,470 --sh--w C:\WINDOWS\system32\xbeeg.bak1
    2007-11-11 14:40 107,862 --sh--w C:\WINDOWS\system32\xbeeg.bak2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2aecc398-a4b8-461d-8836-02b56bf5d839}]
    C:\WINDOWS\system32\rrvdomhn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F09E1C3D-B00F-432A-9D14-EEEB6D80BA40}]
    C:\WINDOWS\system32\geebx.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 17:09 68856]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17 102491]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16 692315]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 04:09 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 04:06 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 04:10 114688]
    "LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:38 458752]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00 397312]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:17 579584]
    "DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 17:40 73728]
    "dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 20:47 430080]
    "MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 14:12 286720]
    "epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 15:59 212992]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 22:54 37376]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-12 14:56 185632]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30 69632]
    "ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
    "Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]
    "4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-13 09:56 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbcab]
    efcbcab.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "C:\\WINDOWS\\System32\\dlcjcoms.exe"=
    "C:\\WINDOWS\\System32\\SPOOL\\drivers\\W32X86\\3\\dlcjpswx.exe"=
    "C:\\Program Files\\Kontiki\\KService.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
    R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
    R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
    R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
    R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
    R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
    R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
    S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d5657c-622f-11dc-bf05-00166fa1d880}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-19 11:33:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2008-04-18 17:18:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-19 13:10:51
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
    C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
    C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    C:\ACER\EMPOWERING TECHNOLOGY\ADMSERV.EXE
    C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\TV\CLCAPSVC.EXE
    C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVER.EXE
    C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVICE.EXE
    C:\Program Files\Kontiki\KService.exe
    C:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
    C:\PROGRAM FILES\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
    C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\TV\CLSCHED.EXE
    C:\PROGRAM FILES\LAUNCH MANAGER\QTZGACER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
    C:\PROGRAM FILES\BROTHER\CONTROLCENTER3\BRCCMCTL.EXE
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\SYSTEM32\IGFXSRVC.EXE
    C:\WINDOWS\SYSTEM32\DLCJCOMS.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-19 13:15:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-19 12:14:50

    Pre-Run: 4,608,851,968 bytes free
    Post-Run: 4,892,524,544 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    219 --- E O F --- 2008-04-10 02:06:07
     
  11. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Hi,

    That was a good idea. HAve you changed yout banking passwords using a clean conectoin or by phone? That would be a great idea in the event they are no olonger secure. Check at the bank for any unusual activity on your accounts too.

    Please download Malwarebytes Anti-Malware from one of these links:

    http://www.besttechie.net/tools/mbam-setup.exe

    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html


    Double Click mbam-setup.exe to install the application.
    Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select Perform Quick Scan, then click Scan.
    The scan may take some time to finish,so please be patient.
    When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected.
    When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Copy the entire report and paste it in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
    __________________

    After you post the MBAM results, please then run a new Deckard scan (dss.exe) and post that into your next reply.
     
  12. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Hi,

    Please find the MBAM log below. It said it was clear. Bad news, right?

    Malwarebytes' Anti-Malware 1.11
    Database version: 658

    Scan type: Quick Scan
    Objects scanned: 33216
    Time elapsed: 33 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    New DSS log is in next post.
     
  13. oli212

    oli212 Thread Starter

    Joined:
    Mar 3, 2008
    Messages:
    14
    Deckard's System Scanner v20071014.68
    Run by Frances Bishop on 2008-04-19 23:04:01
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 503 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-19 23:04:13
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer\Acer Arcade\PCMService.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Launch Manager\QtZgAcer.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
    C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
    C:\Acer\Empowering Technology\ePower\epm-dm.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Acer\Empowering Technology\admtray.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\dlcjcoms.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Documents and Settings\Frances Bishop\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {938d5fb6-5b20-6388-d164-8b4a893ccea2} - {2aecc398-a4b8-461d-8836-02b56bf5d839} - C:\WINDOWS\system32\rrvdomhn.dll (file missing)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {F09E1C3D-B00F-432A-9D14-EEEB6D80BA40} - C:\WINDOWS\system32\geebx.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,[email protected]
    O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
    O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a34702503fcf4fa6a02c7bb4c0365ef4
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a34702503fcf4fa6a02c7bb4c0365ef4
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
    O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsphoto.com/wpp/boots/app/opcuploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - Winlogon Notify: efcbcab - C:\WINDOWS\system32\efcbcab.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPCap\rpcapd.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O24 - Desktop Component 0: - http://photos-c.ak.facebook.com/photos-ak-sf2p/v160/132/74/595651833/n595651833_501270_7501.jpg

    --
    End of file - 13580 bytes

    -- Files created between 2008-03-19 and 2008-04-19 -----------------------------

    2008-04-19 22:15:36 0 d-------- C:\Documents and Settings\Frances Bishop\Application Data\Malwarebytes
    2008-04-19 22:15:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-19 22:15:21 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-19 12:55:49 0 d-------- C:\cmdcons
    2008-04-19 12:53:38 68096 --a------ C:\WINDOWS\zip.exe
    2008-04-19 12:53:38 49152 --a------ C:\WINDOWS\VFind.exe
    2008-04-19 12:53:38 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-04-19 12:53:38 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-04-19 12:53:38 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-04-19 12:53:38 98816 --a------ C:\WINDOWS\sed.exe
    2008-04-19 12:53:38 80412 --a------ C:\WINDOWS\grep.exe
    2008-04-19 12:53:38 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-18 18:34:56 0 d-------- C:\Program Files\iPod
    2008-04-18 17:56:34 1359 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    2008-04-18 12:51:47 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-04-18 12:42:37 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-04-18 12:38:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-04-18 12:33:07 0 d-------- C:\Program Files\Kontiki
    2008-04-18 12:33:06 0 d-------- C:\Program Files\Channel4
    2008-04-18 12:33:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
    2008-04-18 12:32:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Channel4


    -- Find3M Report ---------------------------------------------------------------

    2008-03-03 20:16:40 0 d-------- C:\Program Files\Trend Micro
    2008-02-29 17:43:46 0 d-------- C:\Program Files\PCFriendly


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2aecc398-a4b8-461d-8836-02b56bf5d839}]
    C:\WINDOWS\system32\rrvdomhn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F09E1C3D-B00F-432A-9D14-EEEB6D80BA40}]
    C:\WINDOWS\system32\geebx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "RTHDCPL"="RTHDCPL.EXE" [16/11/2005 20:27 C:\WINDOWS\RTHDCPL.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [07/01/2005 16:17]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [07/01/2005 16:16]
    "PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [31/08/2005 19:59]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 05:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 05:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 05:00]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [18/07/2005 04:09]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [18/07/2005 04:06]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [18/07/2005 04:10]
    "LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [01/12/2005 17:38]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [16/11/2005 17:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [13/04/2005 03:48]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [14/10/2003 10:22]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [17/03/2005 14:25]
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [17/03/2005 14:45]
    "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [28/03/2006 15:48]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [26/01/2005 18:02]
    "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [10/04/2006 14:58]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 10:17]
    "DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [15/08/2005 17:40]
    "dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [12/08/2005 20:47]
    "MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [10/08/2005 14:12]
    "epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [25/11/2005 15:59]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [15/01/2008 22:54]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/11/2007 14:56]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [19/10/2005 09:30]
    "ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [24/10/2005 16:45]
    "Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [09/11/2005 11:04]
    "4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [18/06/2007 17:09]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbcab]
    efcbcab.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d5657c-622f-11dc-bf05-00166fa1d880}]
    AutoRun\command- F:\LaunchU3.exe -a




    -- End of Deckard's System Scanner: finished at 2008-04-19 23:05:05 ------------
     
  14. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    I am not sure if it's good or not. You have all the signs in your registry of a very deeply entrenched Vundo infection.

    From the dates on two files I see listed in your logs, you have had this since at least last November. Running around with a Vundo infection for that long is not wise. I am saying this not only to you, but to anyone else who may be reading this thread for help or information. Malware needs prompt attention.

    Hijackthis says files not found. But that means not too much. So let's see what happens when we attempt to remove these entries using hijackthis and if they come back: (Which they , or similar entries likely will because we haven't cleaned up)

    Please follow these instructions in the order given. Otherwise, the picture I get from the reports will not be accurate.v

    Run hijackthis.

    Select the following entries:
    O2 - BHO: {938d5fb6-5b20-6388-d164-8b4a893ccea2} - {2aecc398-a4b8-461d-8836-02b56bf5d839} - C:\WINDOWS\system32\rrvdomhn.dll (file missing)
    O2 - BHO: (no name) - {F09E1C3D-B00F-432A-9D14-EEEB6D80BA40} - C:\WINDOWS\system32\geebx.dll (file missing)
    O20 - Winlogon Notify: efcbcab - C:\WINDOWS\system32\efcbcab.dll (file missing)

    Press the fix checked button.

    Restart the computer.

    ------------------------

    I need another Desckard scan. But I need you to follow the original directoins I gave you so we can see a complete result please:
    Close all applications and windows. Disable any currently running security programs and Anti virus.
    Go to start >run
    Paste in this command and then press enter.
    "%userprofile%\desktop\dss.exe" /config

    When DSS configuration opens, click the "Check all" button. Then click the Scan Button.



    When the scan is complete, a text file will open - Main.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
    A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
    Please attach Extra.txt to your post. If the Folder doesn't open, please open it and find extra.txt manually.
    ----------------------------
    I'd also like to see this file:
    C:\WINDOWS\system32\dwqxntct.exe

    First, right click on dwqxntct.exe and sendto >compressed.
    This will create a new zip file.
    Please upload the file to this forum:
    http://thespykiller.co.uk/index.php?board=1.0

    Scroll down the page and Press new topic. Give a link to this topic. Let them know I asked for this file.
    Press the browse button and then navigate to the new zip file you have created.


    ----------

    The final step in this round it this:
    Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
    1. Close any open browsers.
    2. If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
    3. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    4. In the Files Created Within section, please click on 90 days.
    5. In the Files Modified Within Section, please click on 90 days.
    6. Now click the Run Scan button on the toolbar.
    7. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    8. When the scan is complete Notepad will open with the report file loaded in it.
    9. Save that notepad file
    If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.

    ------------------------------
    We'll be using these reports and then likely more powerful tools later to clean up.






    Press send and the file will be uploaded. Please do not post any logs over there. This is just an upload site for suspicious files.

    --------------------
     
  15. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    One more thing. We will probably be using a tool named Avenger in this removal process. It is an extremely powerful tool. But in the wrong hands and without proper instructions for its use, it can render Windows unbootable. I'd like you to download the zip file to your desktop and leave it there for future use in this removal.

    Here's the link to the download.
    http://swandog46.geekstogo.com/avenger2/download.php

    Do nothing with this tool until or unless I ask you to please.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/689577

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice