Please Assist With Virus

Matt200
edited July 2008 in Logs analysis

Hi Friends


I get popups that advise I download software because my computer has been infected with spyware. Furthermore, I have also sent spam (unwillingly). I am going to run a HJT log file and post it here, as I have read many problems similar to mine.


Please assist.


regards


Matt


Here is the log file. Please assist.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:02 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\user\local settings\application data\ycguiuo.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [imageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ycguiuo] c:\documents and settings\user\local settings\application data\ycguiuo.exe ycguiuo
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 9761 bytes
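The first thing a log reviewer does with a HijackThis log like the one above is scan the O4 autostart entries for anything that does not run from an install location. Below is an added example of that triage, not output or code from HijackThis or from the forum helpers. Its two heuristics are this example's own assumptions about what to look at first: an autostart whose image lives under the user profile or a temp directory, and a Run value whose name, file name and argument are the same token (the pattern of the ycguiuo entry). The sample lines are copied from the log above with the backslashes restored.

```python
"""Triage HijackThis O4 (autostart) entries.

Added example for this thread, not output or code from HijackThis or the forum
helpers. The heuristics and PROFILE_DIRS list are this example's own assumptions.
"""
import re
from typing import List, Tuple

# O4 - HKLM\..\Run: [Name] command line   (also HKCU and RunOnce)
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>.*?)\]\s+(?P<cmd>.*)$")
# O4 - Startup: Foo.lnk = C:\path\foo.exe   (also Global Startup)
LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?\.lnk) = (?P<cmd>.*)$")

# Lower-case path fragments no installer uses for a program's main executable
# (Windows XP layout, matching the log). Assumed list; Vista+ would add \users\...\appdata\.
PROFILE_DIRS = ("\\documents and settings\\", "\\windows\\temp\\", "\\recycler\\")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command line into (image path, arguments).

    Handles the three shapes HijackThis prints: a quoted path with switches,
    an unquoted path containing spaces, and a bare file name such as RTHDCPL.EXE.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s+(.*))?$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage(log_lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (entry name, image path, reasons) for every O4 line that trips a heuristic."""
    findings = []
    for line in log_lines:
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        image, args = split_command(cmd)
        reasons = []
        # The whole command line is checked so a DLL loaded via rundll32 from
        # a profile directory is caught too, not only the image itself.
        if any(d in cmd.lower() for d in PROFILE_DIRS):
            reasons.append("image under a user-profile or temp directory")
        stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem and name.lower() == stem == args.lower():
            reasons.append("value name, file name and argument are the same token")
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Sample input: O4 lines copied from the log above (backslashes restored).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [ycguiuo] c:\documents and settings\user\local settings\application data\ycguiuo.exe ycguiuo",
    r"O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe",
    r"O4 - Global Startup: Acer Empowering Technology.lnk = ?",
]

if __name__ == "__main__":
    for name, image, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {image}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only the ycguiuo entry is reported, on both counts. Everything else in the log (vendor tools under Program Files, Acer utilities, bare names in the Windows directory) passes these two checks, which is the point: a short list of things to look up by hand rather than a verdict. Path-based heuristics say nothing about a signed binary that has been replaced in place, so the O23 services and the AppInit_DLLs line still need a file-level check.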

Comments

  • rootkit
    edited July 2008

    Next time paste the full log file.... it doesn't have "\" in the file locations!


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.


    At the end ComboFix will generate a log file. Save it and post it here.

  • Hi Crysty2k5


    when I run ComboFix, it warns of information loss being a possible outcome. Not being a computer boffin, is it safe to proceed? or should I make back-ups first?


    regards


    Matt

  • Hello Matt200,


    What does the error message look like? Because it could be the infection that gives you that warning. ComboFix only removes known infections and makes a logfile. So it's safe to run it.


    Kind regards,


    Niels


  • Hi Niels


    I will check when I get home tonight. But it almost seemed to just be a disclaimer, that read something like "only a small percentage of computers survive the scan..." something like that.


    But I will confirm tonight.


    thanks


    Matt

  • Hi There


    I ran Combofix and here is the log file.


    please advise.


    ComboFix 08-07-10.1 - user 2008-07-11 14:19:23.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -7:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\Documents and Settings\user\Local Settings\Application Data\ggkey.dat
    c:\documents and settings\user\local settings\application data\ggkey.exe
    C:\Documents and Settings\user\Local Settings\Application Data\ggkey_nav.dat
    C:\Documents and Settings\user\Local Settings\Application Data\ggkey_navps.dat
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\nvs2.inf
    C:\WINDOWS\system32\oeminfo.ini
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\pthreadVC.dll
    C:\WINDOWS\system32\WanPacket.dll
    C:\WINDOWS\system32\wpcap.dll
    C:\WINDOWS\Temp\log.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_NPF

    ((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
    .

    2008-07-03 21:09 . 2008-07-03 21:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-07-02 08:53 . 2008-07-02 08:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
    2008-07-02 08:53 . 2008-07-02 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-07-02 08:01 . 2008-07-02 08:02 <DIR> d-------- C:\Program Files\Yahoo!
    2008-07-02 08:01 . 2008-07-02 08:01 <DIR> d-------- C:\Program Files\Recuva
    2008-07-02 07:33 . 2008-07-02 07:33 <DIR> d-------- C:\Program Files\Data Doctor Recovery Pen Drive (Demo)
    2008-07-01 21:51 . 2008-07-01 21:51 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-30 12:21 . 2008-06-30 12:21 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-06-28 01:39 . 2004-08-04 00:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-06-28 01:39 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-06-28 01:38 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
    2008-06-28 01:38 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-06-28 01:38 . 2004-08-03 22:29 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
    2008-06-28 01:38 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-06-28 01:38 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-06-28 01:38 . 2004-08-03 22:29 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
    2008-06-28 01:38 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-06-28 01:36 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
    2008-06-28 01:35 . 2001-08-17 22:36 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
    2008-06-28 01:34 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
    2008-06-28 01:33 . 2001-08-17 14:56 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
    2008-06-28 01:32 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
    2008-06-28 01:31 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
    2008-06-28 01:30 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
    2008-06-28 01:29 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-06-28 01:28 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
    2008-06-28 01:27 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-06-28 01:26 . 2004-08-04 00:56 259,328 --a------ C:\WINDOWS\system32\dllcache\perm3dd.dll
    2008-06-28 01:25 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
    2008-06-28 01:24 . 2004-08-03 22:31 132,695 --a------ C:\WINDOWS\system32\dllcache\netwlan5.sys
    2008-06-28 01:23 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
    2008-06-28 01:22 . 2001-08-17 12:50 320,384 --a------ C:\WINDOWS\system32\dllcache\mgaum.sys
    2008-06-28 01:21 . 2001-08-17 13:28 802,683 --a------ C:\WINDOWS\system32\dllcache\ltsm.sys
    2008-06-28 01:20 . 2001-08-17 22:36 90,200 --a------ C:\WINDOWS\system32\dllcache\io8ports.dll
    2008-06-28 01:20 . 2001-08-17 12:12 45,632 --a------ C:\WINDOWS\system32\dllcache\ip5515.sys
    2008-06-28 01:20 . 2001-08-17 22:36 45,568 --a------ C:\WINDOWS\system32\dllcache\kdsui.dll
    2008-06-28 01:20 . 2004-08-03 23:08 40,832 --a------ C:\WINDOWS\system32\dllcache\irbus.sys
    2008-06-28 01:20 . 2001-08-17 13:50 38,784 --a------ C:\WINDOWS\system32\dllcache\io8.sys
    2008-06-28 01:20 . 2001-08-17 13:49 26,624 --a------ C:\WINDOWS\system32\dllcache\irstusb.sys
    2008-06-28 01:20 . 2001-08-17 13:49 23,552 --a------ C:\WINDOWS\system32\dllcache\irmk7.sys
    2008-06-28 01:20 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\dllcache\irsir.sys
    2008-06-28 01:20 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-06-28 01:20 . 2001-08-17 13:47 13,056 --a------ C:\WINDOWS\system32\dllcache\inport.sys
    2008-06-28 01:18 . 2001-08-17 13:28 542,879 --a------ C:\WINDOWS\system32\dllcache\hsf_msft.sys
    2008-06-28 01:17 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
    2008-06-28 01:16 . 2001-08-17 13:28 595,647 --a------ C:\WINDOWS\system32\dllcache\es56cvmp.sys
    2008-06-28 01:15 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
    2008-06-28 01:14 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
    2008-06-28 01:13 . 2004-08-04 00:56 249,856 --a------ C:\WINDOWS\system32\dllcache\ctmasetp.dll
    2008-06-28 01:12 . 2001-08-17 12:13 980,034 --a------ C:\WINDOWS\system32\dllcache\cicap.sys
    2008-06-28 01:11 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
    2008-06-28 01:10 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\3cwmcru.sys
    2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\Program Files\AVG
    2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVGTOOLBAR
    2008-06-27 14:19 . 2008-06-27 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-06-27 14:19 . 2008-07-03 21:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-27 14:19 . 2008-07-03 21:09 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-06-18 11:44 . 2008-06-18 11:45 2,362,422 --a------ C:\djtyuyifui.bmp
    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-08 21:36 --------- d-----w C:\Program Files\Live-Player
    2008-05-21 09:12 --------- d-----w C:\Documents and Settings\user\Application Data\Image Zone Express
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2008-04-21 07:03 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
    2008-04-21 07:03 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
    2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 16:32 761945]
    "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51 53248]
    "ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 20:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 09:43 7397376]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-01-19 09:43 86016]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
    "LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-04-19 15:08 69632]
    "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
    "LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]
    "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-04-20 09:23 86016]
    "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 15:00 345088]
    "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
    "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
    "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 16:43 401408]
    "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280]
    "LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47 331776]
    "LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]
    "LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22 262144]
    "ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 14:02 40960]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-06-13 05:20 127036]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "pdfFactory Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2005-04-03 19:06 483328]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 21:09 1232152]
    "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 17:23 15961088 C:\WINDOWS\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 11:20 88203 C:\WINDOWS\AGRSMMSG.exe]

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-04-09 08:25:44 344064]
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-07-02 09:07:31 122880]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-11-10 12:44:22 45056]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 21:09]
    R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 21:09]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 21:09]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 21:09]
    R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
    R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
    R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20]
    R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40]
    S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4fc47d0-9cda-11dc-b3ae-0013028e7be1}]
    \Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-11 14:31:28
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0

    **************************************************************************
    .

    ------------------------ Other Running Processes ------------------------
    .

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .

    **************************************************************************
    .

    Completion time: 2008-07-11 14:37:55 - machine was rebooted [user]
    ComboFix-quarantined-files.txt 2008-07-11 21:37:38

    Pre-Run: 15,651,799,040 bytes free
    Post-Run: 15,835,824,128 bytes free

    220 --- E O F --- 2008-07-11 13:44:37

  • Hello Matt200,


    Can you please do this: click on Start, My Computer, QooBox, Quarantine and open the subfolders. Now rename each file, I mean removing the .vir entry. Archive them all. How to archive them: see this topic, look at the 2nd post. Please make a new topic in this forum section and upload the archive there as an attachment. To do that, just make a new topic; once you are in the creating screen, scroll down till you see the attachments section, press on browse, navigate to the location of your archive and press on upload. There is a 2 MB upload file limit. Please upload also djtyuyifui.bmp, which is located when you click on Start, My Computer; there you will find it.


    Please download SDFix. Save it on your desktop. Be sure that you are logged on with an administrator account. Double click on it; don't change the installation directory. Reboot your PC into Safe Mode by pressing the F8 button before the Windows splash screen, select Safe Mode and press Enter. Navigate to Start, My Computer, SDFix and double click on RunThis.bat.


    Press Y and press Enter. Please post the SDFix report.


    Kind regards,


    Niels
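The two manual steps asked for above (strip the .vir suffix ComboFix appends, then archive the quarantine in pieces that stay under the 2 MB attachment limit) are the kind of thing that is easy to get wrong by hand when there are several subfolders. Below is an added example that does both, not a tool from the forum helpers. The quarantine layout under Qoobox\Quarantine and the file names and sizes in demo() are this example's own assumptions; demo() builds a throwaway tree of random bytes in a temp directory, so nothing real is touched.

```python
"""Pack ComboFix quarantine files for upload.

Added example for this thread, not a tool from the forum helpers. It strips the
.vir suffix so each file is archived under its original name, and splits the
files into zip archives that each stay under the forum's 2 MB attachment limit.
"""
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List

LIMIT = 2 * 1024 * 1024  # attachment limit stated in the thread


def original_name(path: Path) -> str:
    """'ggkey.exe.vir' -> 'ggkey.exe'; names without the suffix are unchanged."""
    return path.name[:-4] if path.name.lower().endswith(".vir") else path.name


def batches(files: List[Path], limit: int = LIMIT) -> Iterator[List[Path]]:
    """Greedy grouping, largest file first, so every archive stays under `limit`.

    Sizes are the uncompressed bytes: DEFLATE may shrink the archive, but a
    packed sample is often already compressed, so this is the safe bound.
    """
    batch: List[Path] = []
    total = 0
    for f in sorted(files, key=lambda p: p.stat().st_size, reverse=True):
        size = f.stat().st_size
        if size > limit:
            raise ValueError(f"{f} is {size} bytes, over the {limit} byte limit on its own")
        if batch and total + size > limit:
            yield batch
            batch, total = [], 0
        batch.append(f)
        total += size
    if batch:
        yield batch


def pack_quarantine(quarantine: Path, out_dir: Path) -> List[Path]:
    """Write quarantine_N.zip files into out_dir and return their paths."""
    files = [p for p in quarantine.rglob("*") if p.is_file()]
    archives: List[Path] = []
    for n, group in enumerate(batches(files), start=1):
        out = out_dir / f"quarantine_{n}.zip"
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            for f in group:
                # keep the folder structure so two files with the same name do not collide
                arcname = f.relative_to(quarantine).parent / original_name(f)
                zf.write(f, arcname=arcname.as_posix())
        archives.append(out)
    return archives


def demo() -> Dict[str, object]:
    """Constructed quarantine tree (random bytes, not real samples) packed under the limit."""
    with tempfile.TemporaryDirectory() as tmp:
        quarantine = Path(tmp) / "Qoobox" / "Quarantine"   # assumed layout
        fake = {
            "C/ggkey.exe.vir": 1_500_000,
            "C/ycguiuo.exe.vir": 800_000,
            "C/WINDOWS/system32/drivers/npf.sys.vir": 300_000,
        }
        for rel, size in fake.items():
            p = quarantine / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(os.urandom(size))
        out_dir = Path(tmp) / "upload"
        out_dir.mkdir()
        archives = pack_quarantine(quarantine, out_dir)
        members: List[str] = []
        for a in archives:
            with zipfile.ZipFile(a) as zf:
                members.extend(zf.namelist())
        return {"archives": len(archives), "members": sorted(members)}


if __name__ == "__main__":
    print(demo())
```

With the three constructed files the 1.5 MB one cannot share an archive with the 0.8 MB one, so two archives come out, with every member stored under its original name. The standard-library zipfile module cannot encrypt; if whoever receives the samples asks for a password-protected archive (many analysis sites do), build the archive with a tool that supports it.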

  • Hi Niels


    If I go to click on Start, My Computer, I can't see QooBox, Quarantine???


    regards


    Matt

  • Hello Matt200,


    I thought that you knew that, but you should also double click on the icon of the partition or hard disk where you have installed Windows or your software on; it is called C: but it can differ. Sorry for the confusion.


    Kind regards,


    Niels

  • Hi Niels


    As you can see, I am not quite the boffin. I have found the folders (thanks for the previous explanation). But your next process is a little unclear to me. You say "Now rename each file I mean removing the .vir entry." Do you mean that I must delete the ".vir" extension for each of the files? Must I then archive all the files together?


    There are 2 folders that contain sub-folders with a few files with the .vir extensions.


    Sorry, but I am a ###### when it comes to stuff like this.


    regards


    Matt


    ps. the good news is the pop-ups are gone, but my pc is a bit slow.

  • Niels
    edited July 2008

    Hello Matt200,


    You will see something like this: blabla.exe.vir. Right click on it and select rename. You will now see that the name is highlighted. Select only .vir and press the Delete button on your keyboard. Is it clear now? The problem is that I don't have an English Windows version and I am also not a native speaker. Archive these files into archives that don't exceed 2 MB.


    Please start HijackThis again, but now, once you are at the main screen, press on "Open the Misc Tools section". Under StartupList, please select "List all minor sections", then press "Generate StartupList log". And attach the output to your next post.


    Can you also please post an SDFix log?


    Kind regards,


    Niels

  • Hi Niels


    I have it now thanks. :D


    I will do this tonight and post the results.


    thank you


    Matt.

  • Here is the HijackThis log


    StartupList report, 7/26/2008, 11:29:06 PM


    StartupList version: 1.52.2


    Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE


    Detected: Windows XP SP2 (WinNT 5.01.2600)


    Detected: Internet Explorer v7.00 (7.00.6000.16674)


    * Using default options


    * Showing rarely important sections


    ==================================================


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    C:\WINDOWS\system32\spoolsv.exe


    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe


    C:\WINDOWS\system32\drivers\CDAC11BA.EXE


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\RTHDCPL.EXE


    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\PROGRA~1\AVG\AVG8\avgrsx.exe


    C:\WINDOWS\AGRSMMSG.exe


    C:\PROGRA~1\AVG\AVG8\avgemc.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe


    C:\Program Files\Launch Manager\LaunchAp.exe


    C:\Program Files\Launch Manager\HotkeyApp.exe


    C:\Program Files\Launch Manager\OSDCtrl.exe


    C:\Program Files\Launch Manager\Wbutton.exe


    C:\WINDOWS\system32\fxssvc.exe


    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe


    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe


    C:\Acer\Empowering Technology\ePresentation\ePresentation.exe


    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe


    C:\WINDOWS\system32\LVCOMSX.EXE


    C:\Program Files\Acer\OrbiCam\CameraAssistant.exe


    C:\WINDOWS\system32\ElkCtrl.exe


    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    C:\WINDOWS\System32\DLA\DLACTRLW.EXE


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe


    C:\PROGRA~1\AVG\AVG8\avgtray.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe


    C:\Program Files\LimeWire\LimeWire.exe


    C:\WINDOWS\system32\wbem\unsecapp.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\wbem\wmiapsrv.exe


    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    --------------------------------------------------


    Listing of startup folders:


    Shell folders Startup:


    [C:\Documents and Settings\user\Start Menu\Programs\Startup]


    Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe


    LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe


    Shell folders Common Startup:


    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]


    Acer Empowering Technology.lnk = ?


    HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


    --------------------------------------------------


    Checking Windows NT UserInit:


    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]


    UserInit = C:\WINDOWS\system32\userinit.exe,


    --------------------------------------------------


    Autorun entries from Registry:


    HKLM\Software\Microsoft\Windows\CurrentVersion\Run


    Preload = C:\Windows\RUNXMLPL.exe


    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    RTHDCPL = RTHDCPL.EXE


    AzMixerSel = C:\Program Files\Realtek\InstallShield\AzMixerSel.exe


    AGRSMMSG = AGRSMMSG.exe


    ntiMUI = C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe


    IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32


    MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC


    PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC


    PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName


    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"


    LaunchAp = "C:\Program Files\Launch Manager\LaunchAp.exe"


    LManager = "C:\Program Files\Launch Manager\HotkeyApp.exe"


    CtrlVol = "C:\Program Files\Launch Manager\CtrlVol.exe"


    LMgrOSD = "C:\Program Files\Launch Manager\OSDCtrl.exe"


    Wbutton = "C:\Program Files\Launch Manager\Wbutton.exe"


    eDataSecurity Loader = C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0


    ePower_DMC = C:\Acer\Empowering Technology\ePower\ePower_DMC.exe


    Boot = C:\Acer\Empowering Technology\ePower\Boot.exe


    Acer ePresentation HPD = C:\Acer\Empowering Technology\ePresentation\ePresentation.exe


    eRecoveryService = C:\Acer\Empowering Technology\eRecovery\eRAgent.exe


    LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE


    LogitechCameraAssistant = C:\Program Files\Acer\OrbiCam\CameraAssistant.exe


    LogitechVideo[inspector] = C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect


    LogitechCameraService(E) = C:\WINDOWS\system32\ElkCtrl.exe /automation


    ImageItEncrypt = C:\WINDOWS\system32\ImageItEncrypt.exe


    HP Software Update = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"


    DLA = C:\WINDOWS\System32\DLA\DLACTRLW.EXE


    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    pdfFactory Dispatcher v2 = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM


    AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe


    --------------------------------------------------


    Autorun entries from Registry:


    HKCU\Software\Microsoft\Windows\CurrentVersion\Run


    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background


    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe


    --------------------------------------------------


    File association entry for .SCR:


    HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command


    (Default) = "C:\WINDOWS\notepad.exe" "%1"


    --------------------------------------------------


    Enumerating Active Setup stub paths:


    HKLM\Software\Microsoft\Active Setup\Installed Components


    (* = disabled by HKCU twin)


    [<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *


    StubPath = C:\WINDOWS\system32\ieudinit.exe


    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]


    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP


    [>{26923b43-4d38-484f-9b9e-de460746276c}] *


    StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig


    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *


    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE


    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *


    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll


    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *


    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install


    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *


    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install


    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *


    StubPath = regsvr32.exe /s /n /i:U shell32.dll


    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *


    StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings


    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *


    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install


    --------------------------------------------------


    Load/Run keys from C:\WINDOWS\WIN.INI:


    load=*INI section not found*


    run=*INI section not found*


    Load/Run keys from Registry:


    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*


    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*


    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*


    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*


    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*


    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*


    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*


    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*


    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*


    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*


    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*


    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*


    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll


    --------------------------------------------------


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:


    Shell=*INI section not found*


    SCRNSAVE.EXE=*INI section not found*


    drivers=*INI section not found*


    Shell & screensaver key from Registry:


    Shell=Explorer.exe


    SCRNSAVE.EXE=*Registry value not found*


    drivers=*Registry value not found*


    Policies Shell key:


    HKCU\..\Policies: Shell=*Registry value not found*


    HKLM\..\Policies: Shell=*Registry value not found*


    --------------------------------------------------


    Checking for EXPLORER.EXE instances:


    C:\WINDOWS\Explorer.exe: PRESENT!


    C:\Explorer.exe: not present


    C:\WINDOWS\Explorer\Explorer.exe: not present


    C:\WINDOWS\System\Explorer.exe: not present


    C:\WINDOWS\System32\Explorer.exe: not present


    C:\WINDOWS\Command\Explorer.exe: not present


    C:\WINDOWS\Fonts\Explorer.exe: not present


    --------------------------------------------------


    Checking for superhidden extensions:


    .lnk: HIDDEN! (arrow overlay: yes)


    .pif: HIDDEN! (arrow overlay: yes)


    .exe: not hidden


    .com: not hidden


    .bat: not hidden


    .hta: not hidden


    .scr: not hidden


    .shs: HIDDEN!


    .shb: HIDDEN!


    .vbs: not hidden


    .vbe: not hidden


    .wsh: not hidden


    .scf: HIDDEN! (arrow overlay: NO!)


    .url: HIDDEN! (arrow overlay: yes)


    .js: not hidden


    .jse: not hidden


    --------------------------------------------------


    Enumerating Browser Helper Objects:


    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}


    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}


    WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}


    (no name) - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}


    (no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}


    (no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}


    (no name) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL - {A057A204-BACC-4D26-9990-79A187E2698E}


    --------------------------------------------------


    Enumerating Download Program Files:


    [shockwave Flash Object]


    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx


    CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


    --------------------------------------------------


    Enumerating Windows NT/2000/XP services


    Memory Check Service: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe (autostart)


    AEGIS Protocol (IEEE 802.1x) v3.4.9.0: system32\DRIVERS\AegisP.sys (autostart)


    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    AVG8 E-mail Scanner: C:\PROGRA~1\AVG\AVG8\avgemc.exe (autostart)


    AVG8 WatchDog: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (autostart)


    AVG8 Network Redirector: \SystemRoot\System32\Drivers\avgtdix.sys (autostart)


    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    C-DillaCdaC11BA: C:\WINDOWS\system32\drivers\CDAC11BA.EXE (autostart)


    CdaC15BA: \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS (autostart)


    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)


    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    DLABOIOM: System32\DLA\DLABOIOM.SYS (autostart)


    DLADResN: System32\DLA\DLADResN.SYS (autostart)


    DLAIFS_M: System32\DLA\DLAIFS_M.SYS (autostart)


    DLAOPIOM: System32\DLA\DLAOPIOM.SYS (autostart)


    DLAPoolM: System32\DLA\DLAPoolM.SYS (autostart)


    DLAUDFAM: System32\DLA\DLAUDFAM.SYS (autostart)


    DLAUDF_M: System32\DLA\DLAUDF_M.SYS (autostart)


    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)


    DRVNDDM: System32\Drivers\DRVNDDM.SYS (autostart)


    Acer EPM Power Scheme Driver: \??\C:\WINDOWS\system32\drivers\epm-psd.sys (autostart)


    Acer EPM System Hardware Driver: \??\C:\WINDOWS\system32\drivers\epm-shd.sys (autostart)


    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Event Log: %SystemRoot%\system32\services.exe (autostart)


    Intel® PROSet/Wireless Event Log: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (autostart)


    Fax: %systemroot%\system32\fxssvc.exe (autostart)


    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    int15: \??\C:\WINDOWS\system32\drivers\int15.sys (autostart)


    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)


    Logitech Process Monitor: c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (autostart)


    NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)


    Plug and Play: %SystemRoot%\system32\services.exe (autostart)


    Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)


    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)


    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)


    Intel® PROSet/Wireless Registry Service: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (autostart)


    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)


    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)


    Intel® PROSet/Wireless Service: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (autostart)


    WLAN Transport: system32\DRIVERS\s24trans.sys (autostart)


    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)


    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)


    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)


    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    tvicport: \??\C:\WINDOWS\system32\drivers\tvicport.sys (autostart)


    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)


    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)


    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)


    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    zntport: \??\C:\WINDOWS\system32\drivers\zntport.sys (autostart)


    --------------------------------------------------


    Enumerating ShellServiceObjectDelayLoad items:


    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll


    CDBurn: C:\WINDOWS\system32\SHELL32.dll


    WebCheck: C:\WINDOWS\system32\webcheck.dll


    SysTray: C:\WINDOWS\system32\stobject.dll


    --------------------------------------------------


    End of report, 17,012 bytes


    Report generated in 0.453 seconds


    Command line options:


    /verbose - to add additional info on each section


    /complete - to include empty sections and unsuspicious data


    /full - to include several rarely-important sections


    /force9x - to include Win9x-only startups even if running on WinNT


    /forcent - to include WinNT-only startups even if running on Win9x


    /forceall - to include all Win9x and WinNT startups, regardless of platform


    /history - to list version history only


  • SDFix: Version 1.208


    Run by Administrator on Sat 07/26/2008 at 11:54 PM


    Microsoft Windows XP [Version 5.1.2600]


    Running From: C:\SDFix


    Checking Services :


    Restoring Default Security Values


    Restoring Default Hosts File


    Rebooting


    Checking Files :


    No Trojan Files Found


    Removing Temp Files


    ADS Check :


    Final Check :


    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-07-27 00:07:03


    Windows 5.1.2600 Service Pack 2 FAT NTAPI


    scanning hidden processes ...


    scanning hidden services ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden processes: 0


    hidden services: 0


    hidden files: 0


    Remaining Services :


    Authorized Application Key Export:


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]


    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]


    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    Remaining Files :


    Files with Hidden Attributes :


    Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"


    Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"


    Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"


    Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"


    Thu 13 Apr 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"


    Sat 8 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"


    Thu 23 Jan 2003 65,952 ..SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"


    Mon 21 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BITD.tmp"


    Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20174378a49939f5f8825cfb630e979\BITCB.tmp"


    Finished!

  • Hello Matt200,


    Please try this :


    Click on Start, My Computer, double click on the icon of the partition or hard disk where Windows is installed. Open the Windows folder and then the Prefetch folder; please delete only the oldest entries inside the Prefetch folder.


    Please prevent LimeWire from loading at start-up.


    Please press the Windows key together with R, now type msconfig and press Enter. Now select Selective Startup. Reboot your PC. Now each time you boot, select a new start-up item that you find on the Startup tab once you are in msconfig. Always write down the process that doesn't slow your boot time.


    Kind regards,


    Niels