hijack log can someone look please :smile:

kem · 10-04-2006, 04:47 PM

been having browser problems with ie6 ie7 firefox opera the browser just stops responding

no viruses or spyware thanks for help

Logfile of HijackThis v1.99.1
Scan saved at 12:45:35 AM, on 05/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\bits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**Glaswegian** · 10-07-2006, 03:14 PM

Hi and welcome to the Security Forum.

Apologies for any delay in replying, but we have been rather busy lately.

Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance.

Thank you.

kem · 10-07-2006, 04:05 PM

ty for reply im having random explorer freezes

ive used ie6, now on ie7 still randomly freezing , firefox and opera still do the same thing non responsive browser. scanned for viruses all clear and for spyware

Logfile of HijackThis v1.99.1
Scan saved at 12:02:38 AM, on 08/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\bits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

**Glaswegian** · 10-08-2006, 03:40 AM

Hi again

There's not a great deal showing in your log, so we'll do some cleaning and see what may turn up.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.

MSconfig Enabled
You appear to have msconfig enabled. This may prevent us from seeing everything running on your system. Please re-enable all startup items.

Go to Start > Run type msconfig and press Enter.

In the Dialog box that appears select Normal Startup - Load all Device Drivers and Services

Press the 'Exit without restarting' button - we will reboot later.

Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Download AVG Anti Spyware
This is a 30 day trial

Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
- I also recommend changing the "Update interval" to something more reasonable like 12 hours.

When you have finished updating, EXIT AVG Anti Spyware.

Disable Windows Defender
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Reboot
Reboot your system in Safe Mode.

Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight Safe Mode and press Enter.

HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Please remember to close all other windows, including browsers then click Fix checked.

Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run AVG Anti Spyware
Run AVG with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

NOTE: AVG scan may require an hour.

Reboot
Reboot your system in Normal Mode.

Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Logs required
Ewido Log
Panda Log
HijackThis Log

Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode.

kem · 10-08-2006, 04:20 PM

hijack in safemode

Logfile of HijackThis v1.99.1
Scan saved at 11:48:03 PM, on 08/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\bits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

hijack in normal mode

Logfile of HijackThis v1.99.1
Scan saved at 11:52:59 PM, on 08/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\bits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Ewido Log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:40:11 PM 08/10/2006

+ Scan result:

Nothing found.

::Report end

Panda Log
Incident Status Location

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\kem\Cookies\kem@apmebf[2].txt

thank you for help so far

kem · 10-08-2006, 06:42 PM

after i done all the fixes i tried cwshredder and it found cws.msconfig and deleted it

**Glaswegian** · 10-09-2006, 01:33 PM

Hi again

I’m curious – what made you run CWShredder?

I only need logs taken while in Normal Mode. Please don’t run any other tools or fixes unless I ask you to do so.

How is your system now?

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:

Scan using the following Anti-Virus database:

Extended

Scan Options:

Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan: Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.
Copy and paste that information in your next post.

Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.

kem · 10-09-2006, 02:27 PM

seems ive got java virus which none of the other avgs picked up

Logfile of HijackThis v1.99.1
Scan saved at 10:24:47 PM, on 09/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\bits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

kaspersky log

KASPERSKY ONLINE SCANNER REPORT
Monday, October 09, 2006 10:19:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/10/2006
Kaspersky Anti-Virus database records: 230183

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 52131
Number of viruses found 2
Number of infected objects 4 / 0
Number of suspicious objects 0
Duration of the scan process 00:30:50

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{5A30CD3D-E099-4CAA-A6C1-844ECAC7E526}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_684.dat Object is locked skipped

C:\WINDOWS\Temp\sqlite_XG5GitkeVJS6Vsc Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_e00.dat Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-09242006-004147.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\kem\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temp\Perflib_Perfdata_c5c.dat Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temp\~DF92A2.tmp Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temp\~DF2871.tmp Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temp\~DF28C6.tmp Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temp\~DF49E3.tmp Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temp\~DF4A2E.tmp Object is locked skipped

C:\Documents and Settings\kem\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\kem\Local Settings\History\History.IE5\MSHist012006100920061010\index.dat Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\Acer Arcade\Log\Trace20061009.log Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\ApplicationHistory\ePresentation.exe.e70224e9.ini.inuse Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows Live Contacts\kem115@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows Live Contacts\kem115@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\kem\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip/Counter.class Infected: Trojan.Java.ClassLoader.i skipped

C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped

C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped

C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip ZIP: infected - 3 skipped

C:\Documents and Settings\kem\ntuser.dat Object is locked skipped

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped

C:\Program Files\Sygate\SPF\debug.log Object is locked skipped

C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped

C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped

C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped

C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_kem.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_kem.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_kem.log Object is locked skipped

C:\System Volume Information\_restore{13C10FBC-D4AA-43D2-A758-8129CFBBD7EB}\RP90\change.log Object is locked skipped

C:\palsound.txt Object is locked skipped

Scan process completed.

**Glaswegian** · 10-09-2006, 02:44 PM

Hi again

Not quite as bad as it looks……..

See this page for instructions on how to clear java's cache.

Let’s do a different check….

Please download combofix.exe to your desktop. Alternative download location here.

IMPORTANT - You must place combofix on your desktop!!

Double click combofix.exe & follow the prompts.

When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post back with combofix.txt and a fresh HijackThis Log.

kem · 10-09-2006, 02:55 PM

i cleared the java cache and deleted files in java

combofix log

kem - 06-10-09 22:52:19.21 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\kem\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-09 to 2006-10-09 ))))))))))))))))))))))))))))))))))

2006-10-08 21:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-06 20:45 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-06 20:45 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-06 20:45 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-06 20:45 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-06 20:45 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-03 20:37 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-10-02 23:57 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-10-02 23:57 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-10-02 23:57 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-10-02 23:57 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-02 23:57 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-10-02 23:57 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-10-02 23:57 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-10-02 23:57 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-10-02 23:57 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-10-02 23:57 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-10-02 23:57 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-10-02 23:57 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-10-02 23:57 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-10-02 23:57 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-10-02 23:57 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-10-02 23:57 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-10-02 01:23 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-09-24 19:45 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-09-24 01:11 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-09-24 00:23 0 --a------ C:\WINDOWS\system32\Ultra.dll
2006-09-20 19:43 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-09-20 19:43 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-09-20 00:12 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-20 00:09 48,128 --a------ C:\WINDOWS\system32\igxprd32.dll
2006-09-20 00:09 397,312 --a------ C:\WINDOWS\system32\igxpun.exe
2006-09-20 00:09 309,760 --a------ C:\WINDOWS\system32\difxapi.dll
2006-09-20 00:09 309,760 --a------ C:\WINDOWS\system32\difx32.dll
2006-09-20 00:09 2,076,160 --a------ C:\WINDOWS\system32\igxpdx32.dll
2006-09-20 00:09 192,512 --a------ C:\WINDOWS\system32\igfxCoIn_v4670.dll
2006-09-20 00:09 140,288 --a------ C:\WINDOWS\system32\igxpgd32.dll
2006-09-20 00:09 1,304,320 --a------ C:\WINDOWS\system32\igxpdv32.dll
2006-09-20 00:09 1,109,568 --a------ C:\WINDOWS\system32\drivers\igxpmp32.sys
2006-09-17 23:57 299,520 --a------ C:\WINDOWS\uninst.exe
2006-09-17 22:18 3,972 --------- C:\WINDOWS\system32\drivers\PciBus.sys
2006-09-17 22:18 20,400 --------- C:\WINDOWS\system32\drivers\Entech.sys
2006-09-17 17:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-09-17 16:55 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2006-09-17 16:55 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-09-17 16:55 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2006-09-17 16:55 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2006-09-17 16:55 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-09-17 16:55 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-09-17 16:55 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-09-17 16:55 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-09-17 16:55 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2006-09-17 16:55 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-09-17 16:55 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-09-17 16:55 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2006-09-17 16:55 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2006-09-17 16:55 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-09-17 16:55 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2006-09-17 16:55 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-09-17 16:55 372,736 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2006-09-17 16:55 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2006-09-17 16:55 326,656 --a------ C:\WINDOWS\system32\drivers\Camdrl.sys
2006-09-17 16:55 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2006-09-17 16:55 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2006-09-17 16:55 22,016 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2006-09-17 16:55 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2006-09-17 16:55 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2006-09-17 16:55 204,800 --a------ C:\WINDOWS\system32\LVUI2.dll
2006-09-17 16:55 2,180,096 --a------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2006-09-17 16:55 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2006-09-17 16:55 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2006-09-17 16:55 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2006-09-17 16:55 106,496 --a------ C:\WINDOWS\system32\lvcoinst.dll
2006-09-17 16:55 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2006-09-17 16:51 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2006-09-17 16:51 61,008 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2006-09-17 16:51 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2006-09-17 16:51 14,448 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2006-09-17 16:51 14,448 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2006-09-17 16:51 14,448 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2006-09-17 16:51 14,448 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2006-09-17 16:41 46,080 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2006-09-17 16:41 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-09-17 16:41 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-09-17 16:20 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-17 16:20 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-09-17 16:20 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-09-17 16:20 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-09-17 16:20 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-09-17 06:51 40,960 --a------ C:\WINDOWS\system32\ImageItEncrypt.exe
2006-09-17 06:42 935,424 --a------ C:\WINDOWS\system32\ERUpdateHidden.EXE
2006-09-17 06:42 258,048 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe
2006-09-17 06:42 258,048 --a------ C:\WINDOWS\system32\CheckD2DSystem.exe
2006-09-17 06:42 16,384 --a------ C:\WINDOWS\system32\ClearEvent.exe
2006-09-17 06:42 159,744 --a------ C:\WINDOWS\system32\CloseProcessWindow.dll
2006-09-17 06:41 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2006-09-17 06:41 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2006-09-17 06:41 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2006-09-17 06:41 147,456 --a------ C:\WINDOWS\UNINST32.EXE
2006-09-17 06:38 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2006-09-17 06:38 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2006-09-17 06:38 32,512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2006-09-17 06:36 868,352 --a------ C:\WINDOWS\system32\WirelessMgr.dll
2006-09-17 06:36 81,920 --a------ C:\WINDOWS\system32\packet.dll
2006-09-17 06:36 49,152 --a------ C:\WINDOWS\system32\acerGina.dll
2006-09-17 06:34 53,248 --a------ C:\WINDOWS\system32\acpimof.dll
2006-09-17 06:34 45,056 --a------ C:\WINDOWS\system32\Epm-Po.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-08 22:08 -------- d-------- C:\Program Files\CleanUp!
2006-10-08 19:34 -------- d-------- C:\Program Files\PC MightyMax
2006-10-08 19:34 -------- d-------- C:\Program Files\JustFreeGames.com
2006-10-08 19:20 -------- d-------- C:\Program Files\CleanUp!(2)
2006-10-07 02:05 -------- d-------- C:\Documents and Settings\kem\Application Data\CyberLink
2006-10-07 00:46 -------- d-------- C:\Documents and Settings\kem\Application Data\WinPatrol
2006-10-07 00:45 -------- d-------- C:\Program Files\BillP Studios
2006-10-07 00:41 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-06 20:46 -------- d-------- C:\Documents and Settings\kem\Application Data\AVG7
2006-10-06 20:45 -------- d-------- C:\Program Files\Grisoft
2006-10-02 01:24 -------- d-------- C:\Program Files\EA GAMES
2006-10-02 00:32 -------- d-------- C:\Program Files\Common Files\DirectX
2006-09-29 01:17 -------- d-------- C:\Documents and Settings\kem\Application Data\Intel
2006-09-27 00:14 -------- d-------- C:\Program Files\IObit
2006-09-26 00:49 -------- d-------- C:\Documents and Settings\kem\Application Data\Sun
2006-09-26 00:04 -------- d-------- C:\Program Files\Clock Tower 3D Screensaver
2006-09-26 00:04 -------- d-------- C:\Program Files\3Planesoft Screensaver Manager
2006-09-24 01:10 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-09-24 00:41 -------- d-------- C:\Program Files\Windows Defender
2006-09-24 00:18 -------- d-------- C:\Program Files\Bug Doctor
2006-09-22 21:39 -------- d-------- C:\Program Files\MAIET
2006-09-22 20:51 -------- d-------- C:\Program Files\Java
2006-09-22 20:50 -------- d-------- C:\Program Files\Common Files\Java
2006-09-21 00:14 -------- d-------- C:\Program Files\Opera
2006-09-21 00:14 -------- d-------- C:\Documents and Settings\kem\Application Data\Opera
2006-09-20 19:43 -------- d-------- C:\Program Files\XviD
2006-09-20 01:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-20 01:01 -------- d-------- C:\Documents and Settings\kem\Application Data\Mozilla
2006-09-17 23:57 -------- d-------- C:\Documents and Settings\kem\Application Data\AdobeUM
2006-09-17 23:37 -------- d-------- C:\Documents and Settings\kem\Application Data\Adobe
2006-09-17 22:18 -------- d-------- C:\Program Files\Futuremark
2006-09-17 20:46 -------- dr-h----- C:\Documents and Settings\kem\Application Data\yahoo!
2006-09-17 20:02 -------- d-------- C:\Documents and Settings\kem\Application Data\Paltalk
2006-09-17 17:39 -------- d-------- C:\Program Files\MSN Messenger
2006-09-17 17:36 -------- d-------- C:\Program Files\Google
2006-09-17 17:36 -------- d-------- C:\Documents and Settings\kem\Application Data\Google
2006-09-17 17:33 -------- d-------- C:\Program Files\XoftSpySE
2006-09-17 17:30 -------- d-------- C:\Program Files\Paltalk Messenger
2006-09-17 17:26 -------- d-------- C:\Program Files\Yahoo!
2006-09-17 16:54 -------- d-------- C:\Program Files\Logitech
2006-09-17 16:51 -------- d-------- C:\Program Files\Sygate
2006-09-17 16:47 24976 --a------ C:\WINDOWS\twain_16.dll
2006-09-17 16:43 -------- d-------- C:\Program Files\Acesoft
2006-09-17 16:40 -------- d-------- C:\Program Files\Winamp
2006-09-17 16:38 -------- d-------- C:\Program Files\WinRAR
2006-09-17 16:38 -------- d-------- C:\Program Files\BitTornado
2006-09-17 06:49 -------- d-------- C:\Program Files\Microsoft Office
2006-09-17 06:34 -------- d-------- C:\Documents and Settings\kem\Application Data\Macromedia
2006-08-24 22:42 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-08-24 22:42 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-08-24 22:30 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-08-24 22:30 990208 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-08-24 22:30 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-08-24 22:30 8337920 --a------ C:\WINDOWS\system32\wmploc.dll
2006-08-24 22:30 790016 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-08-24 22:30 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-08-24 22:30 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-08-24 22:30 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-08-24 22:30 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-08-24 22:30 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-08-24 22:30 611840 --------- C:\WINDOWS\system32\wmpmde.dll
2006-08-24 22:30 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-08-24 22:30 537600 --a------ C:\WINDOWS\system32\blackbox.dll
2006-08-24 22:30 532992 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-08-24 22:30 428032 --a------ C:\WINDOWS\system32\WMDRMdev.dll
2006-08-24 22:30 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-08-24 22:30 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-08-24 22:30 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-08-24 22:30 349184 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-08-24 22:30 347648 --a------ C:\WINDOWS\system32\WMDRMNet.dll
2006-08-24 22:30 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-08-24 22:30 320512 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-08-24 22:30 316928 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-08-24 22:30 314368 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-08-24 22:30 305152 --------- C:\WINDOWS\system32\MSDelta.dll
2006-08-24 22:30 295424 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-08-24 22:30 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-08-24 22:30 276480 --------- C:\WINDOWS\system32\audiodev.dll
2006-08-24 22:30 27648 --a------ C:\WINDOWS\system32\MsPMSNSv.dll
2006-08-24 22:30 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-08-24 22:30 2589184 --------- C:\WINDOWS\system32\WpdShext.dll
2006-08-24 22:30 258560 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-08-24 22:30 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-08-24 22:30 242176 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-08-24 22:30 228352 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-08-24 22:30 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-08-24 22:30 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-08-24 22:30 211968 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-08-24 22:30 210432 --a------ C:\WINDOWS\system32\qasf.dll
2006-08-24 22:30 204800 --------- C:\WINDOWS\system32\wmpsrcwp.dll
2006-08-24 22:30 198144 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-08-24 22:30 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-08-24 22:30 175104 --a------ C:\WINDOWS\system32\MsPMSP.dll
2006-08-24 22:30 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-08-24 22:30 1660416 --------- C:\WINDOWS\system32\wmpencen.dll
2006-08-24 22:30 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-08-24 22:30 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-08-24 22:30 1539584 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-08-24 22:30 1532416 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-08-24 22:30 1392128 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-08-24 22:30 133120 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-08-24 22:30 1327616 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-08-24 22:30 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-08-24 22:30 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-08-24 22:30 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-08-24 22:30 1118208 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-08-24 22:30 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-08-24 20:31 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-08-24 20:27 249344 --------- C:\WINDOWS\system32\drmupgds.exe
2006-08-24 20:26 95288 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-08-24 20:26 38656 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys
2006-08-24 20:26 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-08-24 19:22 90112 --------- C:\WINDOWS\system32\drivers\WudfRd.sys
2006-08-24 19:19 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-08-24 19:19 145920 --------- C:\WINDOWS\system32\WudfHost.exe
2006-08-24 19:18 84864 --------- C:\WINDOWS\system32\drivers\WudfPf.sys
2006-08-24 19:18 56320 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-08-24 19:18 168448 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-08-23 00:31 5906432 --------- C:\WINDOWS\system32\ieframe.dll
2006-08-23 00:31 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-08-23 00:31 457728 --------- C:\WINDOWS\system32\msfeeds.dll
2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
2006-08-23 00:31 175616 --------- C:\WINDOWS\system32\ieui.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-08-23 00:18 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
2006-08-23 00:16 16896 --a------ C:\WINDOWS\system32\corpol.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-23 00:11 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-08-23 00:10 61440 --------- C:\WINDOWS\system32\icardie.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-08-23 00:09 262656 --------- C:\WINDOWS\system32\iertutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-08-22 23:36 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-14 15:19 450560 --a------ C:\WINDOWS\system32\igldev32.dll
2006-08-14 15:16 2363392 --a------ C:\WINDOWS\system32\iglicd32.dll
2006-08-14 14:41 450560 --a------ C:\WINDOWS\system32\igfxcfg.exe
2006-08-14 14:41 23552 --a------ C:\WINDOWS\system32\igfxexps.dll
2006-08-14 14:41 114688 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-08-14 14:41 110592 --a------ C:\WINDOWS\system32\igfxext.exe
2006-08-14 14:39 98304 --a------ C:\WINDOWS\system32\igfxtray.exe
2006-08-14 14:38 98304 --a------ C:\WINDOWS\system32\igfxdo.dll
2006-08-14 14:38 94208 --a------ C:\WINDOWS\system32\igfxpers.exe
2006-08-14 14:38 3276800 --a------ C:\WINDOWS\system32\igfxress.dll
2006-08-14 14:38 106496 --a------ C:\WINDOWS\system32\igfxzoom.exe
2006-08-14 14:37 81920 --a------ C:\WINDOWS\system32\hccutils.dll
2006-08-14 14:37 43520 --a------ C:\WINDOWS\system32\igfxsrvc.dll
2006-08-14 14:37 188416 --a------ C:\WINDOWS\system32\igfxsrvc.exe
2006-08-14 14:37 163840 --a------ C:\WINDOWS\system32\igfxpph.dll
2006-08-14 14:37 155648 --a------ C:\WINDOWS\system32\igfxdev.dll
2006-08-10 19:46 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"AGRSMMSG"="AGRSMMSG.exe"
"RTHDCPL"="RTHDCPL.EXE"
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe\""
"ntiMUI"="C:\\Program Files\\NewTech Infosystems\\NTI CD & DVD-Maker 7\\ntiMUI.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe 0"
"Acer ePresentation HPD"="C:\\Acer\\Empowering Technology\\ePresentation\\ePresentation.exe"
"ePower_DMC"="C:\\Acer\\Empowering Technology\\ePower\\ePower_DMC.exe"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\eRAgent.exe"
"ImageItEncrypt"="C:\\WINDOWS\\system32\\ImageItEncrypt.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AOL Spyware Protection"="C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,04,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,e1,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acer Empowering Technology.lnk"
"backup"="C:\\WINDOWS\\pss\\Acer Empowering Technology.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Acer\\EMPOWE~1\\ACEREM~1.EXE "
"item"="Acer Empowering Technology"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061008-220717-185
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20061008-220718-924
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20061008-191812-184
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 09/10/2006 22:52:45.68
ComboFix.txt

hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:55:32 PM, on 09/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\bits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

**Glaswegian** · 10-09-2006, 03:36 PM

Hi

Looks good. How is your system running now?

kem · 10-09-2006, 04:01 PM

ty for all your help its still getting ie freezes randomly i cant work out whats causing it

**Glaswegian** · 10-10-2006, 02:13 PM

Hi again

Let’s see if there is anything lurking deeper…….

Gmer
Download GMER and extract it to your desktop.

Double-click gmer.exe to run it and select the rootkit tab. Press scan. When it has finished, press copy and paste the log back here.

Blacklight
Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta will create a log file called "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

kem · 10-10-2006, 04:35 PM

for past few days ive also noticed if i double click or right click any desktop item it wont open theres no response if i reboot its all ok

its a brand new machine im begining to wonder if its a hardware problem

gmer log

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-11 00:31:59
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.11 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys

---- EOF - GMER 1.0.11 ----

blacklight log

10/11/06 00:33:44 [Info]: BlackLight Engine 1.0.47 initialized
10/11/06 00:33:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/11/06 00:33:44 [Note]: 7019 4
10/11/06 00:33:44 [Note]: 7005 0
10/11/06 00:33:48 [Note]: 7006 0
10/11/06 00:33:48 [Note]: 7011 1588
10/11/06 00:33:48 [Note]: 7026 0
10/11/06 00:33:48 [Note]: 7026 0
10/11/06 00:33:52 [Note]: FSRAW library version 1.7.1020

**Glaswegian** · 10-11-2006, 12:40 PM

Hi again

IE7 is probably still a bit buggy, so goodness knows when they’ll get it straightened out.

There’s no sign of malware on your system, so I would suggest posting in the XP forum for better help than I can provide. I have my doubts that it’s hardware related. Make sure you tell them that your system is clean.

Other than that, we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them.

Reset Hidden/System Files
To reset your hidden and system files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

System Restore
To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

IMPORTANT!!!
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Window's Update to get the KB912919 patch if you have not already done so.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

Ad-aware
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.

IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.

SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Sygate Personal Firewall
ZoneAlarm
Tiny Personal Firewall

Anti Virus Software
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

kem · 10-11-2006, 04:09 PM

ty for all your help

10-04-2006, 04:47 PM	#1 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	hijack log can someone look please :smile: been having browser problems with ie6 ie7 firefox opera the browser just stops responding no viruses or spyware thanks for help Logfile of HijackThis v1.99.1 Scan saved at 12:45:35 AM, on 05/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Realtek\InstallShield\AzMixerSel.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Acer\Acer Arcade\PCMService.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Acer\Empowering Technology\ePresentation\ePresentation.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\igfxext.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\bits\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.* R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe" O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Acer Empowering Technology.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = O17 - HKLM\Software\..\Telephony: DomainName = O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-07-2006, 03:14 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi and welcome to the Security Forum. Apologies for any delay in replying, but we have been rather busy lately. Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance. Thank you. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-07-2006, 04:05 PM	#3 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	fresh hijack log ty for reply im having random explorer freezes ive used ie6, now on ie7 still randomly freezing , firefox and opera still do the same thing non responsive browser. scanned for viruses all clear and for spyware Logfile of HijackThis v1.99.1 Scan saved at 12:02:38 AM, on 08/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\WINDOWS\AGRSMMSG.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Realtek\InstallShield\AzMixerSel.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\Program Files\Acer\Acer Arcade\PCMService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe C:\Acer\Empowering Technology\ePresentation\ePresentation.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\igfxext.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\WINDOWS\system32\wbem\unsecapp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\bits\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.* R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe" O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - Global Startup: Acer Empowering Technology.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = O17 - HKLM\Software\..\Telephony: DomainName = O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

10-08-2006, 03:40 AM	#4 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again There's not a great deal showing in your log, so we'll do some cleaning and see what may turn up. You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply. Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean. MSconfig Enabled You appear to have msconfig enabled. This may prevent us from seeing everything running on your system. Please re-enable all startup items. Go to Start > Run type msconfig and press Enter. In the Dialog box that appears select Normal Startup - Load all Device Drivers and Services Press the 'Exit without restarting' button - we will reboot later. Show Hidden Files Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Downloads Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW! Download AVG Anti Spyware This is a 30 day trial Install AVG Anti Spyware Double-click the icon on Desktop to launch AVG On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" I also recommend changing the "Update interval" to something more reasonable like 12 hours. When you have finished updating, EXIT AVG Anti Spyware. Disable Windows Defender Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. Reboot Reboot your system in Safe Mode. Restart the computer. The computer begins processing a set of instructions known as BIOS. After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key) Instead of Windows loading as normal, a menu should appear Use the arrow key to highlight Safe Mode and press Enter. HijackThis Entries Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE Please remember to close all other windows, including browsers then click Fix checked. Run CleanUp! NOTE Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW! Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked. Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility. Run AVG Anti Spyware Run AVG with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine Then click Apply all actions Once finished, click the Save report button, then click Save Report As and save it to your desktop. NOTE: AVG scan may require an hour. Reboot Reboot your system in Normal Mode. Online Scan Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner. 1. Click Check Now and a "pop up" window will appear. Please ensure that your pop up blocker doesn't block it 2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan Logs required Ewido Log Panda Log HijackThis Log Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-08-2006, 04:20 PM	#5 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	fresh hijack logs and panda and spyware report hijack in safemode Logfile of HijackThis v1.99.1 Scan saved at 11:48:03 PM, on 08/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\bits\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.* R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe" O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acer Empowering Technology.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = O17 - HKLM\Software\..\Telephony: DomainName = O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe hijack in normal mode Logfile of HijackThis v1.99.1 Scan saved at 11:52:59 PM, on 08/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Realtek\InstallShield\AzMixerSel.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Acer\Acer Arcade\PCMService.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Acer\Empowering Technology\ePresentation\ePresentation.exe C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe C:\WINDOWS\system32\igfxext.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wuauclt.exe C:\bits\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.* R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe" O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acer Empowering Technology.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = O17 - HKLM\Software\..\Telephony: DomainName = O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe Ewido Log --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 11:40:11 PM 08/10/2006 + Scan result: Nothing found. ::Report end Panda Log Incident Status Location Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\kem\Cookies\kem@apmebf[2].txt thank you for help so far

10-08-2006, 06:42 PM	#6 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	postcript after i done all the fixes i tried cwshredder and it found cws.msconfig and deleted it

10-09-2006, 01:33 PM	#7 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again I’m curious – what made you run CWShredder? I only need logs taken while in Normal Mode. Please don’t run any other tools or fixes unless I ask you to do so. How is your system now? Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note of the name(s) and location(s) of any file(s) it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-09-2006, 02:27 PM	#8 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	hijack and kaspersky logs seems ive got java virus which none of the other avgs picked up Logfile of HijackThis v1.99.1 Scan saved at 10:24:47 PM, on 09/10/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Realtek\InstallShield\AzMixerSel.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Acer\Acer Arcade\PCMService.exe C:\WINDOWS\system32\svchost.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe C:\Acer\Empowering Technology\ePresentation\ePresentation.exe C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE C:\WINDOWS\system32\igfxext.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\bits\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.co.uk/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=midd-cache-6.server.ntli.net:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.* R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe" O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0 O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = O17 - HKLM\Software\..\Telephony: DomainName = O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: rpcapd - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe kaspersky log KASPERSKY ONLINE SCANNER REPORT Monday, October 09, 2006 10:19:58 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 9/10/2006 Kaspersky Anti-Virus database records: 230183 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer C:\ D:\ E:\ Scan Statistics Total number of scanned objects 52131 Number of viruses found 2 Number of infected objects 4 / 0 Number of suspicious objects 0 Duration of the scan process 00:30:50 Infected Object Name Virus Name Last Action C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{5A30CD3D-E099-4CAA-A6C1-844ECAC7E526}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_684.dat Object is locked skipped C:\WINDOWS\Temp\sqlite_XG5GitkeVJS6Vsc Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_e00.dat Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-09242006-004147.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped C:\Documents and Settings\kem\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temp\Perflib_Perfdata_c5c.dat Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temp\~DF92A2.tmp Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temp\~DF2871.tmp Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temp\~DF28C6.tmp Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temp\~DF49E3.tmp Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temp\~DF4A2E.tmp Object is locked skipped C:\Documents and Settings\kem\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\kem\Local Settings\History\History.IE5\MSHist012006100920061010\index.dat Object is locked skipped C:\Documents and Settings\kem\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\Acer Arcade\Log\Trace20061009.log Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\ApplicationHistory\ePresentation.exe.e70224e9.ini.inuse Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows Live Contacts\kem115@hotmail.com\real\members.stg Object is locked skipped C:\Documents and Settings\kem\Local Settings\Application Data\Microsoft\Windows Live Contacts\kem115@hotmail.com\shadow\members.stg Object is locked skipped C:\Documents and Settings\kem\Cookies\index.dat Object is locked skipped C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip/Counter.class Infected: Trojan.Java.ClassLoader.i skipped C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\kem\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a26-70bb49e7.zip ZIP: infected - 3 skipped C:\Documents and Settings\kem\ntuser.dat Object is locked skipped C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped C:\Program Files\Sygate\SPF\debug.log Object is locked skipped C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped C:\Program Files\Yahoo!\Messenger\logs\client_kem.log Object is locked skipped C:\Program Files\Yahoo!\Messenger\logs\network_kem.log Object is locked skipped C:\Program Files\Yahoo!\Messenger\logs\billing_kem.log Object is locked skipped C:\System Volume Information\_restore{13C10FBC-D4AA-43D2-A758-8129CFBBD7EB}\RP90\change.log Object is locked skipped C:\palsound.txt Object is locked skipped Scan process completed.

10-09-2006, 02:44 PM	#9 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again Not quite as bad as it looks…….. See this page for instructions on how to clear java's cache. Let’s do a different check…. Please download combofix.exe to your desktop. Alternative download location here. IMPORTANT - You must place combofix on your desktop!! Double click combofix.exe & follow the prompts. When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. Post back with combofix.txt and a fresh HijackThis Log. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-09-2006, 03:36 PM	#11 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi Looks good. How is your system running now? __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-09-2006, 04:01 PM	#12 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	ty for all your help its still getting ie freezes randomly i cant work out whats causing it

10-10-2006, 02:13 PM	#13 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again Let’s see if there is anything lurking deeper……. Gmer Download GMER and extract it to your desktop. Double-click gmer.exe to run it and select the rootkit tab. Press scan. When it has finished, press copy and paste the log back here. Blacklight Download and run Blacklight Note that you must have local administrative privileges to run the program. Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this. When it finishes, click Next. You may get a screen similar to the picture below. Click on Close. BlackLight beta will create a log file called "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-10-2006, 04:35 PM	#14 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	gmer log and blacklight log for past few days ive also noticed if i double click or right click any desktop item it wont open theres no response if i reboot its all ok its a brand new machine im begining to wonder if its a hardware problem gmer log GMER 1.0.11.11390 - http://www.gmer.net Rootkit 2006-10-11 00:31:59 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.11 ---- SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory ---- Devices - GMER 1.0.11 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6D40220] wpsdrvnt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F6D40480] wpsdrvnt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F6D405A0] wpsdrvnt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B5885A] avgtdi.sys ---- EOF - GMER 1.0.11 ---- blacklight log 10/11/06 00:33:44 [Info]: BlackLight Engine 1.0.47 initialized 10/11/06 00:33:44 [Info]: OS: 5.1 build 2600 (Service Pack 2) 10/11/06 00:33:44 [Note]: 7019 4 10/11/06 00:33:44 [Note]: 7005 0 10/11/06 00:33:48 [Note]: 7006 0 10/11/06 00:33:48 [Note]: 7011 1588 10/11/06 00:33:48 [Note]: 7026 0 10/11/06 00:33:48 [Note]: 7026 0 10/11/06 00:33:52 [Note]: FSRAW library version 1.7.1020

10-11-2006, 12:40 PM	#15 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,952 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again IE7 is probably still a bit buggy, so goodness knows when they’ll get it straightened out. There’s no sign of malware on your system, so I would suggest posting in the XP forum for better help than I can provide. I have my doubts that it’s hardware related. Make sure you tell them that your system is clean. Other than that, we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure. You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them. Reset Hidden/System Files To reset your hidden and system files: Click *Start.* Open *My Computer.* Select the *Tools menu* and click *Folder Options.* Select the *View* tab. Deselect the *Show hidden files and folders* option. Select the *Hide file extensions for known types* option. Select the *Hide protected operating system files* option. Click *Yes* to confirm. Click *OK.* System Restore To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. This will create a new Restore Point. IMPORTANT!!! Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Window's Update to get the KB912919 patch if you have not already done so. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here. *Ad-aware* Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here. *IE-SPYAD* IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here. *SnoopFree* SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems. *MVPS Hosts File* The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. *Alternate Browsers* Try the following free alternate browsers rather than Internet Explorer Firefox Opera Maxthon *Firewalls* A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall *Anti Virus Software* It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial Here are three very good free Antivirus products which are available: BitDefender Free Avast! AVG It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. *Other Protection* Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles PC Safety & Security - What Do I Need?. Making Internet Explorer Safer. Keep clean and safe and enjoy your computing! Please respond to this thread one more time so we can mark this thread as resolved. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-11-2006, 04:09 PM	#16 (permalink)
kem Registered User Join Date: Oct 2006 Posts: 28 OS: win xp home	ty for all your help ty for all your help