Discussion Starter · #1 · (Edited)
I think I have a Trojan file. I have no load-up screen. I cannot run antivirus checks online.

Problem with these files:

HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exeboot
"Added by the PUPPET-A TROJAN!"

HKLM\..\Run: [Alcmtr] ALCMTR.EXE

HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')Ctfmon.exe
"CoolWebSearch Ctfmon32 parasite variant"

HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
DDS (Version 1.0) - FAT32x86
Run by brian at 4:09:16.21 on 27/11/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.368 [GMT 0:00]

Check for any others, and how do I get rid of them?

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kontiki\KHost.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\brian\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.aceradvantage.com/stdreg
mDefault_Page_URL = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = hxxp://www.aceradvantage.com/stdreg
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp]
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-27 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-27 20560]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys []

=============== Created Last 30 ================

2008-11-27 03:56 250 a------- c:\windows\gmer.ini
2008-11-27 03:08 <DIR> --d----- c:\program files\PCPitstop
2008-11-27 02:30 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2008-11-27 02:08 <DIR> --dsh--- C:\FOUND.000
2008-11-27 02:01 <DIR> --d----- c:\docume~1\brian\applic~1\Uniblue
2008-11-27 02:00 <DIR> --d----- c:\program files\Uniblue
2008-11-27 02:00 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-27 01:53 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-11-27 01:53 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-11-27 01:50 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-11-27 01:50 75,248 a------- c:\windows\zllsputility.exe
2008-11-27 01:50 11,264 a------- c:\windows\system32\SpOrder.dll
2008-11-27 01:49 <DIR> --d----- c:\program files\Zone Labs
2008-11-27 01:44 <DIR> --d----- c:\windows\pss
2008-11-26 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-11-26 21:38 <DIR> --d----- c:\program files\Sky
2008-11-26 21:38 <DIR> --d----- c:\program files\Kontiki
2008-11-26 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sky
2008-11-26 21:37 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-11-26 21:36 <DIR> --d----- c:\windows\system32\LogFiles
2008-11-26 16:15 <DIR> --d----- c:\windows\system32\CatRoot_bak
2008-11-26 16:12 272,128 -------- c:\windows\system32\drivers\bthport.sys
2008-11-26 16:12 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2008-11-26 16:06 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-26 16:06 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-26 16:06 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-26 16:06 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-26 16:06 23,040 -------- c:\windows\kb913800.exe
2008-11-26 16:02 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-26 12:57 <DIR> --d----- c:\windows\system32\PreInstall
2008-11-26 09:54 92 a------- c:\windows\GridV.UNI
2008-11-26 09:49 602,112 a------- c:\windows\system32\Acer.Empowering.Windows.Forms_v820.dll
2008-11-26 09:48 1,168,896 a------- c:\windows\system32\ERUpdateHidden.EXE
2008-11-26 09:48 258,048 a------- c:\windows\system32\Uninstall_eRecovery.exe
2008-11-26 09:48 258,048 a------- c:\windows\system32\CheckD2DSystem.exe
2008-11-26 09:48 159,744 a------- c:\windows\system32\CloseProcessWindow.dll
2008-11-26 09:48 16,384 a------- c:\windows\system32\ClearEvent.exe
2008-11-26 09:48 552 a------- c:\windows\system32\setup.iss
2008-11-26 09:47 <DIR> --d----- c:\windows\Options
2008-11-26 09:45 83 a------- c:\windows\LManager.UNI
2008-11-26 09:45 <DIR> --d----- c:\program files\Launch Manager
2008-11-26 09:44 192,672 a------- c:\windows\system32\drivers\SynTP.sys
2008-11-26 09:44 114,688 a------- c:\windows\system32\SynCtrl.dll
2008-11-26 09:44 94,298 a------- c:\windows\system32\SynTPAPI.dll
2008-11-26 09:44 82,013 a------- c:\windows\system32\SynCOM.dll
2008-11-26 09:44 81,920 a------- c:\windows\system32\SynTPCo2.dll
2008-11-26 09:44 69,722 a------- c:\windows\system32\SynTPFcs.dll
2008-11-26 09:44 <DIR> --d----- c:\program files\Synaptics
2008-11-26 09:42 2,879,488 a------- c:\windows\SkyTel.exe
2008-11-26 09:42 69,632 a------- c:\windows\Alcmtr.exe
2008-11-26 09:41 53,248 a------- c:\windows\system32\acpimof.dll
2008-11-26 09:41 45,056 a------- c:\windows\system32\Epm-Po.dll
2008-11-26 09:31 <DIR> --d----- c:\windows\Acer
2008-11-26 09:31 <DIR> --d----- c:\documents and settings\brian
2008-11-25 22:12 <DIR> --ds---- c:\documents and settings\brian\UserData
2008-11-25 22:11 <DIR> --d----- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 16:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-09-15 11:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 a------- c:\windows\system32\dllcache\win32k.sys
2008-09-04 16:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-04 16:42 1,106,944 a------- c:\windows\system32\dllcache\msxml3.dll

============= FINISH: 4:09:40.45 ===============

TSF-Emeritus
Hello and welcome to TSF.

This looks like a brand new system installed on the day you posted, i.e. 26/11/2008 at 09:30. What makes you believe you have malware already?

None of the files you've listed are harmful. They could have been harmful if they were located elsewhere, but as they are in your logs, they are legitimate files.

HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe is related to Acer. Info: http://www.systemlookup.com/Startup/1436-Boot_exe.html

HKLM\..\Run: [Alcmtr] ALCMTR.EXE is a process loaded alongside Realtek AC97 audio hardware. It doesn't need to load at startup, but it's not classified as malicious. Info: http://www.processlibrary.com/directory/files/alcmtr/

HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE is related to the language/alternative input services in Office XP. Info: http://www.systemlookup.com/Startup/2443-ctfmon_exe.html

Please let us know what issues you have, if any, and post a fresh DDS main.txt as it has been a while since you posted.

P.S. I see that you've installed Uniblue RegistryBooster 2009. We do not recommend the use of any registry cleaning/boosting/tweaking tools. Please read this article written by Miekiemoes, a colleague of ours.
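
The location test used in the reply above (a well-known file name is only legitimate in its expected directory) can be applied mechanically to the Pseudo HJT Run lines of a DDS log. The script below is an added example, not the forum's or the DDS tool's own code; the expected directories are taken from the log above, and the sample input is constructed from that log plus one made-up ctfmon.exe entry in a temp folder to show what a flagged "located elsewhere" entry looks like.

```python
import re
import ntpath

# Expected home directory for system binaries that appear in the log above,
# lower-case as DDS prints paths in the Pseudo HJT section.
EXPECTED_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "rthdcpl.exe": r"c:\windows",
    "alcmtr.exe": r"c:\windows",
}

RUN_LINE = re.compile(r"^([umd])Run: \[([^\]]*)\](?: (.*))?$")
IMAGE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Constructed sample: Run lines copied from the log above plus one made-up
# ctfmon.exe entry in a temp folder, the "located elsewhere" case.
SAMPLE = r"""uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [LaunchApp]
mRun: [<NO NAME>]
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [CTFMON.EXE] c:\docume~1\brian\locals~1\temp\ctfmon.exe
"""
def image_path(command):
    """Executable part of a Run value: quotes and arguments stripped, lower-cased."""
    m = IMAGE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()

def triage(dds_text):
    """Return (hive, name, reason) for every Run entry that needs a second look."""
    findings = []
    for line in dds_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        if not command:
            findings.append((hive, name, "no command: orphaned value, harmless"))
            continue
        path = image_path(command)
        base = ntpath.basename(path)
        if "\\" not in path:
            # Bare name: resolved via the search path, so confirm its real location.
            where = EXPECTED_DIR.get(base, "a known directory")
            findings.append((hive, name, f"bare name {base}: confirm it is in {where}"))
        elif base in EXPECTED_DIR and ntpath.dirname(path) != EXPECTED_DIR[base]:
            findings.append((hive, name, f"{base} outside {EXPECTED_DIR[base]}"))
    return findings
```

Entries with a full path in a known location (Boot.exe under the Acer folder, CTFMON.EXE in system32) produce no finding, which matches the reply's verdict on the three lines the poster asked about.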
 