Malwarebytes

New computer - first scan

32 replies to this topic

#1
alicez

    Advanced Member

  • Honorary Members
  • 168 posts
  • Location:USA
Just bought a net-notebook for my grandson's birthday. Received it yesterday and today ran an MB scan, and the following 5 exceptions were found:

http://img19.imagesh...lawarebytes.jpg

I don't know whether to click on the "Remove Selected" or close the MB and wait for your answers after seeing the HJT Log.
Can you please help me so we can give a "clean" computer to our grandson?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:24 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\AOL\1235576147\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\DOCUME~1\BOBTIG~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...mp;m=aspire_one
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scandoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...mp;m=aspire_one
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...mp;m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [NotificationCenterLauncher] C:\Program Files\Acer\Acer eRecovery Management\NotificationLauncher.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1235576147\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5\AOL.EXE" -b
O4 - Global Startup: Acer VCM.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235590921406
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
--
End of file - 6623 bytes

#2
alicez

I looked in the MB Logs section, but there is nothing there. (I am using my desktop now.)
I have not closed the MB after it reported the 5 errors. I didn't know whether to click on "Remove Selected," or to click on "Ignore" which might mean that the 5 errors would remain on the computer forever and never be shown again when I ran a MB scan. I didn't want to click on "Remove Selected" now because that might remove something that should not be removed. (Hope I am making myself clear. I am new at all of this!)
Can I click on "Ignore" in order to get the Log that you (might) need? And then later when I do a scan, the 5 will show up again for further action?

Alice

#3
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
No, don't remove them for now. They might be a false positive.


Please close it and then run this.
Click on START - RUN and type in MBAM /DEVELOPER and then do another Quick Scan and don't fix anything and when the log pops up post back that information please.


Then also do the following.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your antivirus/antimalware has it. You can disconnect from the Internet while this runs for a minute.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt

Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#4
alicez

Malwarebytes' Anti-Malware 1.34
Database version: 1802
Windows 5.1.2600 Service Pack 3

2/25/2009 5:23:40 PM
mbam-log-2009-02-25 (17-23-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89463
Time elapsed: 34 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snp2uvc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP8\A0004889.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{EECCC067-5764-4761-8178-47FA5F6368E3}\RP8\A0004890.exe (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\csnp2uvc.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken.

#5
alicez

AdvancedSetup, on Feb 25 2009, 11:09 PM, said:

No, don't remove them for now. They might be a false positive.


Please close it and then run this.
Click on START - RUN and type in MBAM /DEVELOPER and then do another Quick Scan and don't fix anything and when the log pops up post back that information please.


Then also do the following.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your antivirus/antimalware has it. You can disconnect from the Internet while this runs for a minute.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt

==================

I clicked on Start and then Run and typed in MBAM/DEVELOPER
and got pop up reading: Windows cannot find "MBAM/DEVELOPER"

#6
alicez

I hope these are right. Remember please, I am a senior citizen and novice at all of this....

Attach:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/25/2009 1:05:23 PM
System Uptime: 2/25/2009 6:13:03 PM (0 hours ago)

Motherboard: Acer | | Aspire one
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU | 1596/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 143 GiB total, 132.353 GiB free.
D: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 2/25/2009 1:05:26 PM - System Checkpoint
RP2: 2/25/2009 1:07:17 PM - Installed WebCam
RP3: 2/25/2009 1:10:10 PM - Installed Acer eRecovery Management
RP4: 2/25/2009 1:58:57 PM - Installed AVG Free 8.0
RP5: 2/25/2009 2:45:51 PM - Software Distribution Service 3.0
RP6: 2/25/2009 3:47:08 PM - Software Distribution Service 3.0
RP7: 2/25/2009 4:10:52 PM - Removed Google Toolbar for Internet Explorer
RP8: 2/25/2009 4:14:11 PM - Software Distribution Service 3.0
RP9: 2/25/2009 6:06:58 PM - Removed Microsoft Office Home and Student 2007
RP10: 2/25/2009 6:18:26 PM - Removed Microsoft Works
RP11: 2/25/2009 6:21:15 PM - Removed Microsoft Office Suite Activation Assistant.
RP12: 2/26/2009 9:07:43 AM - Removed AVG Free 8.0
RP13: 2/26/2009 9:09:40 AM - Installed AVG Free 8.0
RP14: 2/26/2009 9:15:14 AM - Installed AVG Free 8.0
RP15: 2/25/2009 10:39:48 AM - Installed Windows Media Format 9 Series Runtime Setup

==== Installed Programs ======================

Acer eRecovery Management
Acer ScreenSaver
Acer VCM
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
AOL Uninstaller (Choose which Products to Remove)
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Atheros for Acer Driver v7.6.0.260_Foxconn Installation Program
AVG Free 8.0
Carbonite Online Backup Setup
CCleaner (remove only)
Choice Guard
Compatibility Pack for the 2007 Office system
eSobi v2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Junk Mail filter update
Launch Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
PC Tools Firewall Plus 5.0
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Segoe UI
Spybot - Search & Destroy
SpywareBlaster 4.1
Synaptics Pointing Device Driver
Uninstall AOL Emergency Connect Utility 1.0
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB2.0 Card Reader Software
Viewpoint Media Player
WebCam
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer

==== Event Viewer Messages From Past Week ========

2/25/2009 6:19:38 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
2/25/2009 6:10:54 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GOTARO234 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6C7D767E-D63A-4C55. The master browser is stopping or an election is being forced.
2/25/2009 5:33:18 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.46 with the system having network hardware address 00:12:F0:73:CB:53. Network operations on this system may be disrupted as a result.
2/25/2009 2:13:44 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
2/25/2009 1:35:45 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GOTARO234 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F9FECE78-7DAE-4A70. The master browser is stopping or an election is being forced.
2/25/2009 1:19:57 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -68236 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.47:123->207.46.232.182:123) is working properly.

==== End Of File ===========================


DDS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Bob Tiger at 18:28:46.98 on Wed 02/25/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.542 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: PC Tools Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\AOL\1235576147\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\BOBTIG~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Bob Tiger\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.scandoo.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aspire_one
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aspire_one
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [NotificationCenterLauncher] c:\program files\acer\acer erecovery management\NotificationLauncher.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HostManager] c:\program files\common files\aol\1235576147\ee\AOLSoftware.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235590921406
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-26 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-26 27656]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-2-25 159600]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-26 298264]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-2-25 73840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-2-25 146800]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-1-16 237568]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-1-16 38400]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-2-25 95640]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2009-02-25 17:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-25 17:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-25 15:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-25 15:52 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-25 15:52 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-25 15:52 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-25 15:52 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-25 15:52 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-25 15:52 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-25 15:52 <DIR> --d----- C:\5783e9d61ef97d983c8dc1a4915e0169
2009-02-25 15:52 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-25 15:44 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-02-25 15:44 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-25 15:44 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-02-25 15:44 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-02-25 15:44 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-02-25 15:44 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-25 15:44 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-25 15:44 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-25 15:44 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-02-25 15:12 <DIR> --d----- c:\program files\Trend Micro
2009-02-25 14:46 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-25 14:42 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-02-25 14:42 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-02-25 14:42 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-25 14:42 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-02-25 14:42 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-25 14:35 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-25 14:31 <DIR> --d----- c:\program files\CCleaner
2009-02-25 14:11 <DIR> --d----- c:\docume~1\bobtig~1\applic~1\PCToolsFirewallPlus
2009-02-25 14:09 130,928 a------- c:\windows\system32\drivers\PCTCore.sys
2009-02-25 14:09 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-25 14:09 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-02-25 14:08 97,408 a------- c:\windows\system32\drivers\pctfw.sys
2009-02-25 14:08 <DIR> --d----- c:\program files\common files\PC Tools
2009-02-25 14:08 95,640 a------- c:\windows\system32\drivers\pctplfw.sys
2009-02-25 14:08 <DIR> --d----- c:\program files\PC Tools Firewall Plus
2009-02-25 13:58 <DIR> --d----- c:\program files\AVG
2009-02-25 13:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-25 13:51 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-02-25 13:09 <DIR> a-d----- c:\windows\BTW
2009-02-25 13:07 1,769,984 a------- c:\windows\system32\drivers\snp2uvc.sys
2009-02-25 13:07 286,720 a------- c:\windows\system32\vsnp2uvc.dll
2009-02-25 13:07 196,608 a------- c:\windows\system32\csnp2uvc.dll
2009-02-25 13:07 94,208 a------- c:\windows\PLFSetL.exe
2009-02-25 13:07 28,160 a------- c:\windows\system32\drivers\sncduvc.sys
2009-02-25 13:07 36 a------- c:\windows\PidList.ini
2009-02-25 13:07 172,032 a------- c:\windows\system32\rsnp2uvc.dll
2009-02-25 13:07 <DIR> --d----- c:\windows\SUYIN NB Cam
2009-02-25 13:07 <DIR> --d----- c:\program files\common files\SNP2UVC
2009-02-25 13:06 <DIR> --d----- c:\docume~1\bobtig~1\applic~1\Acer
2009-02-25 13:06 <DIR> --d----- c:\documents and settings\Bob Tiger
2009-02-25 13:01 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-25 10:41 <DIR> --d----- c:\docume~1\bobtig~1\applic~1\AOL
2009-02-25 10:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-02-25 10:37 <DIR> --d----- c:\program files\Viewpoint
2009-02-25 10:37 <DIR> --d----- c:\program files\common files\Nullsoft
2009-02-25 10:36 33,588 a----r-- c:\windows\system32\drivers\wanatw4.sys
2009-02-25 10:35 <DIR> --d----- c:\program files\common files\aolshare
2009-02-25 10:35 <DIR> --d----- c:\program files\common files\aol
2009-02-25 10:35 <DIR> --d----- c:\program files\AOL 9.5
2009-02-11 11:25 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-11 11:25 348,160 a------- c:\windows\system32\msvcr71.dll

==================== Find3M ====================

2009-02-25 13:09 2,001 a------- c:\windows\CLEANUP.CMD
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 19:29 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-01-16 19:29 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-16 18:33 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 18:32 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-01-07 18:56 2,437,120 a------- c:\windows\system32\acer.scr
2008-12-30 02:20 2,040 a------- c:\windows\system32\drivers\MOD01SET0500000032.enc
2008-12-30 02:20 8 a------- c:\windows\system32\drivers\1025_ACER_AOD150.MRK
2008-12-30 01:23 8 a------- c:\windows\system32\drivers\rtkhdaud.dat
2008-12-26 03:20 18,081,280 a------- c:\windows\RTHDCPL.EXE
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-18 01:32 34,816 a------- c:\windows\system32\RtkCoInstXP.dll
2008-12-05 01:55 307,560 a------- c:\windows\WLXPGSS.SCR
2008-12-03 01:37 49,480 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 18:29:39.12 ===============

I got the following by just opening MB and running a quick scan (hope it is what you require):

Malwarebytes' Anti-Malware 1.34
Database version: 1802
Windows 5.1.2600 Service Pack 3

2/25/2009 6:23:03 PM
mbam-log-2009-02-25 (18-22-54).txt

Scan type: Quick Scan
Objects scanned: 57432
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snp2uvc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\csnp2uvc.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken.
==============

I believe this one showed 3 "errors" while the Longer Scan had 5 "errors."

Alice

#7
AdvancedSetup

Hi Alice,

You need a space after the word MBAM.EXE; it's not all one word. Then it should run just fine. Thanks.

#8
alicez

AdvancedSetup, on Feb 26 2009, 12:10 AM, said:

Hi Alice,

You need a space after the word MBAM.EXE; it's not all one word. Then it should run just fine. Thanks.


I realize that now. Was the one I sent you okay? The one I ran after I opened the MB manually?



(FYI - Ran AVG8 (AV/AS) and SpyBot S&D and nothing found.)

#9
AdvancedSetup

If you can, I'd like to get the DEVELOPER scan just to make sure. So yes, please run the MBAM and a space, then /DEVELOPER and do a Quick Scan and post back that log.
Ron Lewis
Manager, Online Support

#10
alicez

Did the MBAM /DEVELOPER and here are the results (I hope it is what you want). I really am hoping they are false positives:

Malwarebytes' Anti-Malware 1.34
Database version: 1802
Windows 5.1.2600 Service Pack 3

2/25/2009 10:06:02 PM
mbam-log-2009-02-25 (22-05-40).txt

Scan type: Quick Scan
Objects scanned: 57280
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snp2uvc (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301414438586445483634456446343641424738615
24839535634513861467468838084807185615674796980888461368683837079855570838474807
9
6151867993323232323232113011838679697777201915708970113232323232156977771184]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\csnp2uvc.dll (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301414438586445483634456446343641424738615
24839535634513861467468838084807185615674796980888461368683837079855570838474807
9
6151867993323232323232113011838679697777201915708970113232323232156977771184]
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken. [4642524945343638373084708387746870841301474853017089709378846893676676937484689
3777976937884689378807193778072935746459381697193807769]

#11
AdvancedSetup

Hi Alice,

Well it looks like at least one of the files may not be a FP. Please run the following.
We need to get a copy of those files so that we can check them for sure.

First let's unhide the files so we can see them to upload them.

STEP 01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.

STEP 02
Please make a NEW folder on your Desktop. Right click, new folder.
Open "My Computer" and browse to this location C:\WINDOWS\system32\ and see if you can copy the file csnp2uvc.dll to that new folder you created.
Do the same thing for this file: C:\WINDOWS\SERVICES.REG

Then zip them up into a new archive and upload it to your reply.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
Ron Lewis
Manager, Online Support

#12
alicez

I found the files after looking around in windows and put them into a new folder and that's as far as I got. I don't know how to get them onto/into this message.
(Please remember we are extreme novices at this. We are looking for what you ask on our netbook (where the 5 problems are showing), transferring them to flash drive and then bringing them over to my desktop (where I am typing this) and then trying to get them onto this message.)
I have the two files in a new folder. I believe I placed them in a "New Compressed" folder. When I look in that folder, I see the two files, but they do not have Zip next to them.
I read and re-read the zip page you supplied but it is so confusing to me.
Don't know what to do now?

#13
AdvancedSetup

Hi Alice,

Yes I'm sorry, computers can be a bit difficult to understand at times. Let's try this.
Make sure your files are not hidden as shown in the other post on how to set them to unhidden.
Then rename the extension of the file. Extensions are the last parts of a file usually 3 characters. In this case .DLL and .REG

So please try to rename csnp2uvc.dll to csnp2uvc.txt
So please try to rename SERVICES.REG to SERVICES.TXT

Then on your reply you should see a green UPLOAD button towards the bottom right side under the text window with a Browse button next to it.
Click on the Browse button and browse to your DESKTOP where you copied the files and then click on the csnp2uvc.txt file. Then when the window comes back, click on the UPLOAD button. Doing it this way you may not be able to post both files as it may only allow you to attach 1 at a time. You might have to post a second time to attach the next one.

Let's see if that works or not.
Ron Lewis
Manager, Online Support

#14
alicez


AdvancedSetup, on Feb 26 2009, 04:17 AM, said:

Hi Alice,

Yes I'm sorry, computers can be a bit difficult to understand at times. Let's try this.
Make sure your files are not hidden as shown in the other post on how to set them to unhidden.
Then rename the extension of the file. Extensions are the last parts of a file usually 3 characters. In this case .DLL and .REG

So please try to rename csnp2uvc.dll to csnp2uvc.txt
So please try to rename SERVICES.REG to SERVICES.TXT

Then on your reply you should see a green UPLOAD button towards the bottom right side under the text window with a Browse button next to it.
Click on the Browse button and browse to your DESKTOP where you copied the files and then click on the csnp2uvc.txt file. Then when the window comes back, click on the UPLOAD button. Doing it this way you may not be able to post both files as it may only allow you to attach 1 at a time. You might have to post a second time to attach the next one.

Let's see if that works or not.

================================

Attached Files



#15
alicez

services
Don't know how it will appear at your end....

Attached Files



#16
alicez

csnp2uvc.txt

Attached Files



#17
alicez

csnp2uvc

Attached Files



#18
AdvancedSetup

Hi Alice,

Can you please UPDATE MBAM and do another Quick Scan and post back the new log.

Thanks.
Ron Lewis
Manager, Online Support

#19
alicez

Here is the Quick Scan I just did for myself. I'll send the MBAM /DEVELOPER one in a few moments...
===========================================

Malwarebytes' Anti-Malware 1.34
Database version: 1802
Windows 5.1.2600 Service Pack 3

2/26/2009 10:22:30 AM
mbam-log-2009-02-26 (10-22-22).txt

Scan type: Quick Scan
Objects scanned: 57284
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snp2uvc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\csnp2uvc.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken.

#20
alicez

Here is the MBAM /DEVELOPER I just completed (hope this is what you needed):

Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 5.1.2600 Service Pack 3

2/26/2009 4:09:54 PM
mbam-log-2009-02-26 (16-09-41).txt

Scan type: Quick Scan
Objects scanned: 58286
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken. [4642524945343638373084708387746870841301474853017089709378846893676676937484689
3777976937884689378807193778072935746459381697193807769]
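
Added example (not part of the original thread and not Malwarebytes code): the scans above differ only in database version (1802, then 1807), so comparing their detection lists shows which findings depended on the signature set. The parser below assumes the MBAM 1.34 text layout seen in this thread; the two sample logs are constructed, abridged copies of the posted ones, and the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the database 1802 and 1807 logs in this thread.
SCAN_DB_1802 = r"""Database version: 1802
Registry Values Infected: 1
Files Infected: 2

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snp2uvc (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\csnp2uvc.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""
SCAN_DB_1807 = r"""Database version: 1807
Registry Values Infected: 0
Files Infected: 1

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SERVICES.REG (Heuristics.Reserved.Word.Exploit) -> No action taken. [developer trace elided]
"""

SECTION = re.compile(r"^([A-Za-z ]+) Infected:$")        # list heading, not the "...: 2" summary
HIT = re.compile(r"^(.+?) \(([\w.]+)\) -> ([^.\[]+)\.")  # object (family) -> action.

def parse_mbam_log(text):
    """Return (database_version, {(section, object): (family, action)})."""
    db, section, hits = None, None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Database version:"):
            db = int(line.split(":", 1)[1])
        elif (m := SECTION.match(line)):
            section = m.group(1)
        elif section and (m := HIT.match(line)):
            hits[(section, m.group(1))] = (m.group(2), m.group(3))
    return db, hits

def compare_scans(older, newer):
    """Split the older scan's detections by whether the newer database still reports them."""
    (db_a, a), (db_b, b) = parse_mbam_log(older), parse_mbam_log(newer)
    if db_a is None or db_b is None or db_b <= db_a:
        raise ValueError("need two logs, the second from a newer database")
    untouched = all(action == "No action taken" for _, action in a.values())
    return {"dropped": sorted(o for _, o in a.keys() - b.keys()),
            "still_flagged": sorted(o for _, o in a.keys() & b.keys()),
            "nothing_removed_between": untouched}
```

When `nothing_removed_between` is true, an entry under `dropped` points to a change in the signature database rather than a change on disk; that is an inference from the logs, not a verdict on the file.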




