RtkBtMnt.exe virus - Unable to remove Help Needed!

Solved
By greenaliens
Jan 25, 2011
Topic Status:
Not open for further replies.
  1. Hi,

    I seem to have become infected with a RtkBtMnt.exe virus. This file always loads on boot up as it located here:-

    C:\Users\Tony\AppData\Local\Temp\RtkBtMnt.exe

    I am running Windows Vista 32 bit operating system.

    I have run Malwarebytes in safe mode but this does not pick up anything.
    Remove It Pro picks it up and removes it but also finds other infected files which it cannot remove.

    This virus is slowing down my system.

    I have also added a HJT log as this clearly shows the file in question.

    Hope to hear from you soon.
    Best wishes and thanks, Tony

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 14:24:07, on 24/01/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18999)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Users\Tony\AppData\Local\Temp\RtkBtMnt.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\ShortKeys2\shortkey.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\ProgramData\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Tony\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Empowering Technology Launcher.lnk = ?
    O4 - Global Startup: ShortKeys 2.lnk = C:\Program Files\ShortKeys2\shortkey.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 12743 bytes
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Welcome to TechSpot! I'll be glad to help. But we don't screen for malware with HijackThis. The example you have given is not a virus:
    rtkbtmnt.exe
    Process name: Realtek HD Audio Data Rerouter
    Application using this process: Realtek HD Audio Data Rerouter
    Process author: Realtek Semiconductor Corp.> rtkbtmnt.exe is a Realtek HD Audio Data Rerouter. from Realtek Semiconductor Corp. belonging to Realtek HD Audio Data Rerouter Non-system processes like rtkbtmnt.exe originate from software you installed on your system.

    Additionally: The process Realtek HD Audio Data Rerouter or RtkBtMnt.exe belongs to the software Realtek HD Audio Data Rerouter or Adobe AIR or Spy Sweeper by Realtek Semiconductor Corp (www.realtek.com.tw).

    The fact that is it running from a temp file does make it suspect. Why do you think this is a virus?

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,
    Thanks for your reply. I am fairly sure it is a suspect file as it keeps coming back into a Temp Folder and I found the following online:-

    "it is definetely a virus.
    Since it appears in the temp file, it starts creating labuage.bin files, useless foulders and rubbish that fill up your disk at great speed. If you try to delete it, you can't. Unlocker is useless against it. If you restart your pc in safe mode, file is unavailable, nor can it be found.
    So far, the only I was able to do, was to open the task manager whenever I start my pc, and stop its process. That seems to stop its creating new rubbish. "

    I have to stop the process running each time I boot up or the computer is very slow.

    I will take a look at your Preliminary Virus and Malware Removal thread next and post my results asap.

    Thanks, Tony
  4. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    How long should TFC (Temp File Cleaner) take to run? So far it has been running for over two hours.

    Tony
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    The more files and folders, the longer it takes. If you don't do regular maintenance on the system like disc Cleanup, defrag, delete Cookies & downloads, the longer it will take.

    Note: I saw the item you quoted. Please note there are multiple misspellings and what is being said is conjecture, not fact. While "it" may turn out to be a virus or other malware, it may also be just something on the Startup menu that can't run properly because another process it needs doesn't start.>>
    What is labuage.bin files?
    useless foulders (?) and rubbish> how does he know this?
    Opening the Task Manager and stopping it there just end the process that is running at that time.
    ================================================
    RtkBtMnt.EXE -> running in a temp file may be nothing more than a file remaining from Realtek audio driver installation. Some downloads do not clean up well removing a temp file in the setup after it has been installed.
    Have you tried doing a search for rtbtmnt or ReakTek in your system and doing a right click> delete on this file?
    and/or this>>
    Try doing this: you will want to uncheck any process related to RealTek Audio
    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changed. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot
    ===============================================
    I note this anomaly in the HJT log: The system has got to be confused! I would not like to be you browser!

    =====================
  6. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    Thanks for your reply.

    Yes, I do undertake regular maintenance on the system but it does have a fairly large hard drive which is more than half full. The program is still running at the moment which has now been running for more than three hours.

    I know how to use msconfig so I will try that once the TFC program has finished. I know there is no reference to rtkbtmnt.exe as I checked for that, but I have not checked for other items relating to RealTek Audio but I will untick these if there are any.

    With regard to the rtkbtmnt.exe file that is in my Temp folder I have been able to remove it but on each re-boot it pops back in there.

    Yes, I did notice that the guys spelling was awful. However, I did find several others places via google that said if this file was in the Temp folder then it was more than likely a virus. Also when I ran "Remove It Pro v4" before I posted on here it identified the file as infected and deleted it.

    With regard to my HJT file would you suggest that I run HJT again tick these boxes and remove these lines?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    and
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK

    Could I be lucky enough that this is the problem?

    Thanks for all your help which is really appreciated.

    Tony
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    About maintance: there is a lot more to a computer system than the hard drive. You can't ignore files and folders just because you have a big hard drive! That's hardware- you have to take care of the software also.

    Please close and remove TFC and on to the other scans. I'll have you run it later.

    As for the entries in HJT, I'd rather you not remove anything yet. But can you tell me what all the home and search pages are for? It looks like you have multiple Internet Explores set up instead of using the tabs. I that is the case (multiple), the RealTek entry "could be" associated with one of those pages.

    Since you can delete the file in question, but it returns when you reboot, it has to have an entry somewhere in the system>> maybe in the Registry or on Startup, or an executable file starting it>> or>> it's malware of some kind which we need to find and remove.

    About the spelling comments I made about the quote. I did that because I was reading a comment that sounded like it was made in the heat of the moment and not from valid knowledge. You'll find a lot of suggestions on the internet from people who had a problem and tried something to fix it. It worked for them, but with malware cleaning it may not work for you.
  8. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    I shut down the TFC program after it was running for 7 hours. To be honest I think it was stuck?

    I have already run malwarebytes today, both quick scan and full scans and it picked up nothing. I use this program all the time as it seems quite a good one.

    I have downloaded and run GMER and here is the log:-

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-26 00:19:38
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-24A23T0 rev.01.01A02
    Running: rcznllr7.exe; Driver: C:\Users\Tony\AppData\Local\Temp\kgtdipob.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 854131F8
    Device \Driver\atapi \Device\Ide\IdePort0 854131F8
    Device \Driver\atapi \Device\Ide\IdePort1 854131F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 854131F8
    Device \FileSystem\Ntfs \Ntfs 854141F8

    AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    I have also downloaded DDS and here are the two logs:-


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Tony at 0:21:54.09 on 26/01/2011
    Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1121 [GMT 0:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\System32\rundll32.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\ShortKeys2\shortkey.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Acer\Empowering Technology\eNet\eNet Service.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\PSIService.exe
    C:\Program Files\Macrium\Reflect\ReflectService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Tony\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://en.uk.acer.yahoo.com/
    uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://en.uk.acer.yahoo.com
    mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [Google Update] "c:\users\tony\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Acer Tour]
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
    mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\shortk~1.lnk - c:\program files\shortkeys2\shortkey.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\tony\appdata\roaming\mozilla\firefox\profiles\y2kbc7yj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.ukwins.co.uk/daily/
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\users\tony\appdata\roaming\mozilla\firefox\profiles\y2kbc7yj.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_31.dll
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\tony\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programdata\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\programdata\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\programdata\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\programdata\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\programdata\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\programdata\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: YouTube Video Downloader: firefox-ext@youtubekeep.com - %profile%\extensions\firefox-ext@youtubekeep.com
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - %profile%\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: AVG Security Toolbar em:version=6.011.025.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
    R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2009-10-11 902432]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 67656]
    R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-11-23 95592]
    R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2009-10-11 2326920]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-8-25 220128]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2009-10-11 159168]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-20 517448]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-7-30 21504]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]
    S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-12-2 31232]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2011-01-25 13:41:29 -------- d-----w- c:\program files\RegistryFix8
    2011-01-25 10:26:02 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-01-25 10:21:21 -------- dc----w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2011-01-25 07:49:51 -------- d-----w- c:\program files\Sophos
    2011-01-24 17:50:06 -------- d-----w- c:\program files\InCode Solutions
    2011-01-24 15:04:18 -------- d-----w- C:\Problem
    2011-01-24 13:49:38 2560 ----a-w- c:\windows\_MSRSTRT.EXE
    2011-01-23 20:17:01 -------- d-----w- c:\program files\CCleaner
    2011-01-14 07:35:02 73728 ----a-w- c:\windows\system32\APISlice.dll
    2011-01-12 16:59:10 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-12 11:51:29 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 11:51:28 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-12 11:51:27 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-01-12 11:51:27 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-12 11:51:27 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-12 11:51:27 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-11 22:04:40 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2011-01-11 22:02:25 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2011-01-11 21:48:21 -------- d-----w- c:\program files\Microsoft Analysis Services
    2011-01-04 22:50:15 -------- d-----w- C:\Photo Others 2011
    2011-01-03 17:46:58 -------- d-----w- C:\Photo Ours 2011

    ==================== Find3M ====================

    2010-11-12 18:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

    ============= FINISH: 0:23:56.24 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 31/07/2009 00:54:33
    System Uptime: 25/01/2011 23:36:54 (1 hours ago)

    Motherboard: Acer | | Grapevine
    Processor: Genuine Intel(R) CPU T2060 @ 1.60GHz | U1 | 1600/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 200 GiB total, 118.988 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 98 GiB total, 21.433 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP702: 24/01/2011 23:00:59 - Removed Ask Toolbar.
    RP703: 24/01/2011 23:04:35 - Removed Ask Toolbar.
    RP704: 25/01/2011 10:24:04 - Windows Update

    ==== Installed Programs ======================

    7-Zip 4.65
    Acer Arcade Deluxe
    Acer eDataSecurity Management
    Acer eLock Management
    Acer Empowering Technology
    Acer eNet Management
    Acer ePower Management
    Acer ePresentation Management
    Acer eSettings Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer ScreenSaver
    Acer Tour
    Acronis*True*Image*Home
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 2.0
    Adobe Photoshop Elements 4.0
    Adobe Reader 9.4.1
    AI RoboForm (All Users)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    Arles Image Web Page Creator 7.1
    µTorrent
    AVG 2011
    AVIcodec (remove only)
    Blaine's Custom Speed Effects
    Bonjour
    Button Maker v1.0 Freeware
    CCleaner
    CCScore
    CDBurnerXP
    CoffeeCup Photo Gallery - Registered
    Core FTP LE 2.1
    Corel Paint Shop Pro Photo X2
    Definition update for Microsoft Office 2010 (KB982726)
    DivX Plus Web Player
    DVD Decrypter (Remove Only)
    DVD Flick 1.3.0.7
    DVD Shrink 3.2
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    ffdshow (remove only)
    FileZilla Client 3.3.4.1
    FlvRecorder
    Google Earth
    Google Update Helper
    HDAUDIO Soft Data Fax Modem with SmartCP
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Jasc Paint Shop Pro 9
    Java Auto Updater
    Java(TM) 6 Update 23
    K-Lite Codec Pack 4.9.5 (Standard)
    Kodak EasyShare software
    Launch Manager
    LightScribe 1.4.124.1
    Macrium Reflect - Free Edition
    Malwarebytes' Anti-Malware
    Maxthon2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Expression Web
    Microsoft Expression Web MUI (English)
    Microsoft Expression Web Service Pack 1 (SP1)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2007
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (English) 2010
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (English) 2010
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Movie Rotator 1.2
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music Rescue
    netbrdg
    NTI Backup NOW! 4.7
    NTI CD & DVD-Maker
    OfotoXMI
    Paint Shop Pro 7 Evaluation
    pdfsam
    Picture Collage Maker Free 2.1.2
    PowerProducer
    QuickTime
    RAD Video Tools
    RealPlayer
    Realtek High Definition Audio Driver
    RemoveIT Pro v4 - SE
    Replay Music
    Replay Video Capture
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2010 (KB2289078)
    Security Update for Microsoft Office 2010 (KB2289161)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Microsoft Publisher 2010 (KB2409055)
    Security Update for Microsoft Word 2010 (KB2345000)
    Serif PhotoPlus SE
    SFR
    SHASTA
    ShortKeys 2
    ShortKeys Lite
    skin0001
    SKINXSDK
    Skype™ 5.0
    SMSC Fast Infrared Driver
    Sophos Anti-Rootkit 1.5.4
    Spelling Dictionaries Support For Adobe Reader 9
    Spotify
    Spybot - Search & Destroy
    StarBurn Version 12r10 (Build 0x20091021)
    staticcr
    SUPERAntiSpyware Free Edition
    Synaptics Pointing Device Driver
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Office 2010 (KB2413186)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Microsoft OneNote 2010 (KB2433299)
    Update for Microsoft Outlook Social Connector (KB2289116)
    Update for Outlook 2007 Junk Email Filter (KB2483110)
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 9.0 CRT (x86) WinSXS MSM
    Visual C++ 9.0 OpenMP (x86) WinSXS MSM
    VPRINTOL
    WinAVI Video Converter
    WinPcap 4.0.2
    WinRAR archiver
    WinZip 14.0
    WIRELESS
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    25/01/2011 23:39:00, Error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.
    24/01/2011 11:08:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr tdx Wanarpv6
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    24/01/2011 11:08:14, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    24/01/2011 11:07:54, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    24/01/2011 11:07:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    24/01/2011 11:07:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    24/01/2011 11:07:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    24/01/2011 11:07:16, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    24/01/2011 11:07:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    23/01/2011 19:47:00, Error: EventLog [6008] - The previous system shutdown at 19:42:52 on 23/01/2011 was unexpected.

    ==== End Of File ===========================

    Hope I have done these correctly?

    Not really sure what all those home and search pages are for. I use Firefox as my main browser and only use Internet Explorer on the odd occasion.

    As instructed I won't remove anything from the HJT file until you tell me to remove it.

    Thanks again for all your help.
    Tony
  9. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    In your earlier reply you said:-

    [
    I]"RtkBtMnt.EXE -> running in a temp file may be nothing more than a file remaining from Realtek audio driver installation. Some downloads do not clean up well removing a temp file in the setup after it has been installed.
    Have you tried doing a search for rtbtmnt or ReakTek in your system and doing a right click> delete on this file?
    and/or this>>
    Try doing this: you will want to uncheck any process related to RealTek Audio
    To remove entries from Startup using the msconfig utility:

    * Click on Start> Run> type in msconfig> enter>
    * Click on Selective Startup
    * Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    * To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    * Click on Apply> OK when finished.
    [/I]​

    Anyway, I have just tried this and when I re-booted the RtkBtMnt.EXE was not running as a process, so maybe it is just a fault of Realtek?

    The item I un-ticked was:-
    HD Audio Control Panel - Realtek Semiconductor - RtHDVCpl.exe
    Will this matter not loading?

    However, I will not do anything else until hear back from you, just in case I still have further issues that need sorting out.

    Once again a big thank you for all your help.
    Tony
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I went to far in telling you to uncheck everything related to RealTek.

    The process that need to run on Startup is: Filename: RtHDVCpl.exe This is part of the Realtek Semiconductor High Definition Audio System driver. It is located in %WinDir% and need to run on Startup. It is running correctly in the DDS log: C:\Windows\RtHDVCpl.exe

    The entry you were having the problem with was running from the temp directory:
    The entry in the temp directory, as I mentioned previously, is most likely a 'left-over' driver entry from the setup at download or driver update. So check msconfig again> if you see the RtHDVCpl.exe, recheck it. If you see an entry for RtkBtMnt.exe, uncheck it.

    My apology for the confusion. I believe the RtHDVCpl.exe is the executable foe the actual soundcard software and RtkBtMnt.exe is from the setup or an outdated driver.
    .......................................................However, that being said............................................................
    .

    If you sound is working okay after you unchecked the process then rebooted, leave it unchecked. Then we'll blame the problem on RealTek!
  11. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    Thanks for your reply.

    Well, I went back in msconfig and placed a tick in the line:-
    HD Audio Control Panel - Realtek Semiconductor - RtHDVCpl.exe

    Re-booted the system and the RtkBtMnt.EXE was back in my temp folder and couldn't be removed until the process had been stopped.

    So, I again unticked this line and rebooted.

    No RtkBtMnt.EXE in the temp file and the sound appears to be working fine. I have also checked device manager and nothing appears to be missing.

    So, it must be a problem with Realtek! I assume it isn't a virus but feel that it's better NOT being there, as when it is, my computer seems much slower. Maybe that's because something isn't loading up correctly?

    Hopefully my others reports I posted are all okay?

    Thanks for your help in solving this problem.

    Tony
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, it pretty much sounds like that's just an old file. If the sound works with the entry unchecked, leave it like that for now. There are 2 more scans I'd like you to run. I may see a Registry entry that needs removing:


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    I will see Registry enteries, Services and drivers in Combofix.
  13. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    I have just finished running the first scan which took several hours. While it was running it referred to 7 possible infections but the log dodesn't appera to have any details?

    Here is the log and all it contained

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK

    Should I move on to the second scan?

    Thanks, Tony
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Yes, please go ahead and run Combofix.

    Try this online virus scan instead. I need to see what is being found:
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  15. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    I am having troubles getting Combofix to run. Although I have turned off my AVG anti-virus software by turning off the resident shield it says that it cannot run unless AVG is un-installed? Is this the only way I can get Combofix to run?

    Also I have tired a couple of time to get Kaspersky online scanner to work but after the updates are downloaded it says failed and closes? Not sure what to do next?

    Best Wishes, Tony
  16. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    Just spotted this on the Kaspersky website!

    Coming soon:
    New, improved version of the Kaspersky Online Scanner

    The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience.​
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Both the site we use for the virus scans go down occasionally. I would guess it's to update their databases.

    You can't disable AVG> you will have to uninstall it. It's a real pain but running Combofix is worth it.

    Did you disable the AV when you ran the Eset scan? If entries were found, there has to be a log. I have to get a virus scan since you're telling me entries are found.

    TrendMicro has a new version of Housecall. I haven't seen this so let me download and run it first and get some idea of what it puts out. Panda has one also, but I haven't used it either.
  18. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    Good news I am making progress. I have just managed to run the Eset scan again and save the results.

    These are:-

    C:\bit downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe a variant of Win32/HackKMS.A application
    C:\Downloads\SpywareRemovalToolkit_Setup.exe multiple threats
    C:\Downloads\7 zip\7zip.uk02.exe a variant of Win32/Adware.DoubleD.AF application
    C:\Downloads\Nero 9\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application
    C:\Pendrive data\Utilitys\WGA_v19400\WGA_v1.9.40.0_crack.exe probably a variant of Win32/Agent.NARLUUV trojan
    C:\Users\Tony\AppData\Local\Temp\wfpdisable.exe Win32/WFPDisabler.A application
    C:\Users\Tony\Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe a variant of Win32/HackKMS.A application
    C:\Windows\System32\APISlice.dll Win32/DllInject.D application

    I am a bit concerned about the entry regarding "wfpdisable.exe" Is this a virus? Especially as it is located in a Temp folder?

    Also are there any other items in the results that I should be worried about.

    I will wait to hear back from you regarding these results before moving on to anything else.

    Thanks, Tony
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Tony, it appears that you may have been pirating programs. Please run the following and leave the log:

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click [b/]Save List To File.[/b]
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Per PM: Run the following:

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\bit downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe 
      C:\Downloads\SpywareRemovalToolkit_Setup.exe 
      C:\Downloads\7 zip\7zip.uk02.exe 
      C:\Downloads\Nero 9\Nero-9.4.12.3d_free.exe 
      C:\Users\Tony\AppData\Local\Temp\wfpdisable.exe 
      C:\Users\Tony\Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe 
      C:\Windows\System32\APISlice.dll 
      C:\Pendrive data\Utilitys\WGA_v19400\WGA_v1.9.40.0_crack.exe 
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Per the CK log:> Remove all of the programs using crack or keygen
    ==========================================
    Post log generated by OTM.
    =========================================
    Rescan with Eset.

    You didn't get the pirated programs for nothing! You paid a price of malware. Cracks and keys are a malware author's dream.
  21. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    Thanks for your reply and all the help. Hope I haven’t been too quick in responding to your early PM as I have already deleted most of the files/programs in question before I read your reply.

    This is what I have done so far:-

    C:\bit downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe
    C:\Users\Tony\Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe

    Neither of these items have ever been used by me so I deleted them immediately

    C:\Pendrive data\Utilitys\WGA_v19400\WGA_v1.9.40.0_crack.exe

    I have deleted this one as well as again I have never used it.

    C:\Users\Tony\AppData\Local\Temp\wfpdisable.exe

    This one really did worry me as it was in the Temp folder and an exe file, so I deleted it immediately. So far, there is no sign of it returning.

    C:\Downloads\SpywareRemovalToolkit_Setup.exe

    This one was a spyware removal toolkit that I downloaded from a website a while ago. Again as it was on the list I deleted it.

    C:\Downloads\7 zip\7zip.uk02.exe

    This one was downloaded from the product’s website so don’t really understand why it was listed. However, never found any use for it so it has been deleted.

    C:\Downloads\Nero 9\Nero-9.4.12.3d_free.exe

    This one really did confuse me as this was a free download from the Nero site itself. Anyway, I tend to use CDBurnerXP as this is a free program and I think better. So once again this item has been deleted.

    C:\Windows\System32\APISlice.dll

    This last one I wanted to check with you before I did anything with it. I am user an Acer machine and I have seen a lot of comments about this file on the net. Lots of people are saying that this file is used by Acer so I wanted to be sure about deleting it before I do anything with it? Please can you confirm that I should delete it?

    I have re-scanned with Eset and here are the results.
    C:\Windows\System32\APISlice.dll Win32/DllInject.D application

    Just the one file, that I am not sure about removing. What do you think about this one?

    Best Wishes, Tony
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    C:\Windows\System32\APISlice.dll Win32/DllInject.D application was submitted to for an online identification. It came back clean at that time, making it a False Positive. But I'd like you to submit it again for a more current accessment. If it tells you it's already been scanned, click on 'new scan.;

    Please go to Virus Total for ID::

    VirusTotal
    • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following file:
      C:\Windows\System32\APISlice.dll
    • Click "Open".
    • Then click the "Send" button at the top of the VirusTotal page.
    • This will scan the file. Please be patient.
    • Once scanned, copy and paste the results in your next reply together with a new
      HijackThis log.
  23. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    I have send the file in question for testing and these are the results. Is this correct?

    File name:
    APISlice.dll
    Submission date:
    2011-02-01 19:51:58 (UTC)
    Current status:
    queued queued analysing finished
    Result:
    9/ 43 (20.9%)

    Antivirus Version Last update Result
    AhnLab-V3 2011.01.27.01 2011.01.27 -
    AntiVir 7.11.2.50 2011.02.01 -
    Antiy-AVL 2.0.3.7 2011.01.28 Trojan/Win32.Agent.gen
    Avast 4.8.1351.0 2011.02.01 -
    Avast5 5.0.677.0 2011.02.01 -
    AVG 10.0.0.1190 2011.02.01 -
    BitDefender 7.2 2011.02.01 -
    CAT-QuickHeal 11.00 2011.02.01 -
    ClamAV 0.96.4.0 2011.02.01 -
    Commtouch 5.2.11.5 2011.02.01 -
    Comodo 7559 2011.01.31 -
    DrWeb 5.0.2.03300 2011.02.01 -
    Emsisoft 5.1.0.2 2011.02.01 Trojan-PSW.Win32.Agent.uyr!A2
    eSafe 7.0.17.0 2011.02.01 -
    eTrust-Vet 36.1.8135 2011.02.01 -
    F-Prot 4.6.2.117 2011.02.01 -
    F-Secure 9.0.16160.0 2011.02.01 -
    Fortinet 4.2.254.0 2011.02.01 -
    GData 21 2011.02.01 -
    Ikarus T3.1.1.97.0 2011.02.01 -
    Jiangmin 13.0.900 2011.02.01 Trojan/PSW.Agent.nbp
    K7AntiVirus 9.80.3713 2011.02.01 -
    Kaspersky 7.0.0.125 2011.02.01 -
    McAfee 5.400.0.1158 2011.02.01 Artemis!51A6CD592A4E
    McAfee-GW-Edition 2010.1C 2011.02.01 Artemis!51A6CD592A4E
    Microsoft 1.6502 2011.02.01 -
    NOD32 5838 2011.02.01 Win32/DllInject.D
    Norman 6.06.12 2011.02.01 -
    nProtect 2011-01-27.01 2011.02.01 Trojan-PWS/W32.Agent.73728.Z
    Panda 10.0.3.5 2011.02.01 -
    PCTools 7.0.3.5 2011.01.31 -
    Prevx 3.0 2011.02.01 -
    Rising 23.43.01.08 2011.02.01 -
    Sophos 4.61.0 2011.02.01 -
    SUPERAntiSpyware 4.40.0.1006 2011.02.01 -
    Symantec 20101.3.0.103 2011.02.01 -
    TheHacker 6.7.0.1.122 2011.01.30 Trojan/PSW.Agent.uyr
    TrendMicro 9.120.0.1004 2011.02.01 -
    TrendMicro-HouseCall 9.120.0.1004 2011.02.01 -
    VBA32 3.12.14.3 2011.02.01 TrojanPSW.Agent.uyr
    VIPRE 8277 2011.02.01 -
    ViRobot 2011.2.1.4285 2011.02.01 -
    VirusBuster 13.6.176.0 2011.02.01 -
    MD5: 51a6cd592a4e49ce90c5dcfb00a58d39
    SHA1: bc83c63bdbb9654015e21e81be725e0ba15a03b7
    SHA256: 4577f4338a6be0034cb2ba73347c0786294d3f916d6beda98c120be2b3e5ea5a
    File size: 73728 bytes
    Scan date: 2011-02-01 19:51:58 (UTC)
  24. greenaliens

    greenaliens Newcomer, in training Topic Starter Posts: 18

    Hi,

    Thanks for your help.

    New HJT log:-

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 19:59:08, on 01/02/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18999)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\ShortKeys2\shortkey.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\ProgramData\Mozilla Firefox\firefox.exe
    C:\ProgramData\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Tony\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Empowering Technology Launcher.lnk = ?
    O4 - Global Startup: ShortKeys 2.lnk = C:\Program Files\ShortKeys2\shortkey.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 12622 bytes
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    C:\Windows\System32\APISlice.dll<<<<< Delte it

    Eset: C:\Windows\System32\APISlice.dll Win32/DllInject.D application
    Viruscan: Trojan-PSW.Win32.Agent.uyr!A2

    PWS is password stealer.

    I would gess that while you were stealing programs using cracks and keygens, somewhere, one of them infected this file.

    Tony, I am not comfortable continuing without benefit of a log from the CK scan. Please rescan and leave a log> here:

    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.