Karl's PC Help Forums

HJT please Pancake.
LSemmens - 1-7-2008 at 15:11

Acer Lappy 512Mb RAM Vista Home Basic. Flaky as all you know what!

It's taken me three days just to get the thing stable enough to run HJT and save a log to disk. In the meantime I've managed to, I hope, remove Norton Internet Security Suite, which I think was causing some issues. I would have gone the re-load route but the owner can't seem to find her CDs (doesn't think she got any). HJT reports that it cannot access the Hosts file (I've looked at it but there seems nothing untoward in it). It also throws up a more cryptic "An unexpected error has occurred at Procedure
mod.main_CheckOther1Item()
Error #75 - Path/File access error
Please tell Merijn about this problem etc." and then continues with the log, as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:56 AM, on 2/07/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\denice\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\denice\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: GWIYKPO - Unknown owner - C:\Users\denice\AppData\Local\Temp\GWIYKPO.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VGZCCHGNX - Sysinternals - http://www.sysinternals.com - C:\Users\denice\AppData\Local\Temp\VGZCCHGNX.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Thanks Mate!
I'll be off air for a couple of days so will not get back to this until Friday.


Pancake - 1-7-2008 at 22:52

Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> http://www.bleepingcomputer.com/combofix/how-to-use-combofix A Guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.


LSemmens - 2-7-2008 at 00:18

Thanks Mate, I'm off to the big smoke in a couple of hours so will do this upon my return, probably Friday.
Leigh


Pancake - 3-7-2008 at 23:24

Ok.


LSemmens - 4-7-2008 at 16:03

Will do HJT in a moment


LSemmens - 4-7-2008 at 16:24

Thanks Pancake.


Pancake - 4-7-2008 at 23:17

Ok. Combo seems to have fixed it. It's just now a matter of seeing if these are dead. Then you're done.

Download The Avenger by Swandog46 from http://swandog46.geekstogo.com/avenger2/download.php.

Unzip/extract it to a folder on your desktop.

  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Code:

    Files to delete:
    C:\Users\denice\AppData\Local\Temp\GWIYKPO.exe
    C:\Users\denice\AppData\Local\Temp\VGZCCHGNX.exe



  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.

  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a shutdown. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.


LSemmens - 6-7-2008 at 12:08


LSemmens - 6-7-2008 at 12:09


Pancake - 6-7-2008 at 22:38

Just need to clean these and you're done..

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


O23 - Service: GWIYKPO - Unknown owner - C:\Users\denice\AppData\Local\Temp\GWIYKPO.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VGZCCHGNX - Unknown owner - C:\Users\denice\AppData\Local\Temp\VGZCCHGNX.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

----------------------------------------

This will clear away any of the files and folders that were created by ComboFix.

Go to:
Start > Run then copy and paste the following highlighted text below and click OK.

Quote:


ComboFix /u

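A small triage script, added here as an example and not part of the thread, that parses HijackThis O23 service lines of the shape shown in the logs above and flags the pattern picked out in this thread: a service whose binary lives under a user's Temp directory, a random-looking all-capitals service name, or a file-missing entry with no recorded owner. The sample lines are constructed from entries in this thread; everything else (regexes, thresholds) is this example's own assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of an O23 line in HijackThis 1.99.x: "O23 - Service: <name> - <owner> - <path> [(file missing)]"
O23_PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"
TEMP_DIR_RE = re.compile(r"\\(?:Local\\)?Temp\\", re.IGNORECASE)  # ...\AppData\Local\Temp\...
RANDOM_NAME_RE = re.compile(r"[A-Z]{6,12}")                         # assumed heuristic: e.g. GWIYKPO
# Constructed sample modelled on the log in this thread, plus an O4 line the parser must skip.
SAMPLE_LOG = r"""
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: GWIYKPO - Unknown owner - C:\Users\denice\AppData\Local\Temp\GWIYKPO.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VGZCCHGNX - Sysinternals - http://www.sysinternals.com - C:\Users\denice\AppData\Local\Temp\VGZCCHGNX.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
"""
Service = Tuple[str, str, str, bool]  # (name, owner, path, file_missing)

def parse_o23(line: str) -> Optional[Service]:
    """Split one O23 line into (name, owner, path, missing); None for any other HJT line."""
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):]
    missing = body.endswith(MISSING_SUFFIX)
    if missing:
        body = body[: -len(MISSING_SUFFIX)]
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    # The owner field may itself contain " - " (e.g. "Sysinternals - http://..."), so the
    # first part is the name, the last is the path, and everything between is the owner.
    return parts[0], " - ".join(parts[1:-1]), parts[-1], missing

def assess(svc: Service) -> List[str]:
    """Reasons (possibly none) why this service entry deserves a closer look."""
    name, owner, path, missing = svc
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("binary runs from a Temp directory")
    if RANDOM_NAME_RE.fullmatch(name):
        reasons.append("random-looking service name")
    if missing and owner == "Unknown owner":
        reasons.append("file missing and no owner recorded; confirm by hand before fixing")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to its reasons; clean entries and non-O23 lines are dropped."""
    findings = {}
    for raw in log_text.splitlines():
        svc = parse_o23(raw.strip())
        if svc is not None and assess(svc):
            findings[svc[0]] = assess(svc)
    return findings
```

The file-missing rule is deliberately only a prompt to verify, since a legitimate service whose display name is a resource string can also show up that way.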

LSemmens - 10-7-2008 at 00:41

Thank you sir, you are a gentleman and a scholar.

Bl**dy Lappy is still unstable! I think I'm going to have to return it, and say, take it back from whence it came and demand a set of recovery disks!


Pancake - 10-7-2008 at 01:34

Ok. No problem. :D


LSemmens - 11-7-2008 at 12:39

Yeah! No problem.... to you! Bl***y Vista! If it were XP, or older, we'd never have had this "conversation". I've spoken to the owner and she is cool, but it still frustrates the "you know what" out of me!
Just as a f'rinstance: First reboot gave this

Quote:
Failed to load Apoint.dll / Alps Pointing device has stopped
Ok


Installing AVG 8.0 and I get a BSOD "KERNEL_STACK_IN_PAGE" error and a re-start.
I've also had this prior to cleaning out the nasties, so sommat is still not right.

Since the second re-start

Quote:
Cyberlink PowerCinema Resident Program has stopped working

Check online for a solution
close the program


and now
Quote:
LManager.exe - Bad image

C:\Program Files\Launch Manager\RgnMaker.dll is either not designed to run on Windows or it contains an error....


Quote:
HD Audio Control panel has stopped working

Check online for a solution
close the program

Quote:
igfxtray Module has stopped working

Check online for a solution
close the program


I've since been into Control panel and turned off auto boot after a failure and now the bl***y thing is behaving itself! Aaaaaaaaarrrrrrrgh!


Pancake - 11-7-2008 at 22:38

Well, as long as it's working, that's fine.


LSemmens - 13-7-2008 at 12:36

I actually managed to find an option buried deep within the options of the Acer eManagement Backup program that gave me the opportunity to create a recovery set of CDs or DVDs. I tried it; two DVDs later it was time to re-boot and see what happens. The recovery program started to load and I thought I was on a winner. Nope! It threw up a "the program has failed owing to an error, please reboot". I did mention the error, which was very informative: "0CE00BOOLSHIRT" or similar.

The owner picked up the lappy this PM as I could offer nothing more than return it to place of purchase with a cryptic remark or six.

She rang me to say that it's working better than it has for ages, despite the fact that I wasn't happy. She is going to take my advice, though.

From this experience I've learnt that, of the Vista lappies that I've had experience with so far, Acer is not at the top of my list.