
Hijackthis log

Hi,

Just working through the sticky to speed up this laptop (or trying to anyway!). It's an Acer 5051 running Windows Vista basic.

The first hijack this log is here if anyone would be so good as to cast their eye over it. I'll go off and work through the rest of the instructions.

Thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:13:09, on 16/09/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Olympus\ib\olycamdetect.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Daryl\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\sdclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Daryl\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = - link removed for spam filter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = link removed for spam filter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =link removed for spam filter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =link removed for spam filter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =link removed for spam filter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = link removed for spam filter
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = link removed for spam filter
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =link removed for spam filter
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =link removed for spam filter
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = link removed for spam filter
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MDS_Menu] "C:\Program Files\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Olympus ib] "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
O4 - HKCU\..\Run: [Epson Stylus SX420W(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGCE.EXE /FU "C:\Windows\TEMP\E_SDF8A.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Daryl\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - link removed for spam filter (sky broadband)(file missing)
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
O20 - AppInit_DLLs: eNetHook.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ABBYY FineReader 9.0 Sprint Licensing Service (ABBYY.Licensing.FineReader.Sprint.9.0) - ABBYY - C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: vToolbarUpdater11.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9451 bytes

Comments

  • DevCoder
    DevCoder Posts: 3,362 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Get rid of the rtkbtmnt.exe line as it's a hog at best and malware in some cases.
    I'll check the rest in a bit, dinner is burning!
  • closed
    closed Posts: 10,886 Forumite
    edited 16 September 2012 at 7:28PM
    Back up data to an external drive and/or DVDs, check backups are readable, create Windows disc, use Acer eRecovery to factory restore it from restore partition, install Avast Free, disable Defender, put your data back on, avoid installing too many toolbars/printers/mobile phone/security software.

    If you don't have much data, all that could be done in 30 minutes.
  • Thank you both for your time, it's much appreciated.

    I have backed up all documents and pictures onto an external HD and onto a disk. I went through the Acer's own dialogue to create another proper backup disk but got a couple of error messages so I'm not sure if that worked. My main concern was making sure that all my own spreadsheets etc were safe if I blew the laptop up (and I'm confident that they are).

    I'm not entirely sure how to go about restoring from a restore partition so will Google that. Malwarebytes is still running on the machine so I'll wait for that to stop before proceeding.

    Probably a daft question but if I restore, do I still need to work through the rest of the 12 step plan or will the action of restoring wipe the laptop of everything?
  • closed
    closed Posts: 10,886 Forumite
    edited 16 September 2012 at 7:41PM
    If you create a disk image backup (not clone), with this, http://www.macrium.com/reflectfree.aspx

    and create the macrium bootcd from the menu, then whatever happens you can recover everything to the way it is now, should anything go wrong with the factory restore

    if you do a factory restore, the 12 steps aren't needed, but avoid putting on the software that causes slowness afterwards (avg and rapport and defender all at the same time won't help)

    http://support.acer.com/acerpanam/desktop/0000/acer/aspiree360/aspiree360faq40.shtml

    alternatively, you could uninstall avg, nokia, yahoo, rapport, disable defender, mozilla, olympus, sony, google update, quite quickly if you want to see if you can cure it without a restore.
  • DevCoder
    DevCoder Posts: 3,362 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    I'd try getting rid of rtkbtmnt.exe first though as it's a resource hog, the rest of your hijackthis log seems ok, you could start some of the other "features" from starting up.
  • krisdorey wrote: »
    I'd try getting rid of rtkbtmnt.exe first

    Apologies :o how do I do this?
  • DevCoder
    DevCoder Posts: 3,362 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    check the checkbox next to the entry and click "Fix Selected"

    Reboot and rerun hijackthis to ensure it's not there.
  • Gawd, I sound like a right idiot but the checkboxes only start from R1 to O23. The stuff before it shows on the notepad but it's not on the results.
  • DevCoder
    DevCoder Posts: 3,362 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Sorry, my mistake (I'm the idiot ;) )


    Step 1: Remove RtkBtMnt.exe Processes with Windows Task Manager

    Press CTRL+ALT+DEL or CTRL+SHIFT+ESC > tab Processes > list of "Image Name" > search "RtkBtMnt.exe" process > select "RtkBtMnt.exe" process > click "End Process" button.

    Step 2: Find RtkBtMnt.exe Path with Windows File Search Tool

    1. Click Start > Search > select All files and folders > type "RtkBtMnt.exe" in the "All or part of the file name" section.

    2. Go to "Look in" > select "Local Hard Drives" or "My Computer" > click "Search" button > delete the file "RtkBtMnt.exe".

    If it's malware rather than the legit app then it may restart when you end task it but we'll cross that bridge if it happens.
  • Guys, thank you so much for all your help yesterday. I worked through the whole list and followed all your advice (until my eyes went square) and the laptop was still running really slowly. Eventually I did a factory restore, crossed my fingers and hoped I wasn't about to blow it up.

    It's worked a treat and I learned a lot in the process!

    Thanks for taking the time to answer my questions :T
This discussion has been closed.
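
An added example, not part of the thread and not HijackThis's own code: the log has two parts, the "Running processes" list and the R/O entries that get checkboxes, which is why RtkBtMnt.exe could not be ticked for "Fix Selected". This Python sketch splits the two and flags processes running from a Temp folder and entries marked "(file missing)" or "(no file)"; the function names and the two heuristics are assumptions chosen for illustration, and the sample is a trimmed excerpt of the log posted above.

```python
import re

# Trimmed excerpt of the log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE
C:\Users\Daryl\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
--
End of file
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O23 - Service: ..."
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)  # path component named Temp/Tmp
ORPHAN = ("(file missing)", "(no file)")                # entry points at nothing on disk

def parse_log(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False              # blank line ends the process list
        elif (m := ENTRY.match(line)):
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return items worth a manual look, as (kind, detail) tuples."""
    processes, entries = parse_log(text)
    findings = [("process-in-temp", p) for p in processes if TEMP_DIR.search(p)]
    findings += [("orphan-entry", f"{code} - {body}")
                 for code, body in entries if body.endswith(ORPHAN)]
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

A flagged item is a prompt to check the file by hand, not a verdict: legitimate installers also run from Temp, and orphan entries are usually leftovers from uninstalled software.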