Recurring issue with malware and viruses

Acer Aspire 5670 notebook
September 12, 2009 at 23:50:19
Specs: Windows XP

I have an Acer Aspire 5670 running Windows XP Professional. I've had it for over 3 years now and never had one problem or one spyware...out of nowhere...it's infected and I can't get it fixed. I have HijackThis, ComboFix, Malwarebytes, Spybot S&D, SpywareBlaster, SUPERAntiSpyware, ATF Cleaner, and AntiVir antivirus on my computer. I've cleaned out the PC countless times, including deleting all cache and prefetch and temp data...I've cleared out all suspicious keys and paths in the registry. Also, there are multiple hidden objects on my computer (26 to be exact) that I cannot find, view or delete...but I did block them with the Group Policy Editor. Everything I've done only seems to be a temporary fix.

There have been multiple issues with things such as Antivirus Pro 2007/2009, etc. (other fake spyware programs). My Google links or other search engine links are all redirected to other sites. After I clean, that fixes the issue but only for a short while. Also, most of my processes in my Task Manager are UPPERCASE...after I clean the PC...again, they go back to lowercase but only for a short while. I've deleted spyware with names such as svchast, and multiple other trojans. I'm pretty computer savvy and fix computers in my spare time. I'm able to stop the issue, but it seems I cannot find the source of my problem and it just keeps coming back. I am going to include a log from HijackThis and anything you can do to help would be greatly appreciated.

Oh...also, the virus seemed to delete my registry key for SAFEBOOT...I imported it from another PC so I can get back into Safe Mode and run a scan...but I'm not sure if the fact that it deleted that registry key can help identify the culprit virus.

Thank You.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:25 PM, on 9/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TrillianPro\trillian.exe
C:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\Work\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\win.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O24 - Desktop Component 0: (no name) - (no file)

End of file - 5322 bytes

Again...thank you...
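An added example, not part of the original thread or of HijackThis itself: a small Python triage script that reads the O4 (autostart) entries from a HijackThis log like the one posted above and flags the ones a responder would look at first. The rules are my own constructed heuristics (a binary launched from a temporary-files folder, or an entry that names a bare file so Windows resolves it by search path), and the sample lines are copied from the log in the post; everything else about the log is left alone.

```python
"""Triage O4 (autostart) entries from a HijackThis v2 log.

Two constructed heuristics, not a HijackThis feature:
  high   - the launched program lives under a TEMP/TMP folder, which
           ordinary software never uses for persistence
  review - the entry names a bare file (no directory), so which copy
           actually runs depends on the search path and should be verified
"""
import re
from dataclasses import dataclass

# Bracketed O4 form: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\[^:]*\\(?P<key>Run(?:Once)?)\s*:\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<command>.*?)(?:\s*\(User '(?P<user>[^']*)'\))?$"
)

TEMP_DIRS = {"temp", "tmp"}  # directory components treated as temporary-files folders

# Lines copied from the HijackThis log in the post above (sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\win.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "review"
    name: str       # the [name] shown in the O4 line
    exe: str        # the program the entry launches
    reason: str


def executable_of(command: str) -> str:
    """Pull the launched program out of an O4 command string.

    Handles quoted paths, unquoted paths containing spaces (cut at .exe),
    and bare commands such as rundll32.exe or %systemroot%\\...\\dumprep.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    if m:
        return command[:m.end()]
    return command.split()[0] if command else ""


def triage_o4(log_text: str) -> list:
    """Return a Finding for each O4 entry that trips one of the heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a bracketed O4 line (e.g. Global Startup .lnk)
        exe = executable_of(m.group("command"))
        parts = [p.lower() for p in exe.replace("/", "\\").split("\\")]
        if any(d in TEMP_DIRS for d in parts[:-1]):
            findings.append(Finding("high", m.group("name"), exe,
                                    "autostart binary lives in a temporary-files folder"))
        elif len(parts) == 1 and not parts[0].startswith("%"):
            findings.append(Finding("review", m.group("name"), exe,
                                    "bare file name resolved via search path; verify which copy runs"))
    return findings


def high_findings(log_text: str) -> list:
    """Only the high-severity findings, for a quick first look."""
    return [f for f in triage_o4(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name!r:40} {f.exe:40} {f.reason}")
```

Run against the sample, the two "Windows System Recover!" entries pointing at C:\WINDOWS\TEMP\win.exe (one under the SYSTEM hive, one under .DEFAULT) come out as high, while the bare-name entries (rundll32.exe, KHALMNPR.EXE, ALCMTR.EXE, Narrator.exe) are listed for review; several of those are normal on XP, so "review" means confirm the file that actually runs, not delete.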


September 13, 2009 at 02:47:48
What a story

Did you check msconfig and then the startup section ??
Also the Run and RunOnce section in your registry

maybe you think DUHHHH ;-)

But I am only figuring out what can be the problem

Also check c:\Windows and c:\Windows\system32 folder for strange files.

What AV software are you using by default?


September 13, 2009 at 06:47:14
I have checked msconfig...pretty much on a daily basis :(...because there are always new programs running at startup and I have to stop them before I shut down the PC. I also have the standalone product "Autoruns" that lets me know everything running in more detail. I just checked the Run and RunOnce sections of the registry...don't see anything really strange in there (kinda worried my actual system files that are supposed to be there may be infected maybe? I don't know)...also just noticed my SAFEBOOT registry key was deleted again :(...gonna have to go to another PC and import that all over again.

I am using AntiVir antivirus...it's not the best, but it's free, automatic, and works pretty well. It has deleted a ton of stuff and constantly finds new things...I just can't seem to get the source of it I guess.

I feel like you are probably right about the strange folders and files in C:\Windows and C:\Windows\system32...but the problem is...they all look strange to me...haha...all of them have weird names and I guess nothing really stands out to me saying "I'm a Virus"...I wish something could just scan it and tell me.

I need to get to the bottom of this...any help will be greatly appreciated.
