Infected -

[orangealert]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:10:15, on 09/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Acer\Empowering Technology\admServ.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure\Common\FSMB32.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\F-Secure\Common\FCH32.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

C:\Program Files\F-Secure\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure\Common\FAMEH32.EXE

C:\Program Files\F-Secure\FSPC\fspc.exe

C:\Program Files\F-Secure\FSAUA\program\fsaua.exe

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Acer\Acer Arcade\PCMService.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\Acer\Empowering Technology\admtray.exe

C:\WINDOWS\V0220Mon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\F-Secure\FSAUA\program\fsus.exe

C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe

C:\Program Files\Creative\Software Update 3\SoftAuto.exe

C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\F-Secure\FSGUI\fsguidll.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\services.exe

C:\WINDOWS\system32\svschost.exe

C:\WINDOWS\sysguard.exe

C:\WINDOWS\system32\sv

[Tigger93]

Hi.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1

Link 2

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

[orangealert]

Hi, thanks for the reply. I have not been able to download the fix tool as any attempt to access a webpage is blocked by this bleeping virus! So I am having to contact you via another pc... Please can you help with a way I can regain control of my web browser long enough to be able to begin disinfection?

Cheers!

[Tigger93]

Can you download the tool to a flash drive or CD, and take it to the infected PC and try to run ti?

[orangealert]

Hi, after a bit of a nightmare evening where the pc kept shutting down on startup, factory settings were eventually restored today. All appears to be well again. MBAM states I am clean, and here is the HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:20:34 PM, on 2/11/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Acer\Acer Arcade\PCMService.exe

C:\Acer\Empowering Technology\admServ.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\Acer\Empowering Technology\admtray.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\WINDOWS\system32\CTFMON.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Anthony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 5626 bytes

[Tigger93]

Thanks, it would have been fixable but your choice. It's clean.