
Help! My Laptop Is Being Destroyed!


8 replies to this topic

#1 Eph-Kay (Members, 8 posts)

Posted 25 November 2007 - 04:50 AM

Two days ago a couple of viruses installed themselves on my PC. Now my Norton AV subscription was over and I wasn't protected. What these viruses did was the following:

- As I had MSN Messenger opened, they managed to invade my email and started sending out spam msgs to random people (so far 188 msgs)!
- Slowed my computer performance down to the maximum, to the point that loading an IE page would take 1 to 2 minutes literally.
- My soundcard doesn't work as well; after listening to say 3 or 4 minutes it turns weird and the sounds become super distorted.
- Upon startup a message appears that says svchost.exe is missing.
- IE opens up every now and then, and directly signs in to fvsdaccwww92123@hotmail.com (close enough) and ooawueasdfe29832@hotmail.com.
- All software is almost impossible to run, because of the slowness of the computer.

Kaspersky managed to identify 2 of them, but not delete them:

Trojan.Win32.Pakes.bpw
Trojan-Downloader.Win32.Delf.dbo


Here is my HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:10 AM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B1C0C073-F340-4FE3-82A8-C8556DF5966E} - c:\windows\system32\cicv.dll
O2 - BHO: (no name) - {CC6EFD11-74FD-4049-BDCC-1BF816033A65} - C:\WINDOWS\system32\catsrvs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: sekiesbp - C:\WINDOWS\SYSTEM32\cicv.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9148 bytes




Hope to hear from someone soon, this cannot go on much further, because the more time passes the worse my computer performance becomes.
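As an added, defender-side example that is not part of this thread and not code from HijackThis or BleepingComputer, the following Python script parses a HijackThis-style log and flags the kinds of entries that stand out in the log above: the win.ini load= line pointing at a svchost.exe outside system32, the browser helper object with no name, the Run entry with a random-looking name registered in both HKLM and HKCU, the Winlogon Notify handler that reuses the no-name BHO's DLL, and the service whose file is missing. The sample lines are constructed from entries quoted in the post above; the heuristics are mine, not anything HijackThis itself applies.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format, modelled on entries quoted in the
# first post of this thread: a few benign lines first, then the ones that stand out.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B1C0C073-F340-4FE3-82A8-C8556DF5966E} - c:\windows\system32\cicv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O4 - HKCU\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O20 - Winlogon Notify: sekiesbp - C:\WINDOWS\SYSTEM32\cicv.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")


def parse_entries(text):
    """Return (kind, body) pairs for the R/F/O lines; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def letter_digit_transitions(name):
    """Count letter<->digit switches in a name. Product names such as IMJPMIG8.1 switch
    once; machine-generated names such as z4lb2i3a2tqb switch many times."""
    kinds = ["d" if c.isdigit() else "a" for c in name if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def triage(text):
    """Return findings as (kind, severity, reason, body) tuples in log order.
    The heuristics are my own (hypothetical); HijackThis itself only lists entries."""
    entries = parse_entries(text)
    run_hives = defaultdict(set)   # run-key name -> hives it appears in
    noname_dlls = set()            # DLLs loaded by a BHO that has no name

    # First pass: collect the cross-entry facts the checks below rely on.
    for kind, body in entries:
        if kind == "O4":
            m = RUN_RE.match(body)
            if m:
                run_hives[m.group("name").lower()].add(m.group("hive"))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                noname_dlls.add(m.group("dll").lower())

    findings = []
    for kind, body in entries:
        if kind == "F3" and "load=" in body:
            path = body.split("load=", 1)[1].strip()
            if path:
                reason = "legacy win.ini load= autostart"
                if path.lower().endswith("\\svchost.exe") and "\\system32\\" not in path.lower():
                    reason += "; svchost.exe outside system32"
                findings.append((kind, "high", reason, body))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                findings.append((kind, "high", "browser helper object with no name", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            reasons = []
            if letter_digit_transitions(m.group("name")) >= 3:
                reasons.append("random-looking name")
            if len(run_hives[m.group("name").lower()]) > 1:
                reasons.append("same entry in both HKLM and HKCU Run")
            if reasons:
                findings.append((kind, "high", "; ".join(reasons), body))
        elif kind == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group("dll").lower() in noname_dlls:
                findings.append((kind, "high", "Winlogon Notify handler reuses the no-name BHO's DLL", body))
            elif m:
                findings.append((kind, "review", "Winlogon Notify handler; confirm the DLL belongs to installed software", body))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append((kind, "low", "service points at a missing file (orphaned entry)", body))
    return findings


if __name__ == "__main__":
    for kind, severity, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {kind}: {reason}\n         {body}")
```

Run against the sample it reports six findings, and the two it ties together (the no-name BHO and the O20 handler loading the same cicv.dll) are the ones ComboFix later deleted in the thread. The cross-reference between entry types is the point: a single Run key with an odd name is a weak signal, but the same name in both hives, or one DLL reached from two different autostart mechanisms, is what a log reader acts on.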



#2 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Finland)

Posted 25 November 2007 - 06:28 AM

Hi Eph-Kay!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.

Edited by Baabiouz, 25 November 2007 - 06:36 AM.


#3 Eph-Kay (Topic Starter)

Posted 25 November 2007 - 06:40 AM

Hi Eph-Kay!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.


Fantastic news ! Waiting for your replies :thumbsup:

#4 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Finland)

Posted 25 November 2007 - 10:49 AM

Hi!

#1
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#2
Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3
Please, post a fresh HijackThis log, Sdfix log and Combofix log :thumbsup:

#5 Eph-Kay (Topic Starter)

Posted 28 November 2007 - 02:13 PM

Alright, first of all let me say that this has been a really, really bad experience for me; with all due respect, what you suggested only furthered my problem! What first was only a virus, now it takes 5 and a half minutes to start up the computer (after I did what you told me!) when previously it only took the normal time to load. Furthermore, my anti-virus doesn't work anymore, and my firewall doesn't either (because that is directly connected to the anti-virus). My whole computer performance is disturbed and frankly it is now seriously being destroyed. You have got to help me somehow! I don't know how, but I have to get things normal again. Also I'd like to add that my wireless internet does not work anymore and neither does LimeWire. And 1 thing I stress on, the fact that it takes 5 minutes to start up (that is after the welcome message appears) and all I see is a cursor and my background. HELP!


Combofix Report :

ComboFix 07-11-19.4C - HP 2007-11-28 20:15:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT 2:00]
Running from: C:\Documents and Settings\HP\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\autorun.inf
C:\WINDOWS\system32\catsrvs.dll
C:\WINDOWS\system32\cicv.dll
C:\WINDOWS\system32\drivers\cvaxmuim.dat
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\xcopy.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FTINRZND
-------\LEGACY_QLUDVIYB
-------\ftinrznd
-------\qludviyb


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-28 19:55 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-28 19:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-11-28 00:29 <DIR> C:\a O
2007-11-28 00:25 129,808 --------- C:\WINDOWS\system32\COMDLG32.ocx
2007-11-28 00:23 <DIR> d-------- C:\Program Files\FL.Studio Producer Edition 4.5.2
2007-11-28 00:22 <DIR> d-------- C:\Program Files\EJAY_SE
2007-11-25 21:17 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-25 15:34 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-25 11:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-24 21:37 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-24 21:37 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-24 21:36 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-24 21:35 4,587,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-24 21:35 98,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-24 21:35 65,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-24 21:35 11,336 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-24 21:00 <DIR> d-------- C:\kav
2007-11-24 19:38 41,728 --a------ C:\WINDOWS\system32\efgqfnxt.dat
2007-11-24 19:38 36,096 --a------ C:\WINDOWS\system32\cusbwtur.dat
2007-11-24 14:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-24 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-24 13:45 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-24 13:18 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-11-24 13:18 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-11-24 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-24 12:35 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-24 12:34 <DIR> d-------- C:\Program Files\CCleaner
2007-11-24 01:47 1,319 --a------ C:\WINDOWS\system32\EraserAHS.tlg
2007-11-24 01:45 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-23 22:25 <DIR> d-------- C:\Program Files\Google
2007-11-23 22:02 <DIR> d-------- C:\Program Files\ToniArts
2007-11-23 21:24 14,090 --a------ C:\WINDOWS\system32\coh.cache
2007-11-23 20:54 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-23 19:33 <DIR> d-------- C:\Program Files\Symantec
2007-11-23 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-23 19:31 120,064 --a------ C:\WINDOWS\system32\hzyztvti.dat
2007-11-23 19:29 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-23 19:25 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-18 22:54 <DIR> d-------- C:\Program Files\MixVibesFREE
2007-11-17 03:07 <DIR> d-------- C:\Documents and Settings\HP\Application Data\vlc
2007-11-16 22:30 <DIR> d-------- C:\Program Files\VideoLAN
2007-11-15 23:29 <DIR> d-------- C:\Documents and Settings\HP\Application Data\Sonic
2007-11-15 23:28 <DIR> d-------- C:\Documents and Settings\HP\Application Data\Leadertech
2007-11-13 20:43 <DIR> d-------- C:\WINDOWS\Sun
2007-11-11 18:57 <DIR> d-------- C:\Program Files\iTunes
2007-11-11 18:57 <DIR> d-------- C:\Program Files\iPod
2007-11-11 18:55 <DIR> d-------- C:\Program Files\QuickTime
2007-11-10 20:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-10 19:49 <DIR> d-------- C:\Program Files\LimeWire
2007-11-09 11:01 <DIR> d-------- C:\Documents and Settings\HP\Application Data\Dev-Cpp
2007-11-09 11:00 <DIR> d-------- C:\Dev-Cpp
2007-11-09 00:24 237,568 --a------ C:\WINDOWS\system32\glut32.dll
2007-11-04 19:57 <DIR> d-------- C:\Documents and Settings\HP\Application Data\MixMeister Technology
2007-11-04 19:54 <DIR> d-------- C:\Program Files\MixMeister Fusion
2007-11-04 19:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-04 00:13 <DIR> d-------- C:\WINDOWS\system32\athan
2007-11-04 00:13 <DIR> d-------- C:\Program Files\Athan
2007-11-03 21:41 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-11-03 21:30 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-11-03 21:30 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-11-03 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-03 18:11 <DIR> d-------- C:\Documents and Settings\HP\Application Data\IDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 17:54 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-11-27 23:29 --------- d-----w C:\Program Files\VirtualDJ
2007-11-27 22:22 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-11-27 22:14 --------- d-----w C:\Program Files\Traktor DJ Studio
2007-11-24 23:32 --------- d-----w C:\Documents and Settings\HP\Application Data\LimeWire
2007-11-23 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 17:00 --------- d-----w C:\Documents and Settings\HP\Application Data\Apple Computer
2007-11-11 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-03 19:43 --------- d-----w C:\Program Files\Microsoft.NET
2007-11-03 16:13 --------- d-----w C:\Documents and Settings\HP\Application Data\DMCache
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-23 22:26]
"z4lb2i3a2tqb"="C:\WINDOWS\system32\z4lb2i3a2tqb.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 20:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 20:38]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-22 20:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-22 20:31]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-05 22:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 22:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2007-09-13 02:25]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 20:41]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 21:25]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"RegistryMechanic"="" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"z4lb2i3a2tqb"="C:\WINDOWS\system32\z4lb2i3a2tqb.exe" []
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 22:40]

C:\Documents and Settings\HP\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 16:19:14]
C:\WINDOWS\system32\klogon.dll 2007-06-28 12:51 206088 C:\WINDOWS\system32\klogon.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c711ea-95eb-11dc-9c1b-0016410821d1}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 20:21:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?0?1?8??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 20:22:43 - machine was rebooted
.
--- E O F ---



SDFix log :



SDFix: Version 1.115

Run by Administrator on Wed 11/28/2007 at 07:56 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\svchost.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 20:06:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Download Manager\\IDMan.exe"="C:\\Program Files\\Internet Download Manager\\IDMan.exe:*:Enabled:Internet Download Manager"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\z4lb2i3a2tqb.exe"="C:\\WINDOWS\\system32\\z4lb2i3a2tqb.exe:*:Disabled:z4lb2i3a2tqb"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 13 May 2006 1,211 A.SHR --- "C:\WINDOWS\xcopy.exe"
Mon 26 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\370b2a188dd072eff44894897fd97c50\BIT2.tmp"
Sun 25 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT5.tmp"
Sun 11 Mar 2007 55,296 A..H. --- "C:\Documents and Settings\HP\My Documents\277\Assignments\~WRL0001.tmp"

Finished!


and my HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.aub.edu.lb/autoproxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8386 bytes

Edited by Eph-Kay, 28 November 2007 - 03:11 PM.


#6 Eph-Kay

Posted 28 November 2007 - 03:00 PM

Also I'd like to add that I can no longer connect to wireless internet, and LimeWire doesn't start anymore!

#7 Baabiouz

Posted 29 November 2007 - 02:06 PM

Hi!

#1
Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

O4 - HKLM\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe

O4 - HKCU\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

#2
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\efgqfnxt.dat
C:\WINDOWS\system32\cusbwtur.dat
C:\WINDOWS\system32\z4lb2i3a2tqb.exe
C:\Windows\System32\fooool.exe
C:\WINDOWS\xcopy.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6c711ea-95eb-11dc-9c1b-0016410821d1}]


Save this as CFScript.txt

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

#3

Please do the following...

Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
AVG Anti-Spyware
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the "Update successful" message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [Screenshot: AVG Anti-Spyware results window, with steps (1) to (4) marked]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.

#4

Did you try to remove Kaspersky or Symantec?
If you didn't, please do it now.

Do you still have the same problems as before doing those things?

Please post a fresh HijackThis log, the ComboFix log and the AVG Anti-Spyware report.
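The reasoning the helper applies above (a Run entry with a random-looking name, registered under both HKLM and HKCU, plus O23 services whose binary is missing) can be turned into a small triage script over a HijackThis log. This is an added example, not code from the thread, HijackThis or ComboFix; the sample log lines are constructed from entries in this thread, and the line regexes and the digit-group heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the HijackThis log in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [z4lb2i3a2tqb] C:\WINDOWS\system32\z4lb2i3a2tqb.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Line shapes below are this example's own assumptions about HijackThis 2.0 output.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def exe_stem(cmd):
    """Basename without extension of the first .exe in a Run command line, or None."""
    m = re.search(r'"?(?P<path>[^"]*?\.exe)', cmd, re.IGNORECASE)
    return m.group("path").rsplit("\\", 1)[-1][:-4] if m else None


def looks_random(stem):
    """Heuristic: three or more digit groups interleaved with letters (z4lb2i3a2tqb)
    is typical of generated names; vendor stems such as HPWuSchd2 have at most two."""
    return len(re.findall(r"\d+", stem)) >= 3


def triage(log_text):
    """Return a de-duplicated list of (section, name, reason) findings."""
    findings = []
    hives = defaultdict(set)  # lower-cased stem -> hives it is registered under

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            stem = exe_stem(m.group("cmd"))
            if stem is None:
                continue
            hives[stem.lower()].add(m.group("hive"))
            if looks_random(stem):
                add(("O4", stem, "random-looking executable name"))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            add(("O23", m.group("svc"), "service binary missing (orphaned service)"))

    # Persistence registered under both the machine hive and the user hive.
    for stem, seen in hives.items():
        if seen >= {"HKLM", "HKCU"}:
            add(("O4", stem, "same executable in both HKLM and HKCU Run"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_HJT_LOG):
        print(f"{section:4} {name:50} {reason}")
```

The heuristic only prioritises entries for a human to look at; a flagged name is a lead, not a verdict.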

#8 Eph-Kay

Posted 30 November 2007 - 06:14 AM

Alright, so I did everything up until installing AVG; however, when I launched it this is the message that came up:

"Something bad happened in the application. Error diagnostic file saved to 'C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.err'"

Here is what guard.err said:

//==<AVG AntiSpyware 7.5.1.22>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 004030A0 01:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Module Date: 05/30/2007 13:55:10
File Version of C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe: 7.5.1.36
Exception Date: 11/30/2007 12:40:21

MiniDump Information Saved to C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.dmp

Registers:
EAX:00000000
EBX:007CFEF4
ECX:00000000
EDX:01B00008
ESI:00000000
EDI:007CFEC6
CS:EIP:001B:004030A0
SS:ESP:0023:007CFA70 EBP:007CFED0
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
004030A0 007CFED0 007CFEF4 0044A888 0000013C 013FFFA0 0001:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
004030A0 007CFED0 007CFEF4 0044A888 0000013C 013FFFA0 0001:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Loaded Modules:
Base Size Module
00400000 04E000 7.05.0001.0036 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
7C900000 0B0000 5.01.2600.2180 C:\WINDOWS\system32\ntdll.dll
7C800000 0F5000 5.01.2600.3119 C:\WINDOWS\system32\kernel32.dll
10000000 0DE000 4.02.0000.0019 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
76780000 009000 6.00.2900.2180 C:\WINDOWS\system32\SHFOLDER.dll
77C10000 058000 7.00.2600.2180 C:\WINDOWS\system32\msvcrt.dll
77DD0000 09B000 5.01.2600.2180 C:\WINDOWS\system32\ADVAPI32.dll
77E70000 092000 5.01.2600.3173 C:\WINDOWS\system32\RPCRT4.dll
77FE0000 011000 5.01.2600.2180 C:\WINDOWS\system32\Secur32.dll
77F60000 076000 6.00.2900.3199 C:\WINDOWS\system32\SHLWAPI.dll
77F10000 047000 5.01.2600.3159 C:\WINDOWS\system32\GDI32.dll
7E410000 090000 5.01.2600.3099 C:\WINDOWS\system32\USER32.dll
76B40000 02D000 5.01.2600.2180 C:\WINDOWS\system32\WINMM.dll
76BF0000 00B000 5.01.2600.2180 C:\WINDOWS\system32\PSAPI.DLL
77C00000 008000 5.01.2600.2180 C:\WINDOWS\system32\VERSION.dll
76D60000 019000 5.01.2600.2912 C:\WINDOWS\system32\iphlpapi.dll
71AB0000 017000 5.01.2600.2180 C:\WINDOWS\system32\WS2_32.dll
71AA0000 008000 5.01.2600.2180 C:\WINDOWS\system32\WS2HELP.dll
774E0000 13D000 5.01.2600.2726 C:\WINDOWS\system32\ole32.dll
77120000 08B000 5.01.2600.3139 C:\WINDOWS\system32\OLEAUT32.dll
76390000 01D000 5.01.2600.2180 C:\WINDOWS\system32\IMM32.DLL
629C0000 009000 5.01.2600.2180 C:\WINDOWS\system32\LPK.DLL
74D90000 06B000 1.420.2600.2180 C:\WINDOWS\system32\USP10.dll
773D0000 103000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
5D090000 09A000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
007F0000 017000 7.00.0000.0125 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
77690000 021000 5.01.2600.2180 C:\WINDOWS\system32\NTMARTA.DLL
76F60000 02C000 5.01.2600.2180 C:\WINDOWS\system32\WLDAP32.dll
71BF0000 013000 5.01.2600.2180 C:\WINDOWS\system32\SAMLIB.dll
59A60000 0A1000 5.01.2600.2180 C:\WINDOWS\system32\DBGHELP.DLL

//==<AVG AntiSpyware 7.5.1.22>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 004030A0 01:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Module Date: 05/30/2007 13:55:10
File Version of C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe: 7.5.1.36
Exception Date: 11/30/2007 12:48:20

MiniDump Information Saved to C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.dmp

Registers:
EAX:00000000
EBX:014FFEF4
ECX:00000000
EDX:007D4008
ESI:00000000
EDI:014FFEC6
CS:EIP:001B:004030A0
SS:ESP:0023:014FFA70 EBP:014FFED0
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
004030A0 014FFED0 014FFEF4 0044A888 00000120 013FFFA0 0001:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
004030A0 014FFED0 014FFEF4 0044A888 00000120 013FFFA0 0001:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Loaded Modules:
Base Size Module
00400000 04E000 7.05.0001.0036 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
7C900000 0B0000 5.01.2600.2180 C:\WINDOWS\system32\ntdll.dll
7C800000 0F5000 5.01.2600.3119 C:\WINDOWS\system32\kernel32.dll
10000000 0DE000 4.02.0000.0019 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
76780000 009000 6.00.2900.2180 C:\WINDOWS\system32\SHFOLDER.dll
77C10000 058000 7.00.2600.2180 C:\WINDOWS\system32\msvcrt.dll
77DD0000 09B000 5.01.2600.2180 C:\WINDOWS\system32\ADVAPI32.dll
77E70000 092000 5.01.2600.3173 C:\WINDOWS\system32\RPCRT4.dll
77FE0000 011000 5.01.2600.2180 C:\WINDOWS\system32\Secur32.dll
77F60000 076000 6.00.2900.3199 C:\WINDOWS\system32\SHLWAPI.dll
77F10000 047000 5.01.2600.3159 C:\WINDOWS\system32\GDI32.dll
7E410000 090000 5.01.2600.3099 C:\WINDOWS\system32\USER32.dll
76B40000 02D000 5.01.2600.2180 C:\WINDOWS\system32\WINMM.dll
76BF0000 00B000 5.01.2600.2180 C:\WINDOWS\system32\PSAPI.DLL
77C00000 008000 5.01.2600.2180 C:\WINDOWS\system32\VERSION.dll
76D60000 019000 5.01.2600.2912 C:\WINDOWS\system32\iphlpapi.dll
71AB0000 017000 5.01.2600.2180 C:\WINDOWS\system32\WS2_32.dll
71AA0000 008000 5.01.2600.2180 C:\WINDOWS\system32\WS2HELP.dll
774E0000 13D000 5.01.2600.2726 C:\WINDOWS\system32\ole32.dll
77120000 08B000 5.01.2600.3139 C:\WINDOWS\system32\OLEAUT32.dll
76390000 01D000 5.01.2600.2180 C:\WINDOWS\system32\IMM32.DLL
629C0000 009000 5.01.2600.2180 C:\WINDOWS\system32\LPK.DLL
74D90000 06B000 1.420.2600.2180 C:\WINDOWS\system32\USP10.dll
773D0000 103000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
5D090000 09A000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
007F0000 017000 7.00.0000.0125 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
77690000 021000 5.01.2600.2180 C:\WINDOWS\system32\NTMARTA.DLL
76F60000 02C000 5.01.2600.2180 C:\WINDOWS\system32\WLDAP32.dll
71BF0000 013000 5.01.2600.2180 C:\WINDOWS\system32\SAMLIB.dll
59A60000 0A1000 5.01.2600.2180 C:\WINDOWS\system32\DBGHELP.DLL

//==<AVG AntiSpyware 7.5.1.22>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 004030A0 01:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Module Date: 05/30/2007 13:55:10
File Version of C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe: 7.5.1.36
Exception Date: 11/30/2007 13:09:00

MiniDump Information Saved to C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.dmp

Registers:
EAX:00000000
EBX:017CFEF4
ECX:00000000
EDX:007D4004
ESI:00000000
EDI:017CFEC6
CS:EIP:001B:004030A0
SS:ESP:0023:017CFA70 EBP:017CFED0
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
004030A0 017CFED0 017CFEF4 0044A888 0000010C 013FFFA0 0001:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
004030A0 017CFED0 017CFEF4 0044A888 0000010C 013FFFA0 0001:000020A0 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Loaded Modules:
Base Size Module
00400000 04E000 7.05.0001.0036 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
7C900000 0B0000 5.01.2600.2180 C:\WINDOWS\system32\ntdll.dll
7C800000 0F5000 5.01.2600.3119 C:\WINDOWS\system32\kernel32.dll
10000000 0DE000 4.02.0000.0019 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
76780000 009000 6.00.2900.2180 C:\WINDOWS\system32\SHFOLDER.dll
77C10000 058000 7.00.2600.2180 C:\WINDOWS\system32\msvcrt.dll
77DD0000 09B000 5.01.2600.2180 C:\WINDOWS\system32\ADVAPI32.dll
77E70000 092000 5.01.2600.3173 C:\WINDOWS\system32\RPCRT4.dll
77FE0000 011000 5.01.2600.2180 C:\WINDOWS\system32\Secur32.dll
77F60000 076000 6.00.2900.3199 C:\WINDOWS\system32\SHLWAPI.dll
77F10000 047000 5.01.2600.3159 C:\WINDOWS\system32\GDI32.dll
7E410000 090000 5.01.2600.3099 C:\WINDOWS\system32\USER32.dll
76B40000 02D000 5.01.2600.2180 C:\WINDOWS\system32\WINMM.dll
76BF0000 00B000 5.01.2600.2180 C:\WINDOWS\system32\PSAPI.DLL
77C00000 008000 5.01.2600.2180 C:\WINDOWS\system32\VERSION.dll
76D60000 019000 5.01.2600.2912 C:\WINDOWS\system32\iphlpapi.dll
71AB0000 017000 5.01.2600.2180 C:\WINDOWS\system32\WS2_32.dll
71AA0000 008000 5.01.2600.2180 C:\WINDOWS\system32\WS2HELP.dll
774E0000 13D000 5.01.2600.2726 C:\WINDOWS\system32\ole32.dll
77120000 08B000 5.01.2600.3139 C:\WINDOWS\system32\OLEAUT32.dll
76390000 01D000 5.01.2600.2180 C:\WINDOWS\system32\IMM32.DLL
629C0000 009000 5.01.2600.2180 C:\WINDOWS\system32\LPK.DLL
74D90000 06B000 1.420.2600.2180 C:\WINDOWS\system32\USP10.dll
773D0000 103000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
5D090000 09A000 5.82.2900.2982 C:\WINDOWS\system32\comctl32.dll
77690000 021000 5.01.2600.2180 C:\WINDOWS\system32\NTMARTA.DLL
76F60000 02C000 5.01.2600.2180 C:\WINDOWS\system32\WLDAP32.dll
71BF0000 013000 5.01.2600.2180 C:\WINDOWS\system32\SAMLIB.dll
59A60000 0A1000 5.01.2600.2180 C:\WINDOWS\system32\DBGHELP.DLL

#9 Baabiouz

Posted 01 December 2007 - 02:27 PM

Hi!

Do not use AVG; let's try the Panda Online scanner:

Panda ActiveScan

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Do NOT lose it!

Please send the Panda ActiveScan report, a fresh HijackThis log and the ComboFix log.

Edited by Baabiouz, 01 December 2007 - 02:27 PM.
