PDA

View Full Version : PLEASE Virus-Just help me on the end



minela
2007-02-24, 13:14
I have XP-SP2,I did Spybot - Search & Destroy and there file rpcc.dll could not be fixed,than I did HijackThis and here is what says:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:22, on 24.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
D:\Program Files\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: XBTP08408 - {8350A9D4-A419-4656-9A03-4E3D59AA791A} - D:\PROGRA~1\EFSATO~1\EFSA_T~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O9 - Extra 'Tools' menuitem: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167066198218
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F23BFD2-BE2A-4810-805C-EE3C94619705}: NameServer = 195.222.32.10 195.222.32.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - D:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe




HELP me to finish I dont know what to fix please HELP

Shaba
2007-02-25, 12:24
Hi minela

One or more of the identified infections is a backdoor trojan (that rpcc.dll for example), link (http://www.castlecops.com/o20list-310.html)

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post

minela
2007-02-25, 17:03
well I did this,
I used HijackThis and function Delete on Reboot tool "rpcc.dll",and my comp rebooted and now is ok.

I dont have any special passwords on my comp. and dont do banking or other financial transactions on the PC.

Do you think my comp. is ok because is normal???

Shaba
2007-02-25, 17:34
Hi

Please send a fresh HijackThis log, please :)

minela
2007-02-25, 23:14
Ok here it is:


Logfile of HijackThis v1.99.1
Scan saved at 22:14:30, on 25.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
D:\Program Files\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\hijackthis\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: XBTP08408 - {8350A9D4-A419-4656-9A03-4E3D59AA791A} - D:\PROGRA~1\EFSATO~1\EFSA_T~1.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O9 - Extra 'Tools' menuitem: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167066198218
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


What my status is?

Shaba
2007-02-26, 09:23
Hi

At least there are sdbot leftovers.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

tashi
2007-03-03, 03:29
:sad:

This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.

tashi
2007-04-04, 01:37
Re-opened upon request.

minela
2007-04-04, 01:45
Thanks for re-opening!
OK I did what was told me to do here are my reports:




SDFix: Version 1.68

Run by Minela - uto 03.04.2007 @ 23:42:43,35

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc

Path:
D:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

D:\Documents and Settings\Minela\Local Settings\Temp\2.dllb - Deleted
D:\Documents and Settings\Minela\Local Settings\Temp\6.dllb - Deleted
D:\Documents and Settings\Minela\Local Settings\Temp\7.dllb - Deleted



ADS Check:

D:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msncall.exe"="D:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"D:\\Program Files\\BitTorrent\\bittorrent.exe"="D:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"D:\\Program Files\\Messenger\\msmsgs.exe"="D:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msncall.exe"="D:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

D:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\7.1\vs000223.tmp
D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
D:\Documents and Settings\Minela\Local Settings\Temp\$b17a2e8.tmp
D:\Documents and Settings\Nesko\Local Settings\Temp\$b17a2e8.tmp
D:\Program Files\Trend Micro\Internet Security 2006\Quarantine\141.tmp
D:\Program Files\Trend Micro\Internet Security 2006\Quarantine\50.tmp
D:\WINDOWS\Temp\$_2341235.TMP

Add/Remove Programs List:

BitTorrent 5.0.6
Dia (remove only)
eMule
GenoPro 2.0.0.2
Google Earth Pro version 3.0.XXXX (beta) Patch Files
Hex Workshop v4.23
HijackThis 1.99.1
VIA Platform Device Manager
K-Lite Codec Pack 2.72 Full
LasVegasTycoon
LiveUpdate 3.0 (Symantec Corporation)
Maxima 5.9.1
Mozilla Firefox (2.0.0.3)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN
Mysteryville
Nero 6 Ultra Edition
Polypix WiFive323
RealPlayer
Adobe Flash Player 9 ActiveX
Ski Resort Tycoon
Skype 3.0
Skypet for Pocket PC 2.1
Spybot - Search & Destroy 1.4
Rjecnik
PCskola
Total Commander (Remove or Repair)
Microsoft Visual Studio .NET Professional 2003 - English
GTK+ 2.8.18-1 runtime environment
WinRAR archiver
WinZip
Microsoft User-Mode Driver Framework Feature Pack 1.0
EFSA Toolbar
MySQL Connector/ODBC 3.51
Microsoft FrontPage Client - English
Microsoft Visual J# .NET Redistributable Package 1.1
Visual Studio .NET Professional 2003 - English
Platform
OPNET Model Library Academic Edition 9.1
J2SE Runtime Environment 5.0 Update 9
Skype Plugin Manager
Google Earth
DAEMON Tools
QuickTime
Windows Live Messenger
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft ActiveSync
VirtuallyJenna-2.017.002 (Cracked)
Apple Software Update
Adobe Reader 7.0
Microsoft .NET Framework 1.1
Visual Studio.NET Baseline - English
OPNET IT Guru Academic Edition 9.1
Trend Micro PC-cillin Internet Security 2006

Finished


AND HERE IS FROM HIJACKTHIS:


Logfile of HijackThis v1.99.1
Scan saved at 23:57:01, on 3.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
D:\Program Files\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: XBTP08408 - {8350A9D4-A419-4656-9A03-4E3D59AA791A} - D:\PROGRA~1\EFSATO~1\EFSA_T~1.DLL
O3 - Toolbar: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O9 - Extra 'Tools' menuitem: EFSA Toolbar - {C49DD894-C6DE-4910-8C41-BA20F852D8BC} - D:\Program Files\EFSA Toolbar\efsa_toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167066198218
O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/eng/slots70_2_0_0_33.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Shaba
2007-04-04, 09:07
Hi

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh hijackthis log
- kaspersky report

minela
2007-04-04, 22:09
OK I will do that I just need few days for it.

Shaba
2007-04-05, 17:58
Hi minela

That's ok, post when ready :)

Shaba
2007-04-12, 20:24
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.