What the Tech forum thread (malware removal help)
Post #1, Aug 29 2008, 10:38 AM
adil8 (Authentic Member; Posts: 37; Joined: 17-February 08; Member No.: 76,918; Operating System: windows xp)
My PC is running slow, and in Task Manager I notice many svchost.exe are running and CPU usage is 100 percent or higher than normal. I suspect my PC is in trouble, so I require your kind help. Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:30 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\wudfhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5166 bytes
Post #2, Sep 3 2008, 03:24 PM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
We can see if it's spyware/malware/virus related. Stay with this topic until I give you the all-clean post. You might want to print these instructions out.

I suggest you do this:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

We strongly suggest you do this first. This ensures we have a valid registry backup.
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.

Next: Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)
It's normal after running ATF Cleaner that the PC will be slower to boot the first time or two.

Next: Please download Malwarebytes' Anti-Malware to your desktop.

Also "copy/paste" a new HijackThis log file into this thread. Also please describe how your computer behaves at the moment.
Post #3, Sep 3 2008, 05:29 PM
adil8 (Authentic Member; Posts: 37; Joined: 17-February 08; Member No.: 76,918; Operating System: windows xp)
Sir LDTate, your clipart is scary, lol, but you are doing a great job.

QUOTE
Also please describe how your computer behaves at the moment.

At the start of the problem, my Opera browser used to get jammed many times during web surfing, and also my ZoneAlarm firewall gave me the following strange notifications every now and then:
[two ZoneAlarm alert screenshots]
Would you tell me if I was being hijacked or something? Besides, I'm a little frustrated to have all these infections, because I regularly update my NOD32 AV but I still end up having an infected PC! Recommend a good anti-virus, please!

Here is the Malwarebytes' Anti-Malware report:

Malwarebytes' Anti-Malware 1.26
Database version: 1111
Windows 5.1.2600 Service Pack 2

9/4/2008 4:43:50 AM
mbam-log-2008-09-04 (04-43-50).txt

Scan type: Quick Scan
Objects scanned: 42434
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ckvo1.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ckvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo1.dll (Trojan.Agent) -> Delete on reboot.
Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:27 AM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Nokia\Nokia PC Suite 7\OneTouchAccess.exe
C:\Program Files\Opera 9\Opera.exe
C:\WINDOWS\System32\wudfhost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13D55031-0924-4031-9EC1-AF4CAD07C937}: NameServer = 221.132.112.8 202.163.96.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{13D55031-0924-4031-9EC1-AF4CAD07C937}: NameServer = 221.132.112.8 202.163.96.3
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5436 bytes
Post #4, Sep 3 2008, 05:39 PM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
You can search IP addresses here:
http://www.domaintools.com/

IP Information for 202.163.96.3
IP Location: Pakistan Karachi Cyber Internet Services (pvt) Ltd
Resolve Host: ns.cyber.net.pk
IP Address: 202.163.96.3

IP Information for 221.132.112.8
IP Location: Pakistan Karachi Transworld Associates (pvt.) Ltd
Resolve Host: ns1.tw1.biz
IP Address: 221.132.112.8

It's not always your anti-virus program's fault. You can get these infections just by visiting web sites.

Let's make sure we got it all.

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.****
*If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections. Give it at least 20-30 minutes to finish if needed.
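The check LDTate did by hand in the post above (look up each O17 NameServer address and confirm it belongs to the machine owner's ISP) is the part of this triage worth automating: an O17 entry pointing at a resolver the owner's ISP does not operate is the usual footprint of a DNS-changer infection, while resolvers inside the ISP's own networks, as here, are just the normal DHCP configuration. The Python below is an added example, not part of this thread and not a HijackThis or What the Tech tool. It parses O17 and O2 lines from a HijackThis-format log, classifies each resolver against an allow list of expected ISP networks, and lists BHO entries whose DLL is missing (leftovers worth cleaning, not infections). The allow list (two /24s around the addresses from the second log), the sample log, and the 203.0.113.53 resolver line are constructed for this example; in real use the allow list comes from whois or the ISP's published resolver addresses.

```python
"""Triage helper for a HijackThis log: DNS resolver check plus orphaned BHOs.

Added example for this thread, not a HijackThis or What the Tech tool.
The allow list and the sample log below are constructed for the example.
"""

import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed assumption: the /24s containing the two resolvers that appeared
# in the thread's second log.  Fill this from your ISP's published resolver
# addresses or from the whois record of the IPs in your own log.
EXPECTED_RESOLVER_NETS: Dict[str, str] = {
    "202.163.96.0/24": "Cyber Internet Services (pvt) Ltd, Karachi",
    "221.132.112.0/24": "Transworld Associates (pvt.) Ltd, Karachi",
}

# RFC 1918 and loopback: a resolver here is the home router or the host
# itself, which is normal and not evidence of a DNS changer.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d., ]+)$")
# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def classify_resolver(ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one DNS resolver address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return "ok", "local resolver (router or this host)"
    for net, owner in EXPECTED_RESOLVER_NETS.items():
        if addr in ipaddress.ip_network(net):
            return "ok", f"expected ISP resolver ({owner})"
    # A resolver the owner did not configure and the ISP does not operate is
    # the signature of a DNS changer: whois the address before trusting it.
    return "suspicious", "resolver outside the owner's ISP networks; check whois and who set it"


def triage_hjt(log_text: str) -> Dict[str, List[dict]]:
    """Scan a HijackThis log and return findings grouped by check."""
    findings: Dict[str, List[dict]] = {"dns": [], "orphan_bho": []}
    seen_ips = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            # The same interface GUID normally appears under both CCS and CS1
            # (current and last-known-good control sets); report each IP once.
            for ip in re.split(r"[ ,]+", m.group("servers").strip()):
                if ip and ip not in seen_ips:
                    seen_ips.add(ip)
                    verdict, reason = classify_resolver(ip)
                    findings["dns"].append({"ip": ip, "verdict": verdict, "reason": reason})
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            findings["orphan_bho"].append({"clsid": m.group("clsid"), "name": m.group("name")})
    return findings


# Constructed sample: O2 and O17 lines as they appear in the thread's second
# log, plus one made-up O17 line (documentation-range address, made-up GUID)
# to show what a hijacked resolver looks like in the output.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{13D55031-0924-4031-9EC1-AF4CAD07C937}: NameServer = 221.132.112.8 202.163.96.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{13D55031-0924-4031-9EC1-AF4CAD07C937}: NameServer = 221.132.112.8 202.163.96.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.53
"""

if __name__ == "__main__":
    for check, items in triage_hjt(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("  ", item)
```

Run it as a script to see the findings for the sample, or call triage_hjt() on the text of a saved log. Treat "suspicious" as a prompt to check whois and compare with the DNS servers the router actually hands out, not as a verdict: a VPN, a corporate network, or a public resolver the owner chose deliberately will also land outside the ISP list.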
Post #5, Sep 3 2008, 06:41 PM
adil8 (Authentic Member; Posts: 37; Joined: 17-February 08; Member No.: 76,918; Operating System: windows xp)
You didn't tell me if I was being hacked? I think I have made a mistake during that combofix.exe process, because I didn't find C:\ComboFix.txt, but the scan was completed and it also created a log file, given below. But then I couldn't see any desktop item, only the wallpaper, so I restarted my PC. Did I make any mistake?
ComboFix 08-09-03.02 - adil8 2008-09-04 6:17:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.594 [GMT 5:00]
Running from: C:\Documents and Settings\adil8\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kk3.bat
D:\kk3.bat
E:\kk3.bat
F:\kk3.bat
G:\kk3.bat
H:\kk3.bat
I:\kk3.bat

.
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-04 04:31 . 2008-09-04 04:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-04 04:31 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-04 04:31 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-04 04:18 . 2008-09-04 04:19 <DIR> d-------- C:\Program Files\ERUNT
2008-09-02 05:21 . 2008-09-02 05:21 <DIR> d-------- C:\Documents and Settings\adil8\Application Data\PC Tools
2008-09-02 05:21 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-02 05:21 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-02 05:21 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-02 05:21 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-30 03:07 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-08-30 03:07 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-08-30 03:06 . 2008-08-30 03:06 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-08-30 03:06 . 2008-08-30 03:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-08-30 02:42 . 2008-08-30 02:42 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-08-30 02:42 . 2008-08-30 02:42 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-08-30 02:41 . 2008-08-30 02:41 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-08-30 02:41 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-30 02:40 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-08-30 02:40 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-30 02:40 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-08-30 02:40 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-08-30 02:40 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-08-29 22:31 . 2008-08-29 22:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 21:10 . 2008-09-02 05:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-23 10:13 . 2008-08-23 10:13 <DIR> d-------- C:\Documents and Settings\adil8\Application Data\Publish Providers
2008-08-23 10:06 . 2008-08-23 10:06 <DIR> d-------- C:\Program Files\Vstplugins
2008-08-23 10:05 . 2008-08-23 10:05 <DIR> d-------- C:\Program Files\Sony Setup
2008-08-23 10:05 . 2008-08-23 10:07 <DIR> d-------- C:\Program Files\Sony
2008-08-23 10:00 . 2008-08-23 10:00 <DIR> d-------- C:\Documents and Settings\adil8\Application Data\Sony
2008-08-23 09:46 . 2008-08-23 09:49 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-08-23 04:23 . 2008-08-23 11:22 <DIR> d-------- C:\Program Files\Dr.Hardware 2008 english

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 00:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-03 12:37 --------- d-----w C:\Program Files\Yahoo!
2008-08-31 12:01 2,759,168 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-08-30 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-08-29 22:02 --------- d-----w C:\Documents and Settings\adil8\Application Data\Nokia
2008-08-29 21:42 --------- d-----w C:\Program Files\Nokia
2008-08-29 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-08-27 23:15 --------- d-----w C:\Program Files\Opera 9
2008-08-27 23:14 --------- d-----w C:\Program Files\Opera
2008-08-27 10:57 2,686,976 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-08-27 10:57 130,048 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-08-24 22:43 2,615,296 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-08-24 22:43 134,144 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-08-23 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-08-23 00:06 --------- d-----w C:\Program Files\backburner 2
2008-08-22 12:44 259,072 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-08-18 03:54 24,576 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-08-18 03:54 2,547,712 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-08-17 20:26 215,040 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-08-17 20:26 2,546,176 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-08-10 10:23 208,384 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-08-10 10:23 2,536,960 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-08-08 21:58 2,533,888 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-08-08 10:59 2,532,352 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-08-05 16:58 2,655,232 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-08-05 16:58 2,527,744 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-08-01 12:23 --------- d-----w C:\Program Files\Auralog
2008-08-01 09:55 5,506 ----a-w C:\WINDOWS\E220AutoRunLog.tmp
2008-07-27 05:58 2,502,656 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-07-24 16:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-23 05:58 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-07-22 06:49 --------- d-----w C:\Program Files\Total Video Converter
2008-07-21 17:33 --------- d-----w C:\Program Files\psp
2008-07-16 14:48 --------- d-----w C:\Program Files\CamStudio
2008-07-15 18:56 2,231,808 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-07-15 13:54 2,231,808 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-07-14 08:42 --------- d--h--w C:\Program Files\Common Files\LanguageFile
2008-07-14 08:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-08 06:54 2,778,633 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-07-07 13:39 2,207,232 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-07-03 14:56 2,202,624 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-06-25 17:58 2,171,904 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-06-24 00:36 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-06-19 00:58 2,122,240 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-06-17 17:57 2,113,536 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-06-17 17:45 2,111,488 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-06-17 17:13 2,110,976 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-13 22:57 2,099,712 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-12 17:12 2,098,176 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-08 05:05 86 ----a-w C:\Program Files\plugin.ini

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 1103752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\hmemdm.sys [2008-04-17 88960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18b81fcc-5f14-11dd-86a3-983404e74b89}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ETS_Setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Nokia.PCSync - C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 06:22:18
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-04 6:24:34
ComboFix-quarantined-files.txt 2008-09-04 01:24:28

Pre-Run: 3,458,052,096 bytes free
Post-Run: 3,543,662,592 bytes free

165

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:25 AM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\wudfhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5238 bytes
Post #6, Sep 3 2008, 06:45 PM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
QUOTE
you didn't tell me if I was being hacked?

Are you in Pakistan? Is your ISP in Pakistan?
Post #7, Sep 4 2008, 05:04 AM
adil8 (Authentic Member; Posts: 37; Joined: 17-February 08; Member No.: 76,918; Operating System: windows xp)
QUOTE
Are you in Pakistan? Is your ISP in Pakistan?

Yes Sir, I'm in Pakistan and my ISP is in Pakistan too. So am I not hacked, and is my PC clean now? I still have the problem of 100 percent CPU usage, and memory is being consumed for no reason in the Task Manager too... Please help!
Post #8, Sep 4 2008, 11:15 AM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
I'll look at your logs tonight.
Post #9, Sep 4 2008, 04:15 PM
adil8 (Authentic Member; Posts: 37; Joined: 17-February 08; Member No.: 76,918; Operating System: windows xp)
Today my ZoneAlarm gave me the following new warning:
[ZoneAlarm alert screenshot]
Now do you think that someone is trying to hack me? Thanks.

This post has been edited by adil8: Sep 4 2008, 04:34 PM
Post #10, Sep 4 2008, 08:12 PM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
I'd suggest you get help at ZoneAlarm's help site:
http://forums.zonealarm.org/zonelabs/

Your logs look good to me.
Post #11, Sep 6 2008, 02:55 PM
adil8 (Authentic Member; Posts: 37; Joined: 17-February 08; Member No.: 76,918; Operating System: windows xp)
Thanks a lot, LDTate, for your help!
Post #12, Sep 6 2008, 03:36 PM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
Great job.

You're more than welcome. Glad we were able to help.

Peace be with you.
Post #13, Sep 6 2008, 03:36 PM
LDTate (Forum God; Group: Root Admin; Posts: 39,364; Joined: 23-September 04; From: Missouri, USA; Member No.: 15,276)
Since this issue appears to be resolved, this Topic has been closed. Glad we could be of assistance.

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else, please begin a New Topic.