
xih9.cmd, ckvo.exe and other worms, malware


This topic is locked
14 replies to this topic

#1 botcheck

Posted 23 January 2009 - 11:40 AM

Hello,
I've got some serious problems with my computer. I've got Spybot and AVG installed on my machine, OS: Windows XP Ultimate.
I'm unable to initialize many programs. When I click on Spybot nothing happens. I've tried reinstalling, but still nothing. When I try to open AVG Antivirus, Download Accelerator or Spyware Blaster, I get the message "Error while unpacking program, code LP5. Please report to author". Because of this, I'm unable to give my machine a spyware or virus scan.
I've got multiple OSes on my system. On the other one I've got Windows XP, and I'm facing the same problems in that OS too, and in addition I'm unable to access the internet.
Also, the Zone Alarm firewall doesn't open either.
I'm unable to view hidden folders, and Task Manager is disabled.

Here is my DDS log

DDS (Ver_09-01-19.01) - NTFSx86
Run by Lajan at 22:16:59.31 on Fri 01/23/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.85 [GMT 6:00]

AV: AVG 7.5.488 *On-access scanning disabled* (Outdated)

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
E:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
E:\Program Files\Spybot - Search & Destroy\SDFiles.exe
E:\WINDOWS\Explorer.EXE
E:\Users\Lajan\LOCALS~1\Temp\hpjq.exe
E:\Users\Lajan\LOCALS~1\Temp\ocwa.exe
E:\Users\Lajan\LOCALS~1\Temp\ukqn.exe
E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
E:\Users\Lajan\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - e:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [VisualTaskTips] e:\windows\system32\visualtasktips.exe
uRun: [TopDesk] e:\windows\system32\topdesk.exe
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [kamsoft] e:\windows\system32\ckvo.exe
uRun: [msnmsgr] "e:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] "e:\program files\windows defender\MSASCui.exe" -hide
dRun: [MsnMsgr] "e:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Sidebar] e:\program files\windows sidebar\sidebar.exe /autoRun
dRun: [VisualTaskTips] e:\windows\system32\visualtasktips.exe
dRun: [TopDesk] e:\windows\system32\topdesk.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [ProfileFolderName] hc /w cmd.exe /c Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}" /v "" /t REG_SZ /d "%UserName%" /f
dRunOnce: [CheckUpdates] wuauclt /detectnow
StartupFolder: e:\users\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - e:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - e:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - e:\progra~1\dap\dapie.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\wpdshserviceobj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - e:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;e:\windows\system32\drivers\avg7core.sys [2008-4-10 821728]
R1 Avg7RsW;AVG7 Wrap Driver;e:\windows\system32\drivers\avg7rsw.sys [2008-4-10 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;e:\windows\system32\drivers\avg7rsxp.sys [2008-4-10 27776]
R1 AvgClean;AVG7 Clean Driver;e:\windows\system32\drivers\avgclean.sys [2008-4-10 3968]
R3 abp470n5;abp470n5;\??\e:\windows\system32\drivers\mogjt.sys --> e:\windows\system32\drivers\mogjt.sys [?]
R4 AvgTdi;AVG Network Redirector;e:\windows\system32\drivers\avgtdi.sys [2008-4-10 4960]
R4 WinDefend;Windows Defender;e:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 vsdatant;vsdatant;e:\windows\system32\vsdatant.sys [2009-1-22 394952]
S4 Avg7Alrt;AVG7 Alert Manager Server;e:\progra~1\grisoft\avg7\avgamsvr.exe [2008-4-8 353280]
S4 Avg7UpdSvc;AVG7 Update Service;e:\progra~1\grisoft\avg7\avgupsvc.exe [2008-4-8 49664]
S4 AVGEMS;AVG E-mail Scanner;e:\progra~1\grisoft\avg7\avgemc.exe [2008-4-8 353280]

=============== Created Last 30 ================

2009-01-23 20:45 175,616 ---shr-- E:\xih9.cmd
2009-01-23 20:44 175,616 ---shr-- e:\windows\system32\ckvo.exe
2009-01-23 20:11 <DIR> --d----- e:\program files\File Shredder
2009-01-23 13:39 <DIR> --d----- e:\users\alluse~1.win\applic~1\PrevxCSI
2009-01-23 12:18 <DIR> --d----- e:\users\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-01-23 12:18 <DIR> --d----- e:\program files\Spybot - Search & Destroy
2009-01-23 11:54 <DIR> --d----- e:\windows\pss
2009-01-23 11:34 <DIR> --d-h--- e:\windows\system32\GroupPolicy
2009-01-23 10:36 <DIR> --d----- e:\program files\Trend Micro
2009-01-22 22:27 <DIR> --d----- e:\users\lajan\My Completed Downloads
2009-01-22 22:27 <DIR> --d----- e:\users\alluse~1.win\applic~1\SpeedBit
2009-01-22 22:27 479,298 a------- e:\windows\system32\wbocx.ocx
2009-01-22 22:27 172,032 a------- e:\windows\system32\AniGIF.ocx
2009-01-22 22:27 50,688 a------- e:\windows\system32\wbhelp2.dll
2009-01-22 22:27 <DIR> --d----- e:\program files\DAP
2009-01-22 20:17 <DIR> --d----- e:\program files\ZoneAlarmSB
2009-01-22 20:13 4,212 ----h--- e:\windows\system32\zllictbl.dat
2009-01-22 20:12 75,248 a------- e:\windows\zllsputility.exe
2009-01-22 20:12 11,264 a------- e:\windows\system32\SpOrder.dll
2009-01-22 20:10 1,086,952 a------- e:\windows\system32\zpeng24.dll
2009-01-22 20:10 <DIR> --d----- e:\windows\system32\ZoneLabs
2009-01-22 20:10 <DIR> --d----- e:\program files\Zone Labs
2009-01-22 20:10 352,767 a------- e:\windows\system32\vsconfig.xml
2009-01-22 20:08 <DIR> --d----- e:\windows\Internet Logs

==================== Find3M ====================

2009-01-23 20:44 85,504 ---shr-- e:\windows\system32\ckvo0.dll
2009-01-23 20:43 1,632 a------- e:\windows\system32\d3d8caps.dat
2008-04-10 20:14 16,384 a--sh--- e:\windows\system32\config\systemprofile\cookies\index.dat
2008-04-10 20:14 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-04-10 20:13 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008041020080411\index.dat
2008-04-10 20:14 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 22:17:37.65 ===============

I would very much appreciate any help.
Thank you


#2 botcheck

  • Topic Starter


Posted 27 January 2009 - 12:49 AM

Also, I'm unable to boot in safe mode.

#3 botcheck

  • Topic Starter


Posted 28 January 2009 - 02:08 AM

Hello forum,
I haven't received help for a long time.

#4 PropagandaPanda

  • Malware Response Team

Posted 31 January 2009 - 11:25 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

#5 botcheck

  • Topic Starter


Posted 01 February 2009 - 11:13 AM

Hello,
Thank you for responding, Mr. Panda. During the in-between period since my post, I made some changes to one of my operating systems. I had my Windows XP Ultimate SP3 OS installed in one partition and XP in the other three partitions. I formatted my Ultimate OS partition and reinstalled the OS. In an attempt to fix things, I downloaded BitDefender 10 and Spybot and ran a scan, but they were unable to remove the viruses and malware in the other partitions. (I have a question: BitDefender doesn't find anything wrong with xih9.cmd and other similar processes, why is that? It simply displays OK against these files as if they were harmless.) Everything was going fine on this partition until I transferred this log file from the other partition. (I did this because the internet connection is not working in the other partition.) Now BitDefender doesn't work either. I get the message "Error while unpacking program, code LP5. Please report to author". I was getting similar messages in the other partitions. And now I have the same earlier problems in this partition too.
I did not make any changes in the other partitions.
Also, please recommend the best antivirus program; maybe I expected too much from BitDefender.

Here is my GMER log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-01 07:15:27
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD6269.SYS The process cannot access the file because it is being used by another process.
? srescan.sys The system cannot find the file specified. !
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F93FA4F0 16 Bytes [ 8E, B3, 9A, 14, 8C, 20, 5E, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F93FA501 31 Bytes [ 90, 3F, F9, AB, 10, A1, DC, ... ]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\drivers\uqrnnn.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F994C89E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F9962D86] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F994CE24] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F994CD28] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F994CEF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F994CEF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F994CE24] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F994CD28] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F99621AE] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F994CA5A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F996204A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F994C8F2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F993FAD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F993FC0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F993FB96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F994076C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F9940642] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F9962E4A] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F99518C6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F9962E4A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F996204A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F9962056] sptd.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F614FCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F61501C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F6150320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F614FE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F614FE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F614FCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F61501C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F6150320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F614FCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F6150320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F61501C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F614FE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6150320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F61501C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F614FCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F614FE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F614FCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F61501C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F6150320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F615D330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F994CCC6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F994CCC6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F614FCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F614FE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6150320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F61501C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F6148670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F61485C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F6148770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F61482D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 81BAD1D8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\dmio \Device\DmControl\DmIoDaemon 81BAD980
Device \Driver\dmio \Device\DmControl\DmConfig 81BAD980
Device \Driver\dmio \Device\DmControl\DmPnP 81BAD980
Device \Driver\dmio \Device\DmControl\DmInfo 81BAD980
Device \Driver\NetBT \Device\NetBT_Tcpip_{4D8D6AD9-FF3A-4235-8FA2-378F0639B589} 8185B6A0
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\00000091 \Device\00000057 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 81BADC38
Device \Driver\Ftdisk \Device\HarddiskVolume2 81BADC38
Device \Driver\Cdrom \Device\CdRom0 81A32EB0
Device \FileSystem\Rdbss \Device\FsWrap 816A7798
Device \Driver\Ftdisk \Device\HarddiskVolume3 81BADC38
Device \Driver\Cdrom \Device\CdRom1 81A32EB0
Device \Driver\Ftdisk \Device\HarddiskVolume4 81BADC38
Device \Driver\NetBT \Device\NetBt_Wins_Export 8185B6A0
Device \Driver\NetBT \Device\NetbiosSmb 8185B6A0
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Disk \Device\Harddisk0\DR0 81BAD410
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81692640
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81692640
Device \FileSystem\Npfs \Device\NamedPipe 8186DAC8
Device \Driver\Ftdisk \Device\FtControl 81BADC38
Device \FileSystem\Msfs \Device\Mailslot 81866AA0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 81A61570
Device \Driver\dtscsi \Device\Scsi\dtscsi1 81A61570
Device \FileSystem\Cdfs \Cdfs 8164ABB8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8E 0x0D 0x57 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8D 0x43 0x60 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8E 0x0D 0x57 0xA6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8D 0x43 0x60 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0x62 0x03 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 261

---- EOF - GMER 1.0.14 ----


#6 PropagandaPanda

  • Malware Response Team

Posted 01 February 2009 - 12:45 PM

Hello.

No antivirus program is perfect.

For the .cmd files, they are actually batch scripts. No scanner would detect them because they contain only text.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Processes - Safe List]
    YY -> xih9.cmd -> %SystemDrive%\xih9.cmd
    YY -> xih9.cmd -> G:\xih9.cmd
    YY -> xih9.cmd -> G:\xih9.cmd
    [Win32 Services - Safe List]
    YN -> (bepldr) BCL easyPDF SDK 5 Loader [Win32_Shared | On_Demand | Stopped] -> %CommonProgramFiles%\BCL Technologies\easyPDF 5\bepldr.exe
    [Registry - Safe List]
    < Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> ShellBrowser\\"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{E1BACF55-35E1-4E47-9247-2D48660E5545}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> "kamsoft" -> %SystemRoot%\system32\ckvo.exe [C:\WINDOWS\system32\ckvo.exe]
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YN -> awttuss -> 
    YN -> klogon -> 
    YN -> winzlo32 -> 
    < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    YN -> "{B3ADDB7B-3DF5-4672-82DD-775FFF180134}" [HKLM] -> Reg Error: Key does not exist or could not be opened. []
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    *LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YY -> C:\WINDOWS\system32\jkkJcBrr -> 
    < LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    YN -> "C:\DOCUME~1\Dhenu\LOCALS~1\Temp\winBB.exe" -> C:\DOCUME~1\Dhenu\LOCALS~1\Temp\winBB.exe [C:\DOCUME~1\Dhenu\LOCALS~1\Temp\winBB.exe:*:Enabled:winBB]
    YN -> "C:\DOCUME~1\Dhenu\LOCALS~1\Temp\winF5.exe" -> C:\DOCUME~1\Dhenu\LOCALS~1\Temp\winF5.exe [C:\DOCUME~1\Dhenu\LOCALS~1\Temp\winF5.exe:*:Enabled:winF5]
    YN -> "C:\Documents and Settings\Dhenu\Desktop\prx.exe" -> C:\Documents and Settings\Dhenu\Desktop\prx.exe [C:\Documents and Settings\Dhenu\Desktop\prx.exe:*:Enabled:GoogleToolbars]
    YN -> "C:\WINDOWS\TEMP\win786.exe" -> C:\WINDOWS\TEMP\win786.exe [C:\WINDOWS\TEMP\win786.exe:*:Enabled:win786]
    < Drives with AutoRun files > -> 
    NY -> C:\autorun.inf [;LSLr9o35Ado8ropkHkk5DdwO3ZlAid3lAwswoiapd0rjDald0n3Dlja1Kw3iD2k1DKKjeL20kwAeawqwaslkia4q | [AutoRun] |;so34fsAs55A04O744LwaLKdL12qaoAwsDaK4ek | open=xih9.cmd |;i831AA5XorkjDoipwfKSCkaa04qAlZ083eiwoKwDe3SAaDikF1rlIkafJLD79JKJed3ida3ka1jw3cwscw45rl4 | shell\open\Command=xih9.cmd |;eLC8aw4cIaSwkiei1ww7sXdwq2sqnLJfojAf4kdd220dSLAiis0q0r4lkOa | shell\open\Default=1 |;dKaAlsw2awoCDke5l2DaLeko9Z57drlwk3Kjs09li1jLeki1Lfla7sj | shell\explore\Command=xih9.cmd |; | ] -> %SystemDrive%\autorun.inf [ NTFS ]
    NY -> E:\autorun.inf [;LSLr9o35Ado8ropkHkk5DdwO3ZlAid3lAwswoiapd0rjDald0n3Dlja1Kw3iD2k1DKKjeL20kwAeawqwaslkia4q | [AutoRun] |;so34fsAs55A04O744LwaLKdL12qaoAwsDaK4ek | open=xih9.cmd |;i831AA5XorkjDoipwfKSCkaa04qAlZ083eiwoKwDe3SAaDikF1rlIkafJLD79JKJed3ida3ka1jw3cwscw45rl4 | shell\open\Command=xih9.cmd |;eLC8aw4cIaSwkiei1ww7sXdwq2sqnLJfojAf4kdd220dSLAiis0q0r4lkOa | shell\open\Default=1 |;dKaAlsw2awoCDke5l2DaLeko9Z57drlwk3Kjs09li1jLeki1Lfla7sj | shell\explore\Command=xih9.cmd |; | ] -> E:\autorun.inf [ NTFS ]
    NY -> F:\autorun.inf [;LSLr9o35Ado8ropkHkk5DdwO3ZlAid3lAwswoiapd0rjDald0n3Dlja1Kw3iD2k1DKKjeL20kwAeawqwaslkia4q | [AutoRun] |;so34fsAs55A04O744LwaLKdL12qaoAwsDaK4ek | open=xih9.cmd |;i831AA5XorkjDoipwfKSCkaa04qAlZ083eiwoKwDe3SAaDikF1rlIkafJLD79JKJed3ida3ka1jw3cwscw45rl4 | shell\open\Command=xih9.cmd |;eLC8aw4cIaSwkiei1ww7sXdwq2sqnLJfojAf4kdd220dSLAiis0q0r4lkOa | shell\open\Default=1 |;dKaAlsw2awoCDke5l2DaLeko9Z57drlwk3Kjs09li1jLeki1Lfla7sj | shell\explore\Command=xih9.cmd |; | ] -> F:\autorun.inf [ NTFS ]
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    YN -> \{153e4102-b15c-11dc-a9df-0000e25b415b} -> 
    YN -> \{247946a7-a694-11dd-b414-0000e25b415b} -> 
    YN -> \{4e39a0b8-be18-11dd-b44e-0000e25b415b} -> 
    YN -> \{8b117924-5cf9-11dc-a8b8-0000e25b415b} -> 
    YN -> \{95645d18-5953-11dc-a8ab-0000e25b415b} -> 
    NY -> \{95a89dee-58d5-11dc-92d1-806d6172696f}\Shell\AutoRun\command\\"" -> %SystemDrive%\xih9.cmd [C:\xih9.cmd]
    YN -> \{cda850a3-b603-11dd-b43b-0000e25b415b} -> 
    YN -> \{d6a25c64-5920-11dc-9857-806d6172696f} -> 
    NY -> \{d6a25c64-5920-11dc-9857-806d6172696f}\Shell\AutoRun\command\\"" -> G:\xih9.cmd [G:\xih9.cmd]
    NY -> \{d6a25c64-5920-11dc-9857-806d6172696f}\Shell\explore\Command\\"" -> G:\xih9.cmd [G:\xih9.cmd]
    YN -> \{dad1dbbe-5922-11dc-a8a8-806d6172696f} -> 
    NY -> \{dad1dbbe-5922-11dc-a8a8-806d6172696f}\Shell\explore\Command\\"" -> E:\xih9.cmd [E:\xih9.cmd]
    YN -> \{e113883e-5921-11dc-ae0b-806d6172696f} -> 
    [Files/Folders - Created Within 30 Days]
    NY -> uvsqfgwd.cmd -> %SystemDrive%\uvsqfgwd.cmd
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Download and Run FlashDisinfector
You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

After all that, take a new OTScanIt scan log.

With Regards,
The Panda
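
The fix above removes autorun.inf files that hand each drive's AutoRun over to xih9.cmd (note the junk ";" comment lines padded between the real keys in the listing), and the ComboFix log later in this thread shows the companion registry changes: Task Manager, Registry Tools and Folder Options disabled by policy, and the Winlogon Shell chained to a second binary. The Python below is an added example, not part of this thread or of OTScanIt, ComboFix or Flash_Disinfector. It parses an autorun.inf of that padded form and a REGEDIT4-style fragment and reports which AutoRun directives would run a script or binary and which values lock the user out. Both sample inputs are constructed here from the listings in the thread; the key and extension lists are the author's choice, not any tool's signature set.

```python
"""Triage of the two artefacts this thread turns on: an autorun.inf that
hands a drive's AutoRun to a script, and the policy / Winlogon values that
lock the user out of Task Manager, regedit and Folder Options.
Added example; not part of OTScanIt, ComboFix or Flash_Disinfector."""
import re
from typing import Dict, List

# Sample autorun.inf, reconstructed from the OTScanIt listing in this
# thread. The ';' lines are the worm's random padding between real keys.
SAMPLE_AUTORUN = """\
;LSLr9o35Ado8ropkHkk5DdwO3ZlAid3lAwswoiapd0rjDald0n3Dlja1Kw3iD2k1DKKjeL20kwAeawqwaslkia4q
[AutoRun]
;so34fsAs55A04O744LwaLKdL12qaoAwsDaK4ek
open=xih9.cmd
;i831AA5XorkjDoipwfKSCkaa04qAlZ083eiwoKwDe3SAaDikF1rlIkafJLD79JKJed3ida3ka1jw3cwscw45rl4
shell\\open\\Command=xih9.cmd
;eLC8aw4cIaSwkiei1ww7sXdwq2sqnLJfojAf4kdd220dSLAiis0q0r4lkOa
shell\\open\\Default=1
;dKaAlsw2awoCDke5l2DaLeko9Z57drlwk3Kjs09li1jLeki1Lfla7sj
shell\\explore\\Command=xih9.cmd
"""

# Sample registry fragment, constructed to match the "Reg Loading Points"
# section of the ComboFix log posted later in this thread.
SAMPLE_REG = r"""REGEDIT4
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"
"Shell"="Explorer.exe \"c:\windows\KesenjanganSosial.exe\""
"""

# AutoRun directives that run a program, and extensions that mean
# "script or binary" rather than a document or icon (author's list).
EXEC_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".cmd", ".bat", ".exe", ".com", ".pif", ".scr", ".vbs")
# Explorer policies the worm sets to 1 to keep the user from fighting back.
LOCKOUT_POLICIES = ("disabletaskmgr", "disableregistrytools", "nofolderoptions")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """[AutoRun] key -> value, keys lower-cased, ';' padding ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(entries: Dict[str, str]) -> List[str]:
    """Flag directives that launch a script/binary, on insertion (open,
    shellexecute) or from the drive's context menu (shell\\<verb>\\command)."""
    findings = []
    for key, value in entries.items():
        runs_code = key in EXEC_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if runs_code and value.lower().endswith(EXEC_SUFFIXES):
            findings.append(f"{key} -> {value}")
    return findings


def _reg_int(value: str):
    """Parse a value shown as '1 (0x1)' or 'dword:00000001'; None otherwise."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"\d+", v)
    return int(m.group()) if m else None


def assess_reg_export(text: str) -> List[str]:
    """Flag lockout policies set to 1 and a Winlogon Shell that is anything
    other than plain Explorer.exe (the worm chains its own binary onto it)."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if "\\policies\\" in section and name in LOCKOUT_POLICIES \
                and _reg_int(value) == 1:
            findings.append(f"{name}=1 in {section}")
        if section.endswith("\\winlogon") and name == "shell" \
                and value.strip('"').strip().lower() != "explorer.exe":
            findings.append(f"shell hijacked: {value}")
    return findings
```

Run `assess_autorun(parse_autorun_inf(SAMPLE_AUTORUN))` and `assess_reg_export(SAMPLE_REG)` to see the three launching directives and the four registry findings. The parser skips comment lines before it looks at anything else, which is why the padding the worm inserts to defeat byte-level signatures does not hide the `open=` and `shell\...\command=` keys from it; a legitimate `icon=` or `label=` entry produces no finding.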

#7 botcheck
  • Topic Starter
  • Members
  • 10 posts

Posted 07 February 2009 - 12:27 AM

Hello Mr. Panda
When I paste the text and click on Run Fix, after some time the OTScanIt window freezes. After waiting for a long time, I ended it using Task Manager. And I got a log file:

Files moved on Reboot...

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\jkkJcBrr scheduled to be deleted on reboot.

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 February 2009 - 10:30 AM

Hello.

Let's see what we can do. Please do not install an antivirus yet.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
With Regards,
The Panda

#9 botcheck
  • Topic Starter
  • Members
  • 10 posts

Posted 08 February 2009 - 03:54 AM

Here's my ComboFix log file

ComboFix 09-02-06.04 - Lajan 2009-02-08 0:13:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.92 [GMT 5.5:30]
Running from: f:\users\Lajan\ComboFix.exe
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\9.cmd
C:\autorun.inf
C:\bo1dhu.bat
C:\c9hehpa.bat
c:\documents and settings\All Users\Application Data\autorun.inf
c:\documents and settings\Lajan\Application Data\Zango
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\1.sdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\1057799.sdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\1383771.sdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\600583.sdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\625696.sdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\819382.sdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\domains.txt
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\14171
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\1491
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\38186
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\43142
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\45355
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\528235
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\748176
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\98441
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\ustat\3645.dat
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\dynamic\ustat\3647.dat
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\btntrans1.dat
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\buttondir.txt
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\components.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\cursors.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_1000.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_2000.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_3000.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\d_icons_buttons_bbar1.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\d_icons_weather.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\default.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_511745-514279.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_categorize.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_comparison.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-Mails.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_explorer-people.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_favorites.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_Games.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_Hide.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_hotbarcom.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_Hotmail.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_hsskin.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_jemster.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_jemsterie.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_jemsteruk.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_jobsearch.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_Mails.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_MobileSidewalk.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_new.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_premium.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_reun.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_ringtones.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_SearchBoxTrapper.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_searchfor.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_searchgo.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_weather.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Default_yellowpages.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-548964.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\email-def-511724-9595.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\email-t1-bg.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\icons2.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\ie_games_icon.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\ie_video.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\keywords.idx
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\keywords1.dat
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\layout.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\linkpathlegal.txt
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\s_icons_buttons.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\sales_buttons.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\t2_bg.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\theweb.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\top7.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\Top7_theweb.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\tsd_bg.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\zango_btn.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\1\zango_ie_menu.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\btntrans.idx
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\btntrans1.dat
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\buttondir.txt
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\components.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\cursors.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_1000.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_2000.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_3000.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\d_icons_buttons_bbar1.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\d_icons_weather.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\default.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_511745-514279.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-ca.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_bidzC_ZT_IE-us.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_categorize.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_comparison.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-Mails.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_explorer-people.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_favorites.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_Games.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_Hide.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_hotbarcom.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_Hotmail.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_hsskin.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_jemster.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_jemsterie.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_jemsteruk.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_jobsearch.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_Mails.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_MobileSidewalk.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_new.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_premium.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_reun.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_ringtones.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_SearchBoxTrapper.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_searchfor.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_searchgo.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_weather.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Default_yellowpages.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-548964.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\email-def-511724-9595.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\email-t1-bg.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\icons2.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\ie_games_icon.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\ie_video.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\keywords.idx
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\keywords1.dat
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\layout.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\linkpathlegal.txt
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\s_icons_buttons.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\sales_buttons.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\top7.cdf
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\documents and settings\Lajan\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
c:\documents and settings\Lajan\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\Lajan\Local Settings\Application Data\lsass.exe
c:\documents and settings\Lajan\Local Settings\Application Data\services.exe
c:\documents and settings\Lajan\Local Settings\Application Data\winlogon.exe
c:\documents and settings\Loges\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\Loges\Local Settings\Application Data\lsass.exe
c:\documents and settings\Loges\Local Settings\Application Data\services.exe
c:\documents and settings\Loges\Local Settings\Application Data\winlogon.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lsass.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\services.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\winlogon.exe
c:\recycler\S-4-9-22-100006281-100013881-100007727-3340.com
C:\uvsqfgwd.cmd
c:\windows\BM2fb6de20.txt
c:\windows\BM2fb6de20.xml
c:\windows\cookies.ini
c:\windows\regsvr.exe
c:\windows\system32\akrmfobi.dllbox
c:\windows\system32\bunucdwm.ini
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\ckvo1.dll
c:\windows\system32\covuajeq.ini
c:\windows\system32\cwxfvwrc.ini
c:\windows\system32\dqrimyoe.ini
c:\windows\system32\fool0.dll
c:\windows\system32\fool1.dll
c:\windows\system32\ggxkopoy.ini
c:\windows\system32\hfnihefu.ini
c:\windows\system32\ieso0.dll
c:\windows\system32\jgdxprwf.ini
c:\windows\system32\jqtqddem.ini
c:\windows\system32\kkmslsdj.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mdm.exe
c:\windows\system32\njakafuu.ini
c:\windows\system32\nkgcqees.ini
c:\windows\system32\odgvswlb.ini
c:\windows\system32\olwaukae.dllbox
c:\windows\system32\pfegcguf.ini
c:\windows\system32\qtutv.ini
c:\windows\system32\qtutv.ini2
c:\windows\system32\qwbrbvkx.ini
c:\windows\system32\regsvr.exe
c:\windows\system32\rrBcJkkj.ini
c:\windows\system32\sloytjwh.ini
c:\windows\system32\sqvmtccc.ini
c:\windows\system32\svchost .exe
c:\windows\system32\wiotiafj.ini
c:\windows\system32\xndyhexs.ini
c:\windows\system32\ywpmfvfs.ini
C:\xih9.cmd
E:\9.cmd
E:\Autorun.inf
E:\bo1dhu.bat
E:\c9hehpa.bat
e:\recycler\S-4-9-22-100006281-100013881-100007727-3340.com
E:\uvsqfgwd.cmd
E:\xih9.cmd
E:\yssjnngm.cmd
F:\Autorun.inf
F:\xih9.cmd
G:\9.cmd
G:\Autorun.inf
G:\bo1dhu.bat
G:\c9hehpa.bat
g:\recycler\S-4-9-22-100006281-100013881-100007727-3340.com
G:\uvsqfgwd.cmd
G:\xih9.cmd
G:\yssjnngm.cmd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSNETMANAGERXP


((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.

2009-02-07 23:27 . 2008-09-01 14:27 <DIR> d-------- C:\327882R2FWJFW
2009-02-06 21:22 . 2009-02-06 20:14 7,025 --a------ C:\Document.rtf
2009-02-06 16:53 . 2009-02-07 11:07 <DIR> d-------- C:\eagle
2009-02-06 16:53 . 2009-02-06 16:45 791,393 --a------ C:\erunt-setup.exe
2009-02-06 16:53 . 2009-02-06 16:48 214,517 --a------ C:\Flash_Disinfector.exe
2009-02-06 03:29 . 2009-02-06 03:29 <DIR> d-------- c:\program files\ERUNT
2009-02-04 00:54 . 2009-02-04 00:54 <DIR> d-------- C:\_OTScanIt
2009-02-01 21:17 . 2009-02-01 21:16 109,930 -r-hs---- C:\a2h2.com
2009-02-01 06:19 . 2009-02-01 06:57 250 --a------ c:\windows\gmer.ini
2009-01-27 23:40 . 2009-01-25 20:00 359,656 --a------ C:\msicuu2.exe
2009-01-25 19:28 . 2009-01-25 19:28 0 --a------ C:\c39e
2009-01-23 11:38 . 2009-01-23 11:38 15,083,520 --a------ c:\program files\spybotsd160_1.exe
2009-01-23 11:10 . 2009-01-23 11:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-23 00:48 . 2009-01-23 00:48 <DIR> d--h----- c:\windows\PIF
2009-01-20 23:16 . 2009-02-07 10:42 <DIR> d-------- C:\Lajan
2009-01-14 19:05 . 2009-01-14 19:17 82 --a------ c:\windows\mafosav.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 16:05 --------- d-----w c:\program files\SuperDVD Player 5.0
2009-02-02 00:53 --------- d-----w c:\documents and settings\Lajan\Application Data\dvdcss
2009-01-31 16:38 --------- d-----w c:\program files\DAEMON Tools
2009-01-25 14:20 --------- d-----w c:\program files\Common Files\Softwin
2009-01-24 03:07 29,480 ----a-w c:\documents and settings\Lajan\Application Data\GDIPFONTCACHEV1.DAT
2009-01-23 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-01-23 05:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 03:56 --------- d-----w c:\program files\Google
2009-01-23 03:23 --------- d-----w c:\documents and settings\Lajan\Application Data\AVG7
2009-01-22 14:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-22 14:03 --------- d-----w c:\program files\DAP
2009-01-22 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-01-22 09:12 --------- d-----w c:\program files\Spybot - Search & Destroy1
2009-01-21 05:58 79,360 ----a-w c:\windows\Internet Logs\xDB7A.tmp
2009-01-19 18:16 1,580,032 ----a-w c:\windows\Internet Logs\xDB79.tmp
2009-01-18 21:24 72,704 ----a-w c:\windows\Internet Logs\xDB77.tmp
2009-01-18 21:24 1,579,008 ----a-w c:\windows\Internet Logs\xDB78.tmp
2009-01-17 15:18 47,104 ----a-w c:\windows\Internet Logs\xDB76.tmp
2009-01-16 19:39 71,168 ----a-w c:\windows\Internet Logs\xDB75.tmp
2009-01-16 04:16 107,520 ----a-w c:\windows\Internet Logs\xDB73.tmp
2009-01-16 04:16 1,575,424 ----a-w c:\windows\Internet Logs\xDB74.tmp
2009-01-16 04:01 --------- d-----w c:\documents and settings\Lajan\Application Data\U3
2009-01-14 18:58 124,416 ----a-w c:\windows\Internet Logs\xDB72.tmp
2009-01-11 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-11 10:54 16,384 ----a-w c:\windows\system32\dotnetfx.dll
2009-01-10 18:40 209,920 ----a-w c:\windows\Internet Logs\xDB70.tmp
2009-01-10 18:40 1,570,816 ----a-w c:\windows\Internet Logs\xDB71.tmp
2009-01-09 08:01 1,567,744 ----a-w c:\windows\Internet Logs\xDB6F.tmp
2009-01-07 08:12 46,080 ----a-w c:\windows\Internet Logs\xDB6E.tmp
2009-01-06 18:28 101,376 ----a-w c:\windows\Internet Logs\xDB6D.tmp
2009-01-05 17:39 81,408 ----a-w c:\windows\Internet Logs\xDB6B.tmp
2009-01-05 17:39 1,560,576 ----a-w c:\windows\Internet Logs\xDB6C.tmp
2009-01-05 03:36 192,512 ----a-w c:\windows\Internet Logs\xDB6A.tmp
2009-01-03 07:35 136,704 ----a-w c:\windows\Internet Logs\xDB68.tmp
2009-01-03 07:35 1,555,456 ----a-w c:\windows\Internet Logs\xDB69.tmp
2009-01-01 18:34 101,376 ----a-w c:\windows\Internet Logs\xDB67.tmp
2008-12-30 19:12 418,304 ----a-w c:\windows\Internet Logs\xDB66.tmp
2008-12-30 10:15 202,752 ----a-w c:\documents and settings\All Users\Application Data\explorer.exe
2008-12-26 11:53 --------- d-----w c:\program files\Smallvideosoft
2008-12-25 11:21 --------- d-----w c:\program files\Cucusoft
2008-12-25 08:22 37,376 ----a-w c:\windows\Internet Logs\xDB65.tmp
2008-12-24 21:05 93,696 ----a-w c:\windows\Internet Logs\xDB63.tmp
2008-12-24 21:05 1,541,632 ----a-w c:\windows\Internet Logs\xDB64.tmp
2008-12-23 10:10 131,584 ----a-w c:\windows\Internet Logs\xDB62.tmp
2008-12-22 15:44 --------- d-----w c:\program files\3GP Player
2008-12-22 15:44 --------- d-----w c:\documents and settings\Lajan\Application Data\vlc
2008-12-22 15:40 --------- d-----w c:\program files\VideoLAN
2008-12-20 07:18 34,304 ----a-w c:\windows\Internet Logs\xDB61.tmp
2008-12-19 20:22 67,072 ----a-w c:\windows\Internet Logs\xDB60.tmp
2008-12-17 19:50 105,472 ----a-w c:\windows\Internet Logs\xDB5E.tmp
2008-12-17 19:50 1,536,000 ----a-w c:\windows\Internet Logs\xDB5F.tmp
2008-12-15 13:39 96,768 ----a-w c:\windows\Internet Logs\xDB5C.tmp
2008-12-15 13:39 1,532,416 ----a-w c:\windows\Internet Logs\xDB5D.tmp
2008-12-12 07:47 77,312 ----a-w c:\windows\Internet Logs\xDB5B.tmp
2008-12-11 03:13 22,528 ----a-w c:\windows\Internet Logs\xDB5A.tmp
2008-12-10 18:29 30,720 ----a-w c:\windows\Internet Logs\xDB59.tmp
2008-12-08 16:53 29,184 ----a-w c:\windows\Internet Logs\xDB58.tmp
2008-12-08 06:07 --------- d-----w c:\documents and settings\Loges\Application Data\Yahoo!
2008-12-07 03:04 67,072 ----a-w c:\windows\Internet Logs\xDB57.tmp
2008-12-07 02:30 2,321,718 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-04 19:05 25,600 ----a-w c:\windows\Internet Logs\xDB56.tmp
2008-12-04 07:06 12,800 ----a-w c:\windows\Internet Logs\xDB54.tmp
2008-12-04 07:06 1,527,296 ----a-w c:\windows\Internet Logs\xDB55.tmp
2008-12-03 21:33 18,432 ----a-w c:\windows\Internet Logs\xDB53.tmp
2008-12-02 16:29 35,840 ----a-w c:\windows\Internet Logs\xDB52.tmp
2008-12-01 07:38 33,792 ----a-w c:\windows\Internet Logs\xDB51.tmp
2008-11-30 19:04 28,672 ----a-w c:\windows\Internet Logs\xDB50.tmp
2008-11-30 15:07 140,288 ----a-w c:\windows\Internet Logs\xDB4E.tmp
2008-11-30 15:07 1,524,224 ----a-w c:\windows\Internet Logs\xDB4F.tmp
2008-11-24 17:57 94,720 ----a-w c:\windows\Internet Logs\xDB4C.tmp
2008-11-24 17:57 1,508,352 ----a-w c:\windows\Internet Logs\xDB4D.tmp
2008-11-22 19:30 83,968 ----a-w c:\windows\Internet Logs\xDB4A.tmp
2008-11-22 19:30 1,506,304 ----a-w c:\windows\Internet Logs\xDB4B.tmp
2008-11-19 12:59 47,616 ----a-w c:\windows\Internet Logs\xDB49.tmp
2008-11-15 19:13 26,112 ----a-w c:\windows\Internet Logs\xDB48.tmp
2008-11-14 19:16 133,632 ----a-w c:\windows\Internet Logs\xDB46.tmp
2008-11-14 19:16 1,500,160 ----a-w c:\windows\Internet Logs\xDB47.tmp
2008-11-10 17:32 39,936 ----a-w c:\windows\Internet Logs\xDB45.tmp
2008-11-08 17:30 43,520 ----a-w c:\windows\Internet Logs\xDB44.tmp
2008-11-07 19:50 54,784 ----a-w c:\windows\Internet Logs\xDB42.tmp
2008-11-07 19:50 1,496,576 ----a-w c:\windows\Internet Logs\xDB43.tmp
2008-07-01 15:29 28,312 ----a-w c:\documents and settings\Dhenu\Application Data\GDIPFONTCACHEV1.DAT
2008-02-03 15:16 24,344 ----a-w c:\documents and settings\Bavani\Application Data\GDIPFONTCACHEV1.DAT
2007-09-21 14:11 1,187,840 ----a-w c:\windows\system32\config\systemprofile\NTUSER(2).DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-2256"="c:\documents and settings\Lajan\Local Settings\Application Data\br5535on.exe" [2006-09-06 44471]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-10-26 335917]
"Bron-Spizaetus"="c:\windows\ShellNew\RakyatKelaparan.exe" [2006-09-06 44471]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-1860"="c:\documents and settings\NetworkService\Local Settings\Application Data\br4743on.exe" [2006-09-06 44471]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
Empty.pif [2006-09-06 44471]

c:\documents and settings\Loges\Start Menu\Programs\Startup\
Empty.pif [2006-09-06 44471]

c:\documents and settings\Lajan\Start Menu\Programs\Startup\
Empty.pif [2006-09-06 44471]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 161184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"
"Shell"="Explorer.exe \"c:\windows\KesenjanganSosial.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\DAP\\DAP.exe"= c:\\Program Files\\DAP\\DAP.EXE
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"g:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Product Assistant\\bin\\hprblog.exe"=
"c:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqSTE08.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Spybot - Search & Destroy1\\TeaTimer.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\uqrnnn.sys --> c:\windows\system32\drivers\uqrnnn.sys [?]
S1 VFILT;Outpost Firewall Kernel Driver;\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [?]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [?]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\tdi.sys [2004-08-04 18560]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 221184]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [?]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [?]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [?]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [?]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [?]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [?]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2007-09-07 58288]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2007-09-07 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2007-09-07 83344]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [?]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [?]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [?]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [?]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2007-12-05 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2007-12-05 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2007-12-05 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-11-19 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2007-12-05 86368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{153e4102-b15c-11dc-a9df-0000e25b415b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MntDrCore.exe
\Shell\Open\command - H:\MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{247946a7-a694-11dd-b414-0000e25b415b}]
\Shell\open\Command - 1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e39a0b8-be18-11dd-b44e-0000e25b415b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - I:\system.exe
\Shell\Open\command - I:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b117924-5cf9-11dc-a8b8-0000e25b415b}]
\Shell\AutoRun\command - H:\SSCVIIHOST.exe
\Shell\Open\command - H:\SSCVIIHOST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda850a3-b603-11dd-b43b-0000e25b415b}]
\Shell\AutoRun\command - I:\
\Shell\explore\Command - I:\
\Shell\open\Command - I:\
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\At1.job
- c:\documents and settings\Lajan\Templates\9252-NendangBro.com [2006-09-06 07:07]

2009-02-07 c:\windows\Tasks\At2.job
- c:\documents and settings\Lajan\Templates\9252-NendangBro.com [2006-09-06 07:07]

2008-10-01 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy1\SDUpdate.exe []

2009-01-03 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []

2008-09-10 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Tok-Cirrhatus - (no file)
HKU-Default-Run-Tok-Cirrhatus - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Lajan\Application Data\Mozilla\Firefox\Profiles\56qfjgrf.default\
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: g:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 00:23:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\WgaTray.exe
c:\qoobox\Quarantine\C\Documents and Settings\Lajan\Local Settings\Application Data\winlogon.exe.vir\COMCTL32.DLL
c:\qoobox\Quarantine\C\Documents and Settings\Lajan\Local Settings\Application Data\services.exe.vir078145449-1417001333-1004
c:\qoobox\Quarantine\C\Documents and Settings\Lajan\Local Settings\Application Data\lsass.exe.virWizard.lnk
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-02-08 0:36:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-07 19:06:03

Pre-Run: 886,771,712 bytes free
Post-Run: 874,016,768 bytes free

524 --- E O F --- 2008-07-16 00:49:32

Edited by PropagandaPanda, 08 February 2009 - 11:53 AM.
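A defender-side triage script, added here as an example and not part of the thread, of ComboFix or of any tool it names: it parses the "Reg Loading Points" block of a ComboFix log like the one above, flags the policy, Security Center, Winlogon Shell and mountpoints2 autorun entries that indicate tampering, and turns those findings into a CFScript "Registry::" stanza in the syntax the helper uses in this thread. The sample log is a constructed excerpt built from entries in the log above; the value-parsing rules (the "1 (0x1)" and "dword:00000001" spellings) are assumptions about ComboFix's output format taken from that log.

```python
import re
# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\windows\KesenjanganSosial.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e39a0b8-be18-11dd-b44e-0000e25b415b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Open\command - I:\system.exe
"""
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                                  # "Name"=value
MOUNT_RE = re.compile(r"^\\Shell\\\S+\\command\s+-\s+(.*)$", re.IGNORECASE)  # \Shell\x\command - cmd
TAMPER_VALUES = {  # policy and Security Center values malware flips to blind the user and the OS
    "disabletaskmgr", "disableregistrytools", "nofolderoptions", "antivirusdisablenotify",
    "antivirusoverride", "firewalldisablenotify", "firewalloverride", "updatesdisablenotify",
    "uacdisablenotify", "disablemonitoring"}

def is_set(value: str) -> bool:  # assumed ComboFix spellings: '1 (0x1)' and 'dword:00000001'
    return value.lower().startswith("1") or value.lower().endswith(":00000001")

def triage(log: str) -> list:
    """One pass over the log; returns (kind, registry key, detail) for each suspicious line."""
    findings, key = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # start of a new registry key block
            continue
        k, m = key.lower(), VALUE_RE.match(line)
        if m:
            name, value = m.groups()
            n = name.lower()
            if n in TAMPER_VALUES and is_set(value):
                findings.append(("policy_tamper", key, name))
            elif n == "enablefirewall" and "firewallpolicy" in k and not is_set(value):
                findings.append(("firewall_disabled", key, name))
            elif n == "shell" and "winlogon" in k and value.strip('"').lower() != "explorer.exe":
                findings.append(("shell_hijack", key, value))  # anything beyond Explorer.exe
        elif "mountpoints2" in k and MOUNT_RE.match(line):
            findings.append(("autorun_mountpoint", key, MOUNT_RE.match(line).group(1)))
    return findings

def cfscript_registry(findings: list) -> str:
    """Registry:: stanza as in this thread: "Name"=- deletes a value, [-Key] deletes a key."""
    stanza = {}
    for kind, key, detail in findings:
        if kind == "autorun_mountpoint":
            stanza.setdefault("-" + key, [])
        elif kind == "policy_tamper":
            stanza.setdefault(key, []).append(f'"{detail}"=-')
        elif kind == "firewall_disabled":
            stanza.setdefault(key, []).append('"EnableFirewall"=DWORD:1')
        elif kind == "shell_hijack":
            stanza.setdefault(key, []).append('"Shell"="Explorer.exe"')
    lines = ["Registry::"]
    for key, values in stanza.items():
        lines += [f"[{key}]"] + values + [""]
    return "\n".join(lines).rstrip()
```

Running `cfscript_registry(triage(SAMPLE_LOG))` yields the value deletions, the Shell reset, the firewall re-enable and the `[-...mountpoints2...]` key removal that the helper's script in this thread spells out by hand.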


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:40 PM

Posted 08 February 2009 - 12:04 PM

Hello.

Let's finish that off.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\documents and settings\Lajan\Local Settings\Application Data\br5535on.exe
    c:\documents and settings\NetworkService\Local Settings\Application Data\br4743on.exe
    c:\documents and settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
    c:\documents and settings\Loges\Start Menu\Programs\Startup\Empty.pif
    c:\documents and settings\Lajan\Start Menu\Programs\Startup\Empty.pif
    c:\windows\KesenjanganSosial.exe
    H:\MntDrCore.exe
    I:\system.exe
    H:\SSCVIIHOST.exe
    c:\documents and settings\Lajan\Templates\9252-NendangBro.com
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At2.job
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Tok-Cirrhatus-2256"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Tok-Cirrhatus-1860"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    "DisableRegistryTools"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="Explorer.exe"
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    "UpdatesDisableNotify"=-
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    "UacDisableNotify"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=-
    "AntiVirusDisableNotify"=-
    "FirewallDisableNotify"=-
    "FirewallOverride"=-
    "UpdatesDisableNotify"=-
    "UacDisableNotify"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=DWORD:1
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{153e4102-b15c-11dc-a9df-0000e25b415b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{247946a7-a694-11dd-b414-0000e25b415b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e39a0b8-be18-11dd-b44e-0000e25b415b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b117924-5cf9-11dc-a8b8-0000e25b415b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda850a3-b603-11dd-b43b-0000e25b415b}]
    
    Driver::
    abp470n5
    
    Rootkit::
    c:\windows\system32\drivers\uqrnnn.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda

#11 botcheck

botcheck
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:40 PM

Posted 12 February 2009 - 04:18 AM

Hello Mr. Panda,

When I do what you said, ComboFix initializes and after that, while it is creating a restore point, my machine suddenly shuts down and restarts. I have tried this three times but the same thing happens. Please help me.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:40 PM

Posted 12 February 2009 - 12:01 PM

Hello.

Let's try something else.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to delete:
    abp470n5
    
    Files to delete:
    c:\windows\system32\drivers\uqrnnn.sys
    c:\documents and settings\Lajan\Local Settings\Application Data\br5535on.exe
    c:\documents and settings\NetworkService\Local Settings\Application Data\br4743on.exe
    c:\documents and settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
    c:\documents and settings\Loges\Start Menu\Programs\Startup\Empty.pif
    c:\documents and settings\Lajan\Start Menu\Programs\Startup\Empty.pif
    c:\windows\KesenjanganSosial.exe
    H:\MntDrCore.exe
    I:\system.exe
    H:\SSCVIIHOST.exe
    c:\documents and settings\Lajan\Templates\9252-NendangBro.com
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At2.job
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.

After the Avenger runs, run ComboFix again just by double clicking it.

With Regards,
The Panda

#13 botcheck

botcheck
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:40 PM

Posted 13 February 2009 - 12:18 PM

Problem again, Mr. Panda. While running ERUNT, the machine restarts.

Also, whenever I try to access the registry editor, my machine restarts. I think this is related to the problem.

Please help me.
Thank you.

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:40 PM

Posted 13 February 2009 - 01:06 PM

Hello.

Please run ComboFix again just by clicking it. ComboFix contains an ERUNT backup. No need to post back this log.

Next, run The Avenger with the script above.

Then, click on your Start Menu -> Run... and enter:
ComboFix /F3M

Take a new log with GMER too.

With Regards,
The Panda

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:40 PM

Posted 25 February 2009 - 03:36 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
