
Spyware on my PC! kingduuba a (Trojan.Agent), winhelp32 (Backdoor.Hupigon)


  • This topic is locked
27 replies to this topic

#1 henceforth

henceforth

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 24 May 2009 - 05:39 AM

Greetings to all the wizards here and a request to help!

My PC has definitely been infected by some spyware - maybe a trojan or something bad like that!

Could you please help?

I have Zone Alarm firewall and also use their spyware antivirus.

I also have programs like Malwarebytes' Anti-Malware, SUPERAntiSpyware and Spybot, but this spyware seems to be really malicious and would not go away!

Please help me get rid of it.

Thanks in advance and have a good day!

henceforth

Here is the DDS.txt


DDS (Ver_09-05-14.01) - FAT32x86
Run by All Mankind at 15:59:29.12 on Sun 05/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.508 [GMT 5.5:30]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\clfileeFilename.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k krnlsrvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\All Mankind\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: {00625B36-378C-4E4C-B1A3-DD19A0F20596} = 218.248.240.208 218.248.255.193
TCP: {BE0879DC-2C8A-4BBD-AA8F-61210777E326} = 218.248.240.208,218.248.255.193
TCP: {D7B79D92-E866-473A-952D-D5EFBB928073} = 218.248.240.208,218.248.255.193
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\allman~1\applic~1\mozilla\firefox\profiles\ze70e4pm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\documents and settings\all mankind\application data\mozilla\firefox\profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\winnt_x86-msvc\components\libchm.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-5-6 150544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-5 353672]
R2 MediaqCentern;MS Median Control qCenter;c:\windows\system32\svchost.exe -k krnlsrvc [2004-8-3 14336]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [2008-3-23 18004]
S2 awp;Kaspersky Internet Security;c:\windows\system32\36O.exe [2009-5-23 15360]
S2 clddos0Nameeeee;clddosTestppppp;c:\windows\clfileeFilename.exe [2009-5-18 12288]
S2 ddd;dddd;c:\windows\ddd.exe --> c:\windows\ddd.exe [?]
S2 feos Service;feos soft Service;c:\windows\system32\f3tct53fwn\j001.exe --> c:\windows\system32\f3tct53fwn\J001.exe [?]
S2 hdds Service;hdds soft Service;c:\windows\system32\v3c77jaozn\J001.exe [2009-5-18 16106]
S2 jmrovk;jmrovk;c:\windows\system32\SVCHOST.EXE -k jmrovk [2004-8-3 14336]
S2 lpjbht;lpjbht;c:\windows\system32\svchost.exe -k lpjbht [2004-8-3 14336]
S2 MediaCenter server;MS Media Control Centers;c:\windows\system32\svchost.exe -k krnlsrvc [2004-8-3 14336]
S2 oicxcm;icxcm;c:\windows\system32\svchost.exe -k oicxcm [2004-8-3 14336]
S2 RouSvc;Routing Service;c:\program files\r_server\RemoteAbc.exe [2009-5-23 296448]
S2 SmbApSrv;SMB Performance Adapter;c:\windows\system32\svchost.exe -k LocalSystem [2004-8-3 14336]
S2 ymrovkru;ymrovkru;\??\c:\windows\system32\drivers\bdlovf.rxr --> c:\windows\system32\drivers\bdlovf.rxr [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\NPF.sys [?]
S4 bfddos;bfddos;c:\windows\system32\g0ss8432en\H001.exe [2009-5-20 67584]
S4 dkaron;dkaron;c:\windows\system32\v3c77jaozn\h002.exe --> c:\windows\system32\v3c77jaozn\H002.exe [?]
S4 ihzaq;ihzaq;c:\windows\system32\ihzaq.exe --> c:\windows\system32\ihzaq.exe [?]
S4 ijzab;ijzab;c:\windows\system32\ijzab.exe --> c:\windows\system32\ijzab.exe [?]
S4 ijzaq;ijzaq;c:\windows\system32\ijzaq.exe --> c:\windows\system32\ijzaq.exe [?]
S4 wedr;wedr;c:\windows\system32\wedr.exe --> c:\windows\system32\wedr.exe [?]
S4 Windows Media Service;Windows Media Service;c:\windows\system32\154o0ldu5n\H001.exe [2009-5-19 33280]

=============== Created Last 30 ================

2009-05-24 15:16 4,480 a------- c:\windows\system32\drivers\PCIDump.sys
2009-05-24 08:16 <DIR> --d----- c:\docume~1\allman~1\applic~1\Free Download Manager
2009-05-24 08:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FreeDownloadManager.ORG
2009-05-24 08:16 <DIR> --d----- c:\program files\Free Download Manager
2009-05-23 18:45 <DIR> --d----- c:\program files\R_Server
2009-05-23 18:43 <DIR> --d----- c:\windows\system32\1QE14LCZAn
2009-05-23 15:54 108,544 a------- c:\windows\system32\smbsvc.dll
2009-05-23 15:54 <DIR> --d----- c:\windows\system32\18R6IUQ04n
2009-05-23 08:57 15,360 -------- c:\windows\system32\36O.exe
2009-05-23 08:44 695,284 a------- c:\windows\system32\libmysql.dll
2009-05-23 08:44 <DIR> --d----- c:\windows\system32\GSVKM88Q6n
2009-05-23 06:33 <DIR> --d----- c:\windows\system32\OCHLH2UKZn
2009-05-23 05:52 <DIR> --d----- c:\windows\system32\F3TCT53FWn
2009-05-22 22:03 1,528 a------- c:\windows\system32\ajtbqi.key
2009-05-22 22:02 1 a------- c:\windows\system32\0005a26f.ini
2009-05-22 22:01 <DIR> --d----- c:\windows\system32\M56CHOT81n
2009-05-22 15:26 <DIR> --d----- c:\windows\system32\9X5T5EQCPn
2009-05-22 11:48 <DIR> --d----- c:\windows\system32\YTV773FQAn
2009-05-20 19:34 1,866 a------- c:\windows\system32\oicxcmD@.key
2009-05-20 19:34 1,864 a------- c:\windows\system32\rltwsoD@.key
2009-05-20 19:26 1 a------- c:\windows\system32\00054615.ini
2009-05-20 19:25 1 a------- c:\windows\system32\0004d289.ini
2009-05-20 19:24 <DIR> --d----- c:\windows\system32\G0SS8432En
2009-05-19 11:39 3,866 a------- c:\windows\system32\bdlovf.key
2009-05-19 11:39 1 a------- c:\windows\system32\3a353.imj
2009-05-19 11:39 96,904 -------- c:\windows\system32\bdlovf.gtm
2009-05-19 11:36 <DIR> --d----- c:\windows\system32\154O0LDU5n
2009-05-19 07:11 <DIR> --d----- c:\windows\system32\GEQISRQM8n
2009-05-18 17:22 <DIR> --d----- c:\windows\system32\IDMNTRTNPn
2009-05-18 14:20 12,288 a------- c:\windows\clfileeFilename.exe
2009-05-18 14:17 <DIR> --d----- c:\windows\system32\EV27MH0KDn
2009-05-18 12:50 <DIR> --d----- c:\windows\system32\V3C77JAOZn
2009-05-18 10:23 <DIR> --d----- c:\windows\system32\i
2009-05-18 09:01 81 a------- c:\windows\system32\asr_zuqdc
2009-05-17 17:19 <DIR> --d----- c:\program files\Real Alternative
2009-05-17 16:43 168,448 a------- c:\windows\system32\unrar.dll
2009-05-17 16:43 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-05-06 07:42 <DIR> --d----- c:\program files\SonicWallES
2009-05-06 06:11 1,122 a------- C:\rollback.ini
2009-05-05 22:32 <DIR> --d----- c:\docume~1\allman~1\applic~1\MailFrontier
2009-05-05 22:31 4,212 a---hr-- c:\windows\system32\zllictbl.dat
2009-05-05 22:20 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-05 22:20 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-05 22:14 72,584 a------- c:\windows\zllsputility.exe
2009-05-05 22:14 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-05-05 22:14 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-05-05 22:14 <DIR> --d----- c:\program files\Zone Labs
2009-05-05 22:14 351,219 a------- c:\windows\system32\vsconfig.xml
2009-05-05 19:33 713,216 -------- c:\windows\system32\dllcache\sxs.dll
2009-05-04 22:53 87,608 a------- c:\docume~1\allman~1\applic~1\inst.exe
2009-04-29 21:52 <DIR> --dsh--- C:\FOUND.001
2009-04-28 14:23 25,600 a------- c:\windows\system32\drivers\usbser.sys
2009-04-28 14:23 25,600 a------- c:\windows\system32\dllcache\usbser.sys
2009-04-28 14:23 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-28 14:23 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-28 14:23 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-04-28 13:27 <DIR> --d----- c:\program files\common files\PCSuite
2009-04-28 13:27 <DIR> --d----- c:\program files\common files\Nokia
2009-04-28 13:22 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-04-28 13:21 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-04-28 13:20 7,808 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-04-28 13:20 7,808 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-04-28 13:20 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-04-28 13:20 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-04-28 13:20 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-04-28 13:20 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2009-04-28 10:02 <DIR> --d----- c:\program files\Nokia

==================== Find3M ====================

2009-05-04 22:53 47,360 a------- c:\docume~1\allman~1\applic~1\pcouffin.sys
2009-04-29 21:41 90,112 a------- c:\windows\DUMP6c22.tmp
2009-04-29 21:39 90,112 a------- c:\windows\DUMP1d68.tmp
2009-04-29 21:33 90,112 a------- c:\windows\DUMP12e7.tmp
2009-04-29 21:31 90,112 a------- c:\windows\DUMP4532.tmp
2009-04-29 21:28 90,112 a------- c:\windows\DUMP1d76.tmp
2009-04-29 21:25 90,112 a------- c:\windows\DUMP1d96.tmp
2009-04-29 21:23 90,112 a------- c:\windows\DUMP1d67.tmp
2009-04-29 21:20 90,112 a------- c:\windows\DUMP1d66.tmp
2009-04-29 21:18 90,112 a------- c:\windows\DUMP1db4.tmp
2009-04-29 16:51 90,112 a------- c:\windows\DUMP1d95.tmp
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 14:44 67,792 a------- c:\docume~1\allman~1\applic~1\GDIPFONTCACHEV1.DAT
2008-04-25 13:07 87,608 a------- c:\docume~1\allman~1\applic~1\ezpinst.exe
2002-11-04 14:54 3,392 a------- c:\windows\inf\other\cmiainfo.sys
2009-02-17 10:19 2 a--shr-- c:\windows\winstart.bat
2004-08-17 20:00 67,584 ---sh--- c:\windows\system32\TxmgtdD.dll

============= FINISH: 16:01:33.93 ===============
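The SERVICES / DRIVERS section of the DDS log above is where the infection shows itself most clearly: services loaded through svchost.exe with group names that Windows never shipped (jmrovk, lpjbht, oicxcm, krnlsrvc, LocalSystem), binaries sitting in random-looking directories under system32, a service whose display name claims to be "Kaspersky Internet Security" while its binary is c:\windows\system32\36O.exe, and entries DDS marks [?] because the file could not be found. The Python script below is an editor's example added here; it is not part of the original post and not code from DDS or ComboFix. It parses lines in the DDS service format and flags those four tells. The baseline svchost group list, the KNOWN_MIXED_DIRS allowlist and the SECURITY_VENDORS keyword list are assumptions constructed for the example (tune them to the build you triage), and the sample lines are copied from the log above.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for common persistence tells."""
import re

# Constructed sample: lines copied from the DDS log posted above, mixing legitimate
# drivers (SASDIFSV, vsmon, slnt) with the services the helper later had removed.
SAMPLE_DDS_SERVICES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [2008-3-23 18004]
S2 awp;Kaspersky Internet Security;c:\windows\system32\36O.exe [2009-5-23 15360]
S2 feos Service;feos soft Service;c:\windows\system32\f3tct53fwn\j001.exe --> c:\windows\system32\f3tct53fwn\J001.exe [?]
S2 jmrovk;jmrovk;c:\windows\system32\SVCHOST.EXE -k jmrovk [2004-8-3 14336]
S2 MediaqCentern;MS Median Control qCenter;c:\windows\system32\svchost.exe -k krnlsrvc [2004-8-3 14336]
S2 SmbApSrv;SMB Performance Adapter;c:\windows\system32\svchost.exe -k LocalSystem [2004-8-3 14336]
S4 Windows Media Service;Windows Media Service;c:\windows\system32\154o0ldu5n\H001.exe [2009-5-19 33280]
"""

# Assumed baseline of 'svchost.exe -k' groups on Windows XP SP2 (constructed; tune per build).
BASELINE_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
                           "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup"}
# Directory names that legitimately mix letters and digits (constructed allowlist).
KNOWN_MIXED_DIRS = {"system32", "syswow64"}
# Vendor names worth impersonating in a service display name (constructed list).
SECURITY_VENDORS = ("kaspersky", "norton", "mcafee", "symantec", "avast", "avg")

# One DDS service line: '<start> <name>;<display>;<command> [<date> <size>]' or '... [?]'.
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")


def parse_service_line(line):
    """Return a dict for one DDS service line, or None if the line is not one."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    cmd = svc["cmd"]
    # DDS prints 'configured --> resolved' when the two differ; the resolved form is what runs.
    if " --> " in cmd:
        cmd = cmd.split(" --> ", 1)[1]
    svc["cmd"] = cmd
    svc["missing"] = svc["meta"].strip() == "?"  # '[?]' means DDS could not stat the file
    return svc


def looks_random(component):
    """Heuristic: an all-alphanumeric directory name, 8+ chars, mixing letters and digits."""
    return (len(component) >= 8 and component.isalnum()
            and any(c.isdigit() for c in component) and any(c.isalpha() for c in component)
            and component not in KNOWN_MIXED_DIRS)


def assess(svc):
    """Return the reasons a parsed service entry deserves a closer look (empty list if none)."""
    reasons = []
    cmd = svc["cmd"].lower()
    display = svc["display"].lower()
    m = re.search(r"svchost\.exe\s+-k\s+(\S+)", cmd)
    if m and m.group(1) not in BASELINE_SVCHOST_GROUPS:
        reasons.append(f"non-baseline svchost group '{m.group(1)}'")
    path = cmd.split(" -")[0]  # drop trailing arguments such as '-service' or '-k group'
    for d in path.split("\\")[:-1]:  # directory components only, not the file name
        if looks_random(d):
            reasons.append(f"random-looking directory '{d}'")
    if any(v in display for v in SECURITY_VENDORS) and "\\program files\\" not in path:
        reasons.append("security-product display name but binary outside Program Files")
    if svc["missing"]:
        reasons.append("binary not found on disk ([?])")
    return reasons


def triage(text):
    """Map service name -> reasons for every entry in a DDS services section that trips a check."""
    findings = {}
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc:
            reasons = assess(svc)
            if reasons:
                findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DDS_SERVICES).items():
        print(f"{name:<22} {'; '.join(reasons)}")
```

Run as-is it flags seven of the nine sample entries. The one false positive, vsmon, shows why the "[?]" signal should be weighed together with the others: DDS could not stat that file only because the command line carries a "-service" argument, and the same weak signal is what later in this thread lets the legitimate WinPcap NPF driver be listed next to the malware. The svchost-group check has no such ambiguity on this system: the four extra groups are exactly the ones that appear under the svchost registry key in the ComboFix log later in the thread.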

#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 24 May 2009 - 08:58 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
  • Link 1
  • Link 2
  • Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

------------------------------------------------------------------------------------------------------------------

NOTE: IMPORTANT! To other lurkers who see this topic, if you ever want to use ComboFix, please have a look at the tutorial below.. You have been warned!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 henceforth

henceforth
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 24 May 2009 - 09:37 PM

Thanks fenzodahl512 for the prompt response! :)

I am afraid I need further help ... :)

Downloaded combofix! Have it ready to run on my desktop.

Problem is I just cannot disable zone alarm!

I disabled the ZA firewall, ZA antivirus and ZA spyware in the program.
After that I right clicked the ZA tray icon and shutdown zone alarm completely! :)

And when I fire up combofix it warns me Zone Alarm Anti Virus is still running! :cool:
Rebooted a dozen times and searched for tutorials to disable Zone Alarm completely with no luck!
The link you provided does not list Zone Alarm.

Should I UNINSTALL Zone Alarm completely? :)
I have found a complicated method to do it online and I can manage.
Or do you recommend any other firewall/antivirus combination?

Sorry for these elementary queries - I am sure you would understand.

Please guide and thanks in advance for all the help. :thumbup2:

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 24 May 2009 - 10:52 PM

Should I UNINSTALL Zone Alarm completely?


Yup.. Firstly, please do the steps below..

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! If you can't complete this step.. Tell me more about it..


Then please uninstall Zone Alarm completely.. You can either use their internal uninstaller, or Revo Uninstaller (link below) or use the technique I give you in a link (below Revo Uninstaller link)..

Revo Uninstaller: http://www.revouninstaller.com/revo_uninst...e_download.html
Alternative technique: http://www.suggestafix.com/index.php?showtopic=7102


Then run ComboFix and post the log here :thumbup2:



#5 henceforth

henceforth
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 25 May 2009 - 01:43 AM

Hi fenzodahl512! :)

Managed to do all the steps!

Downloaded comedian which ran fine.

Disabled all spyware proggys and Zone Alarm too [I think I did! ;)]

Ran comedian. He cracked some jokes, scanned the PC and installed ERUNT and left a reg file called NTREGOPT on the desktop.

Uninstalled Zone Alarm using Revo. Worked fine. Restarted PC.

Ran combofix which ran without any warnings about Zone Alarm :cool:

combofix downloaded something from Microsoft and also restarted the PC and generated the log file below!

I also ran hijackthis after that and am appending that log too below! Do you want a hijackthis startup log too?

Trust we are going in the right direction behind the nasty spyware. :) All strength to ye!
Am feeling a tad insecure about not having any firewall or antivirus right now! :)
But guess it should be all ok soon! :)

Thanks so much for your help. Await further orders fenzodahl512 sir! :thumbup2:

henceforth

The logs:

The combofix log:

ComboFix 09-05-23.04 - All Mankind 05/25/2009 11:51.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.735 [GMT 5.5:30]
Running from: c:\documents and settings\All Mankind\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Mankind\Application Data\inst.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\1QE14LCZAn\001.exe
c:\windows\system32\drivers\pcidump.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GRAYPIGEON_HACKER.COM.CN
-------\Legacy_KINGDUUBA_A
-------\Legacy_WINHELP32
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 06:07 . 2009-05-25 06:07 -------- d-----w c:\program files\ERUNT
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Mankind\Application Data\Free Download Manager
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\program files\Free Download Manager
2009-05-23 13:15 . 2009-05-23 13:15 -------- d-----w c:\program files\R_Server
2009-05-23 13:13 . 2009-05-23 13:13 -------- d-----w c:\windows\system32\1QE14LCZAn
2009-05-23 10:24 . 2009-05-23 13:13 108544 ----a-w c:\windows\system32\smbsvc.dll
2009-05-23 10:24 . 2009-05-23 10:24 -------- d-----w c:\windows\system32\18R6IUQ04n
2009-05-23 03:14 . 2009-05-23 13:13 695284 ----a-w c:\windows\system32\libmysql.dll
2009-05-23 03:14 . 2009-05-23 03:14 -------- d-----w c:\windows\system32\GSVKM88Q6n
2009-05-23 01:03 . 2009-05-23 01:03 -------- d-----w c:\windows\system32\OCHLH2UKZn
2009-05-23 00:22 . 2009-05-23 00:22 -------- d-----w c:\windows\system32\F3TCT53FWn
2009-05-22 16:31 . 2009-05-22 16:31 -------- d-----w c:\windows\system32\M56CHOT81n
2009-05-22 09:56 . 2009-05-22 09:56 -------- d-----w c:\windows\system32\9X5T5EQCPn
2009-05-22 06:18 . 2009-05-22 06:18 -------- d-----w c:\windows\system32\YTV773FQAn
2009-05-20 13:54 . 2009-05-20 13:54 -------- d-----w c:\windows\system32\G0SS8432En
2009-05-19 06:06 . 2009-05-19 06:06 -------- d-----w c:\windows\system32\154O0LDU5n
2009-05-19 01:41 . 2009-05-19 01:41 -------- d-----w c:\windows\system32\GEQISRQM8n
2009-05-18 11:52 . 2009-05-18 11:52 -------- d-----w c:\windows\system32\IDMNTRTNPn
2009-05-18 08:50 . 2009-05-18 08:50 12288 ----a-w c:\windows\clfileeFilename.exe
2009-05-18 08:47 . 2009-05-18 08:47 -------- d-----w c:\windows\system32\EV27MH0KDn
2009-05-18 07:20 . 2009-05-18 07:20 -------- d-----w c:\windows\system32\V3C77JAOZn
2009-05-18 04:53 . 2009-05-18 04:53 -------- d-----w c:\windows\system32\i
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\program files\Real Alternative
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\documents and settings\All Mankind\Local Settings\Application Data\Real
2009-05-17 11:13 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll
2009-05-17 11:13 . 2009-05-17 11:13 -------- d-----w c:\program files\K-Lite Codec Pack
2009-05-06 02:12 . 2009-05-06 02:12 -------- d-----w c:\program files\SonicWallES
2009-05-05 17:01 . 2009-05-05 17:03 4212 ---ha-r c:\windows\system32\zllictbl.dat
2009-05-05 16:44 . 2009-05-05 16:44 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-05 14:03 . 2008-01-17 17:59 713216 ------w c:\windows\system32\dllcache\sxs.dll
2009-04-29 16:22 . 2009-04-29 16:22 -------- d-sh--w C:\FOUND.001
2009-04-28 16:36 . 2008-06-08 19:52 94208 ----a-w c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\drivers\usbser.sys
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\dllcache\usbser.sys
2009-04-28 08:53 . 2008-03-21 08:27 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\Nokia
2009-04-28 07:52 . 2008-08-26 04:56 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-28 07:51 . 2009-04-28 07:51 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerflt.sys
2009-04-28 07:50 . 2009-02-09 02:07 22016 ----a-w c:\windows\system32\drivers\ccdcmbo.sys
2009-04-28 07:50 . 2009-02-09 02:07 659968 ----a-w c:\windows\system32\nmwcdcocls.dll
2009-04-28 07:50 . 2009-02-09 02:07 17664 ----a-w c:\windows\system32\drivers\ccdcmb.sys
2009-04-28 07:50 . 2009-02-09 02:02 1112288 ----a-w c:\windows\system32\wdfcoinstaller01007.dll
2009-04-28 07:46 . 2009-04-28 07:43 34396584 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng_web.exe
2009-04-28 07:46 . 2009-04-28 07:46 8192 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-28 07:46 . 2009-04-28 07:46 61440 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-28 07:46 . 2009-04-28 07:46 10240 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-28 07:45 . 2009-04-28 07:45 -------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-04-28 04:32 . 2009-04-28 04:32 -------- d-----w c:\program files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 02:44 . 2009-03-18 09:52 117760 ----a-w c:\documents and settings\All Mankind\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-25 01:54 . 2009-05-25 01:54 113091 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_25_07_16_22_small.dmp.zip
2009-05-24 15:51 . 2009-05-24 15:51 3942391 ------w c:\windows\Internet Logs\tvDebug.Zip
2009-05-24 02:01 . 2009-05-24 01:58 19321598 ------w c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_24_05_14_05_full.dmp.zip
2009-05-23 00:22 . 2009-05-23 00:22 158589 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_22_23_15_02_small.dmp.zip
2009-05-15 07:35 . 2008-03-23 09:41 63928 ----a-w c:\documents and settings\All Mankind\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-04-29 16:11 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP6c22.tmp
2009-04-29 16:09 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d68.tmp
2009-04-29 16:03 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP12e7.tmp
2009-04-29 16:01 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP4532.tmp
2009-04-29 15:58 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d76.tmp
2009-04-29 15:55 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d96.tmp
2009-04-29 15:53 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d67.tmp
2009-04-29 15:50 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d66.tmp
2009-04-29 15:48 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1db4.tmp
2009-04-29 11:21 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d95.tmp
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-24 03:36 . 2009-04-24 03:36 -------- d-----w c:\program files\CCleaner
2009-04-20 15:55 . 2009-04-20 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2009-04-20 15:49 . 2009-04-20 15:49 -------- d-----w c:\program files\IVT Corporation
2009-04-16 01:23 . 2009-04-16 01:23 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 10:02 . 2009-01-08 04:05 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 10:02 . 2009-01-08 04:05 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 09:45 . 2009-04-02 09:45 -------- d-----w c:\program files\Lonely Cat Games
2009-04-01 09:27 . 2009-04-01 09:27 -------- d-----w c:\program files\GPLGS
2009-04-01 09:21 . 2009-04-01 09:21 -------- d-----w c:\program files\Acro Software
2009-02-17 04:49 . 2009-02-17 04:49 2 --sha-r c:\windows\winstart.bat
2004-08-17 14:30 . 2004-08-17 14:30 67584 --sh--w c:\windows\system32\TxmgtdD.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Mankind\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mdm.exe]
"Debugger"=rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [3/23/2008 3:25 PM 18004]
S2 awp;Kaspersky Internet Security;c:\windows\system32\36O.exe --> c:\windows\system32\36O.exe [?]
S2 clddos0Nameeeee;clddosTestppppp;c:\windows\clfileeFilename.exe [5/18/2009 2:20 PM 12288]
S2 ddd;dddd;c:\windows\ddd.exe --> c:\windows\ddd.exe [?]
S2 feos Service;feos soft Service;c:\windows\system32\F3TCT53FWn\J001.exe --> c:\windows\system32\F3TCT53FWn\J001.exe [?]
S2 hdds Service;hdds soft Service;c:\windows\system32\V3C77JAOZn\J001.exe [5/18/2009 12:54 PM 16106]
S2 jmrovk;jmrovk;c:\windows\system32\SVCHOST.EXE -k jmrovk [8/3/2004 7:26 PM 14336]
S2 lpjbht;lpjbht;c:\windows\system32\svchost.exe -k lpjbht [8/3/2004 7:26 PM 14336]
S2 MediaCenter server;MS Media Control Centers;c:\windows\System32\svchost.exe -k krnlsrvc [8/3/2004 7:26 PM 14336]
S2 MediaqCentern;MS Median Control qCenter;c:\windows\System32\svchost.exe -k krnlsrvc [8/3/2004 7:26 PM 14336]
S2 oicxcm;icxcm;c:\windows\system32\svchost.exe -k oicxcm [8/3/2004 7:26 PM 14336]
S2 RouSvc;Routing Service;c:\program files\R_Server\RemoteAbc.exe --> c:\program files\R_Server\RemoteAbc.exe [?]
S2 SmbApSrv;SMB Performance Adapter;c:\windows\System32\svchost.exe -k LocalSystem [8/3/2004 7:26 PM 14336]
S2 ymrovkru;ymrovkru;\??\c:\windows\system32\DRiVeRs\bdlovf.rxr --> c:\windows\system32\DRiVeRs\bdlovf.rxr [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]
S4 bfddos;bfddos;c:\windows\system32\G0SS8432En\H001.exe [5/20/2009 7:25 PM 67584]
S4 dkaron;dkaron;c:\windows\system32\V3C77JAOZn\H002.exe --> c:\windows\system32\V3C77JAOZn\H002.exe [?]
S4 ihzaq;ihzaq;c:\windows\system32\ihzaq.exe --> c:\windows\system32\ihzaq.exe [?]
S4 ijzab;ijzab;c:\windows\system32\ijzab.exe --> c:\windows\system32\ijzab.exe [?]
S4 ijzaq;ijzaq;c:\windows\system32\ijzaq.exe --> c:\windows\system32\ijzaq.exe [?]
S4 wedr;wedr;c:\windows\system32\wedr.exe --> c:\windows\system32\wedr.exe [?]
S4 Windows Media Service;Windows Media Service;c:\windows\system32\154O0LDU5n\H001.exe [5/19/2009 11:38 AM 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystem REG_MULTI_SZ SmbApSrv SMB
jmrovk REG_MULTI_SZ jmrovk
oicxcm REG_MULTI_SZ oicxcm
lpjbht REG_MULTI_SZ lpjbht

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\WinXP Manager Live Update.job
- c:\program files\Yamicsoft\WinXP Manager\LiveUpdate.exe [2007-09-21 20:13]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {00625B36-378C-4E4C-B1A3-DD19A0F20596} = 218.248.240.208 218.248.255.193
TCP: {BE0879DC-2C8A-4BBD-AA8F-61210777E326} = 218.248.240.208,218.248.255.193
TCP: {D7B79D92-E866-473A-952D-D5EFBB928073} = 218.248.240.208,218.248.255.193
FF - ProfilePath - c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 11:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jmrovk]
"ServiceDll"="%SystemRoot%\System32\bdlovf.gtm"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ymrovkru]
"ImagePath"="\??\c:\windows\system32\DRiVeRs\bdlovf.rxr"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\BGSVCGEN.EXE
c:\program files\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\FNPLICENSINGSERVICE.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\CANON\CAL\CALMAIN.EXE
.
**************************************************************************
.
Completion time: 2009-05-25 11:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 06:29
ComboFix2.txt 2009-01-08 17:33

Pre-Run: 10,522,804,224 bytes free
Post-Run: 10,490,413,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
225



The hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:39, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\clfileeFilename.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
H:\downloadsoft\hijackthis\30122008\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00625B36-378C-4E4C-B1A3-DD19A0F20596}: NameServer = 218.248.240.208 218.248.255.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE0879DC-2C8A-4BBD-AA8F-61210777E326}: NameServer = 218.248.240.208,218.248.255.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7B79D92-E866-473A-952D-D5EFBB928073}: NameServer = 218.248.240.208,218.248.255.193
O17 - HKLM\System\CS3\Services\Tcpip\..\{00625B36-378C-4E4C-B1A3-DD19A0F20596}: NameServer = 218.248.240.208 218.248.255.193
O17 - HKLM\System\CS4\Services\Tcpip\..\{00625B36-378C-4E4C-B1A3-DD19A0F20596}: NameServer = 218.248.240.208 218.248.255.193
O23 - Service: Kaspersky Internet Security (awp) - Unknown owner - C:\WINDOWS\system32\36O.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: clddosTestppppp (clddos0Nameeeee) - Unknown owner - C:\WINDOWS\clfileeFilename.exe
O23 - Service: dddd (ddd) - Unknown owner - C:\WINDOWS\ddd.exe (file missing)
O23 - Service: feos soft Service (feos Service) - Unknown owner - C:\WINDOWS\system32\F3TCT53FWn\J001.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hdds soft Service (hdds Service) - Unknown owner - C:\WINDOWS\system32\V3C77JAOZn\J001.exe
O23 - Service: Routing Service (RouSvc) - Unknown owner - C:\Program Files\R_Server\RemoteAbc.exe (file missing)

--
End of file - 3987 bytes



Should I UNINSTALL Zone Alarm completely?


Yup.. First, please do the steps below..

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..


Then please uninstall Zone Alarm completely.. You can either use its internal uninstaller, Revo Uninstaller (link below), or the technique I give you in the link below the Revo Uninstaller link..

Revo Uninstaller: http://www.revouninstaller.com/revo_uninst...e_download.html
Alternative technique: http://www.suggestafix.com/index.php?showtopic=7102


Then run ComboFix and post the log here :)



#6 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:09 AM

Posted 25 May 2009 - 02:15 AM

Before I give the next fixes, do you use the Radmin program?.. A program to control your computer remotely?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 henceforth
  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:39 PM

Posted 25 May 2009 - 02:46 AM

Before I give the next fixes, do you use the Radmin program?.. A program to control your computer remotely?


No fenzodahl512!

That was a quick response! Thanks chief! :thumbup2:


I do not use Radmin nor have I installed it. :)

In fact, I had tried deleting it before ... but no luck! :)

#8 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:09 AM

Posted 25 May 2009 - 04:04 AM

edited.. fixing script

Edited by fenzodahl512, 25 May 2009 - 04:09 AM.



#9 henceforth
  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:39 PM

Posted 25 May 2009 - 04:10 AM

Thanks fenzodahl512! :thumbup2:

Following the steps and will revert in 5 mins! :)

Thanks again! :)

henceforth

#10 henceforth
  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:39 PM

Posted 25 May 2009 - 04:11 AM

edited.. fixing script


Should I wait chief? :thumbup2:

#11 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:09 AM

Posted 25 May 2009 - 04:15 AM

Sorry, my internet connection always disconnects :thumbup2: :)


Do below...


Please copy/paste the code below into Notepad

@ECHO OFF
REM Zip every listed folder/file into one archive next to this batch file
REM (-r recurses into folders, -S includes hidden and system files; Info-ZIP zip.exe syntax),
REM then delete the batch file itself.
FOR %%G IN (
"c:\program files\R_Server"
"c:\windows\system32\1QE14LCZAn"
"c:\windows\system32\smbsvc.dll"
"c:\windows\system32\18R6IUQ04n"
"c:\windows\system32\libmysql.dll"
"c:\windows\system32\GSVKM88Q6n"
"c:\windows\system32\OCHLH2UKZn"
"c:\windows\system32\F3TCT53FWn"
"c:\windows\system32\M56CHOT81n"
"c:\windows\system32\9X5T5EQCPn"
"c:\windows\system32\YTV773FQAn"
"c:\windows\system32\G0SS8432En"
"c:\windows\system32\154O0LDU5n"
"c:\windows\system32\GEQISRQM8n"
"c:\windows\system32\IDMNTRTNPn"
"c:\windows\clfileeFilename.exe"
"c:\windows\system32\EV27MH0KDn"
"c:\windows\system32\V3C77JAOZn"
"c:\windows\system32\i"
"c:\windows\winstart.bat"
"c:\windows\system32\TxmgtdD.dll"
"c:\windows\system32\36O.exe"
"c:\windows\ddd.exe"
"c:\windows\system32\DRiVeRs\bdlovf.rxr"
"c:\windows\system32\ihzaq.exe"
"c:\windows\system32\ijzab.exe"
"c:\windows\system32\ijzaq.exe"
"c:\windows\system32\wedr.exe"
) DO Zip -Sr UpLoadTheseFolders.zip %%G
DEL %0


After that, go to File >> Save as... >> follow the instructions below
  • At Save in: choose Desktop
  • At File name: write ask.bat
  • At Save as type: choose All Files
Then press Enter.. A batch file (ask.bat) will be created on your Desktop..

Double-click that file, and a new zip file (UpLoadTheseFolders.zip) will be created on your Desktop.. Please upload that zipped file to this site. Don't forget to include a link to this thread..




1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
jmrovk
lpjbht
oicxcm

Driver::
lpjbht
awp
clddos0Nameeeee
ddd
feos Service
hdds Service
jmrovk
MediaqCentern
MediaCenter server
oicxcm
RouSvc
SmbApSrv
ymrovkru
bfddos
dkaron
ihzaq
ijzab
ijzaq
wedr
Windows Media Service

Rootkit::
c:\windows\winstart.bat
c:\windows\system32\TxmgtdD.dll
c:\windows\system32\36O.exe
c:\windows\clfileeFilename.exe
c:\windows\ddd.exe
c:\windows\system32\DRiVeRs\bdlovf.rxr
c:\windows\system32\ihzaq.exe
c:\windows\system32\ijzab.exe
c:\windows\system32\ijzaq.exe
c:\windows\system32\wedr.exe
c:\windows\system32\smbsvc.dll
c:\windows\System32\bdlovf.gtm

Folder::
c:\program files\R_Server
c:\windows\system32\1QE14LCZAn
c:\windows\system32\18R6IUQ04n
c:\windows\system32\GSVKM88Q6n
c:\windows\system32\OCHLH2UKZn
c:\windows\system32\F3TCT53FWn
c:\windows\system32\M56CHOT81n
c:\windows\system32\9X5T5EQCPn
c:\windows\system32\YTV773FQAn
c:\windows\system32\G0SS8432En
c:\windows\system32\154O0LDU5n
c:\windows\system32\GEQISRQM8n
c:\windows\system32\IDMNTRTNPn
c:\windows\system32\EV27MH0KDn
c:\windows\system32\V3C77JAOZn
c:\windows\system32\i

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"LocalSystem"=-
"jmrovk"=-
"oicxcm"=-
"lpjbht"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jmrovk]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ymrovkru]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again.


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

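The services fenzodahl512 lists under Driver:: are the ones that stand out in the ComboFix service block quoted earlier: entries whose binary is gone ("path --> path [?]"), svchost.exe -k groups that are not part of a stock XP install, and binaries created only days before the scan. As an added example (not from the thread or from any tool mentioned in it), this Python script applies those three checks to the quoted service lines and the svchost registry key; the list of stock svchost group names and the 14-day window are assumptions made for the example.

```python
import re
from datetime import date, datetime, timedelta

# Stock svchost group names on a default Windows XP SP2 install (assumption made
# for this example): any other group on a -k command line deserves a closer look.
DEFAULT_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}

# ComboFix service line: "<start type> <name>;<display name>;<image path> [stamp]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[m/d/yyyy h:mm AM size]" stamp ComboFix prints for a binary it found
STAMP_RE = re.compile(r"\[(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+[^\]]*\]$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
# One line of the [HKLM\...\windows nt\currentversion\svchost] registry dump
REG_GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")

def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    entry = {"start": m["start"], "name": m["name"], "display": m["display"],
             "path": rest, "missing": False, "group": None, "file_date": None}
    if "-->" in rest and rest.endswith("[?]"):
        # ComboFix repeats the path after "-->" and prints [?] when the file is absent
        entry["missing"] = True
        entry["path"] = rest.split("-->", 1)[0].strip()
    else:
        stamp = STAMP_RE.search(rest)
        if stamp:
            entry["file_date"] = datetime.strptime(stamp["date"], "%m/%d/%Y").date()
            entry["path"] = rest[: stamp.start()].strip()
    group = SVCHOST_RE.search(entry["path"])
    if group:
        entry["group"] = group["group"]
    return entry

def triage_services(lines, scan_date, recent_days=14):
    """Map each suspicious service name to the list of reasons it was flagged."""
    findings = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["missing"]:
            reasons.append("registered service whose binary no longer exists")
        if entry["group"] and entry["group"].lower() not in DEFAULT_SVCHOST_GROUPS:
            reasons.append(f"svchost group '{entry['group']}' is not a stock XP group")
        if entry["file_date"] is not None:
            age = (scan_date - entry["file_date"]).days
            if age <= recent_days:  # a stamp dated after the scan is caught as well
                reasons.append(f"service binary is only {age} day(s) old")
        if reasons:
            findings[entry["name"]] = reasons
    return findings

def suspicious_svchost_groups(reg_lines):
    """Map each non-stock svchost group in the registry dump to its member services."""
    groups = {}
    for line in reg_lines:
        m = REG_GROUP_RE.match(line.strip())
        if m and m["group"].lower() not in DEFAULT_SVCHOST_GROUPS:
            groups[m["group"]] = m["members"].split()
    return groups

# Sample input: a subset of the service lines and the svchost key copied from the
# ComboFix log quoted earlier in this thread; the scan date is the one in its catchme header.
SCAN_DATE = date(2009, 5, 25)
SAMPLE_SERVICE_LINES = r"""
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [3/23/2008 3:25 PM 18004]
S2 awp;Kaspersky Internet Security;c:\windows\system32\36O.exe --> c:\windows\system32\36O.exe [?]
S2 clddos0Nameeeee;clddosTestppppp;c:\windows\clfileeFilename.exe [5/18/2009 2:20 PM 12288]
S2 feos Service;feos soft Service;c:\windows\system32\F3TCT53FWn\J001.exe --> c:\windows\system32\F3TCT53FWn\J001.exe [?]
S2 hdds Service;hdds soft Service;c:\windows\system32\V3C77JAOZn\J001.exe [5/18/2009 12:54 PM 16106]
S2 jmrovk;jmrovk;c:\windows\system32\SVCHOST.EXE -k jmrovk [8/3/2004 7:26 PM 14336]
S2 lpjbht;lpjbht;c:\windows\system32\svchost.exe -k lpjbht [8/3/2004 7:26 PM 14336]
S2 MediaCenter server;MS Media Control Centers;c:\windows\System32\svchost.exe -k krnlsrvc [8/3/2004 7:26 PM 14336]
S2 oicxcm;icxcm;c:\windows\system32\svchost.exe -k oicxcm [8/3/2004 7:26 PM 14336]
S2 RouSvc;Routing Service;c:\program files\R_Server\RemoteAbc.exe --> c:\program files\R_Server\RemoteAbc.exe [?]
S2 SmbApSrv;SMB Performance Adapter;c:\windows\System32\svchost.exe -k LocalSystem [8/3/2004 7:26 PM 14336]
S2 ymrovkru;ymrovkru;\??\c:\windows\system32\DRiVeRs\bdlovf.rxr --> c:\windows\system32\DRiVeRs\bdlovf.rxr [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]
S4 bfddos;bfddos;c:\windows\system32\G0SS8432En\H001.exe [5/20/2009 7:25 PM 67584]
S4 ihzaq;ihzaq;c:\windows\system32\ihzaq.exe --> c:\windows\system32\ihzaq.exe [?]
S4 Windows Media Service;Windows Media Service;c:\windows\system32\154O0LDU5n\H001.exe [5/19/2009 11:38 AM 33280]
""".strip().splitlines()
SAMPLE_SVCHOST_KEY = """
LocalSystem REG_MULTI_SZ SmbApSrv SMB
jmrovk REG_MULTI_SZ jmrovk
oicxcm REG_MULTI_SZ oicxcm
lpjbht REG_MULTI_SZ lpjbht
""".strip().splitlines()

if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICE_LINES, SCAN_DATE).items():
        print(f"{name}: {'; '.join(reasons)}")
    for group, members in suspicious_svchost_groups(SAMPLE_SVCHOST_KEY).items():
        print(f"svchost group {group} hosts: {', '.join(members)}")
```

Every flagged name lands in the Driver:: list of the CFScript above, while the two legitimate drivers (slnt, SASENUM) pass; the non-stock groups reported from the registry key are exactly the ones the script's Registry:: section deletes.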


#12 henceforth
  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:39 PM

Posted 25 May 2009 - 04:17 AM

Sure chief! Thanks! :thumbup2:

Will do that and revert in 5 mins! :)

#13 henceforth
  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:39 PM

Posted 25 May 2009 - 04:29 AM

Hi fenzodahl512!

Have uploaded UpLoadTheseFolders.zip

Also given the link reference of this thread!

Now doing the second step and might reboot my PC.

Will revert as soon as it is done with the combofix and hijackthis logs.

Thanks for your speedy responses pal! :thumbup2:

#14 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:09 AM

Posted 25 May 2009 - 04:36 AM

Ok.. no problem :thumbup2:



#15 henceforth
  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:39 PM

Posted 25 May 2009 - 04:48 AM

Hi fenzodahl512! :thumbup2:

Done both steps fine!

Thanks for your help! :)

henceforth

Here are BOTH the combofix and hijackthis logs below:

1. Combofix log:

ComboFix 09-05-23.04 - All Mankind 05/25/2009 15:03.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.710 [GMT 5.5:30]
Running from: c:\documents and settings\All Mankind\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\All Mankind\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\R_Server
c:\windows\clfileeFilename.exe
c:\windows\system32\154O0LDU5n
c:\windows\system32\154O0LDU5n\H001.exe
c:\windows\system32\18R6IUQ04n
c:\windows\system32\18R6IUQ04n\Q001.exe
c:\windows\system32\1QE14LCZAn
c:\windows\system32\1QE14LCZAn\Q001.exe
c:\windows\system32\9X5T5EQCPn
c:\windows\system32\9X5T5EQCPn\Q001.exe
c:\windows\System32\bdlovf.gtm
c:\windows\system32\EV27MH0KDn
c:\windows\system32\EV27MH0KDn\H001.exe
c:\windows\system32\F3TCT53FWn
c:\windows\system32\F3TCT53FWn\Q001.exe
c:\windows\system32\G0SS8432En
c:\windows\system32\G0SS8432En\H001.exe
c:\windows\system32\G0SS8432En\J001.exe
c:\windows\system32\GEQISRQM8n
c:\windows\system32\GSVKM88Q6n
c:\windows\system32\GSVKM88Q6n\H001.exe
c:\windows\system32\GSVKM88Q6n\J001.exe
c:\windows\system32\GSVKM88Q6n\Q001.exe
c:\windows\system32\i
c:\windows\system32\i\A001.exe
c:\windows\system32\i\R.bat
c:\windows\system32\IDMNTRTNPn
c:\windows\system32\M56CHOT81n
c:\windows\system32\M56CHOT81n\Q001.exe
c:\windows\system32\OCHLH2UKZn
c:\windows\system32\OCHLH2UKZn\Q001.exe
c:\windows\system32\smbsvc.dll
c:\windows\system32\TxmgtdD.dll
c:\windows\system32\V3C77JAOZn
c:\windows\system32\V3C77JAOZn\J001.exe
c:\windows\system32\YTV773FQAn
c:\windows\system32\YTV773FQAn\H002.exe
c:\windows\system32\YTV773FQAn\Q001.exe
c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AWP
-------\Legacy_BFDDOS
-------\Legacy_CLDDOS0NAMEEEEE
-------\Legacy_DDD
-------\Legacy_DKARON
-------\Legacy_FEOS_SERVICE
-------\Legacy_HDDS_SERVICE
-------\Legacy_IHZAQ
-------\Legacy_IJZAB
-------\Legacy_IJZAQ
-------\Legacy_JMROVK
-------\Legacy_LPJBHT
-------\Legacy_MEDIACENTER_SERVER
-------\Legacy_MEDIAQCENTERN
-------\Legacy_OICXCM
-------\Legacy_ROUSVC
-------\Legacy_SMBAPSRV
-------\Legacy_WEDR
-------\Legacy_WINDOWS_MEDIA_SERVICE
-------\Legacy_YMROVKRU
-------\Service_awp
-------\Service_bfddos
-------\Service_clddos0Nameeeee
-------\Service_ddd
-------\Service_dkaron
-------\Service_feos Service
-------\Service_hdds Service
-------\Service_ihzaq
-------\Service_ijzab
-------\Service_ijzaq
-------\Service_lpjbht
-------\Service_MediaCenter server
-------\Service_MediaqCentern
-------\Service_oicxcm
-------\Service_RouSvc
-------\Service_SmbApSrv
-------\Service_wedr
-------\Service_Windows Media Service


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 06:07 . 2009-05-25 06:07 -------- d-----w c:\program files\ERUNT
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Mankind\Application Data\Free Download Manager
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\program files\Free Download Manager
2009-05-23 03:14 . 2009-05-23 13:13 695284 ----a-w c:\windows\system32\libmysql.dll
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\program files\Real Alternative
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\documents and settings\All Mankind\Local Settings\Application Data\Real
2009-05-17 11:13 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll
2009-05-17 11:13 . 2009-05-17 11:13 -------- d-----w c:\program files\K-Lite Codec Pack
2009-05-06 02:12 . 2009-05-06 02:12 -------- d-----w c:\program files\SonicWallES
2009-05-05 17:01 . 2009-05-05 17:03 4212 ---ha-r c:\windows\system32\zllictbl.dat
2009-05-05 16:44 . 2009-05-05 16:44 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-05 14:03 . 2008-01-17 17:59 713216 ------w c:\windows\system32\dllcache\sxs.dll
2009-04-29 16:22 . 2009-04-29 16:22 -------- d-sh--w C:\FOUND.001
2009-04-28 16:36 . 2008-06-08 19:52 94208 ----a-w c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\drivers\usbser.sys
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\dllcache\usbser.sys
2009-04-28 08:53 . 2008-03-21 08:27 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\Nokia
2009-04-28 07:52 . 2008-08-26 04:56 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-28 07:51 . 2009-04-28 07:51 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerflt.sys
2009-04-28 07:50 . 2009-02-09 02:07 22016 ----a-w c:\windows\system32\drivers\ccdcmbo.sys
2009-04-28 07:50 . 2009-02-09 02:07 659968 ----a-w c:\windows\system32\nmwcdcocls.dll
2009-04-28 07:50 . 2009-02-09 02:07 17664 ----a-w c:\windows\system32\drivers\ccdcmb.sys
2009-04-28 07:50 . 2009-02-09 02:02 1112288 ----a-w c:\windows\system32\wdfcoinstaller01007.dll
2009-04-28 07:46 . 2009-04-28 07:43 34396584 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng_web.exe
2009-04-28 07:46 . 2009-04-28 07:46 8192 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-28 07:46 . 2009-04-28 07:46 61440 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-28 07:46 . 2009-04-28 07:46 10240 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-28 07:45 . 2009-04-28 07:45 -------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-04-28 04:32 . 2009-04-28 04:32 -------- d-----w c:\program files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 02:44 . 2009-03-18 09:52 117760 ----a-w c:\documents and settings\All Mankind\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-25 01:54 . 2009-05-25 01:54 113091 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_25_07_16_22_small.dmp.zip
2009-05-24 15:51 . 2009-05-24 15:51 3942391 ------w c:\windows\Internet Logs\tvDebug.Zip
2009-05-24 02:01 . 2009-05-24 01:58 19321598 ------w c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_24_05_14_05_full.dmp.zip
2009-05-23 00:22 . 2009-05-23 00:22 158589 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_22_23_15_02_small.dmp.zip
2009-05-15 07:35 . 2008-03-23 09:41 63928 ----a-w c:\documents and settings\All Mankind\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-04-29 16:11 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP6c22.tmp
2009-04-29 16:09 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d68.tmp
2009-04-29 16:03 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP12e7.tmp
2009-04-29 16:01 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP4532.tmp
2009-04-29 15:58 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d76.tmp
2009-04-29 15:55 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d96.tmp
2009-04-29 15:53 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d67.tmp
2009-04-29 15:50 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d66.tmp
2009-04-29 15:48 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1db4.tmp
2009-04-29 11:21 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d95.tmp
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-24 03:36 . 2009-04-24 03:36 -------- d-----w c:\program files\CCleaner
2009-04-20 15:55 . 2009-04-20 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2009-04-20 15:49 . 2009-04-20 15:49 -------- d-----w c:\program files\IVT Corporation
2009-04-16 01:23 . 2009-04-16 01:23 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 10:02 . 2009-01-08 04:05 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 10:02 . 2009-01-08 04:05 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 09:45 . 2009-04-02 09:45 -------- d-----w c:\program files\Lonely Cat Games
2009-04-01 09:27 . 2009-04-01 09:27 -------- d-----w c:\program files\GPLGS
2009-04-01 09:21 . 2009-04-01 09:21 -------- d-----w c:\program files\Acro Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Mankind\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mdm.exe]
"Debugger"=rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [3/23/2008 3:25 PM 18004]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\WinXP Manager Live Update.job
- c:\program files\Yamicsoft\WinXP Manager\LiveUpdate.exe [2007-09-21 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {BE0879DC-2C8A-4BBD-AA8F-61210777E326} = 218.248.240.208,218.248.255.193
TCP: {D7B79D92-E866-473A-952D-D5EFBB928073} = 218.248.240.208,218.248.255.193
FF - ProfilePath - c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 15:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\bgsvcgen.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-05-25 15:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 09:41
ComboFix3.txt 2009-01-08 17:33
ComboFix2.txt 2009-05-25 06:29

Pre-Run: 10,511,515,648 bytes free
Post-Run: 10,484,531,200 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
231


2. And this is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:26, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
H:\downloadsoft\hijackthis\30122008\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE0879DC-2C8A-4BBD-AA8F-61210777E326}: NameServer = 218.248.240.208,218.248.255.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7B79D92-E866-473A-952D-D5EFBB928073}: NameServer = 218.248.240.208,218.248.255.193
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 2908 bytes



