Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Apple Confirms Major Issues With MacBook Keyboards, Offers Free Service

Featured Deal: Get Over 90% off a Windscribe Pro VPN Lifetime Subscription Deal

Spyware on my PC! kingduuba a (Trojan.Agent), winhelp32 (Backdoor.Hupigon)

Started by henceforth , May 24 2009 05:39 AM

This topic is locked

27 replies to this topic

#1 henceforth

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 24 May 2009 - 05:39 AM

Greetings to all the wizards here and a request to help!

My PC has definitely ben infected by some spyware - maybe a trojan or something bad like that!

Could you please help?

I have Zone Alarm firewall and also use their spyware antivirus.

I also have programs like Malwarebytes' Anti-Malware, Super Anti Spyware Spybot but this spyware seems to be really malicious and would not go away!

Please help me get rid of it.

Thanks in advance and have a good day!

henceforth

Here is the DDS.txt

DDS (Ver_09-05-14.01) - FAT32x86
Run by All Mankind at 15:59:29.12 on Sun 05/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.508 [GMT 5.5:30]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)

{5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\clfileeFilename.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k krnlsrvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\All Mankind\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download

manager\iefdm2.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} -

c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: {00625B36-378C-4E4C-B1A3-DD19A0F20596} = 218.248.240.208 218.248.255.193
TCP: {BE0879DC-2C8A-4BBD-AA8F-61210777E326} = 218.248.240.208,218.248.255.193
TCP: {D7B79D92-E866-473A-952D-D5EFBB928073} = 218.248.240.208,218.248.255.193
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web

folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program

files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\allman~1\applic~1\mozilla\firefox\profiles\ze70e4pm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\documents and settings\all mankind\application

data\mozilla\firefox\profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\winnt_x8

6-msvc\components\libchm.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-5-6 150544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-5 353672]
R2 MediaqCentern;MS Median Control qCenter;c:\windows\system32\svchost.exe -k krnlsrvc [2004-8-3 14336]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service -->

c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [2008-3-23 18004]
S2 awp;Kaspersky Internet Security;c:\windows\system32\36O.exe [2009-5-23 15360]
S2 clddos0Nameeeee;clddosTestppppp;c:\windows\clfileeFilename.exe [2009-5-18 12288]
S2 ddd;dddd;c:\windows\ddd.exe --> c:\windows\ddd.exe [?]
S2 feos Service;feos soft Service;c:\windows\system32\f3tct53fwìn€\j001.exe -->

c:\windows\system32\f3tct53fwìn€\J001.exe [?]
S2 hdds Service;hdds soft Service;c:\windows\system32\v3c77jaozìn€\J001.exe [2009-5-18 16106]
S2 jmrovk;jmrovk;c:\windows\system32\SVCHOST.EXE -k jmrovk [2004-8-3 14336]
S2 lpjbht;lpjbht;c:\windows\system32\svchost.exe -k lpjbht [2004-8-3 14336]
S2 MediaCenter server;MS Media Control Centers;c:\windows\system32\svchost.exe -k krnlsrvc [2004-8-3 14336]
S2 oicxcm;§icxcm;c:\windows\system32\svchost.exe -k oicxcm [2004-8-3 14336]
S2 RouSvc;Routing Service;c:\program files\r_server\RemoteAbc.exe [2009-5-23 296448]
S2 SmbApSrv;SMB Performance Adapter;c:\windows\system32\svchost.exe -k LocalSystem [2004-8-3 14336]
S2 ymrovkru;ymrovkru;\??\c:\windows\system32\drivers\bdlovf.rxr --> c:\windows\system32\drivers\bdlovf.rxr [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\NPF.sys [?]
S4 bfddos;bfddos;c:\windows\system32\g0ss8432eìn€\H001.exe [2009-5-20 67584]
S4 dkaron;dkaron;c:\windows\system32\v3c77jaozìn€\h002.exe --> c:\windows\system32\v3c77jaozìn€\H002.exe [?]
S4 ihzaq;ihzaq;c:\windows\system32\ihzaq.exe --> c:\windows\system32\ihzaq.exe [?]
S4 ijzab;ijzab;c:\windows\system32\ijzab.exe --> c:\windows\system32\ijzab.exe [?]
S4 ijzaq;ijzaq;c:\windows\system32\ijzaq.exe --> c:\windows\system32\ijzaq.exe [?]
S4 wedr;wedr;c:\windows\system32\wedr.exe --> c:\windows\system32\wedr.exe [?]
S4 Windows Media Service;Windows Media Service;c:\windows\system32\154o0ldu5ìn€\H001.exe [2009-5-19 33280]

=============== Created Last 30 ================

2009-05-24 15:16 4,480 a------- c:\windows\system32\drivers\PCIDump.sys
2009-05-24 08:16 <DIR> --d----- c:\docume~1\allman~1\applic~1\Free Download Manager
2009-05-24 08:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FreeDownloadManager.ORG
2009-05-24 08:16 <DIR> --d----- c:\program files\Free Download Manager
2009-05-23 18:45 <DIR> --d----- c:\program files\R_Server
2009-05-23 18:43 <DIR> --d----- c:\windows\system32\1QE14LCZAìn€
2009-05-23 15:54 108,544 a------- c:\windows\system32\smbsvc.dll
2009-05-23 15:54 <DIR> --d----- c:\windows\system32\18R6IUQ04ìn€
2009-05-23 08:57 15,360 -------- c:\windows\system32\36O.exe
2009-05-23 08:44 695,284 a------- c:\windows\system32\libmysql.dll
2009-05-23 08:44 <DIR> --d----- c:\windows\system32\GSVKM88Q6ìn€
2009-05-23 06:33 <DIR> --d----- c:\windows\system32\OCHLH2UKZìn€
2009-05-23 05:52 <DIR> --d----- c:\windows\system32\F3TCT53FWìn€
2009-05-22 22:03 1,528 a------- c:\windows\system32\ajtbqi.key
2009-05-22 22:02 1 a------- c:\windows\system32\0005a26f.ini
2009-05-22 22:01 <DIR> --d----- c:\windows\system32\M56CHOT81ìn€
2009-05-22 15:26 <DIR> --d----- c:\windows\system32\9X5T5EQCPìn€
2009-05-22 11:48 <DIR> --d----- c:\windows\system32\YTV773FQAìn€
2009-05-20 19:34 1,866 a------- c:\windows\system32\oicxcmD@.key
2009-05-20 19:34 1,864 a------- c:\windows\system32\rltwsoD@.key
2009-05-20 19:26 1 a------- c:\windows\system32\00054615.ini
2009-05-20 19:25 1 a------- c:\windows\system32\0004d289.ini
2009-05-20 19:24 <DIR> --d----- c:\windows\system32\G0SS8432Eìn€
2009-05-19 11:39 3,866 a------- c:\windows\system32\bdlovf.key
2009-05-19 11:39 1 a------- c:\windows\system32\3a353.imj
2009-05-19 11:39 96,904 -------- c:\windows\system32\bdlovf.gtm
2009-05-19 11:36 <DIR> --d----- c:\windows\system32\154O0LDU5ìn€
2009-05-19 07:11 <DIR> --d----- c:\windows\system32\GEQISRQM8ìn€
2009-05-18 17:22 <DIR> --d----- c:\windows\system32\IDMNTRTNPìn€
2009-05-18 14:20 12,288 a------- c:\windows\clfileeFilename.exe
2009-05-18 14:17 <DIR> --d----- c:\windows\system32\EV27MH0KDìn€
2009-05-18 12:50 <DIR> --d----- c:\windows\system32\V3C77JAOZìn€
2009-05-18 10:23 <DIR> --d----- c:\windows\system32\i
2009-05-18 09:01 81 a------- c:\windows\system32\asr_zuqdc
2009-05-17 17:19 <DIR> --d----- c:\program files\Real Alternative
2009-05-17 16:43 168,448 a------- c:\windows\system32\unrar.dll
2009-05-17 16:43 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-05-06 07:42 <DIR> --d----- c:\program files\SonicWallES
2009-05-06 06:11 1,122 a------- C:\rollback.ini
2009-05-05 22:32 <DIR> --d----- c:\docume~1\allman~1\applic~1\MailFrontier
2009-05-05 22:31 4,212 a---hr-- c:\windows\system32\zllictbl.dat
2009-05-05 22:20 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-05 22:20 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-05 22:14 72,584 a------- c:\windows\zllsputility.exe
2009-05-05 22:14 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-05-05 22:14 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-05-05 22:14 <DIR> --d----- c:\program files\Zone Labs
2009-05-05 22:14 351,219 a------- c:\windows\system32\vsconfig.xml
2009-05-05 19:33 713,216 -------- c:\windows\system32\dllcache\sxs.dll
2009-05-04 22:53 87,608 a------- c:\docume~1\allman~1\applic~1\inst.exe
2009-04-29 21:52 <DIR> --dsh--- C:\FOUND.001
2009-04-28 14:23 25,600 a------- c:\windows\system32\drivers\usbser.sys
2009-04-28 14:23 25,600 a------- c:\windows\system32\dllcache\usbser.sys
2009-04-28 14:23 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-28 14:23 0 a---h---

c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-28 14:23 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-04-28 13:27 <DIR> --d----- c:\program files\common files\PCSuite
2009-04-28 13:27 <DIR> --d----- c:\program files\common files\Nokia
2009-04-28 13:22 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-04-28 13:21 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-04-28 13:20 7,808 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-04-28 13:20 7,808 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-04-28 13:20 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-04-28 13:20 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-04-28 13:20 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-04-28 13:20 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2009-04-28 10:02 <DIR> --d----- c:\program files\Nokia

==================== Find3M ====================

2009-05-04 22:53 47,360 a------- c:\docume~1\allman~1\applic~1\pcouffin.sys
2009-04-29 21:41 90,112 a------- c:\windows\DUMP6c22.tmp
2009-04-29 21:39 90,112 a------- c:\windows\DUMP1d68.tmp
2009-04-29 21:33 90,112 a------- c:\windows\DUMP12e7.tmp
2009-04-29 21:31 90,112 a------- c:\windows\DUMP4532.tmp
2009-04-29 21:28 90,112 a------- c:\windows\DUMP1d76.tmp
2009-04-29 21:25 90,112 a------- c:\windows\DUMP1d96.tmp
2009-04-29 21:23 90,112 a------- c:\windows\DUMP1d67.tmp
2009-04-29 21:20 90,112 a------- c:\windows\DUMP1d66.tmp
2009-04-29 21:18 90,112 a------- c:\windows\DUMP1db4.tmp
2009-04-29 16:51 90,112 a------- c:\windows\DUMP1d95.tmp
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 14:44 67,792 a------- c:\docume~1\allman~1\applic~1\GDIPFONTCACHEV1.DAT
2008-04-25 13:07 87,608 a------- c:\docume~1\allman~1\applic~1\ezpinst.exe
2002-11-04 14:54 3,392 a------- c:\windows\inf\other\cmiainfo.sys
2009-02-17 10:19 2 a--shr-- c:\windows\winstart.bat
2004-08-17 20:00 67,584 ---sh--- c:\windows\system32\TxmgtdD.dll

============= FINISH: 16:01:33.93 ===============

Attached Files

Attach.txt 15.34KB 1 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:07:41 PM

Posted 24 May 2009 - 08:58 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

------------------------------------------------------------------------------------------------------------------

NOTE: IMPORTANT! To other lurkers who see this topic, if you ever want to use ComboFix, please have a look at below tutorial.. You have been warned!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 24 May 2009 - 09:37 PM

Thanks fenzodahl512 for the prompt response!

I am afraid I need further help ...

Downloaded combofix! Have it ready to run on my desktop.

Problem is I just cannot disable zone alarm!

I disabled the ZA firewall, ZA antivirus and ZA spyware in the program.
After that I right clicked the ZA tray icon and shutdown zone alarm completely!

And when I fire up combofix it warns me Zone Alarm Anti Virus is still running! :cool:

Rebooted a dozen times and searched for tutorials to disable Zone Alarm completely with no luck!
The link you provided does not list Zone Alarm.

Should I UNINSTALL Zone Alarm completely?

I have found a complicated method to do it online and I can manage.
Or do you recommend any other firewall/antivirus combination?

Sorry for these elementary queries - I am sure you would understand.

Please guide and thanks in advance for all the help. :thumbup2:

#4 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:07:41 PM

Posted 24 May 2009 - 10:52 PM

Should I UNINSTALL Zone Alarm completely?

Yup.. Firstly please do below first..

Please download The Comedian.exe by Rorschach112 to your desktop

Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished

STOP! if you can't complete this step.. Tell me more about it..

Then please uninstall Zone Alarm completely.. You can either use their internal uninstaller, or Revo Uninstaller (link below) or use the technique I give you in a link (below Revo Uninstaller link)..

Revo Uninstaller: http://www.revouninstaller.com/revo_uninst...e_download.html
Alternative technique: http://www.suggestafix.com/index.php?showtopic=7102

Then run ComboFix and post the log here :thumbup2:

#5 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 01:43 AM

Hi fenzodahl512!

Managed to do all the steps!

Downloaded comedian which ran fine.

Disabled all spyware proggys and Zone Alarm too [I think I did! ;)]

Ran comedian. He cracked some jokes, scanned the PC and installed ERUNT and left a reg file called NTREGOPT on the desktop.

Uninstalled Zone Alarm using Revo. Worked fine. Restarted PC.

Ran combofix which ran without any warnings about Zone Alarm :cool:

combofix downloaded something from Microsoft and also restarted the PC and generated the log file below!

I also ran hijackthis after that and am appending that log too below! Do you want a hijackthis startup log too?

Trust we are going in the right direction behind the nasty spyware.

All strength to ye!
Am feeling a tad insecure about not having any firewall or antivirus right now!

But guess it should be all ok soon!

Thanks so much for your help. Await further orders fenzodahl512 sir! :thumbup2:

henceforth

The logs:

The combofix log:

ComboFix 09-05-23.04 - All Mankind 05/25/2009 11:51.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.735 [GMT 5.5:30]
Running from: c:\documents and settings\All Mankind\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Mankind\Application Data\inst.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\1QE14LCZAìn€\001.exe
c:\windows\system32\drivers\pcidump.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GRAYPIGEON_HACKER.COM.CN
-------\Legacy_KINGDUUBA_A
-------\Legacy_WINHELP32
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 06:07 . 2009-05-25 06:07 -------- d-----w c:\program files\ERUNT
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Mankind\Application Data\Free Download Manager
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\program files\Free Download Manager
2009-05-23 13:15 . 2009-05-23 13:15 -------- d-----w c:\program files\R_Server
2009-05-23 13:13 . 2009-05-23 13:13 -------- d-----w c:\windows\system32\1QE14LCZAìn€
2009-05-23 10:24 . 2009-05-23 13:13 108544 ----a-w c:\windows\system32\smbsvc.dll
2009-05-23 10:24 . 2009-05-23 10:24 -------- d-----w c:\windows\system32\18R6IUQ04ìn€
2009-05-23 03:14 . 2009-05-23 13:13 695284 ----a-w c:\windows\system32\libmysql.dll
2009-05-23 03:14 . 2009-05-23 03:14 -------- d-----w c:\windows\system32\GSVKM88Q6ìn€
2009-05-23 01:03 . 2009-05-23 01:03 -------- d-----w c:\windows\system32\OCHLH2UKZìn€
2009-05-23 00:22 . 2009-05-23 00:22 -------- d-----w c:\windows\system32\F3TCT53FWìn€
2009-05-22 16:31 . 2009-05-22 16:31 -------- d-----w c:\windows\system32\M56CHOT81ìn€
2009-05-22 09:56 . 2009-05-22 09:56 -------- d-----w c:\windows\system32\9X5T5EQCPìn€
2009-05-22 06:18 . 2009-05-22 06:18 -------- d-----w c:\windows\system32\YTV773FQAìn€
2009-05-20 13:54 . 2009-05-20 13:54 -------- d-----w c:\windows\system32\G0SS8432Eìn€
2009-05-19 06:06 . 2009-05-19 06:06 -------- d-----w c:\windows\system32\154O0LDU5ìn€
2009-05-19 01:41 . 2009-05-19 01:41 -------- d-----w c:\windows\system32\GEQISRQM8ìn€
2009-05-18 11:52 . 2009-05-18 11:52 -------- d-----w c:\windows\system32\IDMNTRTNPìn€
2009-05-18 08:50 . 2009-05-18 08:50 12288 ----a-w c:\windows\clfileeFilename.exe
2009-05-18 08:47 . 2009-05-18 08:47 -------- d-----w c:\windows\system32\EV27MH0KDìn€
2009-05-18 07:20 . 2009-05-18 07:20 -------- d-----w c:\windows\system32\V3C77JAOZìn€
2009-05-18 04:53 . 2009-05-18 04:53 -------- d-----w c:\windows\system32\i
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\program files\Real Alternative
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\documents and settings\All Mankind\Local Settings\Application Data\Real
2009-05-17 11:13 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll
2009-05-17 11:13 . 2009-05-17 11:13 -------- d-----w c:\program files\K-Lite Codec Pack
2009-05-06 02:12 . 2009-05-06 02:12 -------- d-----w c:\program files\SonicWallES
2009-05-05 17:01 . 2009-05-05 17:03 4212 ---ha-r c:\windows\system32\zllictbl.dat
2009-05-05 16:44 . 2009-05-05 16:44 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-05 14:03 . 2008-01-17 17:59 713216 ------w c:\windows\system32\dllcache\sxs.dll
2009-04-29 16:22 . 2009-04-29 16:22 -------- d-sh--w C:\FOUND.001
2009-04-28 16:36 . 2008-06-08 19:52 94208 ----a-w c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\drivers\usbser.sys
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\dllcache\usbser.sys
2009-04-28 08:53 . 2008-03-21 08:27 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\Nokia
2009-04-28 07:52 . 2008-08-26 04:56 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-28 07:51 . 2009-04-28 07:51 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerflt.sys
2009-04-28 07:50 . 2009-02-09 02:07 22016 ----a-w c:\windows\system32\drivers\ccdcmbo.sys
2009-04-28 07:50 . 2009-02-09 02:07 659968 ----a-w c:\windows\system32\nmwcdcocls.dll
2009-04-28 07:50 . 2009-02-09 02:07 17664 ----a-w c:\windows\system32\drivers\ccdcmb.sys
2009-04-28 07:50 . 2009-02-09 02:02 1112288 ----a-w c:\windows\system32\wdfcoinstaller01007.dll
2009-04-28 07:46 . 2009-04-28 07:43 34396584 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng_web.exe
2009-04-28 07:46 . 2009-04-28 07:46 8192 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-28 07:46 . 2009-04-28 07:46 61440 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-28 07:46 . 2009-04-28 07:46 10240 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-28 07:45 . 2009-04-28 07:45 -------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-04-28 04:32 . 2009-04-28 04:32 -------- d-----w c:\program files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 02:44 . 2009-03-18 09:52 117760 ----a-w c:\documents and settings\All Mankind\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-25 01:54 . 2009-05-25 01:54 113091 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_25_07_16_22_small.dmp.zip
2009-05-24 15:51 . 2009-05-24 15:51 3942391 ------w c:\windows\Internet Logs\tvDebug.Zip
2009-05-24 02:01 . 2009-05-24 01:58 19321598 ------w c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_24_05_14_05_full.dmp.zip
2009-05-23 00:22 . 2009-05-23 00:22 158589 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_22_23_15_02_small.dmp.zip
2009-05-15 07:35 . 2008-03-23 09:41 63928 ----a-w c:\documents and settings\All Mankind\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-04-29 16:11 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP6c22.tmp
2009-04-29 16:09 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d68.tmp
2009-04-29 16:03 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP12e7.tmp
2009-04-29 16:01 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP4532.tmp
2009-04-29 15:58 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d76.tmp
2009-04-29 15:55 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d96.tmp
2009-04-29 15:53 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d67.tmp
2009-04-29 15:50 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d66.tmp
2009-04-29 15:48 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1db4.tmp
2009-04-29 11:21 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d95.tmp
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-24 03:36 . 2009-04-24 03:36 -------- d-----w c:\program files\CCleaner
2009-04-20 15:55 . 2009-04-20 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2009-04-20 15:49 . 2009-04-20 15:49 -------- d-----w c:\program files\IVT Corporation
2009-04-16 01:23 . 2009-04-16 01:23 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 10:02 . 2009-01-08 04:05 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 10:02 . 2009-01-08 04:05 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 09:45 . 2009-04-02 09:45 -------- d-----w c:\program files\Lonely Cat Games
2009-04-01 09:27 . 2009-04-01 09:27 -------- d-----w c:\program files\GPLGS
2009-04-01 09:21 . 2009-04-01 09:21 -------- d-----w c:\program files\Acro Software
2009-02-17 04:49 . 2009-02-17 04:49 2 --sha-r c:\windows\winstart.bat
2004-08-17 14:30 . 2004-08-17 14:30 67584 --sh--w c:\windows\system32\TxmgtdD.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Mankind\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mdm.exe]
"Debugger"=rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [3/23/2008 3:25 PM 18004]
S2 awp;Kaspersky Internet Security;c:\windows\system32\36O.exe --> c:\windows\system32\36O.exe [?]
S2 clddos0Nameeeee;clddosTestppppp;c:\windows\clfileeFilename.exe [5/18/2009 2:20 PM 12288]
S2 ddd;dddd;c:\windows\ddd.exe --> c:\windows\ddd.exe [?]
S2 feos Service;feos soft Service;c:\windows\system32\F3TCT53FWìn€\J001.exe --> c:\windows\system32\F3TCT53FWìn€\J001.exe [?]
S2 hdds Service;hdds soft Service;c:\windows\system32\V3C77JAOZìn€\J001.exe [5/18/2009 12:54 PM 16106]
S2 jmrovk;jmrovk;c:\windows\system32\SVCHOST.EXE -k jmrovk [8/3/2004 7:26 PM 14336]
S2 lpjbht;lpjbht;c:\windows\system32\svchost.exe -k lpjbht [8/3/2004 7:26 PM 14336]
S2 MediaCenter server;MS Media Control Centers;c:\windows\System32\svchost.exe -k krnlsrvc [8/3/2004 7:26 PM 14336]
S2 MediaqCentern;MS Median Control qCenter;c:\windows\System32\svchost.exe -k krnlsrvc [8/3/2004 7:26 PM 14336]
S2 oicxcm;§icxcm;c:\windows\system32\svchost.exe -k oicxcm [8/3/2004 7:26 PM 14336]
S2 RouSvc;Routing Service;c:\program files\R_Server\RemoteAbc.exe --> c:\program files\R_Server\RemoteAbc.exe [?]
S2 SmbApSrv;SMB Performance Adapter;c:\windows\System32\svchost.exe -k LocalSystem [8/3/2004 7:26 PM 14336]
S2 ymrovkru;ymrovkru;\??\c:\windows\system32\DRiVeRs\bdlovf.rxr --> c:\windows\system32\DRiVeRs\bdlovf.rxr [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]
S4 bfddos;bfddos;c:\windows\system32\G0SS8432Eìn€\H001.exe [5/20/2009 7:25 PM 67584]
S4 dkaron;dkaron;c:\windows\system32\V3C77JAOZìn€\H002.exe --> c:\windows\system32\V3C77JAOZìn€\H002.exe [?]
S4 ihzaq;ihzaq;c:\windows\system32\ihzaq.exe --> c:\windows\system32\ihzaq.exe [?]
S4 ijzab;ijzab;c:\windows\system32\ijzab.exe --> c:\windows\system32\ijzab.exe [?]
S4 ijzaq;ijzaq;c:\windows\system32\ijzaq.exe --> c:\windows\system32\ijzaq.exe [?]
S4 wedr;wedr;c:\windows\system32\wedr.exe --> c:\windows\system32\wedr.exe [?]
S4 Windows Media Service;Windows Media Service;c:\windows\system32\154O0LDU5ìn€\H001.exe [5/19/2009 11:38 AM 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystem REG_MULTI_SZ SmbApSrv SMB
jmrovk REG_MULTI_SZ jmrovk
oicxcm REG_MULTI_SZ oicxcm
lpjbht REG_MULTI_SZ lpjbht

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\WinXP Manager Live Update.job
- c:\program files\Yamicsoft\WinXP Manager\LiveUpdate.exe [2007-09-21 20:13]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {00625B36-378C-4E4C-B1A3-DD19A0F20596} = 218.248.240.208 218.248.255.193
TCP: {BE0879DC-2C8A-4BBD-AA8F-61210777E326} = 218.248.240.208,218.248.255.193
TCP: {D7B79D92-E866-473A-952D-D5EFBB928073} = 218.248.240.208,218.248.255.193
FF - ProfilePath - c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 11:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jmrovk]
"ServiceDll"="%SystemRoot%\System32\bdlovf.gtm"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ymrovkru]
"ImagePath"="\??\c:\windows\system32\DRiVeRs\bdlovf.rxr"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\BGSVCGEN.EXE
c:\program files\COMMON FILES\MACROVISION SHARED\FLEXNET PUBLISHER\FNPLICENSINGSERVICE.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\CANON\CAL\CALMAIN.EXE
.
**************************************************************************
.
Completion time: 2009-05-25 11:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 06:29
ComboFix2.txt 2009-01-08 17:33

Pre-Run: 10,522,804,224 bytes free
Post-Run: 10,490,413,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
225

The hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:39, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\clfileeFilename.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
H:\downloadsoft\hijackthis\30122008\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00625B36-378C-4E4C-B1A3-DD19A0F20596}: NameServer = 218.248.240.208 218.248.255.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE0879DC-2C8A-4BBD-AA8F-61210777E326}: NameServer = 218.248.240.208,218.248.255.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7B79D92-E866-473A-952D-D5EFBB928073}: NameServer = 218.248.240.208,218.248.255.193
O17 - HKLM\System\CS3\Services\Tcpip\..\{00625B36-378C-4E4C-B1A3-DD19A0F20596}: NameServer = 218.248.240.208 218.248.255.193
O17 - HKLM\System\CS4\Services\Tcpip\..\{00625B36-378C-4E4C-B1A3-DD19A0F20596}: NameServer = 218.248.240.208 218.248.255.193
O23 - Service: Kaspersky Internet Security (awp) - Unknown owner - C:\WINDOWS\system32\36O.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: clddosTestppppp (clddos0Nameeeee) - Unknown owner - C:\WINDOWS\clfileeFilename.exe
O23 - Service: dddd (ddd) - Unknown owner - C:\WINDOWS\ddd.exe (file missing)
O23 - Service: feos soft Service (feos Service) - Unknown owner - C:\WINDOWS\system32\F3TCT53FWìn€\J001.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hdds soft Service (hdds Service) - Unknown owner - C:\WINDOWS\system32\V3C77JAOZìn€\J001.exe
O23 - Service: Routing Service (RouSvc) - Unknown owner - C:\Program Files\R_Server\RemoteAbc.exe (file missing)

--
End of file - 3987 bytes

Should I UNINSTALL Zone Alarm completely?

Yup.. Firstly please do below first..

Please download The Comedian.exe by Rorschach112 to your desktop
Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..

Then please uninstall Zone Alarm completely.. You can either use their internal uninstaller, or Revo Uninstaller (link below) or use the technique I give you in a link (below Revo Uninstaller link)..

Revo Uninstaller: http://www.revouninstaller.com/revo_uninst...e_download.html
Alternative technique: http://www.suggestafix.com/index.php?showtopic=7102

Then run ComboFix and post the log here

#6 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:07:41 PM

Posted 25 May 2009 - 02:15 AM

Before I gave a next fixes, do you use Radmin program?.. A program to control your computer remotely?

#7 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 02:46 AM

Before I gave a next fixes, do you use Radmin program?.. A program to control your computer remotely?

No fenzodahl512!

That was a quick response! Thanks chief! :thumbup2:

I do not use Radmin nor have I installed it.

In fact, I had tried deleting it before ... but no luck!

#8 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:07:41 PM

Posted 25 May 2009 - 04:04 AM

edited.. fixing script

Edited by fenzodahl512, 25 May 2009 - 04:09 AM.

#9 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 04:10 AM

Thanks fenzodahl512! :thumbup2:

Following the steps and will revert in 5 mins!

Thanks again!

henceforth

#10 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 04:11 AM

edited.. fixing script

Should I wait chief? :thumbup2:

#11 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:07:41 PM

Posted 25 May 2009 - 04:15 AM

Sorry, my internet connection is always disconnect :thumbup2:

Do below...

Please copy/paste below code into Notepad

@ECHO OFF
FOR %%G IN (
"c:\program files\R_Server"
"c:\windows\system32\1QE14LCZAìn€"
"c:\windows\system32\smbsvc.dll"
"c:\windows\system32\18R6IUQ04ìn€"
"c:\windows\system32\libmysql.dll"
"c:\windows\system32\GSVKM88Q6ìn€"
"c:\windows\system32\OCHLH2UKZìn€"
"c:\windows\system32\F3TCT53FWìn€"
"c:\windows\system32\M56CHOT81ìn€"
"c:\windows\system32\9X5T5EQCPìn€"
"c:\windows\system32\YTV773FQAìn€"
"c:\windows\system32\G0SS8432Eìn€"
"c:\windows\system32\154O0LDU5ìn€"
"c:\windows\system32\GEQISRQM8ìn€"
"c:\windows\system32\IDMNTRTNPìn€"
"c:\windows\clfileeFilename.exe"
"c:\windows\system32\EV27MH0KDìn€"
"c:\windows\system32\V3C77JAOZìn€"
"c:\windows\system32\i"
"c:\windows\winstart.bat"
"c:\windows\system32\TxmgtdD.dll"
"c:\windows\system32\36O.exe"
"c:\windows\clfileeFilename.exe"
"c:\windows\ddd.exe"
"c:\windows\system32\DRiVeRs\bdlovf.rxr"
"c:\windows\system32\ihzaq.exe"
"c:\windows\system32\ijzab.exe"
"c:\windows\system32\ijzaq.exe"
"c:\windows\system32\wedr.exe"
) DO Zip -Sr UpLoadTheseFolders.zip %%G
DEL %0

After that, go to File >> Save as... >> do below instruction

At Save in: choose Desktop
At File name: write ask.bat
At Save as type: choose All Files

Then press Enter.. A batch file will be created on your Desktop (ask.bat) and it would look like this: Posted Image

Double-click that file, a new zipfile (UpLoadTheseFolders.zip) will be created on your Desktop.. Please upload that zipped file to this site. Don't forget to link it with here..

1. Please open Notepad

If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
jmrovk
lpjbht
oicxcm

Driver::
lpjbht
awp
clddos0Nameeeee
ddd
feos Service
hdds Service
jmrovk
MediaqCentern
MediaCenter server
oicxcm
RouSvc
SmbApSrv
ymrovkru
bfddos
dkaron
ihzaq
ijzab
ijzaq
wedr
Windows Media Service

Rootkit::
c:\windows\winstart.bat
c:\windows\system32\TxmgtdD.dll
c:\windows\system32\36O.exe
c:\windows\clfileeFilename.exe
c:\windows\ddd.exe
c:\windows\system32\DRiVeRs\bdlovf.rxr
c:\windows\system32\ihzaq.exe
c:\windows\system32\ijzab.exe
c:\windows\system32\ijzaq.exe
c:\windows\system32\wedr.exe
c:\windows\system32\smbsvc.dll
c:\windows\System32\bdlovf.gtm

Folder::
c:\program files\R_Server
c:\windows\system32\1QE14LCZAìn€
c:\windows\system32\18R6IUQ04ìn€
c:\windows\system32\GSVKM88Q6ìn€
c:\windows\system32\OCHLH2UKZìn€
c:\windows\system32\F3TCT53FWìn€
c:\windows\system32\M56CHOT81ìn€
c:\windows\system32\9X5T5EQCPìn€
c:\windows\system32\YTV773FQAìn€
c:\windows\system32\G0SS8432Eìn€
c:\windows\system32\154O0LDU5ìn€
c:\windows\system32\GEQISRQM8ìn€
c:\windows\system32\IDMNTRTNPìn€
c:\windows\system32\EV27MH0KDìn€
c:\windows\system32\V3C77JAOZìn€
c:\windows\system32\i

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"LocalSystem"=-
"jmrovk"=-
"oicxcm"=-
"lpjbht"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jmrovk]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ymrovkru]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#12 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 04:17 AM

Sure chief! Thanks! :thumbup2:

Will do that and revert in 5 mins!

#13 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 04:29 AM

Hi fenzodahl512!

Have uploaded UpLoadTheseFolders.zip

Also given the link reference of this thread!

Now doing the second step and might reboot my PC.

Will revert as soon as it is done with the combofix and hijackthis logs.

Thanks for your speedy responses pal! :thumbup2:

#14 fenzodahl512

Members
6,738 posts
OFFLINE

Local time:07:41 PM

Posted 25 May 2009 - 04:36 AM

Ok.. no problem :thumbup2:

#15 henceforth

Topic Starter

Members
24 posts
OFFLINE

Local time:05:11 PM

Posted 25 May 2009 - 04:48 AM

Hi fenzodahl512! :thumbup2:

Done both steps fine!

Thanks for your help!

henceforth

Here are BOTH the combofix and hijackthis logs below:

1. Combofix log:

ComboFix 09-05-23.04 - All Mankind 05/25/2009 15:03.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.710 [GMT 5.5:30]
Running from: c:\documents and settings\All Mankind\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\All Mankind\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\R_Server
c:\windows\clfileeFilename.exe
c:\windows\system32\154O0LDU5ìn€
c:\windows\system32\154O0LDU5ìn€\H001.exe
c:\windows\system32\18R6IUQ04ìn€
c:\windows\system32\18R6IUQ04ìn€\Q001.exe
c:\windows\system32\1QE14LCZAìn€
c:\windows\system32\1QE14LCZAìn€\Q001.exe
c:\windows\system32\9X5T5EQCPìn€
c:\windows\system32\9X5T5EQCPìn€\Q001.exe
c:\windows\System32\bdlovf.gtm
c:\windows\system32\EV27MH0KDìn€
c:\windows\system32\EV27MH0KDìn€\H001.exe
c:\windows\system32\F3TCT53FWìn€
c:\windows\system32\F3TCT53FWìn€\Q001.exe
c:\windows\system32\G0SS8432Eìn€
c:\windows\system32\G0SS8432Eìn€\H001.exe
c:\windows\system32\G0SS8432Eìn€\J001.exe
c:\windows\system32\GEQISRQM8ìn€
c:\windows\system32\GSVKM88Q6ìn€
c:\windows\system32\GSVKM88Q6ìn€\H001.exe
c:\windows\system32\GSVKM88Q6ìn€\J001.exe
c:\windows\system32\GSVKM88Q6ìn€\Q001.exe
c:\windows\system32\i
c:\windows\system32\i\A001.exe
c:\windows\system32\i\R.bat
c:\windows\system32\IDMNTRTNPìn€
c:\windows\system32\M56CHOT81ìn€
c:\windows\system32\M56CHOT81ìn€\Q001.exe
c:\windows\system32\OCHLH2UKZìn€
c:\windows\system32\OCHLH2UKZìn€\Q001.exe
c:\windows\system32\smbsvc.dll
c:\windows\system32\TxmgtdD.dll
c:\windows\system32\V3C77JAOZìn€
c:\windows\system32\V3C77JAOZìn€\J001.exe
c:\windows\system32\YTV773FQAìn€
c:\windows\system32\YTV773FQAìn€\H002.exe
c:\windows\system32\YTV773FQAìn€\Q001.exe
c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AWP
-------\Legacy_BFDDOS
-------\Legacy_CLDDOS0NAMEEEEE
-------\Legacy_DDD
-------\Legacy_DKARON
-------\Legacy_FEOS_SERVICE
-------\Legacy_HDDS_SERVICE
-------\Legacy_IHZAQ
-------\Legacy_IJZAB
-------\Legacy_IJZAQ
-------\Legacy_JMROVK
-------\Legacy_LPJBHT
-------\Legacy_MEDIACENTER_SERVER
-------\Legacy_MEDIAQCENTERN
-------\Legacy_OICXCM
-------\Legacy_ROUSVC
-------\Legacy_SMBAPSRV
-------\Legacy_WEDR
-------\Legacy_WINDOWS_MEDIA_SERVICE
-------\Legacy_YMROVKRU
-------\Service_awp
-------\Service_bfddos
-------\Service_clddos0Nameeeee
-------\Service_ddd
-------\Service_dkaron
-------\Service_feos Service
-------\Service_hdds Service
-------\Service_ihzaq
-------\Service_ijzab
-------\Service_ijzaq
-------\Service_lpjbht
-------\Service_MediaCenter server
-------\Service_MediaqCentern
-------\Service_oicxcm
-------\Service_RouSvc
-------\Service_SmbApSrv
-------\Service_wedr
-------\Service_Windows Media Service

((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 06:07 . 2009-05-25 06:07 -------- d-----w c:\program files\ERUNT
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Mankind\Application Data\Free Download Manager
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-05-24 02:46 . 2009-05-24 02:46 -------- d-----w c:\program files\Free Download Manager
2009-05-23 03:14 . 2009-05-23 13:13 695284 ----a-w c:\windows\system32\libmysql.dll
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\program files\Real Alternative
2009-05-17 11:49 . 2009-05-17 11:49 -------- d-----w c:\documents and settings\All Mankind\Local Settings\Application Data\Real
2009-05-17 11:13 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll
2009-05-17 11:13 . 2009-05-17 11:13 -------- d-----w c:\program files\K-Lite Codec Pack
2009-05-06 02:12 . 2009-05-06 02:12 -------- d-----w c:\program files\SonicWallES
2009-05-05 17:01 . 2009-05-05 17:03 4212 ---ha-r c:\windows\system32\zllictbl.dat
2009-05-05 16:44 . 2009-05-05 16:44 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-05 14:03 . 2008-01-17 17:59 713216 ------w c:\windows\system32\dllcache\sxs.dll
2009-04-29 16:22 . 2009-04-29 16:22 -------- d-sh--w C:\FOUND.001
2009-04-28 16:36 . 2008-06-08 19:52 94208 ----a-w c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\drivers\usbser.sys
2009-04-28 08:53 . 2004-08-03 17:38 25600 ----a-w c:\windows\system32\dllcache\usbser.sys
2009-04-28 08:53 . 2008-03-21 08:27 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-28 07:57 . 2009-04-28 07:57 -------- d-----w c:\program files\Common Files\Nokia
2009-04-28 07:52 . 2008-08-26 04:56 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys
2009-04-28 07:51 . 2009-04-28 07:51 -------- d-----w c:\program files\PC Connectivity Solution
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-04-28 07:50 . 2009-02-09 02:07 7808 ----a-w c:\windows\system32\drivers\usbser_lowerflt.sys
2009-04-28 07:50 . 2009-02-09 02:07 22016 ----a-w c:\windows\system32\drivers\ccdcmbo.sys
2009-04-28 07:50 . 2009-02-09 02:07 659968 ----a-w c:\windows\system32\nmwcdcocls.dll
2009-04-28 07:50 . 2009-02-09 02:07 17664 ----a-w c:\windows\system32\drivers\ccdcmb.sys
2009-04-28 07:50 . 2009-02-09 02:02 1112288 ----a-w c:\windows\system32\wdfcoinstaller01007.dll
2009-04-28 07:46 . 2009-04-28 07:43 34396584 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng_web.exe
2009-04-28 07:46 . 2009-04-28 07:46 8192 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-28 07:46 . 2009-04-28 07:46 61440 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-28 07:46 . 2009-04-28 07:46 10240 ----a-w c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-28 07:45 . 2009-04-28 07:45 -------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-04-28 04:32 . 2009-04-28 04:32 -------- d-----w c:\program files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 02:44 . 2009-03-18 09:52 117760 ----a-w c:\documents and settings\All Mankind\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-25 01:54 . 2009-05-25 01:54 113091 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_25_07_16_22_small.dmp.zip
2009-05-24 15:51 . 2009-05-24 15:51 3942391 ------w c:\windows\Internet Logs\tvDebug.Zip
2009-05-24 02:01 . 2009-05-24 01:58 19321598 ------w c:\windows\Internet Logs\vsmon_on_demand_thread_2009_05_24_05_14_05_full.dmp.zip
2009-05-23 00:22 . 2009-05-23 00:22 158589 ------w c:\windows\Internet Logs\vsmon_2nd_2009_05_22_23_15_02_small.dmp.zip
2009-05-15 07:35 . 2008-03-23 09:41 63928 ----a-w c:\documents and settings\All Mankind\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-05-04 17:23 . 2008-04-25 07:37 47360 ----a-w c:\documents and settings\All Mankind\Application Data\pcouffin.sys
2009-04-29 16:11 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP6c22.tmp
2009-04-29 16:09 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d68.tmp
2009-04-29 16:03 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP12e7.tmp
2009-04-29 16:01 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP4532.tmp
2009-04-29 15:58 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d76.tmp
2009-04-29 15:55 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d96.tmp
2009-04-29 15:53 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d67.tmp
2009-04-29 15:50 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d66.tmp
2009-04-29 15:48 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1db4.tmp
2009-04-29 11:21 . 2008-03-23 08:35 90112 ----a-w c:\windows\DUMP1d95.tmp
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-04-28 08:53 . 2009-04-28 08:53 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-24 03:36 . 2009-04-24 03:36 -------- d-----w c:\program files\CCleaner
2009-04-20 15:55 . 2009-04-20 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth
2009-04-20 15:49 . 2009-04-20 15:49 -------- d-----w c:\program files\IVT Corporation
2009-04-16 01:23 . 2009-04-16 01:23 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 10:02 . 2009-01-08 04:05 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 10:02 . 2009-01-08 04:05 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 09:45 . 2009-04-02 09:45 -------- d-----w c:\program files\Lonely Cat Games
2009-04-01 09:27 . 2009-04-01 09:27 -------- d-----w c:\program files\GPLGS
2009-04-01 09:21 . 2009-04-01 09:21 -------- d-----w c:\program files\Acro Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Mankind\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mdm.exe]
"Debugger"=rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [3/23/2008 3:25 PM 18004]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\WinXP Manager Live Update.job
- c:\program files\Yamicsoft\WinXP Manager\LiveUpdate.exe [2007-09-21 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {BE0879DC-2C8A-4BBD-AA8F-61210777E326} = 218.248.240.208,218.248.255.193
TCP: {D7B79D92-E866-473A-952D-D5EFBB928073} = 218.248.240.208,218.248.255.193
FF - ProfilePath - c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - component: c:\documents and settings\All Mankind\Application Data\Mozilla\Firefox\Profiles\ze70e4pm.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 15:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\bgsvcgen.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-05-25 15:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 09:41
ComboFix3.txt 2009-01-08 17:33
ComboFix2.txt 2009-05-25 06:29

Pre-Run: 10,511,515,648 bytes free
Post-Run: 10,484,531,200 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
231

2. And this is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:26, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
H:\downloadsoft\hijackthis\30122008\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE0879DC-2C8A-4BBD-AA8F-61210777E326}: NameServer = 218.248.240.208,218.248.255.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7B79D92-E866-473A-952D-D5EFBB928073}: NameServer = 218.248.240.208,218.248.255.193
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 2908 bytes