HJT log (Resolved)

I found the reason the Run command wouldn't work... when I downloaded a new ComboFix, I made a shortcut to it on the desktop rather than move the file. Once moved, the Run command worked. But I still get a blue screen. I also tried the bat file and still get a blue screen.
 
Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Code:
    Drivers to disable:
    kbiwkmpkbmwnli
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


Please post the Avenger log along with a fresh Sysprot log
 
Ran Avenger, but no command prompt or log was produced.

New SysProt log


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \SystemRoot\system32\drivers\aqix.sys
Service Name: ---
Module Base: B6190000
Module End: B619F000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 8A08521A
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 8A0751FA
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89FF812C
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 88FD7634
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 892186DB
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 892026DB
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied
 
This is being stubborn!!!

What happened the last time you tried GMER?
Did any error messages appear?


  • Open the gmer folder and double click gmer.exe to run the program
  • On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.
  • Click on the > > > tab to open the menus
    [screenshot: GMER1.jpg]
  • Click on the Services tab
    [screenshot: GMER_Services_Tab.jpg]
  • Scroll down until you find the following Service (Note: This may be highlighted in red)

    kbiwkmpkbmwnli
  • Click on the Service Name to Highlight it, then right click and choose Delete...
    [screenshot: GMER_Delete_Service.jpg]
  • Click OK at the first confirmation dialog to remove the service
  • Click OK to the second confirmation dialog to remove the file
  • Click OK to exit the program


Please post a fresh Sysprot log from after running GMER, and let me know what happens during the GMER instructions.
 
Last time I ran GMER, everything went according to your instructions. No extra messages appeared or anything not in your instructions.

Same again this time.

It just doesn't want to give up!

New SysProt log

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
Service Name: aujasnkj
Module Base: AB89A000
Module End: AB8AF000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 8A017152
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 8A0201CA
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 8A02124C
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 8A01A26C
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 89E497BB
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 8A0814A3
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied
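The two SysProt logs in this thread tell the story on their own: the kbiwkm driver stays hidden across the Avenger and GMER runs, the second hidden driver changes name between scans (aqix.sys, then aujasnkj.sys in Temp), and every kernel hook jumps to a different address after each reboot, which means the hooking code is reinstalled at start-up. As an added example (not part of the thread, and not SysProt's own code), here is a small Python triage script that parses the SysProt log format and diffs two scans the way the helper is doing by eye; the sample logs are constructed, trimmed copies of the two posted above.

```python
import re

# Constructed sample logs modelled on the two SysProt AntiRootkit scans posted in
# the thread, trimmed to the sections this example reads (modules and hooks).
SCAN_1 = r"""SysProt AntiRootkit v1.0.1.0
by swatkat
********
********
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Hidden: Yes

Module Name: \SystemRoot\system32\drivers\aqix.sys
Service Name: ---
Hidden: Yes

********
********
Kernel Hooks:
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 892026DB
Module Name: _unknown_
"""

SCAN_2 = r"""SysProt AntiRootkit v1.0.1.0
by swatkat
********
********
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Hidden: Yes

Module Name: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
Service Name: aujasnkj
Hidden: Yes

********
********
Kernel Hooks:
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 8A0814A3
Module Name: _unknown_
"""


def parse_sysprot(log):
    # Sections are delimited by rows of asterisks. A section whose first line ends
    # in ':' holds 'Key: Value' records separated by blank lines; informational
    # sections such as 'No SSDT Hooks found' are skipped.
    sections = {}
    for chunk in re.split(r"^\*{5,}\s*$", log, flags=re.M):
        lines = [ln.strip() for ln in chunk.strip().splitlines()]
        if not lines or not lines[0].endswith(":"):
            continue
        records, current = [], {}
        for ln in lines[1:]:
            if not ln:  # a blank line closes the current record
                if current:
                    records.append(current)
                current = {}
                continue
            key, _, value = ln.partition(":")  # split at the FIRST colon only
            current[key.strip()] = value.strip()
        if current:
            records.append(current)
        sections[lines[0][:-1]] = records
    return sections

def hidden_modules(sections):
    """Drivers SysProt found in memory that the normal module list does not show."""
    return [m for m in sections.get("Kernel Modules", []) if m.get("Hidden") == "Yes"]

def unknown_hooks(sections):
    """Inline kernel hooks whose jump target lies in no known module."""
    return [h for h in sections.get("Kernel Hooks", []) if h.get("Module Name") == "_unknown_"]

def compare_scans(before, after):
    # 'persisted' survived the cleanup attempt, 'new' is the fresh random-named driver
    # dropped at boot, 'relocated_hooks' are hooks re-planted at a different address.
    b, a = parse_sysprot(before), parse_sysprot(after)
    mods_b = {m["Module Name"].lower() for m in hidden_modules(b)}
    mods_a = {m["Module Name"].lower() for m in hidden_modules(a)}
    hooks_b = {h["Hooked Function"]: h["Jump To"] for h in unknown_hooks(b)}
    hooks_a = {h["Hooked Function"]: h["Jump To"] for h in unknown_hooks(a)}
    return {
        "persisted": sorted(mods_b & mods_a),
        "new": sorted(mods_a - mods_b),
        "gone": sorted(mods_b - mods_a),
        "relocated_hooks": sorted(f for f in hooks_a if f in hooks_b and hooks_a[f] != hooks_b[f]),
    }

if __name__ == "__main__":
    for m in hidden_modules(parse_sysprot(SCAN_2)):
        print("hidden driver:", m["Module Name"], "| service:", m["Service Name"])
    print(compare_scans(SCAN_1, SCAN_2))
```

Run against the full logs, the persisted entry is the service name to feed to Avenger or GMER, and a non-empty "new" list after a reboot is the sign that the loader is still alive.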
 
A colleague has offered a suggestion, so let's give it a twirl.

It's GMER again, but a little bit different.

1. Start GMER and do a quick scan. It should give a message about rootkit activity.
2. If it asks for full scan, select "no".
3. Right click kbiwk********* and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
4. After reboot, open GMER again and see if the corresponding service is in disabled state.
 
Anything is worth a try.

Done that, and restarted. After opening GMER again, it says about rootkit activity and do I want to scan; I selected No and kbiw... is still highlighted in red, but under 'value', it says '[DISABLED] kbiw...'

Combofix next?
 
Can you say "Yes" repeatedly, getting higher pitched in excitement? :eek:

>calms down a bit<
Yes please, try running Combofix now. :bigthumb:

I think you can be excited... disabling the file rather than deleting it seems to have worked, and ComboFix ran with no problems. Since running Malwarebytes the computer seemed much better, except Firefox was still slow to load; it's now back to normal, and everything else appears as it was before (well, much better than before!)

ComboFix log


ComboFix 09-08-30.01 - Administrator 30/08/2009 21:45.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1596 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\install.rdf
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1077
c:\recycler\S-1-5-21-0654824076-2271733286-061959106-4265
c:\recycler\S-1-5-21-1455334118-7554324804-828036648-8874
c:\recycler\S-1-5-21-2290957554-5505888447-933951797-3188
c:\recycler\S-1-5-21-2380437479-5536403761-104314317-2417
c:\recycler\S-1-5-21-2613669275-9719516027-093846808-3690
c:\recycler\S-1-5-21-2929841525-6134098029-813005384-3575
c:\recycler\S-1-5-21-3844252530-4614738533-477353064-6135
c:\recycler\S-1-5-21-4517616521-8748245048-747018591-5431
c:\recycler\S-1-5-21-5287203404-2150996276-361785036-2026
c:\recycler\S-1-5-21-5632783334-8520549607-717420526-9624
c:\recycler\S-1-5-21-7448197631-6742576296-211950483-1438
c:\recycler\S-1-5-21-8587057549-8691970124-785860918-1339
c:\recycler\S-1-5-21-9273069312-5560226816-759346965-4048
c:\recycler\S-1-5-21-9708960352-6255341383-697539535-9729
c:\recycler\S-1-5-21-9983706840-2963835987-531995240-8120
c:\windows\E88D4.exe
c:\windows\Fonts\FRE3OF9X.TTF
c:\windows\Fonts\FREE3OF9.TTF
c:\windows\las31l71.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\kbiwkmfqrnmsjp.sys
c:\windows\system32\drivers\kbiwkmjwrowkya.sys
c:\windows\system32\drivers\kbiwkmrqpyqydm.sys
c:\windows\system32\drivers\kbiwkmsdjnkvxf.sys
c:\windows\system32\drivers\kbiwkmspfthxwy.sys
c:\windows\system32\kbiwkmanmqiemu.dll
c:\windows\system32\kbiwkmavsvaewf.dat
c:\windows\system32\kbiwkmekqhrqcj.dll
c:\windows\system32\kbiwkmfuciorjq.dll
c:\windows\system32\kbiwkmfwbwuxxn.dat
c:\windows\system32\kbiwkmfypdivrx.dll
c:\windows\system32\kbiwkmibgimbjt.dat
c:\windows\system32\kbiwkmiqboieml.dll
c:\windows\system32\kbiwkmmemwmasu.dll
c:\windows\system32\kbiwkmnmxtynxn.dat
c:\windows\system32\kbiwkmnnxbqnen.dat
c:\windows\system32\kbiwkmnvsivtth.dll
c:\windows\system32\kbiwkmogytenin.dll
c:\windows\system32\kbiwkmoieewmxn.dat
c:\windows\system32\kbiwkmpfuyqrcj.dll
c:\windows\system32\kbiwkmqoodlalb.dat
c:\windows\system32\kbiwkmrersappp.dat
c:\windows\system32\kbiwkmrxripfya.dat
c:\windows\system32\kbiwkmspxcbfol.dll
c:\windows\system32\kbiwkmumuyxwbd.dll
c:\windows\system32\kbiwkmvcdivrcr.dll
c:\windows\system32\kbiwkmvmxnsmnt.dat
c:\windows\system32\kbiwkmvpucbvpf.dll
c:\windows\system32\kbiwkmvxsdkbxv.dll
c:\windows\system32\kbiwkmwqwevpsy.dll
c:\windows\system32\kbiwkmxsmkbmqr.dll
c:\windows\system32\kbiwkmyouevvky.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmpkbmwnli
-------\Service_kbiwkmpkbmwnli


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
2009-08-22 17:49 . 2009-08-23 21:19 120 ----a-w- c:\windows\Snuhacokuvomuy.dat
2009-08-22 17:46 . 2009-08-27 18:53 0 ----a-w- c:\windows\system32\drivers\57852f5b.sys
2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\program files\DU Meter
2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-01 18:21 . 2009-08-28 21:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 20:44 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-30 20:26 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-24 16:39 . 2009-03-12 20:45 100944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
.

------- Sigcheck -------

[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys


c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-22 2645528]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-14 99840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\mel.bat183242.bat
backup=c:\windows\pss\mel.bat183242.batStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [22/08/2009 18:21 1386008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
S1 57852f5b;57852f5b;c:\windows\system32\drivers\57852f5b.sys [22/08/2009 18:46 0]
S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\temp downloaded stuff\SysProt\SysProt\SysProtDrv.sys [29/08/2009 18:54 44288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 21:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1264)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-08-30 21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 20:52

Pre-Run: 192,161,538,048 bytes free
Post-Run: 192,243,597,312 bytes free

 
Looking good :)

:thanks: Big thanks to Blade81 for the disable tip :thanks:

Now then, a quick question for you ...

Do you know what mel.bat183242.bat is ?
 
We would like some of those files for analysis if you don't mind.

----------------------------------------------------------------------------------------
Step 1

Please Submit a file

Download suspicious file packer from here

Unzip it to the desktop, open it & paste in the list of files below, press Next & it will create an archive (zip/cab file) on the desktop

C:\Qoobox\Quarantine\c\windows\system32\drivers\*.*.*
C:\Qoobox\Quarantine\c\windows\system32\*.*.*


Please open >>> THIS PAGE <<< in a new window.

In the box marked Link to topic where this file was requested: please put this text
Code:
http://forums.spybot.info/showthread.php?p=332396#post332396

Click the Browse button and navigate to the cab file that was created on your desktop.
Select this file and click Open

In the Largest box please put
Code:
File Requested By Katana
BSOD files

Finally click SendFile
You can now delete SFP (exe and Zip) along with the .cab file that was created


----------------------------------------------------------------------------------------
Step 2


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://forums.spybot.info/showthread.php?p=332396#post332396
    Suspect::[4]
    c:\windows\Snuhacokuvomuy.dat
    c:\windows\system32\drivers\57852f5b.sys
    c:\windows\pss\mel.bat183242.batStartup
    File::
    c:\windows\Snuhacokuvomuy.dat
    c:\windows\pss\mel.bat183242.batStartup
    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    CFScriptb.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



----------------------------------------------------------------------------------------
Step 3

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • Combofix Log
  • Kaspersky Log
  • How are things running now ?
 
Files sent

ComboFix ran. Kaspersky ran. No threats found. No log produced?

BullGuard & Malwarebytes all come back clean

everything seems back to normal now, although there is a slight delay in loading certain websites (most load immediately, some take a little longer)




Combofix log

ComboFix 09-08-30.04 - Administrator 31/08/2009 10:59.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1509 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\pss\mel.bat183242.batStartup"
"c:\windows\Snuhacokuvomuy.dat"

file zipped: c:\windows\pss\mel.bat183242.batStartup
file zipped: c:\windows\Snuhacokuvomuy.dat
file zipped: c:\windows\system32\drivers\57852f5b.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\pss\mel.bat183242.batStartup
c:\windows\Snuhacokuvomuy.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
2009-08-22 17:46 . 2009-08-27 18:53 0 ----a-w- c:\windows\system32\drivers\57852f5b.sys
2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\program files\DU Meter
2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-01 18:21 . 2009-08-30 20:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 09:49 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-31 09:48 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-24 16:39 . 2009-03-12 20:45 100944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
.

------- Sigcheck -------

[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys


c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-22 2645528]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [22/08/2009 18:21 1386008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
S1 57852f5b;57852f5b;c:\windows\system32\drivers\57852f5b.sys [22/08/2009 18:46 0]
S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 11:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\BGLsp.dll
.
Completion time: 2009-08-31 11:03
ComboFix-quarantined-files.txt 2009-08-31 10:02
ComboFix2.txt 2009-08-30 20:52

Pre-Run: 192,210,362,368 bytes free
Post-Run: 192,179,752,960 bytes free

Upload was successful
 
Thanks for that, it will help us counter this infection in the future.

Right, just a couple of leftovers now. I've left them till last as there have been problems removing them from some machines.


WARNING
You must Copy/Paste (to a notepad file) or Print the information under Step 2 BEFORE YOU DO ANYTHING


----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\system32\drivers\57852f5b.sys
    Driver::
    57852f5b
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    CFScriptb.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------------------------------------
Step 2

If you are unable to access the internet after step #1, please do the following.

Double click on C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe
Then do this.

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    DeQuarantine::
    C:\Qoobox\Quarantine\c\windows\system32\drivers\57852f5b.sys.vir
    Quit::
  • Save this as CFScript.txt and place it on your desktop.
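The driver being removed in Step 1 stands out in the ComboFix log above for three reasons: its file is 0 bytes, its service and display names are the same random-looking hex string, and it is registered as an S1 (system start) driver. The script below is an added example, not part of this thread or of ComboFix: it parses service/driver lines in the shape ComboFix prints them and flags entries with those traits, so a helper can triage a long log quickly. The sample lines are constructed for the example (the 57852f5b and SSPORT lines copy the log above); the scoring rules are this example's own, not ComboFix's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: five service/driver lines in the shape ComboFix prints them.
SAMPLE_LINES = """\
R2 bdfilespy;BullGuard File Monitor Driver;c:\\windows\\system32\\drivers\\BdFileSpy.sys [14/03/2009 20:37 55504]
R3 afw;Agnitum firewall driver;c:\\windows\\system32\\drivers\\Afw.sys [10/11/2008 14:51 31128]
S1 57852f5b;57852f5b;c:\\windows\\system32\\drivers\\57852f5b.sys [22/08/2009 18:46 0]
S2 SSPORT;SSPORT;\\??\\c:\\windows\\system32\\Drivers\\SSPORT.sys --> c:\\windows\\system32\\Drivers\\SSPORT.sys [?]
S3 PAC7302;PAC7302 VGA USB Camera;c:\\windows\\system32\\drivers\\PAC7302.SYS [14/03/2009 22:00 457856]
"""

# One ComboFix service line:
#   <R|S><start> <name>;<display>;<path> [<dd/mm/yyyy> <hh:mm> <size>]   or   [?]
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
# Eight hex digits and nothing else, e.g. "57852f5b" (assumed heuristic for a generated name).
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class Service:
    running: bool            # R = running, S = stopped
    start: int               # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    size: Optional[int]      # None when ComboFix printed [?] instead of date/time/size


@dataclass
class Finding:
    name: str
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[Service]:
    """Parse one ComboFix service/driver line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, info = m.groups()
    size = None if info == "?" else int(info.split()[-1])   # size is the last token
    return Service(state == "R", int(start), name, display, path, size)


def triage(text: str) -> List[Finding]:
    """Flag service entries that merit a second look, with the reason for each flag."""
    findings: List[Finding] = []
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons: List[str] = []
        if svc.size == 0:
            reasons.append("zero-byte driver file")
        if svc.size is None:
            reasons.append("no size/timestamp recorded ([?])")
        if HEXNAME_RE.match(svc.name) and svc.display == svc.name:
            reasons.append("random-looking hex name with no descriptive display name")
        # Only escalate on start type when something else already looked odd.
        if reasons and svc.start <= 1:
            reasons.append("loads at boot/system start, before most security products")
        if reasons:
            findings.append(Finding(svc.name, reasons))
    return findings


def findings_by_name(text: str) -> Dict[str, List[str]]:
    """Convenience view of triage() keyed by service name."""
    return {f.name: f.reasons for f in triage(text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.name}: " + "; ".join(f.reasons))
```

Running it against the sample prints only 57852f5b (three reasons) and SSPORT (one reason); the three named, correctly sized drivers are not flagged.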
 
Ran combofix, no problems, internet works after step 1, so step 2 not done



combofix log

ComboFix 09-08-30.04 - Administrator 31/08/2009 14:55.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1393 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\57852f5b.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\57852f5b.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_57852f5b


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 12:50 . 2009-08-31 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-01 18:21 . 2009-08-30 20:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 14:02 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-31 13:31 . 2009-03-12 20:45 100160 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 13:26 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
.

------- Sigcheck -------

[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys


c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-08-30_20.50.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-31 14:01 . 2009-08-31 14:01 16384 c:\windows\temp\Perflib_Perfdata_634.dat
+ 2009-08-31 14:01 . 2009-08-31 14:01 16384 c:\windows\temp\Perflib_Perfdata_26c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DU Meter - c:\program files\DU Meter\DUMeter.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1092)
c:\windows\system32\BGLsp.dll

- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-08-31 15:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 14:04
ComboFix2.txt 2009-08-31 10:03
ComboFix3.txt 2009-08-30 20:52

Pre-Run: 192,084,692,992 bytes free
Post-Run: 192,118,636,544 bytes free

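The log above is the kind of thing a helper scans by eye for a few tell-tale items: the Windows Firewall standard profile switched off, a script sitting in a Startup folder, an autostart entry living in a user-writable folder or borrowing a system binary's name, and a service whose file ComboFix could not find (the "[?]" marker). The script below is an added example for this thread, not part of the original posts and not ComboFix's own code: it parses the registry-style sections and the R*/S* service lines of a ComboFix-style log and applies those rules. SAMPLE_LOG is constructed for the example and only modelled on the thread's log; the rules, severities and path lists are this example's own assumptions, not ComboFix's.

```python
r"""Triage a ComboFix-style log for the items a malware-removal helper reads first.

Added example for this thread; not part of the original posts and not ComboFix's
own code. It parses the registry-style sections ComboFix prints ("[HKEY_...]" /
"[HKLM\~\...]" headers followed by "name"=value lines), the startupfolder
path=/backup= lines and the R*/S* service lines, then applies a few rules of this
example's own. SAMPLE_LOG is constructed and only modelled on the thread's log.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Updater"="c:\documents and settings\Administrator\Local Settings\Temp\svchost.exe" [2009-08-30 45056]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")

# Folders an ordinary user (and therefore a drive-by install) can write to (assumed list).
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".scr", ".pif")
# Names malware borrows from real Windows binaries, which live under c:\windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Finding:
    rule: str
    severity: str
    where: str
    detail: str


def extract_path(value):
    """Reduce a ComboFix value to its file path: drop the trailing [date size] or [?],
    take the resolved side of the '"X.EXE" - c:\\...\\X.exe' bare-name form, strip quotes."""
    v = re.sub(r"\s*\[[^\]]*\]\s*$", "", value.strip())
    if " - " in v:
        v = v.split(" - ", 1)[1]
    return v.strip().strip('"')


def parse_log(text):
    """Return (sections, services): sections maps each bracketed key to its
    (name, value) pairs; services lists (start_type, name, remainder) per R*/S* line."""
    sections, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current = m.group("key")
            sections.setdefault(current, [])
        elif m := SERVICE_RE.match(line):
            services.append((m.group("start"), m.group("name"), m.group("rest")))
        elif current is not None:
            if m := VALUE_RE.match(line):
                sections[current].append((m.group("name"), m.group("value")))
            elif "=" in line:  # startupfolder style: path=..., backup=...
                name, _, value = line.partition("=")
                sections[current].append((name, value))
    return sections, services


def triage(text):
    """Apply the example's rules to a log and return the findings."""
    sections, services = parse_log(text)
    findings = []
    for key, entries in sections.items():
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile"):
            for name, value in entries:
                if name == "EnableFirewall" and value.lstrip().startswith("0"):
                    findings.append(Finding("firewall_disabled", "info", key,
                        "Windows Firewall standard profile is off; acceptable only if a third-party firewall is confirmed running"))
        elif "\\run" in k or "startupfolder" in k:
            for name, value in entries:
                path = extract_path(value)
                low = path.lower()
                if low.endswith(SCRIPT_EXT):
                    findings.append(Finding("script_autostart", "high", key, f"{name}: script runs at logon: {path}"))
                if any(frag in low for frag in USER_WRITABLE):
                    findings.append(Finding("user_writable_autostart", "high", key,
                                            f"{name}: autostart from a user-writable folder: {path}"))
                if ntpath.basename(low) in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
                    findings.append(Finding("system_name_masquerade", "high", key,
                                            f"{name}: {ntpath.basename(path)} outside c:\\windows: {path}"))
    for start, name, rest in services:
        if rest.rstrip().endswith("[?]"):
            findings.append(Finding("service_file_missing", "medium", f"service {name} ({start})",
                                    "binary not found on disk (ComboFix prints [?])"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:24} {f.where}\n         {f.detail}")
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; a hit is a prompt to look closer, not a verdict, which is why the firewall rule is only "info" on a machine that also runs BullGuard's firewall service.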
 
Ran combofix, no problems, internet works after step 1
Excellent :)

Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up

Your logs show that Beep.sys is missing. It's not an urgently needed file, but if you have the XP Pro disc or access to another XP Pro machine you can replace it in the System32 folder.
(just let me know if you need any help with that)


Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.



Uninstall OTScanIt (OTS.exe)
  • Open OTScanIt and click Cleanup.
  • If a box pops up click YES.



You can also delete any other tools we used and any logs we have produced.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets kill bits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies, you will lose any auto-login information for sites that you visit and will need your passwords.

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
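The Custom Level steps in the post above change six settings of the Internet zone. IE stores that zone per user as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, one value per Custom Level item (the value names 1001, 1004, 1201, 1607, 1800, 1804 are Microsoft's documented IDs for those six items), encoded as 0 = Enable, 1 = Prompt, 3 = Disable. The script below is an added example for this thread, not part of the original post: it reads an export of that key, reports which of the six items are not at the advised level, and writes a .reg fragment that corrects only those. SAMPLE_EXPORT is constructed for the example, in the shape that `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces; the "unset" label for a missing value and the choice of which items to check are this example's own.

```python
r"""Audit the Internet Explorer Internet-zone (zone 3) custom settings the post advises.

Added example for this thread, not part of the original post. IE keeps the
per-user zone 3 settings as DWORDs under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3,
one value per Custom Level item, with 0 = Enable, 1 = Prompt, 3 = Disable.
SAMPLE_EXPORT is constructed to look like the output of
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
"""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
LEVELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

# value name -> (advised level, Custom Level caption as the post words it)
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}

# Constructed export: two items already right, three too permissive, one (1607) absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Collect the DWORD values of a .reg export as {name: int}; string values are ignored."""
    values = {}
    for line in text.splitlines():
        if m := DWORD_RE.match(line.strip()):
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit(values):
    """Return (value name, caption, current label, advised label) for every item
    not at the advised level. A value missing from the export is reported as
    'unset' rather than guessed."""
    deviations = []
    for name, (want, caption) in RECOMMENDED.items():
        cur = values.get(name)
        if cur != want:
            cur_label = "unset" if cur is None else LEVELS.get(cur, f"unknown({cur})")
            deviations.append((name, caption, cur_label, LEVELS[want]))
    return deviations


def reg_fix(values):
    """Emit a .reg fragment that corrects only the deviating items (apply with: reg import fix.reg)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for name, caption, cur_label, want_label in audit(values):
        lines.append(f"; {caption}: {cur_label} -> {want_label}")
        lines.append(f'"{name}"=dword:{RECOMMENDED[name][0]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_reg_dwords(SAMPLE_EXPORT)
    for name, caption, cur_label, want_label in audit(current):
        print(f"{name} {caption}: {cur_label} (advised {want_label})")
    print(reg_fix(current))
```

The fix file only touches the values that are wrong, so settings the user has already tightened are left alone; after importing it the Security tab shows the Internet zone as "Custom", the same end state as clicking through the dialog.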
 
I have removed programs/logs.

All working fine now. I will keep a note of the programs you have suggested, and download some of them I don't already (now) have.

Thanks for all your help. Just before I found this place, I was about to look for all the CDs to re-install Windows. Much easier now that I don't have to do that. Expect a donation later.

If it's all the same to you, I'd rather not have to come back here!
 