
Thread: HJT log (Resolved)

  1. #41
    Member (Join Date: Aug 2009, Posts: 31)

    I found the reason the run command wouldn't work... When I downloaded a new Combofix, I made a shortcut to it on the desktop rather than moving the file. Once moved, the run command worked. But I still get a blue screen. I also tried the .bat file and still get a blue screen.

  2. #42
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    Avenger

    Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.
    1. Please download The Avenger2 by SwanDog46.
    2. Unzip avenger.exe to your desktop.
    3. Copy the text in the following codebox by selecting all of it and pressing (<Control> + C), or by right clicking and selecting "Copy".
      Code:
      Drivers to disable:
      kbiwkmpkbmwnli
    4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
    5. Read the prompt that appears, and press OK.
    6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
    7. Press the "Execute" button.
    8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.



    Please post the Avenger log along with a fresh Sysprot log.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #43
    Member (Join Date: Aug 2009, Posts: 31)

    Ran Avenger, but no command prompt or log was produced.

    New Sysprot log:


    SysProt AntiRootkit v1.0.1.0
    by swatkat

    ******************************************************************************************
    ******************************************************************************************

    No Hidden Processes found

    ******************************************************************************************
    ******************************************************************************************
    Kernel Modules:
    Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
    Service Name: kbiwkmpkbmwnli
    Module Base: ---
    Module End: ---
    Hidden: Yes

    Module Name: \SystemRoot\system32\drivers\aqix.sys
    Service Name: ---
    Module Base: B6190000
    Module End: B619F000
    Hidden: Yes

    ******************************************************************************************
    ******************************************************************************************
    No SSDT Hooks found

    ******************************************************************************************
    ******************************************************************************************
    Kernel Hooks:
    Hooked Function: ZwSaveKeyEx
    At Address: 8065628D
    Jump To: 8A08521A
    Module Name: _unknown_

    Hooked Function: ZwSaveKey
    At Address: 806561A2
    Jump To: 8A0751FA
    Module Name: _unknown_

    Hooked Function: ZwFlushInstructionCache
    At Address: 80587BFB
    Jump To: 89FF812C
    Module Name: _unknown_

    Hooked Function: ZwEnumerateKey
    At Address: 80578E14
    Jump To: 88FD7634
    Module Name: _unknown_

    Hooked Function: IofCompleteRequest
    At Address: 804E17BD
    Jump To: 892186DB
    Module Name: _unknown_

    Hooked Function: IofCallDriver
    At Address: 804E13A7
    Jump To: 892026DB
    Module Name: _unknown_

    ******************************************************************************************
    ******************************************************************************************
    Hidden files/folders:
    Object: C:\System Volume Information\MountPointManagerRemoteDatabase
    Status: Access denied

    Object: C:\System Volume Information\tracking.log
    Status: Access denied

  4. #44
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    This is being stubborn!!!

    What happened the last time you tried GMER?
    Did any error messages appear?


    • Open the gmer folder and double click gmer.exe to run the program
    • On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.

    • Click on the > > > tab to open the menus

    • Click on the Services tab

    • Scroll down until you find the following Service (Note: This may be highlighted in red)

      kbiwkmpkbmwnli
    • Click on the Service Name to Highlight it, then right click and choose Delete...
    • Click OK at the first confirmation dialog to remove the service
    • Click OK to the second confirmation dialog to remove the file
    • Click OK to exit the program



    Please post a fresh Sysprot log from after running GMER, and let me know what happens during the GMER instructions.

  5. #45
    Member (Join Date: Aug 2009, Posts: 31)

    Last time I ran GMER, everything went according to your instructions. No extra messages appeared, or anything not in your instructions.

    Same again this time.

    It just doesn't want to give up!

    New Sysprot log:

    SysProt AntiRootkit v1.0.1.0
    by swatkat

    ******************************************************************************************
    ******************************************************************************************

    No Hidden Processes found

    ******************************************************************************************
    ******************************************************************************************
    Kernel Modules:
    Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
    Service Name: kbiwkmpkbmwnli
    Module Base: ---
    Module End: ---
    Hidden: Yes

    Module Name: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
    Service Name: aujasnkj
    Module Base: AB89A000
    Module End: AB8AF000
    Hidden: Yes

    ******************************************************************************************
    ******************************************************************************************
    No SSDT Hooks found

    ******************************************************************************************
    ******************************************************************************************
    Kernel Hooks:
    Hooked Function: ZwSaveKeyEx
    At Address: 8065628D
    Jump To: 8A017152
    Module Name: _unknown_

    Hooked Function: ZwSaveKey
    At Address: 806561A2
    Jump To: 8A0201CA
    Module Name: _unknown_

    Hooked Function: ZwFlushInstructionCache
    At Address: 80587BFB
    Jump To: 8A02124C
    Module Name: _unknown_

    Hooked Function: ZwEnumerateKey
    At Address: 80578E14
    Jump To: 8A01A26C
    Module Name: _unknown_

    Hooked Function: IofCompleteRequest
    At Address: 804E17BD
    Jump To: 89E497BB
    Module Name: _unknown_

    Hooked Function: IofCallDriver
    At Address: 804E13A7
    Jump To: 8A0814A3
    Module Name: _unknown_

    ******************************************************************************************
    ******************************************************************************************
    Hidden files/folders:
    Object: C:\System Volume Information\MountPointManagerRemoteDatabase
    Status: Access denied

    Object: C:\System Volume Information\tracking.log
    Status: Access denied
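A way to make the two Sysprot logs in this thread machine-comparable, as an added example that is not part of the thread or of SysProt itself: the script parses the "Kernel Modules" and "Kernel Hooks" sections into records, lists hidden modules, drivers loaded from a Temp directory and hooks SysProt could not attribute to a module, and diffs the hook table between the first scan and the second. The log excerpts are taken from the two posts above (one of the six hooks kept); the section names it recognises and the Temp-directory check are assumptions of this example, not part of SysProt's documented format.

```python
"""Triage helper for SysProt AntiRootkit logs (added example: not part of this
thread and not SysProt's own code). It parses the 'Kernel Modules' and
'Kernel Hooks' sections into records, lists the indicators a responder checks
first, and diffs two logs taken before and after a remediation attempt."""
import re

SECTION_RE = re.compile(r"^(Kernel Modules|Kernel Hooks|Hidden files/folders):$")
FIELD_RE = re.compile(r"^([A-Za-z /]+): (.*)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Excerpts of the first and second SysProt logs posted above (separator rows
# shortened, one of the six hooks kept).
LOG_BEFORE = r"""Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes

*****
Kernel Hooks:
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 88FD7634
Module Name: _unknown_
"""

LOG_AFTER = r"""Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
Service Name: aujasnkj
Module Base: AB89A000
Module End: AB8AF000
Hidden: Yes

*****
Kernel Hooks:
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 8A01A26C
Module Name: _unknown_
"""


def parse_sysprot(text):
    """Return {section name: [record, ...]}; a record maps 'Field' -> 'value'."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current, record = header.group(1), {}
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if not line or line.startswith("*"):
            if record:                    # a blank line closes a record
                sections[current].append(record)
                record = {}
            if line.startswith("*"):      # an asterisk row closes the section
                current = None
            continue
        field = FIELD_RE.match(line)
        if field:
            record[field.group(1)] = field.group(2)
    if current and record:                # last record at end of text
        sections[current].append(record)
    return sections


def findings(sections):
    """(kind, subject, detail) tuples in the order a responder would check them."""
    out = []
    for mod in sections.get("Kernel Modules", []):
        name = mod.get("Module Name", "")
        if mod.get("Hidden") == "Yes":
            out.append(("hidden-module", name, mod.get("Service Name", "---")))
        # A lead, not a verdict: anti-rootkit scanners load their own
        # temporary drivers from the same place.
        if TEMP_DIR_RE.search(name):
            out.append(("driver-from-temp", name, mod.get("Service Name", "---")))
    for hook in sections.get("Kernel Hooks", []):
        if hook.get("Module Name") == "_unknown_":
            out.append(("unattributed-hook", hook["Hooked Function"], hook["Jump To"]))
    return out


def compare_hooks(before, after):
    """Hook points that persist, appear, vanish, or persist with a new jump target."""
    old = {h["Hooked Function"]: h for h in before.get("Kernel Hooks", [])}
    new = {h["Hooked Function"]: h for h in after.get("Kernel Hooks", [])}
    persisting = sorted(set(old) & set(new))
    return {"persisting": persisting,
            "new": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "retargeted": [f for f in persisting if old[f]["Jump To"] != new[f]["Jump To"]]}
```

Run over the full logs above, the diff reports the same six functions hooked at the same "At Address" values in both scans while every "Jump To" target changed, which is consistent with a driver that is reloaded into a different allocation on each boot rather than one that was removed; the later posts broke that cycle by disabling the service instead of deleting the file.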

  6. #46
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    A colleague has offered a suggestion, so let's give it a twirl.

    It's GMER again, but a little bit different.

    1. Start GMER and do a quick scan. It should give a message about rootkit activity.
    2. If it asks for full scan, select "no".
    3. Right click kbiwk********* and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
    4. After reboot, open GMER again and see if the corresponding service is in disabled state.

  7. #47
    Member (Join Date: Aug 2009, Posts: 31)

    Anything is worth a try.

    Done that, and restarted. After opening GMER again, it says about rootkit activity and do I want to scan; I selected no, and kbiw... is still highlighted in red, but under 'value' it says '[DISABLED] kbiw...'

    Combofix next?

  8. #48
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    Quote Originally Posted by andyc:
      Combofix next?

    Can you say "Yes" repeatedly and getting higher pitched in excitement?

    >calms down a bit<
    Yes please, try running Combofix now.

  9. #49
    Member (Join Date: Aug 2009, Posts: 31)

    Quote Originally Posted by katana:
      Can you say "Yes" repeatedly and getting higher pitched in excitement?

      >calms down a bit<
      Yes please, try running Combofix now.

    I think you can be excited... Disabling the file rather than deleting it seems to have worked, and Combofix ran with no problems. Since running Malwarebytes the computer seemed much better, except Firefox was still slow to load; it's now back to normal, and everything else appears as it was before (well, much better than before!)

    Combofix log:


    ComboFix 09-08-30.01 - Administrator 30/08/2009 21:45.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1596 [GMT 1:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}
    c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome.manifest
    c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome\content\_cfg.js
    c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\install.rdf
    c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1077
    c:\recycler\S-1-5-21-0654824076-2271733286-061959106-4265
    c:\recycler\S-1-5-21-1455334118-7554324804-828036648-8874
    c:\recycler\S-1-5-21-2290957554-5505888447-933951797-3188
    c:\recycler\S-1-5-21-2380437479-5536403761-104314317-2417
    c:\recycler\S-1-5-21-2613669275-9719516027-093846808-3690
    c:\recycler\S-1-5-21-2929841525-6134098029-813005384-3575
    c:\recycler\S-1-5-21-3844252530-4614738533-477353064-6135
    c:\recycler\S-1-5-21-4517616521-8748245048-747018591-5431
    c:\recycler\S-1-5-21-5287203404-2150996276-361785036-2026
    c:\recycler\S-1-5-21-5632783334-8520549607-717420526-9624
    c:\recycler\S-1-5-21-7448197631-6742576296-211950483-1438
    c:\recycler\S-1-5-21-8587057549-8691970124-785860918-1339
    c:\recycler\S-1-5-21-9273069312-5560226816-759346965-4048
    c:\recycler\S-1-5-21-9708960352-6255341383-697539535-9729
    c:\recycler\S-1-5-21-9983706840-2963835987-531995240-8120
    c:\windows\E88D4.exe
    c:\windows\Fonts\FRE3OF9X.TTF
    c:\windows\Fonts\FREE3OF9.TTF
    c:\windows\las31l71.dll
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
    c:\windows\system32\drivers\kbiwkmfqrnmsjp.sys
    c:\windows\system32\drivers\kbiwkmjwrowkya.sys
    c:\windows\system32\drivers\kbiwkmrqpyqydm.sys
    c:\windows\system32\drivers\kbiwkmsdjnkvxf.sys
    c:\windows\system32\drivers\kbiwkmspfthxwy.sys
    c:\windows\system32\kbiwkmanmqiemu.dll
    c:\windows\system32\kbiwkmavsvaewf.dat
    c:\windows\system32\kbiwkmekqhrqcj.dll
    c:\windows\system32\kbiwkmfuciorjq.dll
    c:\windows\system32\kbiwkmfwbwuxxn.dat
    c:\windows\system32\kbiwkmfypdivrx.dll
    c:\windows\system32\kbiwkmibgimbjt.dat
    c:\windows\system32\kbiwkmiqboieml.dll
    c:\windows\system32\kbiwkmmemwmasu.dll
    c:\windows\system32\kbiwkmnmxtynxn.dat
    c:\windows\system32\kbiwkmnnxbqnen.dat
    c:\windows\system32\kbiwkmnvsivtth.dll
    c:\windows\system32\kbiwkmogytenin.dll
    c:\windows\system32\kbiwkmoieewmxn.dat
    c:\windows\system32\kbiwkmpfuyqrcj.dll
    c:\windows\system32\kbiwkmqoodlalb.dat
    c:\windows\system32\kbiwkmrersappp.dat
    c:\windows\system32\kbiwkmrxripfya.dat
    c:\windows\system32\kbiwkmspxcbfol.dll
    c:\windows\system32\kbiwkmumuyxwbd.dll
    c:\windows\system32\kbiwkmvcdivrcr.dll
    c:\windows\system32\kbiwkmvmxnsmnt.dat
    c:\windows\system32\kbiwkmvpucbvpf.dll
    c:\windows\system32\kbiwkmvxsdkbxv.dll
    c:\windows\system32\kbiwkmwqwevpsy.dll
    c:\windows\system32\kbiwkmxsmkbmqr.dll
    c:\windows\system32\kbiwkmyouevvky.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_kbiwkmpkbmwnli
    -------\Service_kbiwkmpkbmwnli


    ((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
    .

    2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
    2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
    2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
    2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
    2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
    2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
    2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
    2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
    2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
    2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
    2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
    2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
    2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
    2009-08-22 17:49 . 2009-08-23 21:19 120 ----a-w- c:\windows\Snuhacokuvomuy.dat
    2009-08-22 17:46 . 2009-08-27 18:53 0 ----a-w- c:\windows\system32\drivers\57852f5b.sys
    2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
    2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
    2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\program files\DU Meter
    2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
    2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
    2009-08-01 18:21 . 2009-08-28 21:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
    2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
    2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
    2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
    2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
    2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
    2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
    2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
    2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
    2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
    2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
    2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
    2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-30 20:44 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
    2009-08-30 20:26 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
    2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
    2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
    2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-08-24 16:39 . 2009-03-12 20:45 100944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
    2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
    2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
    2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
    2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
    2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
    .

    ------- Sigcheck -------

    [-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys


    c:\windows\system32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
    "DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-22 2645528]
    "BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
    "PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
    "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-14 99840]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
    backup=c:\windows\pss\kill.batStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\mel.bat183242.bat
    backup=c:\windows\pss\mel.bat183242.batStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
    R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
    R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
    R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [22/08/2009 18:21 1386008]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
    S1 57852f5b;57852f5b;c:\windows\system32\drivers\57852f5b.sys [22/08/2009 18:46 0]
    S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
    S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]
    S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\temp downloaded stuff\SysProt\SysProt\SysProtDrv.sys [29/08/2009 18:54 44288]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ASPI32

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-avgrsstarter - avgrsstx.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\BGLsp.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-30 21:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
    "ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1264)
    c:\windows\system32\BGLsp.dll

    - - - - - - - > 'explorer.exe'(4092)
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-30 21:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-30 20:52

    Pre-Run: 192,161,538,048 bytes free
    Post-Run: 192,243,597,312 bytes free

    317
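A ComboFix-log triage script, added here as an example (it is not part of the thread and not ComboFix's own code): it reads the "Other Deletions" and "Drivers/Services" sections of the log above, groups the deleted files by a shared naming pattern so the long kbiwkm* list collapses into one family tied to the service the Avenger script and the GMER steps targeted, and pulls out the Sigcheck entry marked [-] (tcpip.sys) and the missing beep.sys. The banner and name-pattern regexes are heuristics fitted to this log, and reading [-] as a file that failed ComboFix's signature check is an assumption of this example.

```python
"""Triage helper for a ComboFix log (added example: not part of this thread and
not ComboFix's own code). It pulls the 'Other Deletions' and 'Drivers/Services'
sections, collapses random-looking file names into families that share a
prefix, and lists the Sigcheck entries marked [-] and any 'is missing' lines."""
import re
from collections import defaultdict

# ComboFix banners look like '((( Title )))' or '--- Title ---' (assumption).
BANNER_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|-{3,} (.+?) -{3,})$")
# Heuristic fitted to this log: 6-letter prefix + 8 random letters + sys/dll/dat.
RANDOM_NAME_RE = re.compile(r"^([a-z]{6})[a-z]{8}\.(sys|dll|dat)$")
# '[-]' is taken here to mean the file failed ComboFix's signature check.
SIGCHECK_RE = re.compile(r"^\[-\] (\S+ \S+) (\d+) ([0-9A-Fa-f]{32}) (.+)$")
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!$")
REMOVED_SVC_RE = re.compile(r"^-+\\(Legacy|Service)_(.+)$")

# Excerpt of the ComboFix log posted above.
SAMPLE = r"""
((((((((((( Other Deletions )))))))))))
.

c:\windows\E88D4.exe
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\drivers\kbiwkmfqrnmsjp.sys
c:\windows\system32\drivers\kbiwkmjwrowkya.sys
c:\windows\system32\kbiwkmanmqiemu.dll
c:\windows\system32\kbiwkmavsvaewf.dat
c:\windows\system32\kbiwkmekqhrqcj.dll

.
((((((((((( Drivers/Services )))))))))))
.

-------\Legacy_kbiwkmpkbmwnli
-------\Service_kbiwkmpkbmwnli

------- Sigcheck -------

[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
"""


def section(text, title):
    """Non-empty lines of the section whose banner reads `title`."""
    out, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            inside = (banner.group(1) or banner.group(2)) == title
            continue
        if inside and line and line != ".":
            out.append(line)
    return out


def name_families(paths, min_members=3):
    """Group deleted files whose basename fits RANDOM_NAME_RE by shared prefix."""
    families = defaultdict(list)
    for path in paths:
        base = path.rsplit("\\", 1)[-1].lower()
        match = RANDOM_NAME_RE.match(base)
        if match:
            families[match.group(1)].append(path)
    return {k: v for k, v in families.items() if len(v) >= min_members}


def removed_services(text):
    """(kind, service name) pairs from the Drivers/Services section."""
    hits = [REMOVED_SVC_RE.match(l) for l in section(text, "Drivers/Services")]
    return [(m.group(1), m.group(2)) for m in hits if m]


def sigcheck_failures(text):
    """Paths of system files ComboFix marked [-] under Sigcheck."""
    hits = [SIGCHECK_RE.match(l) for l in section(text, "Sigcheck")]
    return [m.group(4) for m in hits if m]


def missing_files(text):
    """Paths reported as '... is missing !!' anywhere in the log."""
    hits = [MISSING_RE.match(l.strip()) for l in text.splitlines()]
    return [m.group(1) for m in hits if m]


def families_with_services(text):
    """Link each name family to removed services that start with its prefix."""
    families = name_families(section(text, "Other Deletions"))
    services = [name for _, name in removed_services(text)]
    return {prefix: sorted({s for s in services if s.startswith(prefix)})
            for prefix in families}
```

On the full log above the family view reduces some forty kbiwkm* entries to a single prefix linked to the kbiwkmpkbmwnli service, which is the same name the Avenger script and the GMER steps acted on; the Sigcheck [-] on tcpip.sys and the missing beep.sys are the two remaining items a responder would follow up separately, since neither is covered by removing the driver family.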

  10. #50
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    Looking good

    Big thanks to Blade81 for the disable tip

    Now then, a quick question for you ...

    Do you know what mel.bat183242.bat is?
