
My gmer results - help needed

Posted 8/30/2009 8:41 PM
#76715

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I'm back. I had shut off my computer normally; now I just started it, so I updated DrWeb and ran a quick scan and it was clean,
so I then did a GMER scan. First I did just that initial scan; the results are below (I tried to disable them and 2 of them disabled, the other wouldn't;
I hope that doesn't screw things up). Then I tried to do a complete scan and before, I think, it would only scan for about 2 seconds and disappear;
this time it scanned for maybe about a minute but when it started to scan the $kbwhatever$ files it disappeared. So I'll just look towards your next response.
Thanks again for the help.


GMER 1.0.15.15077 [tioo.exe] - https://www.gmer.net
Rootkit quick scan 2009-08-30 16:25:20
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (DrWeb Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs spider.sys (SpIDer Guard File System Monitor/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat dwprot.sys (DrWeb Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat spider.sys (SpIDer Guard File System Monitor/Doctor Web, Ltd.)

Device \Driver\Tcpip \Device\Ip AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys (DrWeb Protection for Windows/Doctor Web, Ltd.)

Device \Driver\Tcpip \Device\Tcp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys (DrWeb Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp spider.sys (SpIDer Guard File System Monitor/Doctor Web, Ltd.)

Device \Driver\Tcpip \Device\Udp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys (DrWeb Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp spider.sys (SpIDer Guard File System Monitor/Doctor Web, Ltd.)

Device \Driver\Tcpip \Device\RawIp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys (DrWeb Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp spider.sys (SpIDer Guard File System Monitor/Doctor Web, Ltd.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmepwaomsn.sys (*** hidden *** ) [DISABLED] kbiwkmuwwiyvnk <-- ROOTKIT !!!
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Service system32\drivers\UACxjjqbhgmec.sys (*** hidden *** ) [DISABLED] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
Posted 8/31/2009 4:45 AM
#76729

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It's some nasty stuff you've got there.

1. Start -> Run -> Devmgmt.msc -> OK
   On the toolbar, click on View -> "Show hidden devices"
2. Scroll down and locate Non-plug and Play Drivers
   Click the + sign to expand
3. tdss(other random characters)
   uac(other random characters)
   SKYNET(other random characters)
   ab56sy26 (or similar 8 character random name)

   Right click on it/them, and select "Disable"

   Any you locate that you think I might want to review, write those down and post them back here please
4. Restart your computer

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 8/31/2009 10:08 PM
#76747

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
What I did here was type out all the non-PnP drivers, then their device instance, then their startup type. So on the first one, "abp480n5" is what is listed, its device instance is "root\legacy_abp480n5\0000" and its startup type is boot. They all follow this format: "root\legacy_abp480n5\0000".

So where I put "same", the listed name is what's in the device instance; for example, for "aha154x" its device instance reads "root\legacy_aha154x\0000".

On some of the instances the name in the device instance doesn't match the listed name. For example, for "amd agp bus filter driver" it's the same format, "root\legacy_ \0000", but whatever goes in the blank space is listed after the word "same". So, in the case of "amd agp bus filter driver", I've typed "amd agp bus filter driver same amdagp boot", so the actual device instance looks like this: "root\legacy_amdagp\0000". Its startup type is boot.

I think you'll understand that. 3 of them are disabled, so after their listed name I put "(disabled)". I didn't know what to start disabling, so I thought you could mark what you think I should disable and I'll go from there. I hope all this makes sense. Thanks again for your help.



non plug and play drivers

"abp480n5" root\legacy_abp480n5\0000 boot
"adpu160m" root\legacy_adpu160m\0000 boot
"afd" root\legacy_afd\0000 system
"agnitum firewall core driver" root\legacy_afwcore\0000 demand
"aha154x" same boot
"aic78u2" same boot
"aic78xx" same boot
"ali agp bus filter" same alim1541 boot
"aliide" same boot
"amd agp bus filter driver" same amdagp boot
"amsint" same boot
"asc" same boot
"asc3350p" same boot
"asc3550" same boot
"aspi32" same automatic
"atm arp client protocol" same atmarpc automatic
"bullguard file monitor driver" same bdfilespy automatic
"cbidf" same boot
"cd20xrnt" same boot
"cmdide" same boot
"compaq agp bus filter" same agpcpq boot
"cpqarray" same boot
"creative ac3 software decoder" same ctac32k demand
"creative dvd-audio device driver" same ctdvda2k demand
"creative hardware abstract layer driver" same ha10kx2k demand
"creative os services driver" same ossrv demand
"creative p16v hal driver" same hap16v2k demand
"creative p17v hal driver" same hap17v2k demand
"creative proxy driver" same ctprxy2k demand
"creative soundfont management device driver" same ctsfm2k demand
"dac2w2k" same boot
"dac960nt" same boot
"dpti2o" same boot
"e-mu plug-in architecture driver" same emupia demand
"fips" same system
"floppy disk controller driver" same fdc demand
"floppy disk driver" same flpydisk demand
"generic packet classifier" same gpc demand
"hpn" same boot
"http" same demand
"i2omgmt" same system
"i2omp" same boot
"ini910u" same boot
"intel agp bus filter" same agp440 boot
"intelide" same boot
"ip in ip tunnel driver" same ipinip demand
"ip network address translator" same ipnat demand
"ip traffic filter driver" same ipfilterdriver demand
"ipsec driver" same ipsec system
"ipv6 windows firewall driver" same ip6fw demand
"ipx traffic filter driver" same nwlnkflt demand
"ipx traffic forwarder driver" same nwlnkfwd demand
"ir enumerator service" same irenum demand
"ksecdd" same boot
"macronix mx987xx family fast ethernet nt driver" same mxnic demand
"microsoft usb universal host controller miniport driver" same usbuhcl demand
"mnmdd" same system
"modem" same demand
"mountmgr" same boot
"mraid35x" same boot
"ndis system driver" same ndis boot
"ndis usermode i/o protocol" same ndisuio demand
"ndproxy" same demand (on this one under driver it gives display name of ndisproxy)
"netbios over tcpip" same netbt system
"null" (disabled) same system
"nvidia nforce networking controller driver" same nvenetfd demand
"partmgr" same boot (on this one they list display name as partition manager)
"perc2" same boot
"perc2hib" same boot
"profos" same demand
"ql1080" same boot
"ql10wnt" same boot
"ql12160" same boot
"ql1240" same boot
"ql1280" same boot
"ras asynchronous media driver" same asyncmac demand
"rdpcdd" same system
"rdpwd" same demand
"remote access auto connection driver" same rasacd system
"remote access ip arp driver" same wanarp demand
"secdrv" same demand
"sis agp bus filter" same sisagp boot
"soundfusion(tm) wdm driver" same cwrwdm demand
"sparrow" same boot
"sym_hi" same boot
"sym_u3" same boot
"symc810" same boot
"symc8xx" same boot
"tcp/ip protocol driver" same tcpip system
"tdpipe" same demand
"tdtcp" same demand
"terminal server device redirector driver" same rdpdr demand
"toside" same boot
"trufos" same demand
"ultra" same boot
"vgasave" same system (they list display name as vga display controller)
"via agp bus filter" same viaagp boot
"viaide" same boot
"volsnap" same boot
"wan miniport (atw)" same wanatw demand
"wfjutr" (disabled) same automatic
"windows driver foundation-user-mode driver framework platform driver" same wudfpf demand
"windows driver foundation-user-mode driver framework reflector" same wudfrd demand
"windows socket 2.0 non-ifs service provider support environment" same ws2ifsl system
"xyxh" (disabled) same automatic
Posted 9/1/2009 3:08 AM
#76751

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I was able to do a partial (I think) run of catchme from GMER. When it got to the "scanning files" part it only went about
2 more seconds and then disappeared, but a catchme log was on my desktop. Note that after it says "scanning files"
there is no more info; that's when it disappeared. Also, I ran across some sort of results from a system scan, and in those results just about all of
the non plug and play devices were disabled. Only 2 or 3 of them were on boot and a few others were demand, but all of the
others are disabled. I am worried I may disable something that is needed for the computer to start and I will be unable
to change it because I won't be able to get it started. Is that possible? Here is the partial log that it did give me.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-08-31 23:01:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk]
"start"=dword:00000004
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\kbiwkmepwaomsn.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\main]
"aid"="10002"
"sid"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules]
"kbiwkmrk.sys"="\systemroot\system32\drivers\kbiwkmepwaomsn.sys"
"kbiwkmcmd.dll"="\systemroot\system32\kbiwkmsmivppfd.dll"
"kbiwkmlog.dat"="\systemroot\system32\kbiwkmspipmbcr.dat"
"kbiwkmwsp.dll"="\systemroot\system32\kbiwkmjkhoyrtf.dll"
"kbiwkm.dat"="\systemroot\system32\kbiwkmqitnesmp.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmaxt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"=""
"TDSSl"=""
"tdssservers"=""
"tdssmain"=""
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfgb.dll"
"tdssinit"=""
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSthym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACxjjqbhgmec.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACxjjqbhgmec.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACwkbabiysbt.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACyugewtvccr.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACppyobffwro.dat"
"uacmal"="\\?\globalroot\systemroot\system32\UACskxvnlrjkw.db"
"uacrem"="\\?\globalroot\systemroot\system32\UACqftpibmkdw.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACyrbxpkospb.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmaxt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules]
"TDSSserv"=""
"TDSSl"=""
"tdssservers"=""
"tdssmain"=""
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfgb.dll"
"tdssinit"=""
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSthym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmuwwiyvnk]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\kbiwkmepwaomsn.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmuwwiyvnk\main]
"aid"="10002"
"sid"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmuwwiyvnk\modules]
"kbiwkmrk.sys"="\systemroot\system32\drivers\kbiwkmepwaomsn.sys"
"kbiwkmcmd.dll"="\systemroot\system32\kbiwkmsmivppfd.dll"
"kbiwkmlog.dat"="\systemroot\system32\kbiwkmspipmbcr.dat"
"kbiwkmwsp.dll"="\systemroot\system32\kbiwkmjkhoyrtf.dll"
"kbiwkm.dat"="\systemroot\system32\kbiwkmqitnesmp.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSmaxt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules]
"TDSSserv"=""
"TDSSl"=""
"tdssservers"=""
"tdssmain"=""
"tdsslog"="\systemroot\system32\TDSSriqp.dll"
"tdssadw"="\systemroot\system32\TDSScfgb.dll"
"tdssinit"=""
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsbhc.dll"
"tdssserf"="\systemroot\system32\TDSSthym.dll"
"tdsserrors"="\systemroot\system32\TDSStkdv.log"
"TDSSproc"="\systemroot\system32\TDSSbubx.log"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACxjjqbhgmec.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACxjjqbhgmec.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACwkbabiysbt.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACyugewtvccr.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACppyobffwro.dat"
"uacmal"="\\?\globalroot\systemroot\system32\UACskxvnlrjkw.db"
"uacrem"="\\?\globalroot\systemroot\system32\UACqftpibmkdw.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACyrbxpkospb.dll"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...
Posted 9/1/2009 5:03 AM
#76753

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
You've got 3 different rootkits :rolleyes:

Start Avenger

[code]
Begin copying here:
Files to delete:
C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys
C:\WINDOWS\system32\kbiwkmsmivppfd.dll
C:\WINDOWS\system32\kbiwkmspipmbcr.dat
C:\WINDOWS\system32\kbiwkmjkhoyrtf.dll
C:\WINDOWS\system32\kbiwkmqitnesmp.dat
C:\WINDOWS\system32\drivers\TDSSmaxt.sys
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSScfgb.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSsbhc.dll
C:\WINDOWS\system32\TDSSthym.dll
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSbubx.log
C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys
C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys
C:\WINDOWS\system32\UACwkbabiysbt.dll
C:\WINDOWS\system32\UACyugewtvccr.dll
C:\WINDOWS\system32\UACppyobffwro.dat
C:\WINDOWS\system32\UACskxvnlrjkw.db
C:\WINDOWS\system32\UACqftpibmkdw.dll
C:\WINDOWS\system32\UACyrbxpkospb.dll

Drivers to delete:
UACxjjqbhgmec
TDSSserv
Kbiwkmuwwiyvnk
TDSSmaxt
kbiwkmepwaomsn

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmuwwiyvnk\modules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\main
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys

[/code]
Copy/Paste all the text in the above code box into the main window

Click Execute

The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.

After the restart, it creates a log file that should open with the results of Avenger's actions.

This log file will be located at C:\avenger.txt

Post C:\avenger.txt in next reply




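The Avenger script in the post above was hand-built from the catchme dump in the post before it: each hidden service's imagepath and modules values became "Files to delete", the service key names became "Drivers to delete", and the keys themselves became "Registry keys to delete". The Python below is an added example, not part of this thread nor of GMER, catchme or The Avenger, that parses that registry-style dump and produces the three lists automatically so nothing is retyped by hand. It assumes \systemroot resolves to C:\WINDOWS (the Avenger and ComboFix paths in this thread show that root) and runs on a trimmed, constructed copy of the dump.

```python
"""Build Avenger-style removal lists from a catchme hidden-services dump.
Added example, not part of this thread nor of GMER, catchme or The Avenger.
Assumption: \\systemroot resolves to C:\\WINDOWS (the Avenger/ComboFix paths
in this thread show that root)."""
import re

WINDIR = r"C:\WINDOWS"  # assumption, see docstring

# Constructed sample: a trimmed copy of the shape of the catchme dump in the thread.
SAMPLE = r'''scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk]
"start"=dword:00000004
"imagepath"=str(2):"\systemroot\system32\drivers\kbiwkmepwaomsn.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules]
"kbiwkmrk.sys"="\systemroot\system32\drivers\kbiwkmepwaomsn.sys"
"kbiwkmcmd.dll"="\systemroot\system32\kbiwkmsmivppfd.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
"start"=dword:00000004
"imagepath"=str(2):"\systemroot\system32\drivers\UACxjjqbhgmec.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACxjjqbhgmec.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACwkbabiysbt.dll"
"uacsr"=""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
"start"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACxjjqbhgmec.sys"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
'''

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICES_RE = re.compile(r"\\Services\\([^\\]+)(?:\\(.*))?$", re.IGNORECASE)
START_TYPES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "DEMAND", 4: "DISABLED"}


def decode_value(raw):
    """dword:00000004 -> 4; str(2):"..." (REG_EXPAND_SZ) or "..." -> the string."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("str("):
        raw = raw[raw.index(":") + 1:]
    return raw.strip('"')


def normalize_path(path):
    """Kernel-style globalroot/systemroot paths -> the Win32 path a removal tool wants."""
    path = re.sub(r"^\\\\\?\\globalroot", "", path, flags=re.IGNORECASE)
    return re.sub(r"^\\systemroot", lambda _: WINDIR, path, flags=re.IGNORECASE)


def parse_hidden_services(text):
    """Return {service key name: {"start", "imagepath", "modules", "keys"}}."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if sec := SECTION_RE.match(line):
            hit = SERVICES_RE.search(sec.group(1))
            if not hit:  # e.g. the HKLM\SOFTWARE section: not a service key
                current = None
                continue
            svc = services.setdefault(hit.group(1), {"start": None, "imagepath": None, "modules": [], "keys": []})
            svc["keys"].append(sec.group(1))
            # GMER's [SYSTEM]/[DISABLED] tag reflects CurrentControlSet, so only that control set sets "start".
            current = (svc, hit.group(2), "currentcontrolset" in sec.group(1).lower())
        elif current and (val := VALUE_RE.match(line)):
            svc, subkey, is_ccs = current
            name, value = val.group(1).lower(), decode_value(val.group(2))
            if subkey is None and name == "start" and is_ccs:
                svc["start"] = value
            elif subkey is None and name == "imagepath" and (is_ccs or not svc["imagepath"]):
                svc["imagepath"] = normalize_path(value)
            elif subkey and subkey.lower() == "modules" and value:  # "" entries carry no file
                path = normalize_path(value)
                if path not in svc["modules"]:
                    svc["modules"].append(path)
    return services


def removal_lists(services):
    """The three Avenger sections, deduplicated and sorted."""
    files = {s["imagepath"] for s in services.values() if s["imagepath"]}
    files.update(p for s in services.values() for p in s["modules"])
    return {"files": sorted(files, key=str.lower),
            "drivers": sorted(services, key=str.lower),
            "keys": sorted({k for s in services.values() for k in s["keys"]})}


if __name__ == "__main__":
    found = parse_hidden_services(SAMPLE)
    for name, svc in found.items():  # same shape as GMER's "Services" section
        print(f"Service {svc['imagepath']} [{START_TYPES.get(svc['start'], '?')}] {name}")
    for section, items in removal_lists(found).items():
        print(f"\n{section.capitalize()} to delete:\n" + "\n".join("  " + i for i in items))
```

Two details are deliberate. The start type is taken from CurrentControlSet only, which is why kbiwkmuwwiyvnk comes out DISABLED even though ControlSet003 carries start=1; that matches the [DISABLED] tag GMER printed in the quick scan. And the driver names are kept exactly as the service keys appear in the dump (UACd.sys, TDSSserv.sys) rather than the image file names, because the Avenger log later in this thread shows "Drivers to delete" entries written as UACxjjqbhgmec and TDSSserv failing with STATUS_OBJECT_NAME_NOT_FOUND while the keys with the .sys names were deleted.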


Posted 9/1/2009 6:19 AM
#76758

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
It ran, but at the start it said it's dangerous to use something or other, so it skipped a line. When it was finally done, on top of the log
popped up a thing that looked like this:
"windows - no disk
exception processing message c000003 parameters 75b6bf7c4 75b6bf7 75b6bf7c4
cancel try again continue"

I chose continue but nothing happened, so I just clicked its "x" in the upper right corner and it disappeared. The Avenger log is below.
Thanks again for the help



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Sep 01 02:07:33 2009

02:07:27: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" (Registry key deletion mode)
02:07:33: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Sep 01 02:08:49 2009

02:08:34: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\main" (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kbiwkmsmivppfd.dll" deleted successfully.
File "C:\WINDOWS\system32\kbiwkmspipmbcr.dat" deleted successfully.
File "C:\WINDOWS\system32\kbiwkmjkhoyrtf.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\kbiwkmqitnesmp.dat" not found!
Deletion of file "C:\WINDOWS\system32\kbiwkmqitnesmp.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSmaxt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmaxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSriqp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSriqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSScfgb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScfgb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSnmxh.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSsbhc.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSsbhc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSthym.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSthym.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSbubx.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbubx.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UACwkbabiysbt.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\UACyugewtvccr.dll" not found!
Deletion of file "C:\WINDOWS\system32\UACyugewtvccr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UACppyobffwro.dat" deleted successfully.
File "C:\WINDOWS\system32\UACskxvnlrjkw.db" deleted successfully.
File "C:\WINDOWS\system32\UACqftpibmkdw.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\UACyrbxpkospb.dll" not found!
Deletion of file "C:\WINDOWS\system32\UACyrbxpkospb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACxjjqbhgmec" not found!
Deletion of driver "UACxjjqbhgmec" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "Kbiwkmuwwiyvnk" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSmaxt" not found!
Deletion of driver "TDSSmaxt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kbiwkmepwaomsn" not found!
Deletion of driver "kbiwkmepwaomsn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmuwwiyvnk\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
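The Avenger log above mixes three outcomes: deletions that succeeded, deletions that failed with STATUS_OBJECT_NAME_NOT_FOUND, and lines the pre-processor refused to run at all. The failures do not all mean the same thing: a file can be "not found" because an earlier step already removed it, while the driver entries TDSSserv and UACxjjqbhgmec fail because the service keys are actually named TDSSserv.sys and UACd.sys, which the registry-key section of the same log deletes without complaint. The Python below is an added example, not part of this thread nor of The Avenger, that parses this log format into deleted / failed / skipped groups and lists what is still outstanding after the run; it works on a constructed excerpt in the same format.

```python
"""Triage an Avenger run log: what was deleted, what failed, what was skipped.
Added example, not part of this thread nor of The Avenger.  Input is a
constructed excerpt in the format of the log in the thread."""
import re

SAMPLE_LOG = r'''
02:07:27: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" (Registry key deletion mode)

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kbiwkmsmivppfd.dll" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "Kbiwkmuwwiyvnk" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys" deleted successfully.

Completed script processing.
'''

OK_RE = re.compile(r'^(File|Driver|Registry key) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (file|driver|registry key) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')
SKIP_RE = re.compile(r"Warning: Skipping potentially dangerous line:$")
SKIPPED_RE = re.compile(r'^"(.+)" \((.+) mode\)$')


def triage_avenger_log(text):
    """Return {"deleted": [(kind, target)], "failed": [(kind, target, status)],
    "skipped": [(mode, target)]}; kinds are lower-case file / driver / registry key."""
    result = {"deleted": [], "failed": [], "skipped": []}
    pending = None          # a failed deletion waiting for its Status: line
    expect_skipped = False  # the line after a pre-processor warning names the target
    for line in text.splitlines():
        line = line.strip()
        if expect_skipped and line:
            if m := SKIPPED_RE.match(line):
                result["skipped"].append((m.group(2).lower(), m.group(1)))
            expect_skipped = False
        elif SKIP_RE.search(line):
            expect_skipped = True
        elif m := OK_RE.match(line):
            result["deleted"].append((m.group(1).lower(), m.group(2)))
        elif m := FAIL_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif pending and (m := STATUS_RE.match(line)):
            result["failed"].append(pending + (m.group(2),))
            pending = None
    if pending:  # failure line without a Status: line: record it anyway
        result["failed"].append(pending + ("UNKNOWN",))
    return result


def outstanding(result):
    """Targets still needing attention: every failed or skipped item.

    A NOT_FOUND failure means either the artefact was already gone or the name in
    the script did not match the real object; both deserve a second look."""
    return sorted({t for _, t, _ in result["failed"]} | {t for _, t in result["skipped"]})


if __name__ == "__main__":
    r = triage_avenger_log(SAMPLE_LOG)
    for outcome, items in r.items():
        print(f"{outcome}: {len(items)}")
        for item in items:
            print("   ", *item)
    print("outstanding:", *outstanding(r), sep="\n    ")
```

Lines the pre-processor skipped never reach the deletion pass, so they are counted as outstanding together with the failures; on the real log above that puts the \modules key the first run skipped on the same list as the driver names that did not match a service key.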
Posted 9/1/2009 6:37 AM
#76761

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
See if you can run ComboFix from safe mode with network:

Please download ComboFix here ->
https://download.bleepingcomputer.com/sUBs/ComboFix.exe <<Right-click, save target as.

Before saving it to Desktop, please rename it to alg.exe to stop malware from disabling it.

Now, please make sure no other programs are running; close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted.

Usually located in c:\combofix.txt, please post it to your next reply, along with C:\avenger.txt.

The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.




Posted 9/1/2009 8:14 AM
#76763

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
Here is everything. ComboFix appeared to work like it should.

ComboFix 09-08-31.03 - Owner 09/01/2009 3:55.1.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\al-g.exe
AV: BullGuard Antivirus *On-access scanning disabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
ADS - explorer.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{C720B391-FD4E-4007-9961-68855EB744A5}
c:\documents and settings\Owner\Local Settings\Application Data\{C720B391-FD4E-4007-9961-68855EB744A5}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{C720B391-FD4E-4007-9961-68855EB744A5}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{C720B391-FD4E-4007-9961-68855EB744A5}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{C720B391-FD4E-4007-9961-68855EB744A5}\install.rdf
c:\recycler\S-1-5-21-4110985211-1758993271-3769943490-1003
c:\windows\AUTOLNCH.REG
c:\windows\Installer\1324b.msi
c:\windows\system32\AVR09.exe
c:\windows\system32\kbiwkmatmnpuvr.dat
c:\windows\system32\kbiwkmftkospxj.dll
c:\windows\system32\kbiwkmhagofovc.dat
c:\windows\system32\kbiwkmorabvfvn.dll
c:\windows\system32\kbiwkmpfonjkgp.dll
c:\windows\system32\kbiwkmpspwticq.dat
c:\windows\system32\kbiwkmsgywqgtr.dll
c:\windows\system32\kbiwkmyymdriww.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\winhelper.dll
F:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEW_DRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-30 00:45 . 2009-08-30 03:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 23:59 . 2009-08-29 23:59 -------- d-----w- c:\program files\ESET
2009-08-29 20:10 . 2009-09-01 07:40 -------- d-----w- c:\program files\Panda Security
2009-08-29 10:13 . 2009-08-29 10:13 31896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 11:41 . 2009-08-28 11:41 -------- d-----w- C:\rsit
2009-08-28 11:40 . 2009-08-28 11:40 120 ----a-w- c:\windows\Ymaqa.dat
2009-08-28 10:01 . 2009-08-28 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-28 05:03 . 2009-08-05 23:29 3036024 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\bte8.exe
2009-08-28 04:09 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-08-28 04:09 . 2009-08-28 04:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2009-08-28 01:20 . 2009-08-28 01:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-21 04:22 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-21 04:16 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-21 04:16 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 07:55 . 2006-08-10 21:25 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-01 07:45 . 2008-05-31 03:18 -------- d-----w- c:\program files\Coupons
2009-09-01 07:42 . 2009-08-30 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-09-01 07:41 . 2006-08-12 04:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-01 07:41 . 2006-08-12 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-01 07:39 . 2009-08-30 07:37 -------- d-----w- c:\program files\DrWeb
2009-09-01 06:08 . 2009-09-01 06:08 874 ----a-w- C:\6.reg
2009-09-01 06:08 . 2009-09-01 06:08 1234 ----a-w- C:\8.reg
2009-09-01 06:08 . 2009-09-01 06:08 1108 ----a-w- C:\7.reg
2009-09-01 06:08 . 2009-09-01 06:08 1506 ----a-w- C:\avexport.bat
2009-08-30 09:02 . 2009-08-30 09:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2009-08-29 19:18 . 2008-03-01 03:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-29 19:13 . 2006-08-10 20:30 1033728 ----a-w- c:\windows\explorer.exe
2009-08-28 03:31 . 2006-08-12 04:40 -------- d-----w- c:\program files\SpywareBlaster
2009-08-21 04:53 . 2008-08-02 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups
2009-08-13 05:03 . 2009-03-02 14:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Vidalia
2009-08-13 05:03 . 2009-03-02 14:34 -------- d-----w- c:\documents and settings\Owner\Application Data\tor
2009-08-05 09:01 . 2006-08-10 20:31 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2006-08-10 20:32 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2006-08-10 20:30 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2006-08-10 20:29 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2006-08-10 20:32 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 01:27 . 2009-07-08 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2009-07-08 01:06 . 2009-07-08 00:58 -------- d-----w- c:\program files\Canon
2009-07-08 01:04 . 2009-07-08 01:04 -------- d-----w- c:\program files\Common Files\CANON
2009-07-08 01:01 . 2009-07-08 01:01 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-07-08 00:59 . 2009-07-08 00:59 -------- d--h--w- c:\program files\CanonBJ
2009-07-03 17:09 . 2006-08-10 20:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-08-10 20:32 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-08-10 20:32 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-08-10 20:32 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-08-10 20:31 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-08-10 20:31 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-08-10 20:30 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-08-10 20:30 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-23 00:07 . 2009-06-23 00:07 1878984 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-12 12:31 . 2006-08-10 20:32 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-08-10 20:29 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-08-10 20:31 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-08-10 20:32 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 02:26 . 2006-09-13 15:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-08 02:20 . 2009-06-08 02:20 466944 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MusicLoad.dll
2009-06-08 02:20 . 2009-06-08 02:20 197912 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgSoundclick.dll
2009-06-08 02:20 . 2009-06-08 02:20 177432 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgIJigg.dll
2009-06-08 02:20 . 2009-06-08 02:20 169240 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgPandora.dll
2009-06-08 02:20 . 2009-06-08 02:20 136472 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgLastfm.dll
2009-06-08 02:20 . 2009-06-08 02:20 197912 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgImeem.dll
2009-06-08 02:20 . 2009-06-08 02:19 1258776 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\RadioRip.dll
2009-06-08 02:18 . 2009-06-08 02:18 409600 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\DailyMotion.dll
2009-06-08 02:18 . 2009-06-08 02:18 413696 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\YouTube.dll
2009-06-03 19:09 . 2006-08-10 20:32 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Resurections

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R1 SASKUTIL;SASKUTIL; [x]
R2 asurscsi;asurscsi; [x]
R2 wfjutr;wfjutr;c:\windows\system32\drivers\skqhbjy.sys [x]
R2 xyxh;xyxh;c:\windows\system32\drivers\jifizq.sys [x]
R3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2009-05-30 79184]
R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\DRIVERS\cwrwdm.sys [2004-08-04 48640]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [x]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [x]
S2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2009-01-27 55504]
S2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2009-04-07 31128]
S3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\Drivers\AfwCore.sys [2009-04-07 257304]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-04-23 16640]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
IE: E&xport to Microsoft Excel
LSP: c:\windows\system32\bglsp.dll
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ty8zdb5t.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-09-01 03:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\locator.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-01 4:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 08:02

Pre-Run: 118,585,364,480 bytes free
Post-Run: 118,604,058,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot /usepmtimer

230




Do you mean the Avenger log from what I ran previously? That is all I have; it is below.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Sep 01 02:07:33 2009

02:07:27: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" (Registry key deletion mode)
02:07:33: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Sep 01 02:08:49 2009

02:08:34: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\main" (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\kbiwkmepwaomsn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\kbiwkmsmivppfd.dll" deleted successfully.
File "C:\WINDOWS\system32\kbiwkmspipmbcr.dat" deleted successfully.
File "C:\WINDOWS\system32\kbiwkmjkhoyrtf.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\kbiwkmqitnesmp.dat" not found!
Deletion of file "C:\WINDOWS\system32\kbiwkmqitnesmp.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSmaxt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmaxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSriqp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSriqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSScfgb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScfgb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSnmxh.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSsbhc.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSsbhc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSthym.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSthym.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSbubx.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbubx.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\UACxjjqbhgmec.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UACwkbabiysbt.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\UACyugewtvccr.dll" not found!
Deletion of file "C:\WINDOWS\system32\UACyugewtvccr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UACppyobffwro.dat" deleted successfully.
File "C:\WINDOWS\system32\UACskxvnlrjkw.db" deleted successfully.
File "C:\WINDOWS\system32\UACqftpibmkdw.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\UACyrbxpkospb.dll" not found!
Deletion of file "C:\WINDOWS\system32\UACyrbxpkospb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACxjjqbhgmec" not found!
Deletion of driver "UACxjjqbhgmec" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv" not found!
Deletion of driver "TDSSserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "Kbiwkmuwwiyvnk" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSmaxt" not found!
Deletion of driver "TDSSmaxt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kbiwkmepwaomsn" not found!
Deletion of driver "kbiwkmepwaomsn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbiwkmuwwiyvnk\modules" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmuwwiyvnk\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys\modules" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Posted 9/1/2009 9:03 AM
#76765
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It was the Avenger log; it indicated that it should be able to run ComboFix.



Open Notepad and copy/paste the bold text in the codebox below into it:

Name the file CFScript and save it on the desktop.



Code:

Killall::

Snapshot::

File::
c:\windows\Ymaqa.dat


c:\windows\system32\drivers\skqhbjy.sys

c:\windows\system32\drivers\jifizq.sys

C:\6.reg
C:\8.reg
C:\7.reg
C:\avexport.bat


Driver::

asurscsi
wfjutr
xyxh




User image



Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.



ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please post it in your next reply.


Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 9/1/2009 10:14 AM
#76766
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
Before I got your reply I uninstalled Malwarebytes and did a fresh install. Then I updated it and did a quick scan and it found nothing. Then I did a full scan and it found 4 items, so that log is below. Below that is the ComboFix log. I don't seem to be getting redirected in my Google searches, and I can click on an exe file more than once and it will still work. I still have a problem with all of the exe programs that I had clicked on once and then wouldn't have permission to click again; they still won't let me do anything with them. Other than that I think things are back to normal. How did all that stuff get past BullGuard in the first place?


Malwarebytes' Anti-Malware 1.40
Database version: 2724
Windows 5.1.2600 Service Pack 3

9/1/2009 5:46:29 AM
mbam-log-2009-09-01 (05-46-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 135424
Time elapsed: 35 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmftkospxj.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmorabvfvn.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmpfonjkgp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmsgywqgtr.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.









ComboFix 09-08-31.03 - Owner 09/01/2009 5:55.2.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\al-g.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: BullGuard Antivirus *On-access scanning disabled* (Outdated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"C:\6.reg"
"C:\7.reg"
"C:\8.reg"
"C:\avexport.bat"
"c:\windows\system32\drivers\jifizq.sys"
"c:\windows\system32\drivers\skqhbjy.sys"
"c:\windows\Ymaqa.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6.reg
C:\7.reg
C:\8.reg
C:\avexport.bat
c:\windows\Ymaqa.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASURSCSI
-------\Legacy_WFJUTR
-------\Legacy_XYXH
-------\Service_asurscsi
-------\Service_wfjutr
-------\Service_xyxh


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 09:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 09:03 . 2009-09-01 09:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 09:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 08:39 . 2009-09-01 09:03 -------- d-----w- c:\documents and settings\Owner\Application Data\BullGuard
2009-09-01 08:38 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2009-09-01 08:38 . 2009-09-01 08:38 -------- d-----w- c:\program files\BullGuard Ltd
2009-09-01 02:52 . 2009-09-01 02:52 -------- d-----w- C:\SDFix
2009-09-01 02:39 . 2009-09-01 03:04 -------- d-----w- C:\gojo
2009-08-30 09:02 . 2009-08-30 09:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SampleView
2009-08-30 07:37 . 2009-09-01 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-08-30 07:24 . 2009-08-30 07:40 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2009-08-30 05:55 . 2009-09-01 07:50 -------- d-----w- c:\windows\RegLooks
2009-08-29 23:59 . 2009-08-29 23:59 -------- d-----w- c:\program files\ESET
2009-08-29 10:13 . 2009-08-29 10:13 31896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 11:41 . 2009-08-28 11:41 -------- d-----w- C:\rsit
2009-08-28 10:01 . 2009-08-28 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-28 05:03 . 2009-08-05 23:29 3036024 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\bte8.exe
2009-08-28 04:09 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-08-28 04:09 . 2009-08-28 04:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2009-08-28 01:20 . 2009-08-28 01:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-21 04:22 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-21 04:16 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-21 04:16 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 10:01 . 2009-01-17 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-09-01 07:55 . 2006-08-10 21:25 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-01 07:45 . 2008-05-31 03:18 -------- d-----w- c:\program files\Coupons
2009-09-01 07:41 . 2006-08-12 04:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-01 07:41 . 2006-08-12 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 19:18 . 2008-03-01 03:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-29 19:13 . 2006-08-10 20:30 1033728 ------w- c:\windows\explorer.exe
2009-08-28 03:31 . 2006-08-12 04:40 -------- d-----w- c:\program files\SpywareBlaster
2009-08-21 04:53 . 2008-08-02 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups
2009-08-13 05:03 . 2009-03-02 14:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Vidalia
2009-08-13 05:03 . 2009-03-02 14:34 -------- d-----w- c:\documents and settings\Owner\Application Data\tor
2009-08-05 09:01 . 2006-08-10 20:31 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2006-08-10 20:32 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2006-08-10 20:30 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2006-08-10 20:29 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2006-08-10 20:32 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 01:27 . 2009-07-08 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2009-07-08 01:06 . 2009-07-08 00:58 -------- d-----w- c:\program files\Canon
2009-07-08 01:04 . 2009-07-08 01:04 -------- d-----w- c:\program files\Common Files\CANON
2009-07-08 01:01 . 2009-07-08 01:01 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-07-08 00:59 . 2009-07-08 00:59 -------- d--h--w- c:\program files\CanonBJ
2009-07-03 17:09 . 2006-08-10 20:32 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-08-10 20:32 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-08-10 20:32 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-08-10 20:32 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-08-10 20:31 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-08-10 20:31 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-08-10 20:30 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-08-10 20:30 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-23 00:07 . 2009-06-23 00:07 1878984 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-12 12:31 . 2006-08-10 20:32 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-08-10 20:29 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-08-10 20:31 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-08-10 20:32 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 02:26 . 2006-09-13 15:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-08 02:20 . 2009-06-08 02:20 466944 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MusicLoad.dll
2009-06-08 02:20 . 2009-06-08 02:20 197912 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgSoundclick.dll
2009-06-08 02:20 . 2009-06-08 02:20 177432 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgIJigg.dll
2009-06-08 02:20 . 2009-06-08 02:20 169240 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgPandora.dll
2009-06-08 02:20 . 2009-06-08 02:20 136472 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgLastfm.dll
2009-06-08 02:20 . 2009-06-08 02:20 197912 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgImeem.dll
2009-06-08 02:20 . 2009-06-08 02:19 1258776 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\RadioRip.dll
2009-06-08 02:18 . 2009-06-08 02:18 409600 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\DailyMotion.dll
2009-06-08 02:18 . 2009-06-08 02:18 413696 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\YouTube.dll
2009-06-03 19:09 . 2006-08-10 20:32 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-09-01 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-09-01 304464]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R1 SASKUTIL;SASKUTIL; [x]
R3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2009-06-01 79184]
R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\DRIVERS\cwrwdm.sys [2004-08-04 48640]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [x]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [x]
S2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2009-01-23 55504]
S2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2009-03-23 31128]
S3 afwcore;afwcore;c:\windows\system32\DRIVERS\afwcore.sys [2009-03-23 257304]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-04-23 16640]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-04-23 16640]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
IE: E&xport to Microsoft Excel
LSP: c:\windows\system32\BGLsp.dll
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ty8zdb5t.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-09-01 06:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3584)
c:\windows\system32\WININET.dll
c:\program files\BullGuard Ltd\BullGuard\antispam\PluginHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\BullGuard Ltd\BullGuard\res\en\PluginHookRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\locator.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-09-01 6:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 10:03
ComboFix2.txt 2009-09-01 08:15

Pre-Run: 119,008,837,632 bytes free
Post-Run: 118,953,394,176 bytes free

Posted 9/1/2009 11:16 AM
#76771
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
"I still have a problem with all of the
exe programs that I had clicked on once and then wouldn't have
permission to click them again still won't let me do anything with them."


Is it missing admin rights?

I can't tell why they get through BullGuard :rolleyes:

Do not PM me with logfiles. They will be deleted.


Posted 9/1/2009 5:35 PM
#76778
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I'm not sure I know what you mean? Am I logged in as administrator? Yes. I think it's something to do with this: when I click My Computer,
Tools, Folder Options and then File Types, this gives me the list of registered file types, but EXE isn't on the list. I try to add it to the list
with Application as its associated file type, but the Apply button does not highlight for me to click on. If I try to add EXE with a different
associated file type it gives me a warning that EXE is already associated with a different file type. When I'm in the File Types window, if I click on
New and then Advanced and then select the drop-down arrow, I get a long list of associated file types. The first item on the list is
%ADS_SECURITY_UTILITY_OBJECT% and I don't think that's supposed to be there. Let me know what you think. I thought I may be able to
put the files I want to delete but can't into Avenger and delete them on reboot? Almost got this fixed finally. Thanks again for all of your
help.
Posted 9/3/2009 3:35 AM
#76837
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok. Let's see if SUPERAntiSpyware can fix it ->



Please download https://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE (SAS)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes, Let it through your firewall!
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:

Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Ignore System Restore/Volume Information on ME and XP
Please leave the others unchecked.

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click
Yes.



Reboot normally.


  • After reboot, double-click the SUPERAntispyware icon on your desktop.

  • Click Preferences . Click the Statistics/Logs tab .

  • Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .

  • It will open in your default text editor (such as Notepad/Wordpad).

  • Please highlight everything , then right-click and choose copy.

  • Click close and close again to exit the program.


Post Superantispyware log.



Posted 9/3/2009 6:38 AM
#76849
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
I got the exe stuff all straightened out. I used Malwarebytes FileASSASSIN to
delete the ones it wouldn't let me do anything with. SUPERAntiSpyware found 1 item;
log is below. Thanks for all of your help.






SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 09/03/2009 at 02:32 AM

Application Version : 4.27.1002

Core Rules Database Version : 4083
Trace Rules Database Version: 2023

Scan type : Complete Scan
Total Scan Time : 00:35:41

Memory items scanned : 432
Memory threats detected : 0
Registry items scanned : 4919
Registry threats detected : 0
File items scanned : 18188
File threats detected : 1

Trojan.Agent/Gen
C:\WINDOWS\PEV.EXE
Posted 9/3/2009 6:39 AM
#76850
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It sounds like your computer is running fine now?



Posted 9/3/2009 7:06 AM
#76851
User avatar

jsdspif Valued member

Date Joined Nov 2016
Total Posts: 26
Seems to be good now. I had just scanned with Spybot Search & Destroy but it didn't find anything. Guess I'll rely more on the SAS. Thanks again for all of your help.
Posted 9/3/2009 9:36 AM
#76853
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
That's really good news :yeah:


"Guess I'll rely more on the SAS" It's a good idea.




Now that your computer problems are solved, it is time for the clean-up procedure.

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.





Click START then RUN

Now type Combofix /u in the Run box and click OK.

Note the space between the X and the /U; it needs to be there.


The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.


To find out what programs need to be updated, please download and run the:

https://secunia.com/vulnerability_scanning/personal/








To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place?
