
!THIS WILL BE THE WORST U've seen maybe ever! Probable BIOS rootkit mebromi/Rakshasha var.ZeroDay? w/GPU-Paravirtualization, W7/BSD/Linux/16bit vuln


4 replies to this topic

#1 theashesstir

theashesstir

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:07 PM

Posted 04 December 2012 - 11:25 PM

I am at the end of my rope. Most of the steps covered and discussed on similar forums I have already tried, but never w/ the consult of someone in the know about the inner workings of ComboFix and the like. ComboFix seems to calm the problems temporarily. But they invariably recur as the BIOS rootkit persists.

If someone is able to instruct me on a viable cleaning route - short of dissection of all machine components and separate flashing (impossible w/ these highly integrated laptops), I will shoot them $100-200 or donate to a charity of their choice, or pay it forward in whatever way they deem best. As I've already sacrificed 2 months business productivity, and have among those succumbed to it: 3 desktop workstations, a Dell Studio, a toughbook, an acer and Emachines laptop, a top of the line Alienware m17xr4, and a toughbook, several drives, and suspect a Linksys router and a SonicWall could be infected (such that I cannot trust exposing a clean machine to them).
I am myself a fairly seasoned IT Pro, MCP, MCSA, A+, Network+, Server+ - and was team lead for Shaw Cablesystems (Western Canada's largest cable ISP)'s malware removal/support team for 3 yrs from 2007-2010.


This story begins in the last week of August 2012. Two possible infection vectors: 1) one with local root access to the physical machine, and another 2) involving a remote vector via international intrigue and a subsidiary of the Chinese state-owned electrical company, who one of my IT clients tells me had declared an incentive in kiboshing the sale of my client's patents to another buyer. Yes I know, many times I've stopped to question my own sanity in this run around. Anyway:

VECTOR 1) Immediately before the first symptoms began (vector 2 was more or less the same week or two), a sketchy friend of a friend was over at my apartment and briefly had local root access to my production machine (now disassembled). He wanted to research rooting his android phone. Connected it via USB with me distracted for a few minutes and checked a few websites. Later that evening I noticed strange frame buffering in my Win7 UI and Aero kicking in and out as if a VNC/Terminal Service driver was loaded. System became unstable... System rebooted w/o any halt or bluescreen.
On reboot, immediately after boot: BLACK screen... white cursor.. flashing for ~10 seconds, two carriage returns... cursor moves slightly to the right. System restarts again.

Ever since, I see the same original BIOS POST flash for like 1/10 of a second, then for 1-2 seconds that black screen + cursor appears.. then SATA driver info, then return to BIOS POST (now interactable for the regular POST period of a few seconds)... and the system loads...

SYMPTOMS:
-INSTALLING W7 home premium from retail pressed DVD, on fresh from static bag HDD = Group Policy Service Started by default (group Policy is not part of home premium as only pro/ultimate can join a domain).
-Similarly BitLocker service and driver is installed started from boot and set to enabled.
-ditto for RPC Server, and a few others: NetBios, NetBT, some SSDP related services. The interface for these services in Services.msc shows them started, and greyed out to stop or change behavior.
Setting them to disabled in Device Manager > Show Hidden Devices > Non Plug and Play Devices causes repeated bluescreens on restart. Even for just group policy or netbios, which should not be essential to system stability.

-Event logs show group policy updates from \\WIN-123ALPHAHEX, corresponding to registry key HKEY_CURRENT_USER\Volatile Environment\LOGONSERVER.
--> This only happens if i allow the 100MB recovery partition to be created at boottime.
Booting from the Same Retail Disc immediately shows a few oddities:
1) Windows is Loading Files... Horizontal progress bar fills twice.. once very quickly over 1-3 seconds.. and again in about 30-45 seconds as per usual (it's been theorized this represents the expansion of the malware from the BIOS/vBIOS onto the installer's RAM drive)
and selecting REPAIR > CMD > and browsing the DVD / RAM drive reveals a product.ini file w/ product keys for virtually every Windows Server product since XP/2000, and a winPE folder, clg and answer files for all editions of Windows relevant to the DVD just inserted.

---> Multiple windows alerts saying: Recycle bin is corrupt do you want to empty it? This appears to be a way for it out of active memory. Exploring the bin reveals it to be empty. even w/ System, Hidden and OS files set to show. going to admin CMD prompt and saying attrib -h -s * /s /d reveals a number of files named $R#A#A#.exe/zip .. in fulminant form = ~300MB from what i can tell some of this goes to GPU vBIOS, rest to BIOS, MBR gets flashed on the way.

Running anything w/ admin privileges, running Sysinternals applications, causes a ~10-20 second delay before the UAC prompt comes up, then another 5-10 secs before the program loads. Same thing with freshly downloaded exe's.


- some applications like GMER just trigger bluescreens or wont run. Other ones clearly run gutted. Get intermittent RedLight Attention Required prompts in McAfee Security Center. New (but not enabled) allow rules keep appearing in Win Firewall after I switch all rules to deny and turn them on. Many are redundant. Given alternate / bs named but invoke same process/port/protocol/applications/environment device and behavior as that i just set to deny.

-removing all hard drives and booting from Hiren's Boot CD, Ubuntu, Mint, or Knoppix live DVDs results in those live OSes quickly being rooted... new scripts, hidden files appearing in /root/ partition, mount points changed etc. etc.
Even with the device offline and all network devices disabled in BIOS.

Flashing BIOS from DOS boot disk (even tried 16bit hobby dos like FREEDOS) or from in BIOS UI shows progress to about 90% then system halt or restart.. no visible change. Blind flash from USB using single .hdr file causes BIOS flash to apparently take.. (ie version and Post screen/image/options change) but on first boot == extra long 30s sitting at black screen with flashing white cursor, 2-3 carriage return then system restarts w/ the fresh bios. and same behavior persists... assumption is that the BIOS is being reflashed from the GPU.. but how to flash GPU and BIOS in same reboot cycle w/o already being in virtual environment under a hypervisor?? Also one of these machines, the alienware is an Ivy Core. w/ integrated HD-4000 GPU integrated into CPU + an nVidia Geforce 660 2GB... cant really take out the integrated GPU... furthermore... some of the reading i've done seem to indicate these new mebromi/rakshasha variants will flash all accessible peripherals... so that would imply integrated network controllers, GPUs, Optical drives, HDD FM etc. etc? amiright?

Any help, even a positive ID, would be very greatly appreciated. Here are some general logs that may be useful. Note ComboFix has already been run 2-3x to just get the machine stable and useable. Otherwise, beforehand, I would get random carriage returns and text inserted while typing.. weird ghost Alt-Tabs.. SysInternals suite would have all exe's removed from the folder the second I expanded the archive. etc etc. Even now it's sketchy - but usable.. mostly.... mostly...
Think I'm insane? Please ... show me - I would welcome that diagnosis at this point...
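Two checks a responder would run against the claims above before treating any of these machines as firmware-compromised, written here as an added example (not code from the original post and not Microsoft's). The first groups Windows Firewall rules by everything except their display name (program, service, protocol, local ports, direction, action, profile), so rules that differ only in name, the "alternate / bs named" duplicates described above, surface as one tuple carrying several names; profile is part of the key because stock Windows legitimately ships near-identical rules once per profile. The second checks the script posted in the next reply, gatherNetworkInfo.vbs, which is a stock Windows component shipped in %windir%\System32 on Windows 7 and later and launched by the built-in scheduled task \Microsoft\Windows\NetTrace\GatherNetworkInfo: it asks Windows Resource Protection (sfc /verifyfile) whether the on-disk copy still matches the signed catalog hash, prints the task definition, and records a SHA-1 for comparison against a known-good install if WRP reports the file as unprotected. Assumes Windows 7 or later and an elevated PowerShell prompt; the function names are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows 7+ and an elevated
# PowerShell session (the firewall COM object and sfc.exe both need admin).
# Function names are this example's own.

function Find-DuplicateFirewallRules {
    # Key each rule on everything EXCEPT its display name. Two rules with the
    # same key but different names are what the poster describes: a re-created
    # allow rule hiding behind a new label.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $byKey = @{}
    foreach ($r in $fw.Rules) {
        $key = '{0}|{1}|{2}|{3}|{4}|{5}|{6}' -f $r.ApplicationName, $r.ServiceName,
               $r.Protocol, $r.LocalPorts, $r.Direction, $r.Action, $r.Profiles
        if (-not $byKey.ContainsKey($key)) { $byKey[$key] = @() }
        $byKey[$key] += $r
    }
    foreach ($key in $byKey.Keys) {
        $set = $byKey[$key]
        if ($set.Count -lt 2) { continue }
        $dir = 'Out'; if ($set[0].Direction -eq 1) { $dir = 'In' }
        $act = 'Block'; if ($set[0].Action -eq 1) { $act = 'Allow' }
        New-Object PSObject -Property @{
            Program   = $set[0].ApplicationName
            Service   = $set[0].ServiceName
            Protocol  = $set[0].Protocol          # 6 = TCP, 17 = UDP, 256 = any
            LocalPort = $set[0].LocalPorts
            Direction = $dir
            Action    = $act
            Copies    = $set.Count
            Enabled   = @($set | Where-Object { $_.Enabled }).Count
            Names     = ($set | ForEach-Object { $_.Name }) -join ' ; '
        }
    }
}

function Test-StockScript {
    param([string]$Path = "$env:windir\System32\gatherNetworkInfo.vbs")
    # sfc.exe writes UTF-16; without this its captured output reads as
    # spaced-out characters. The previous encoding is restored afterwards.
    $prev = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try {
        # Windows Resource Protection compares the file to its signed catalog
        # hash; "did not find any integrity violations" means the copy is stock.
        $sfc = (& "$env:windir\System32\sfc.exe" /verifyfile=$Path) -join "`n"
    } finally {
        [Console]::OutputEncoding = $prev
    }
    # The stock script is run by a built-in scheduled task rather than a Run
    # key; /v /fo LIST prints its action, triggers and last run time.
    $task = (& schtasks.exe /query /tn '\Microsoft\Windows\NetTrace\GatherNetworkInfo' /v /fo LIST) -join "`n"
    # SHA-1 of the on-disk file (certutil prints the hash on its second line),
    # for comparison with a known-good install if WRP says it is unprotected.
    $hash = $null
    if (Test-Path $Path) { $hash = ((& certutil.exe -hashfile $Path)[1]) -replace ' ', '' }
    New-Object PSObject -Property @{
        Path   = $Path
        Exists = Test-Path $Path
        Sha1   = $hash
        Sfc    = $sfc.Trim()
        Task   = $task.Trim()
    }
}

Find-DuplicateFirewallRules | Sort-Object Copies -Descending | Format-Table -AutoSize
Test-StockScript | Format-List
```

A tuple with two or more copies, at least one enabled and an Allow action, where only one rule is expected for that program and port is the thing to chase down; a dozen hits that differ only by profile are normal. For the script, an sfc result other than "did not find any integrity violations", or a task whose action no longer points into System32, would be worth far more attention than the script's contents themselves.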


#2 theashesstir

theashesstir
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:07 PM

Posted 04 December 2012 - 11:40 PM

Runs at Boot: gatherNetworkInfo.vbs
**not sure how to attach a txt***
Dim FSO, shell, xslProcessor
' The subs below rely on these two objects; the posted excerpt ends before the
' script's main body, so they are created here so the excerpt runs on its own.
Set FSO = CreateObject("Scripting.FileSystemObject")
Set shell = WScript.CreateObject("WScript.Shell")

Sub RunCmd(CommandString, OutputFile)
cmd = "cmd /c " + CommandString + " >> " + OutputFile
shell.Run cmd, 0, True
End Sub

Sub GetOSInfo(outputFileName)
On Error Resume Next
strComputer = "."
HKEY_LOCAL_MACHINE = &H80000002

Dim objReg, outputFile
Dim buildDetailNames, buildDetailRegValNames

buildDetailNames = Array("Product Name", "Version", "Build Lab", "Type")
buildDetailRegValNames = Array("ProductName", "CurrentVersion", "BuildLabEx", "CurrentType")

Set outputFile = FSO.OpenTextFile(outputFileName, 2, True)

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

outputFile.WriteLine("[Architecture/Processor Information]")
outputFile.WriteLine()
outputFile.Close
cmd = "cmd /c set processor >> " & outputFileName
shell.Run cmd, 0, True

Set outputFile = FSO.OpenTextFile(outputFileName, 8, True)

outputFile.WriteLine()
outputFile.WriteLine("[Operating System Information]")
outputFile.WriteLine()

strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
for I = 0 to UBound(buildDetailNames)
objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, buildDetailRegValNames(I), info
outputFile.WriteLine(buildDetailNames(I) + " = " + info)
Next

outputFile.WriteLine()
strKeyPath = "SYSTEM\SETUP"
objReg.GetDWordValue HKEY_LOCAL_MACHINE, strKeyPath, "Upgrade", upgradeInfo
if IsNull(upgradeInfo) Then
outputFile.WriteLine("This is a clean installed system")
Else
outputFile.WriteLine("This is an upgraded system")
End If

outputFile.WriteLine()
outputFile.WriteLine("[File versions]")
outputFile.WriteLine()

Set shell = WScript.CreateObject( "WScript.Shell" )
windir = shell.ExpandEnvironmentStrings("%windir%\system32\")

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Dim FileSet
FileSet = Array("onex.dll", "l2nacp.dll", "wlanapi.dll", "wlancfg.dll", "wlanconn.dll", "wlandlg.dll", "wlanext.exe", "wlangpui.dll", "wlanhc.dll", "wlanhlp.dll", "wlaninst.dll", "wlanmm.dll", "wlanmmhc.dll", "wlanmsm.dll", "wlanpref.dll", "wlansec.dll", "wlansvc.dll", "wlanui.dll")

For Each file in FileSet
filename = windir + file
strQuery = "Select * from CIM_Datafile Where Name = '" + Replace(filename, "\", "\\") + "'"
Set fileProp = objWMIService.ExecQuery _
(strQuery)

For Each objFile in fileProp
outputFile.WriteLine(file + " " + objFile.Version)
Next
Next

Dim Dot3FileSet
Dot3FileSet = Array("onex.dll", "dot3api.dll", "dot3cfg.dll", "dot3dlg.dll", "dot3gpclnt.dll", "dot3gpui.dll", "dot3msm.dll", "dot3svc.dll", "dot3ui.dll")

For Each file in Dot3FileSet
filename = windir + file
strQuery = "Select * from CIM_Datafile Where Name = '" + Replace(filename, "\", "\\") + "'"
Set fileProp = objWMIService.ExecQuery _
(strQuery)

For Each objFile in fileProp
outputFile.WriteLine(file + " " + objFile.Version)
Next
Next

call GetBatteryInfo(outputFile)
outputFile.Close

Set outputFile = FSO.OpenTextFile(outputFileName, 8, True)
outputFile.WriteLine("")
outputFile.WriteLine("[System Information]")
outputFile.WriteLine("")
outputFile.Close

'Comments: Dumping System Information using "systeminfo" command

cmd = "cmd /c systeminfo >> " & outputFileName
shell.Run cmd, 0, True

Set outputFile = FSO.OpenTextFile(outputFileName, 8, True)
outputFile.WriteLine("")
outputFile.WriteLine("[User Information]")
outputFile.WriteLine("")
outputFile.Close

cmd = "cmd /c set u >> " & outputFileName
shell.Run cmd, 0, True

End Sub

Sub GetBatteryInfo(outputFile)
On Error Resume Next
strComputer = "."
outputFile.WriteLine()
outputFile.WriteLine("[Power Information]")
outputFile.WriteLine()
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Battery")
if colItems.Count = 0 Then
outputFile.WriteLine("It is a Desktop running on AC")
Else
For Each objItem in colItems
if objItem.Availability = 2 Then
outputFile.WriteLine("Machine is running on AC Adapter")
Else
if objitem.Availability = 3 Then
outputFile.WriteLine("Machine is running on Battery")
End If
End If
Next
End If
End Sub



Sub GetWcnInfo(outputFileName)
On Error Resume Next
Dim WcnInfoFile

Set WcnInfoFile= FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("-------------------------------------")
WcnInfoFile.WriteLine("---------+ WCN Information +---------")
WcnInfoFile.WriteLine("-------------------------------------")
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("-----------------")
WcnInfoFile.WriteLine("+ Services Status")
WcnInfoFile.WriteLine("-----------------")
WcnInfoFile.WriteLine("")
WcnInfoFile.Close

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c sc query wcncsvc >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c sc query wlansvc >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c sc query eaphost >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c sc query fdrespub >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c sc query upnphost >> " & outputFileName
objShell.Run cmd, 0, True



Set WcnInfoFile= FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("-----------------------")
WcnInfoFile.WriteLine("+ WCN Files Information ")
WcnInfoFile.WriteLine("-----------------------")
WcnInfoFile.WriteLine("")

strComputer = "."

Set shell = WScript.CreateObject( "WScript.Shell" )
windir = shell.ExpandEnvironmentStrings("%windir%\system32\")

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Dim FileSet
FileSet = Array("wcncsvc.dll", "wcnapi.dll", "fdwcn.dll", "wcneapauthproxy.dll", "wcneappeerproxy.dll", "wcnwiz.dll", "wcnnetsh.dll", "wczdlg.dll")

For Each file in FileSet
filename = windir + file
strQuery = "Select * from CIM_Datafile Where Name = '" + Replace(filename, "\", "\\") + "'"
Set fileProp = objWMIService.ExecQuery _
(strQuery)

For Each objFile in fileProp
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("---------------------")
WcnInfoFile.WriteLine(file)
WcnInfoFile.WriteLine("---------------------")
WcnInfoFile.WriteLine(" - Version : " + objFile.Version )
WcnInfoFile.WriteLine(" - Creation Date : " + objFile.CreationDate )
WcnInfoFile.WriteLine(" - Description : " + objFile.Description )
WcnInfoFile.WriteLine(" - Installation Date : " + objFile.InstallDate )
WcnInfoFile.WriteLine(" - In Use Count : " + objFile.InUseCount )
WcnInfoFile.WriteLine(" - Last Accessed : " + objFile.LastAccessed )
WcnInfoFile.WriteLine(" - Last Modified : " + objFile.LastModified )
WcnInfoFile.WriteLine(" - Status : " + objFile.Status )
Next
Next




WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("-------------------------------")
WcnInfoFile.WriteLine("+ Network Adapters Information ")
WcnInfoFile.WriteLine("-------------------------------")
WcnInfoFile.WriteLine("")

strQuery = "Select * from Win32_NetworkAdapter "

Set AdapterProp = objWMIService.ExecQuery _
(strQuery)


For Each objFile in AdapterProp
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("---------------------")
WcnInfoFile.WriteLine("DeviceID : " + objFile.DeviceID )
WcnInfoFile.WriteLine("---------------------")
WcnInfoFile.WriteLine(" - Adapter Type : " + objFile.AdapterType )
WcnInfoFile.WriteLine(" - Auto Sense : " + objFile.AutoSense )
WcnInfoFile.WriteLine(" - Description : " + objFile.Description )
WcnInfoFile.WriteLine(" - NetConnectionID : " + objFile.NetConnectionID )
WcnInfoFile.WriteLine(" - GUID : " + objFile.GUID )
WcnInfoFile.WriteLine(" - MACAddress : " + objFile.MACAddress )
WcnInfoFile.WriteLine(" - Manufacturer : " + objFile.Manufacturer )
WcnInfoFile.WriteLine(" - MaxSpeed : " + objFile.MaxSpeed )
WcnInfoFile.WriteLine(" - Speed : " + objFile.Speed )
WcnInfoFile.WriteLine(" - Name : " + objFile.Name )

Select Case objFile.NetConnectionStatus
Case 0 strAvail= "Disconnected"
Case 1 strAvail= "Connecting"
Case 2 strAvail= "Connected"
Case 3 strAvail= "Disconnecting"
Case 4 strAvail= "Hardware not present"
Case 5 strAvail= "Hardware disabled"
Case 6 strAvail= "Hardware malfunction"
Case 7 strAvail= "Media disconnected"
Case 8 strAvail= "Authenticating"
Case 9 strAvail= "Authentication succeeded"
Case 10 strAvail= "Authentication failed"
Case 11 strAvail= "Invalid address"
Case 12 strAvail= "Credentials required"
End Select


WcnInfoFile.WriteLine(" - NetConnectionStatus : " + strAvail )
WcnInfoFile.WriteLine(" - NetEnabled : " + objFile.NetEnabled )
WcnInfoFile.WriteLine(" - NetworkAddresses : " + objFile.NetworkAddresses )
WcnInfoFile.WriteLine(" - PermanentAddress : " + objFile.PermanentAddress )
WcnInfoFile.WriteLine(" - PhysicalAdapter : " + objFile.PhysicalAdapter )
WcnInfoFile.WriteLine(" - PNPDeviceID : " + objFile.PNPDeviceID )
WcnInfoFile.WriteLine(" - ProductName : " + objFile.ProductName )
WcnInfoFile.WriteLine(" - ServiceName : " + objFile.ServiceName )

WcnInfoFile.WriteLine(" - SystemName : " + objFile.SystemName )
WcnInfoFile.WriteLine(" - TimeOfLastReset : " + objFile.TimeOfLastReset )
WcnInfoFile.WriteLine(" - Status : " + objFile.Status )

Select Case objFile.StatusInfo
Case 1 strAvail= "Other"
Case 2 strAvail= "Unknown"
Case 3 strAvail= "Enabled"
Case 4 strAvail= "Disabled"
Case 5 strAvail= "Not Applicable"
End Select

WcnInfoFile.WriteLine(" - StatusInfo : " + strAvail )

Select Case objFile.Availability
Case 1 strAvail= "Other"
Case 2 strAvail= "Unknown"
Case 3 strAvail= "Running or Full Power"
Case 4 strAvail= "Warning"
Case 5 strAvail= "In test"
Case 6 strAvail= "Not Applicable"
Case 7 strAvail= "Power Off"
Case 8 strAvail= "Off Line"
Case 9 strAvail= "Off Duty"
Case 10 strAvail= "Degraded"
Case 11 strAvail= "Not Installed"
Case 12 strAvail= "Install Error"
Case 13 strAvail= "Power Save - Unknown"
Case 14 strAvail= "Power Save - Low Power Mode"
Case 15 strAvail= "Power Save - Standby"
Case 16 strAvail= "Power Cycle"
Case 17 strAvail= "Power Save - Warning"
End Select

WcnInfoFile.WriteLine(" - Availability : " + strAvail )
WcnInfoFile.WriteLine(" - Caption : " + objFile.Caption )

Select Case objFile.ConfigManagerErrorCode
Case 0 strAvail= "Device is working properly"
Case 1 strAvail= "Device is not configured correctly"
Case 2 strAvail= "Windows cannot load the driver for this device"
Case 3 strAvail= "Driver for this device might be corrupted, or the system may be low on memory or other resources"
Case 4 strAvail= "Device is not working properly. One of its drivers or the registry might be corrupted."
Case 5 strAvail= "Driver for the device requires a resource that Windows cannot manage."
Case 6 strAvail= "Boot configuration for the device conflicts with other devices"
Case 7 strAvail= "Cannot filter"
Case 8 strAvail= "Driver loader for the device is missing"
Case 9 strAvail= "Device is not working properly. The controlling firmware is incorrectly reporting the resources for the device"
Case 10 strAvail= "Device cannot start"
Case 11 strAvail= "Device failed"
Case 12 strAvail= "Device cannot find enough free resources to use"
Case 13 strAvail= "Windows cannot verify the device's resources"
Case 14 strAvail= "Device cannot work properly until the computer is restarted"
Case 15 strAvail= "Device is not working properly due to a possible re-enumeration problem"
Case 16 strAvail= "Windows cannot identify all of the resources that the device uses"
Case 17 strAvail= "Device is requesting an unknown resource type."
Case 18 strAvail= "Device drivers must be reinstalled"
Case 19 strAvail= "Failure using the VxD loader"
Case 20 strAvail= "Registry might be corrupted."
Case 21 strAvail= "System failure. If changing the device driver is ineffective, see the hardware documentation. Windows is removing the device"
Case 22 strAvail= "Device is disabled"
Case 23 strAvail= "System failure. If changing the device driver is ineffective, see the hardware documentation"
Case 24 strAvail= "Device is not present, not working properly, or does not have all of its drivers installed."
Case 25 strAvail= "Windows is still setting up the device"
Case 27 strAvail= "Device does not have valid log configuration."
Case 28 strAvail= "Device drivers are not installed."
Case 29 strAvail= "Device is disabled. The device firmware did not provide the required resources."
Case 30 strAvail= "Device is using an IRQ resource that another device is using."
Case 31 strAvail= "Device is not working properly. Windows cannot load the required device drivers."
End Select

WcnInfoFile.WriteLine(" - ConfigManagerErrorCode: " + strAvail )
WcnInfoFile.WriteLine(" - Error Cleared : " + objFile.ErrorCleared )
WcnInfoFile.WriteLine(" - Error Description : " + objFile.ErrorDescription)
WcnInfoFile.WriteLine(" - LastErrorCode : " + objFile.LastErrorCode)
WcnInfoFile.WriteLine(" - Index : " + objFile.Index)
WcnInfoFile.WriteLine(" - Installed : " + objFile.Installed )
WcnInfoFile.WriteLine(" - Install Date : " + objFile.InstallDate )
WcnInfoFile.WriteLine(" - InterfaceIndex : " + objFile.InterfaceIndex )
Next
WcnInfoFile.Close





Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("-----------------------")
WcnInfoFile.WriteLine("+ ipconfig information")
WcnInfoFile.WriteLine("-----------------------")
WcnInfoFile.WriteLine("")
WcnInfoFile.Close


cmd = "cmd /c ipconfig /all >> " & outputFileName
objShell.Run cmd, 0, True



Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("----------------------")
WcnInfoFile.WriteLine("+ Softap Capabilities ")
WcnInfoFile.WriteLine("----------------------")
WcnInfoFile.WriteLine("")
WcnInfoFile.Close

cmd = "cmd /c netsh wlan show device >> " & outputFileName
objShell.Run cmd, 0, True

Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("----------------------")
WcnInfoFile.WriteLine("+ Dump wcncsvc RegKey ")
WcnInfoFile.WriteLine("----------------------")
WcnInfoFile.WriteLine("")
WcnInfoFile.Close

cmd = "cmd /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> " & outputFileName
objShell.Run cmd, 0, True



' Set shell = WScript.CreateObject( "WScript.Shell" )
' windir = shell.ExpandEnvironmentStrings("%windir%\system32\")
' filename = windir + "wcnwiz.dll"
' commandname = windir + "rundll32.exe"

' cmd = "cmd /c "& commandname &" "& filename &" , RunDumpWcnCache >> " & outputFileName
' objShell.Run cmd, 0, True


Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("--------------------------------")
WcnInfoFile.WriteLine("+ Network Discovery Information.")
WcnInfoFile.WriteLine("--------------------------------")
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("------------------------------")
WcnInfoFile.WriteLine("- Current Profile information")
WcnInfoFile.WriteLine("------------------------------")
WcnInfoFile.WriteLine("")

' Profile Type
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4

' Direction
Const NET_FW_RULE_DIR_IN = 1
Const NET_FW_RULE_DIR_OUT = 2


' Create the FwPolicy2 object.
Dim fwPolicy2
Dim ProfileType
ProfileType = Array("Domain", "Private", "Public")

Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

CurrentProfile = fwPolicy2.CurrentProfileTypes

WcnInfoFile.WriteLine ("Current firewall profile is: ")

'// The returned 'CurrentProfiles' bitmask can have more than 1 bit set if multiple profiles
'// are active or current at the same time

if ( CurrentProfile AND NET_FW_PROFILE2_DOMAIN ) then
WcnInfoFile.WriteLine(ProfileType(0))
end if

if ( CurrentProfile AND NET_FW_PROFILE2_PRIVATE ) then
WcnInfoFile.WriteLine(ProfileType(1))
end if

if ( CurrentProfile AND NET_FW_PROFILE2_PUBLIC ) then
WcnInfoFile.WriteLine(ProfileType(2))
end if
WcnInfoFile.Close


cmd = "cmd /c netsh advfirewall show currentprofile >> " & outputFileName
objShell.Run cmd, 0, True


Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine("----------------------------------------------")
WcnInfoFile.WriteLine("- Network discovery status for current profile")
WcnInfoFile.WriteLine("----------------------------------------------")
WcnInfoFile.WriteLine("")

Dim rule
' Get the Rules object
Dim RulesObject
Set RulesObject = fwPolicy2.Rules


For Each rule In Rulesobject
if rule.Grouping = "@FirewallAPI.dll,-32752" then
WcnInfoFile.WriteLine("")
WcnInfoFile.WriteLine(" Rule Name: " & rule.Name)
WcnInfoFile.WriteLine(" ----------------------------------------------")
WcnInfoFile.WriteLine(" Enabled: " & rule.Enabled)
WcnInfoFile.WriteLine(" Description: " & rule.Description)
WcnInfoFile.WriteLine(" Application Name: " & rule.ApplicationName)
WcnInfoFile.WriteLine(" Service Name: " & rule.ServiceName)

Select Case rule.Direction
Case NET_FW_RULE_DIR_IN WcnInfoFile.WriteLine(" Direction: In")
Case NET_FW_RULE_DIR_OUT WcnInfoFile.WriteLine(" Direction: Out")
End Select

end if
Next

WcnInfoFile.Close



End Sub



Sub GetWirelessAdapterInfo(outputFile)
On Error Resume Next
Dim adapters, objReg
Dim adapterDetailNames, adapterDetailRegValNames

adapterDetailNames = Array("Driver Description", "Adapter Guid", "Hardware ID", "Driver Date", "Driver Version", "Driver Provider")
adapterDetailRegValNames = Array("DriverDesc", "NetCfgInstanceId", "MatchingDeviceId", "DriverDate", "DriverVersion", "ProviderName")

IHVDetailNames = Array("ExtensibilityDLL", "UIExtensibilityCLSID", "GroupName", "DiagnosticsID")
IHVDetailRegValNames = Array("ExtensibilityDLL", "UIExtensibilityCLSID", "GroupName", "DiagnosticsID")

HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")


strKeyPath = "SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\"

objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, adapterSet

For Each adapter In adapterSet
If StrComp("Properties", adapter) Then
fullstrKeyPath = strKeyPath + adapter
objReg.GetDWORDValue HKEY_LOCAL_MACHINE, fullstrKeyPath, "*IfType", ifType
If ifType = 71 Then
for I = 0 to UBound(adapterDetailNames)
objReg.GetStringValue HKEY_LOCAL_MACHINE, fullstrKeyPath, adapterDetailRegValNames(I), info
outputFile.WriteLine(adapterDetailNames(I) + " = " + info)
Next

ihvKeyPath = fullstrKeyPath + "\Ndi\IHVExtensions"
For J = 0 to UBound(IHVDetailNames)
objReg.GetStringValue HKEY_LOCAL_MACHINE, ihvKeyPath, IHVDetailRegValNames(J), ihvInfo
outputFile.WriteLine(IHVDetailNames(J) + " = " + ihvInfo)
Next
objReg.GetDWordValue HKEY_LOCAL_MACHINE, ihvKeyPath, "AdapterOUI", ihvInfo
outputFile.WriteLine("AdapterOUI = " + CSTR(ihvInfo))
outputFile.WriteLine()
End If
End If
Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

tempFile = "tempfile.txt"
cmd = "cmd /c tasklist > " & tempFile
objShell.Run cmd, 0, True

Set objTextFile = FSO.OpenTextFile(tempFile, 1)
strIHVOutput = objTextFile.ReadAll()

Set regEx = New RegExp
regEx.Pattern = "^wlanext.exe[\s|a-z|A-Z|\d]*"
regEx.Multiline = True
regEx.IgnoreCase = True
regEx.Global = True

Set Matches = regEx.Execute(strIHVOutput)

For Each match in Matches
outputFile.WriteLine(match.Value)
Next

End Sub

Sub GetWirelessAutoconfigLog(logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

'Export the operational log
cmd = "cmd /c wevtutil epl ""Microsoft-Windows-WLAN-AutoConfig/Operational"" " & logFileName
objShell.Run cmd, 0, True

'Archive the log so that it can be read on different machines
cmd = "cmd /c wevtutil al " & logFileName
objShell.Run cmd, 0, True
End Sub

Sub GetWiredAdapterInfo(outputFile)
On Error Resume Next
Dim adapters, objReg
Dim adapterDetailNames, adapterDetailRegValNames

adapterDetailNames = Array("Driver Description", "Adapter Guid", "Hardware ID", "Driver Date", "Driver Version", "Driver Provider")
adapterDetailRegValNames = Array("DriverDesc", "NetCfgInstanceId", "MatchingDeviceId", "DriverDate", "DriverVersion", "ProviderName")


HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")


strKeyPath = "SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\"

objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, adapterSet

For Each adapter In adapterSet
If StrComp("Properties", adapter) Then
fullstrKeyPath = strKeyPath + adapter
objReg.GetDWORDValue HKEY_LOCAL_MACHINE, fullstrKeyPath, "*IfType", ifType
If ifType = 6 Then
for I = 0 to UBound(adapterDetailNames)
objReg.GetStringValue HKEY_LOCAL_MACHINE, fullstrKeyPath, adapterDetailRegValNames(I), info
outputFile.WriteLine(adapterDetailNames(I) + " = " + info)
Next
outputFile.WriteLine()
End If
End If
Next
End Sub


Sub GetEnvironmentInfo(outputFileName)
On Error Resume Next
Dim envInfoFile

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh wlan show all > " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh lan show interfaces >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh lan show settings >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh lan show profiles >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c ipconfig /all >> " & outputFileName
objShell.Run cmd, 0, True

RunCmd "echo.", outputFileName
RunCmd "echo ROUTE PRINT:", outputFileName
RunCmd "route print", outputFileName

Set envInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
envInfoFile.WriteLine("")
envInfoFile.WriteLine("Machine certificates...")
envInfoFile.WriteLine("")
envInfoFile.Close

cmd = "cmd /c certutil -v -store -silent My >> " & outputFileName
objShell.Run cmd, 0, True

Set envInfoFile = FSO.OpenTextFile(outputFileName, 8, True)
envInfoFile.WriteLine("")
envInfoFile.WriteLine("User certificates...")
envInfoFile.WriteLine("")
envInfoFile.Close

cmd = "cmd /c certutil -v -store -silent -user My >> " & outputFileName
objShell.Run cmd, 0, True
End Sub

'Comments: Function to dump a tree under a registry path into a file
Sub DumpRegKey(outputFileName,regpath)
On Error Resume Next
Dim cmd

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c reg export " & regpath & " " & outputFileName & " /y"
objShell.Run cmd, 0, True

End Sub

Sub DumpAllKeys
On Error Resume Next
Dim NotifRegFile, RegFolder, Key

RegFolder = "Reg"

if Not FSO.FolderExists(RegFolder) Then
FSO.CreateFolder RegFolder
End If

' Dump WLAN registry keys
AllCredRegFile = RegFolder + "\AllCred.reg.txt"
AllCredFilterFile = RegFolder + "\AllCredFilter.reg.txt"
CredRegFileA = RegFolder + "\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt"
CredRegFileB = RegFolder + "\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt"
CredRegFileC = RegFolder + "\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt"
APIPermRegFile = RegFolder + "\APIPerm.reg.txt"
NotifRegFile = RegFolder + "\Notif.reg.txt"
GPTRegFile = RegFolder + "\GPT.reg.txt"
CUWlanSvcRegFile = RegFolder + "\HKCUWlanSvc.reg.txt"
LMWlanSvcRegFile = RegFolder + "\HKLMWlanSvc.reg.txt"
NidRegFile = RegFolder + "\NetworkProfiles.reg.txt"

call DumpRegKey(NotifRegFile ,"""HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications""")
call DumpRegKey(AllCredRegFile ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers""")
call DumpRegKey(AllCredFilterFile,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters""")
call DumpRegKey(CredRegFileA ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}""")
call DumpRegKey(CredRegFileB ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}""")
call DumpRegKey(CredRegFileC ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}""")
call DumpRegKey(APIPermRegFile ,"""HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions""")

call DumpRegKey(GPTRegFile , """HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy""")
call DumpRegKey(CUWlanSvcRegFile ,"""HKCU\SOFTWARE\Microsoft\Wlansvc""")
call DumpRegKey(LMWlanSvcRegFile ,"""HKLM\SOFTWARE\Microsoft\Wlansvc""")

' Dump Dot3 registry keys
LMDot3SvcRegFile = RegFolder + "\HKLMDot3Svc.reg.txt"
CUDot3SvcRegFile = RegFolder + "\HKCUDot3Svc.reg.txt"
LGPPolicyFile = RegFolder + "\L2GP.reg.txt"

call DumpRegKey(LMDot3SvcRegFile ,"""HKLM\SOFTWARE\Microsoft\dot3svc""")
call DumpRegKey(CUDot3SvcRegFile ,"""HKCU\SOFTWARE\Microsoft\dot3svc""")
call DumpRegKey(LGPPolicyFile ,"""HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy""")

call DumpRegKey(NidRegFile ,"""HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList""")

End Sub

' Dump Winsock LSP catalog
Sub DumpWinsockCatalog(outputFileName)
On Error Resume Next
Dim envInfoFile

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh winsock show catalog > " & outputFileName
objShell.Run cmd, 0, True
End Sub

' Dump the Windows Firewall Configuration
Sub GetWindowsFirewallInfo(configFileName, logFileName, effectiveRulesFileName, consecLogFileName, logFileNameVerbose, consecLogFileNameVerbose)
On Error Resume Next
Dim envInfoFile

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c echo Current Profiles: > " & configFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName
objShell.Run cmd, 0, True

'Dump the current profiles
cmd = "cmd /c netsh advfirewall monitor show currentprofile >> " & configFileName
objShell.Run cmd, 0, True

cmd = "cmd /c echo Firewall Configuration: >> " & configFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName
objShell.Run cmd, 0, True

' Dump the firewall configuration
cmd = "cmd /c netsh advfirewall monitor show firewall >> " & configFileName
objShell.Run cmd, 0, True

cmd = "cmd /c echo Connection Security Configuration: >> " & configFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName
objShell.Run cmd, 0, True

'Dump the connection security configuration
cmd = "cmd /c netsh advfirewall monitor show consec >> " & configFileName
objShell.Run cmd, 0, True

cmd = "cmd /c echo Firewall Rules : >> " & configFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName
objShell.Run cmd, 0, True

'Dump the firewall rules
cmd = "cmd /c netsh advfirewall firewall show rule name=all verbose >> " & configFileName
objShell.Run cmd, 0, True

cmd = "cmd /c echo Connection Security Rules : >> " & configFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName
objShell.Run cmd, 0, True

'Dump the connection security rules
cmd = "cmd /c netsh advfirewall consec show rule name=all verbose >> " & configFileName
objShell.Run cmd, 0, True

'Dump the firewall rules from Dynamic Store

cmd = "cmd /c echo Firewall Rules currently enforced : > " & effectiveRulesFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & effectiveRulesFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh advfirewall monitor show firewall rule name=all >> " & effectiveRulesFileName
objShell.Run cmd, 0, True

'Dump the connection security rules from Dynamic Store

cmd = "cmd /c echo Connection Security Rules currently enforced : >> " & effectiveRulesFileName
objShell.Run cmd, 0, True
cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & effectiveRulesFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh advfirewall monitor show consec rule name=all >> " & effectiveRulesFileName
objShell.Run cmd, 0, True



'Export the operational log
cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"" " & logFileName
objShell.Run cmd, 0, True

'Archive the log so that it could be read on different machines
cmd = "cmd /c wevtutil al " & logFileName
objShell.Run cmd, 0, True

'Export the operational log
cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"" " & consecLogFileName
objShell.Run cmd, 0, True

'Archive the log so that it could be read on different machines
cmd = "cmd /c wevtutil al " & consecLogFileName
objShell.Run cmd, 0, True


'Export the operational log
cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"" " & logFileNameVerbose
objShell.Run cmd, 0, True

'Archive the log so that it could be read on different machines
cmd = "cmd /c wevtutil al " & logFileNameVerbose
objShell.Run cmd, 0, True

'Export the operational log
cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"" " & consecLogFileNameVerbose
objShell.Run cmd, 0, True

'Archive the log so that it could be read on different machines
cmd = "cmd /c wevtutil al " & consecLogFileNameVerbose
objShell.Run cmd, 0, True

End Sub

Sub GetWfpInfo(outputFileName, logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh wfp show filters file=" & outputFileName & " > " & logFileName
objShell.Run cmd, 0, True

End Sub

' Dump Netio State
Sub GetNetioInfo(outputFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh interface teredo show state > " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh interface httpstunnel show interface >> " & outputFileName
objShell.Run cmd, 0, True

cmd = "cmd /c netsh interface httpstunnel show statistics >> " & outputFileName
objShell.Run cmd, 0, True

End Sub

Sub GetDnsInfo(logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

RunCmd "echo IPCONFIG /DISPLAYDNS: ", logFileName
RunCmd "ipconfig /displaydns", logFileName

RunCmd "echo. ", logFileName
RunCmd "echo NETSH NAMESPACE SHOW EFFECTIVE:", logFileName
RunCmd "netsh namespace show effective", logFileName

RunCmd "echo.", logFileName
RunCmd "echo NETSH NAMESPACE SHOW POLICY:", logFileName
RunCmd "netsh namespace show policy", logFileName

End Sub

Sub GetNeighborInfo(logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

RunCmd "echo ARP -A:", logFileName
RunCmd "arp -a", logFileName

RunCmd "echo.", logFileName
RunCmd "echo NETSH INT IPV6 SHOW NEIGHBORS:", logFileName
RunCmd "netsh int ipv6 show neigh", logFileName

End Sub

Sub GetFileSharingInfo(logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

RunCmd "echo NBTSTAT -N:", logFileName
RunCmd "nbtstat -n", logFileName

RunCmd "echo.", logFileName
RunCmd "echo NBTSTAT -C:", logFileName
RunCmd "nbtstat -c", logFileName

RunCmd "echo.", logFileName
RunCmd "echo NET CONFIG RDR:", logFileName
RunCmd "net config rdr", logFileName

RunCmd "echo.", logFileName
RunCmd "echo NET CONFIG SRV:", logFileName
RunCmd "net config srv", logFileName

RunCmd "echo.", logFileName
RunCmd "echo NET SHARE:", logFileName
RunCmd "net share", logFileName

End Sub

Sub GetGPResultInfo(logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c gpresult /scope:computer /v 1> " & logFileName & " 2>&1"
objShell.Run cmd, 0, True

End Sub

Sub GetNetEventsInfo(outputFileName, logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh wfp show netevents file=" & outputFileName & " 1> " & logFileName & " 2>&1"
objShell.Run cmd, 0, True

End Sub

Sub GetShowStateInfo(outputFileName, logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh wfp show state file=" & outputFileName & " 1> " & logFileName & " 2>&1"
objShell.Run cmd, 0, True

End Sub

Sub GetSysPortsInfo(outputFileName, logFileName)
On Error Resume Next

Set objShell = WScript.CreateObject( "WScript.Shell" )

cmd = "cmd /c netsh wfp show sysports file=" & outputFileName & " 1> " & logFileName & " 2>&1"
objShell.Run cmd, 0, True

End Sub


On Error Resume Next

Dim adapterInfoFile, netInfoFile, WcnInfoFile

Set FSO = CreateObject("Scripting.FileSystemObject")
Set shell = WScript.CreateObject( "WScript.Shell" )
sysdrive = shell.ExpandEnvironmentStrings("%SystemDrive%\")

configFolder = "config"
osinfoFileName = configFolder + "\osinfo.txt"
adapterinfoFileName = configFolder + "\adapterinfo.txt"
envinfoFileName = configFolder + "\envinfo.txt"
wirelessAutoconfigLogFileName = configFolder + "\WLANAutoConfigLog.evtx"
wscatFileName = configFolder + "\WinsockCatalog.txt"
wcnFileName = configFolder + "\WcnInfo.txt"
wcncachedumpFile= sysdrive + "\wcncachedump.txt"
windowsFirewallConfigFileName = configFolder + "\WindowsFirewallConfig.txt"
windowsFirewallEffectiveRulesFileName = configFolder + "\WindowsFirewallEffectiveRules.txt"
windowsFirewallLogFileName = configFolder + "\WindowsFirewallLog.evtx"
windowsFirewallConsecLogFileName = configFolder + "\WindowsFirewallConsecLog.evtx"
windowsFirewallVerboseLogFileName = configFolder + "\WindowsFirewallLogVerbose.evtx"
windowsFirewallConsecVerboseLogFileName = configFolder + "\WindowsFirewallConsecLogVerbose.evtx"
wfpfiltersfilename=configFolder + "\wfpfilters.xml"
wfplogfilename=configFolder + "\wfplog.log"
netioStateFilename=configFolder + "\netiostate.txt"
dnsInfoFileName = configFolder + "\Dns.txt"
neighborsFileName = configFolder + "\Neighbors.txt"
filesharingFileName = configFolder + "\FileSharing.txt"
gpresultFileName = configFolder + "\gpresult.txt"
neteventsFileName = configFolder + "\netevents.xml"
neteventsFileLog = configFolder + "\neteventslog.txt"
showstateFileName = configFolder + "\wfpstate.xml"
showstateFileLog = configFolder + "\wfpstatelog.txt"
sysportsFileName = configFolder + "\sysports.xml"
sysportsFileLog = configFolder + "\sysportslog.txt"


if Not FSO.FolderExists(configFolder) Then
FSO.CreateFolder configFolder
End If

call DumpAllKeys

call GetOSInfo(osinfoFileName)

Set adapterInfoFile = FSO.OpenTextFile(adapterInfoFileName, 2, True)

call GetWirelessAdapterInfo(adapterInfoFile)
call GetWiredAdapterInfo(adapterInfoFile)

adapterInfoFile.Close

call GetWirelessAutoconfigLog(wirelessAutoConfigLogFileName)

call GetEnvironmentInfo(envinfoFileName)

call DumpWinsockCatalog(wscatFileName)

call GetWindowsFirewallInfo(windowsFirewallConfigFileName, windowsFirewallLogFileName, windowsFirewallEffectiveRulesFileName,windowsFirewallConsecLogFileName, windowsFirewallVerboseLogFileName, windowsFirewallConsecVerboseLogFileName)

call GetWcnInfo(wcnFileName)

call GetWfpInfo(wfpfiltersfilename, wfplogfilename)

call GetNetioInfo(netioStateFilename)

call GetDnsInfo(dnsInfoFileName)

call GetNeighborInfo(neighborsFileName)

call GetFileSharingInfo(filesharingFileName)

call GetGPResultInfo(gpresultFileName)

call GetNetEventsInfo(neteventsFileName, neteventsFileLog)

call GetShowStateInfo(showstateFileName, showstateFileLog)

call GetSysPortsInfo(sysportsFileName, sysportsFileLog)
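
The script above writes, among other things, the Credential Providers and Credential Provider Filters keys to Reg\AllCred.reg.txt and Reg\AllCredFilter.reg.txt with `reg export`. A credential provider is a COM object that LogonUI.exe loads at every logon, so an unexpected CLSID under that key is a persistence location worth checking, and the practical check is to parse the export and compare the registered CLSIDs against a baseline taken from a known-clean install of the same Windows build. The Python below is an added example by the editor, not part of the forum post or of the diagnostic script: it parses the UTF-16 .reg format that `reg export` produces (string, dword and wrapped hex(...) values) and lists the CLSIDs not in the baseline. SAMPLE_EXPORT, its two CLSIDs, the `Path` value and BASELINE are constructed for illustration and are not real provider identifiers.

```python
"""Parse a `reg export` dump and list credential-provider CLSIDs that are not
in a known-good baseline.

Added example, not part of the forum post or of the diagnostic script above.
SAMPLE_EXPORT, its two CLSIDs, the Path value and BASELINE are constructed.
"""
import re
from typing import Dict, Iterable, Tuple

RegValue = Tuple[str, object]                 # (type tag, decoded value)
RegTree = Dict[str, Dict[str, RegValue]]      # key path -> {value name: RegValue}

CRED_PROVIDERS_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                      r"\CurrentVersion\Authentication\Credential Providers")

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_VALUE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(text: str) -> RegValue:
    """Decode the right-hand side of one .reg value line."""
    if text.startswith('"') and text.endswith('"'):
        return ("REG_SZ", _unescape(text[1:-1]))
    if text.startswith("dword:"):
        return ("REG_DWORD", int(text[6:], 16))
    m = _HEX_VALUE.match(text)
    if m:
        tag = {None: "REG_BINARY", "2": "REG_EXPAND_SZ",
               "7": "REG_MULTI_SZ"}.get(m.group(1), "REG_HEX_" + (m.group(1) or ""))
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if tag in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
            return (tag, raw.decode("utf-16-le").rstrip("\x00"))
        return (tag, raw)
    return ("UNKNOWN", text)


def parse_reg_export(data: bytes) -> RegTree:
    """reg export writes UTF-16LE with a BOM; plain UTF-8 is accepted too."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig")
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)   # rejoin wrapped hex(...) lines
    tree: RegTree = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        tree[current][name] = _decode_value(m.group(2).strip())
    return tree


def unexpected_providers(tree: RegTree, baseline: Iterable[str],
                         key: str = CRED_PROVIDERS_KEY) -> Dict[str, str]:
    """CLSID subkeys directly under `key` that are not in `baseline`,
    mapped to their default value (the provider's friendly name).
    Pass the Credential Provider Filters key to check the filters export."""
    prefix = key.lower() + "\\"
    known = {c.lower() for c in baseline}
    found: Dict[str, str] = {}
    for path, values in tree.items():
        if not path.lower().startswith(prefix):
            continue
        clsid, _, deeper = path[len(prefix):].partition("\\")
        if deeper or clsid.lower() in known:
            continue
        found[clsid.lower()] = str(values.get("(Default)", ("", ""))[1])
    return found


# Constructed sample export. Both CLSIDs and the Path value are invented; a
# real baseline must come from a known-clean install of the same build.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[" + CRED_PROVIDERS_KEY + "]\r\n\r\n"
    "[" + CRED_PROVIDERS_KEY + r"\{11111111-2222-3333-4444-555555555555}" + "]\r\n"
    '@="PasswordProvider"\r\n'
    '"Disabled"=dword:00000000\r\n\r\n'
    "[" + CRED_PROVIDERS_KEY + r"\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}" + "]\r\n"
    '@="HelperProvider"\r\n'
    '"Path"=hex(2):43,00,3a,00,5c,00,74,00,6d,00,70,00,5c,00,68,00,65,00,6c,00,70,\\\r\n'
    "  00,2e,00,64,00,6c,00,6c,00,00,00\r\n"
).encode("utf-16")

BASELINE = {"{11111111-2222-3333-4444-555555555555}"}

if __name__ == "__main__":
    for clsid, name in unexpected_providers(parse_reg_export(SAMPLE_EXPORT), BASELINE).items():
        print("not in baseline:", clsid, name)
```

On a real host, read Reg\AllCred.reg.txt with `open(path, "rb")` and feed the bytes to `parse_reg_export`; the CLSID comparison is case-insensitive because `reg export` preserves whatever case the key was created with.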

#3 theashesstir (Topic Starter, Members, 16 posts)

Posted 05 December 2012 - 06:19 PM

ANY Advice - even a clear ID, diagnosis, prognosis - would be welcome.

*** PLEASE HELP*** I'm an IT Manager, w/ 5+ yrs in Sys Admin, Network Admin, Support & Tech. Was Team Lead for Shaw Secure Team (Western Canada's largest Cable ISP's malware removal team) for 3 yrs from 2007-2010. I normally slice through rootkits, but have tossed drives and systematically managed to infect 3 desktops, a brand new Alienware laptop, a Dell Studio, a Dell Vostro netbook running Ubuntu, and an eMachines and Asus laptop also... spreads via any USB or attached storage device. Appears to have rooted an Android Samsung Galaxy III and an iPhone 4, appears to have also successfully infected connected wifi clients despite having all NetBIOS, File & Printer Sharing, Server, Workstation, Browser, Network Location Awareness services disabled in services.msc, blocked in firewall. TCPView still shows it listening and transferring data on those ports primarily through the System process.


Suspected Blue-Pill Variant mebromi/Rakshaka BIOS Rootkit w/ GPU Paravirtualization Technology. All OSs vulnerable. Persists in BIOS flash presumably due to persistence in flashed peripheral firmware.

--Dropper drops files starting with $R#A#A##.exe/bin/zip file names ranging from 10k to 300mb in size in $recycle.bin under -s -h S-I-D subdirectory... says "Recycle bin is corrupted. Do you want to empty it?" Saying OK seems to be a vector for dropper to exit managed disk space / memory, lines it up for an MBR and/or subsequent BIOS / peripheral firmware/flash/patch/update after it encounters threatening user tools in Windows... example: last time it happened and I accidentally hit empty bin, the system restarted and I now have a boot level driver I can't stop loading, called PROCEXP14.SYS.
Saw it before on another computer... not yet on this one... result: can't access strings in image or memory of the System process and other low level processes anymore via Process Explorer, process properties, even when run as admin.

Removing all physical discs and booting from Hiren's Boot CD causes the above behaviors to persist.
--BIOS POST indicated: POST shows message: BIOS SHADOWED /// Video BIOS SHADOWED; boots as normal. BIOS interface appears normal except for the brief black screen white cursor at every boot. Sometimes BIOS screen flashes for a brief second, no interaction allowed, cursor flashes for 2-3 seconds, then BIOS returns, is now interactable... Hypervisor in BIOS? BIOS redirect to load from GPU.
--This is a small Toughbook laptop. Hard to separate onboard components, but removing GPU on Alienware M17xR4 causes the flashing screen cursor to time out for several minutes... Same for desktop PCI-X GPUs...
--Secure wiped/freshly DBANned disks w/ Hiren's or pressed Linux Parted Magic discs still seem to infect clean machines when connected via USB to SATA bridge. Same for memory keys.
Removing all hard drives etc. and booting off a single locked DVD-R burnt on clean machine after checksum verified using Hiren's Boot CD --> Tiny XP --> causes many tools to crash on load.
Other tools delay 30+ seconds on opening or on providing access to UAC option, before and after prompt, as if content is being wiped/secured.
Parsing DLLs, INIs, text files sometimes reveals parsable data and assembly info... but literally 4 seconds later screen will refresh with familiar tags at beginning and end including fraudulent VeriSign and other certificates... but with rest of content suddenly encrypted.

- Booting off a fresh Retail Windows 7 Home Premium CD shows "Windows is loading files..." horizontal scroll progress bar; it fills twice: once very quickly, 1-4 seconds (suspect, and have read, maybe rootkit expanding dropper into RAM drive for install) --> then normal progress bar fills again at 30-45 seconds. Install never prompts for key even though it's a retail, not VLK, disc and has never been installed on freshly DBANned drive (if I boot w/ an HDD inserted)... but even w/ no physical HDDs, just install Retail Disc, booting off the CD, if I choose Repair, and CMD prompt, and browse the disc, I see $WinPE$ folder in both X: RAM disk drive and on DVD... not present on a clean machine. I see a product.ini file with VLK keys for everything from Win2000, to XP Home, to Server 2003 Datacenter, SBS, Media Center, Enterprise Server, SBS 2011, you name it. Clg and WIMs / answer files for W7 Basic, Starter, Home Premium, Pro, and Ultimate (it's a legit store-bought-from-Best-Buy W7 Pro DVD; same w/ Alienware branded OEM Home Premium).
Both install and brand as Pro/Home Premium in all areas of Explorer UI. Registry, services, and drivers show Group Policy (not included with Home Premium). Both devices are in a workgroup of 1, no network connections active out of box, no drivers even installed for any NICs,
running Automatic from boot or system. Same w/ NetBIOS, IPv6, ARP over IPv6, RPC, Endpoint Mappers for RPC and Video + Audio Endpoint Mappers over RPC, BitLocker (also not included w/ Pro or Home Premium). Despite all of the above being unchecked from NIC protocol stack, stopped/disabled in Services (option to stop/disable endpoint mappers, RPC, BitLocker, file filters, Group Policy is disabled / greyed out in services.msc - disabling driver from Device Manager > hidden > non plug and play devices causes blue screen on reboot), and blocked in/out all connections/all network types/all protocols in Firewall, also blocked lsass, wininit, csrss and dwm and System process from any in/out traffic on any protocol or port on any interface... still it shows it transferring and receiving via loopback... to remote host * on remote port * link state *, but packet data and byte data shows transfers, usually same sent on one port/instance as received on another... making me think the hypervisor is using some kind of forced network connectivity to monitor data.

Ran ComboFix a few times already to just get the system stable... have its logs.

then classic black screen white cursor blinks for a few seconds (previously unseen) ---> then boot loads. Sometimes prompts me to edit BCD argument /OPTIN line.
--Flashing BIOS by blind flash via USB w/ single .hdr file causes a number of reboots + a 45 second persistent black screen carriage return. Suspect BIOS infection image is being redropped/flashed to BIOS from GPU. Sysinternals forums and other advisories indicate all non-volatile writable peripherals w/ firmware (GPUs, network devices, optical firmware, HDD FW, other MOBO firmware,
results in system reboot at ~90% progress when attempted via in-BIOS utility or bootable DOS utility.


Driver/Boot LoadOrder from Sysinternals...

Many of these cannot be stopped from services.msc // disabling in Device Manager > Show Hidden > Non Plug and Play causes System to Reboot.

Start value | Group name | Group order | Name | Display name
Boot WdfLoadGroup n/a* Wdf01000 @%SystemRoot%\system32\drivers\Wdf01000.sys,-1000 *** THIS IMPLIES A HYPER-V Hypervisor???
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender 6 intelide
Boot System Bus Extender 15 pcmcia
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot FSFilter Anti-Virus n/a* mfehidk McAfee Inc. mfehidk
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot PNP_TDI 4 mfewfpk McAfee Inc. mfewfpk
Boot Extended Base n/a* storflt @%SystemRoot%\system32\vmstorfltres.dll,-1000
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI 9 NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* ws2ifsl @%systemroot%\System32\drivers\ws2ifsl.sys,-1000
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System network* 9* CSC @%systemroot%\system32\cscsvc.dll,-202
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* Audiosrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic PlugPlay n/a* TabletInputService @%SystemRoot%\system32\TabSvc.dll,-100
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler Print Spooler
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic Extended Base n/a* Parvdm
Automatic n/a* n/a* 0106141354491425mcinstcleanup McAfee Application Installer Cleanup (0106141354491425)
Automatic n/a* n/a* BITS @%SystemRoot%\system32\qmgr.dll,-1000
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* IKEEXT @%SystemRoot%\system32\ikeext.dll,-501
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* KSS Kaspersky Security Scan Service
Automatic n/a* n/a* McAfee SiteAdvisor Service McAfee SiteAdvisor Service
Automatic n/a* n/a* mcmscsvc McAfee Services
Automatic n/a* n/a* McNaiAnn McAfee VirusScan Announcer
Automatic n/a* n/a* McNASvc McAfee Network Agent
Automatic n/a* n/a* McProxy McAfee Proxy Service
Automatic n/a* n/a* McShield McAfee McShield
Automatic n/a* n/a* mfefire McAfee Firewall Core Service
Automatic n/a* n/a* mfevtp McAfee Validation Trust Protection Service
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* MSK80Service McAfee Anti-Spam Service
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* seclogon @%SystemRoot%\system32\seclogon.dll,-7001
Automatic n/a* n/a* SharedAccess @%SystemRoot%\system32\ipnathlp.dll,-106
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* Winmgmt Windows Management Instrumentation
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105
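
The `$R...` files the post above describes under `$Recycle.bin\<SID>\` follow the naming Windows Vista and later use for every recycled file: the content is renamed to `$R` plus six random characters plus the original extension, and a companion `$I` record with the same suffix stores the original path, size and deletion time. Reading the `$I` records is how to establish what such a file was, when it was deleted, and whether the `$R` content still matches the recorded size. The Python below is an added example by the editor, not from the post: it decodes both the fixed-length version 1 layout (Vista through 8.1) and the length-prefixed version 2 layout (Windows 10 and later). SAMPLE_V1 and SAMPLE_V2, the `$RQ7K2M1.*` names and the paths in them are constructed with the block's own `build_dollar_i()`; no real recycle bin is read.

```python
"""Decode the $I<suffix> metadata records that Windows Vista and later keep
beside each $R<suffix> file in the per-SID folder of $Recycle.bin.

Added example, not from the forum post. SAMPLE_V1 and SAMPLE_V2 are
constructed in-block with build_dollar_i(); no real recycle bin is read.
"""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_V1_PATH_BYTES = 520      # version 1: fixed field of 260 UTF-16 code units


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def companion_name(r_name: str) -> str:
    """'$RQ7K2M1.exe' -> '$IQ7K2M1.exe': same random suffix and extension."""
    if not r_name.startswith("$R"):
        raise ValueError("not a $R name: " + r_name)
    return "$I" + r_name[2:]


def parse_dollar_i(data: bytes) -> dict:
    """Header is three little-endian QWORDs: version, original size, FILETIME.
    Version 1 (Vista..8.1) follows with a fixed 520-byte path field;
    version 2 (Windows 10+) with a DWORD character count and the path."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + _V1_PATH_BYTES]
        if len(raw) != _V1_PATH_BYTES:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # count includes NUL
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Inverse of parse_dollar_i; used only to construct sample records."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(_V1_PATH_BYTES, b"\x00")
    if version == 2:
        return head + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")
    raise ValueError("version must be 1 or 2")


def check_pair(r_name: str, i_bytes: bytes, r_size_on_disk: int) -> dict:
    """Pair a $R file with its $I record. A size mismatch means the $R
    content changed after the deletion was recorded, which is worth a look."""
    rec = parse_dollar_i(i_bytes)
    rec["r_name"] = r_name
    rec["i_name"] = companion_name(r_name)
    rec["size_matches"] = rec["original_size"] == r_size_on_disk
    return rec


# Constructed samples; the paths and timestamp are invented for this example.
_WHEN = datetime(2012, 12, 5, 18, 19, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 4096, _WHEN, r"C:\Users\user\Downloads\setup.exe")
SAMPLE_V2 = build_dollar_i(2, 70, _WHEN, r"C:\Users\user\Desktop\notes.txt")

if __name__ == "__main__":
    print(check_pair("$RQ7K2M1.exe", SAMPLE_V1, 4096))
    print(check_pair("$RQ7K2M1.txt", SAMPLE_V2, 71))
```

On a live system, walk `$Recycle.bin\<SID>\`, open each `$I*` file with `open(p, "rb")`, and pass `os.path.getsize()` of the matching `$R*` file as `r_size_on_disk`; a record whose original path points outside the user's profile, or whose size no longer matches, is the entry to pull for analysis rather than empty.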

#4 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 05 December 2012 - 07:49 PM

Merged posts and moved to Virus, Trojan, Spyware, and Malware Removal Logs

#5 theashesstir (Topic Starter, Members, 16 posts)

Posted 09 December 2012 - 05:05 AM

I'm an MCP, Sr Sys/Network Admin & IT Manager for a startup w/ 250+ users under my purview. Was team lead for Virus/Malware Response team for Shaw Cablesystems ISP (western Canada's largest) from 2007-2010. I typically have no problems cleaning rootkits. I have so far removed all drives, multiple times, and started w/ a brand new drive fresh out of static bag, with a retail official W7 DVD, only to find the same problem occurring on first boot.
Now ~8 machines and multiple external storage devices have all succumbed to this malware.
Removing all drives and booting from a Hiren's Boot CD or Knoppix/Ubuntu LiveCD results in Linux OS being rooted within minutes.
Even when network devices are disconnected/disabled in BIOS and router is powered off.
Booting from Windows 7 Home Premium official Retail DVDs shows "Windows is Loading Files..." horizontal progress bar filling twice: once quickly in 1-3 seconds, and again normally over 30-45 seconds.
This is consistent with other discussions of BIOS kits and theories that this is the malware expanding onto the RAM drive for the installer.
Clicking Repair instead of Install, and browsing the DVD or RAM drive (X: drive), shows $PE$ folder w/ WIM and .clg files for all editions of W7. product.ini on the disk (which is absent on a clean machine) shows answer file product keys for everything from Windows Basic to Server 2003, to SBS 2011, to Enterprise 2008, MCE, etc. etc.
BIOS shows something about "BIOS is shadowed", Video BIOS or vBIOS is shadowed.
Survives blind flash with .hdr BIOS file. Suspect image is PARAVIRTUALIZED in GPU BIOS, as a totally clean machine with no infected drives, mobo or peripherals, just a transferred PCIx ATI RADEON 5420 card, also displayed this behavior after a few failed boots.
BIOS shows black screen with flashing white cursor for 1-4 seconds at boot time, after infection. Lingers for 10-30 seconds upon initial infection, often showing 1-3 carriage returns.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16455
Run by dixieflatline at 1:50:11 on 2012-12-09
#Option Extended Search is enabled.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\dixieflatline\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20121204211140.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [Google Update] "c:\users\dixieflatline\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [KSS] "c:\program files\kaspersky lab\kaspersky security scan 2.0\kss.exe" /autorun
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 10.0.0.254
TCP: Interfaces\{8FD60B3F-9CAC-4775-B8DE-56F1165E62CD} : DHCPNameServer = 10.0.0.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dixieflatline\appdata\roaming\mozilla\firefox\profiles\dmi2xe1u.default\
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\users\dixieflatline\appdata\local\google\update\1.3.21.124\npGoogleUpdate3.dll
FF - ExtSQL: 2012-12-02 22:51; {D19CA586-DD6C-4a0a-96F8-14644F340D60}; c:\program files\common files\mcafee\SystemCore
FF - ExtSQL: 2012-12-03 00:24; {4ED1F68A-5463-4931-9384-8FFF5ED91D92}; c:\program files\mcafee\SiteAdvisor
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 60 ================
.
2012-12-07 11:00:47 -------- d-----w- C:\ac108e94f4f8ce2fc1dd3344a6
2012-12-05 13:32:39 -------- d-----w- c:\programdata\Kaspersky Lab
2012-12-05 13:32:39 -------- d-----w- c:\program files\Kaspersky Lab
2012-12-05 02:59:20 5009299 ----a-r- c:\users\dixieflatline\Co.exe
2012-12-05 02:55:36 -------- d-----w- c:\users\dixieflatline\fZilla3602w32
2012-12-04 21:24:47 -------- d-----w- c:\users\dixieflatline\appdata\local\Adobe
2012-12-04 21:20:10 -------- d-----w- c:\users\dixieflatline\appdata\local\CutePDF Writer
2012-12-04 17:23:28 -------- d-----w- c:\program files\GPLGS
2012-12-04 17:23:09 88688 ----a-w- c:\windows\system32\cpwmon2k.dll
2012-12-04 17:23:08 -------- d-----w- c:\program files\Acro Software
2012-12-04 11:03:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-04 11:03:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-12-04 11:03:00 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2012-12-04 11:03:00 140960 ----a-w- c:\program files\internet explorer\sqmapi.dll
2012-12-04 06:01:54 33944 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2012-12-03 21:57:32 -------- d-----w- c:\users\dixieflatline\appdata\local\Google
2012-12-03 21:19:15 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-12-03 21:19:15 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-12-03 21:19:10 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-12-03 21:19:09 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-12-03 21:18:26 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2012-12-03 21:18:25 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2012-12-03 21:18:25 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2012-12-03 21:18:21 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-12-03 21:18:18 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-12-03 21:18:16 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-12-03 21:18:11 31232 ----a-w- c:\windows\system32\prevhost.exe
2012-12-03 21:15:35 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-03 21:15:01 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2012-12-03 21:15:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2012-12-03 21:13:03 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-12-03 21:13:03 1159680 ----a-w- c:\windows\system32\crypt32.dll
2012-12-03 21:13:02 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-12-03 21:12:23 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-12-03 21:12:07 75776 ----a-w- c:\windows\system32\psisrndr.ax
2012-12-03 21:12:06 465408 ----a-w- c:\windows\system32\psisdecd.dll
2012-12-03 21:12:03 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-12-03 21:10:54 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-12-03 21:09:56 1019904 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-12-03 21:08:43 542208 ----a-w- c:\windows\system32\kerberos.dll
2012-12-03 21:08:36 2616320 ----a-w- c:\windows\explorer.exe
2012-12-03 21:08:07 2342400 ----a-w- c:\windows\system32\msi.dll
2012-12-03 21:08:02 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-12-03 21:08:01 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-12-03 21:06:57 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-12-03 21:06:49 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-12-03 21:06:49 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-12-03 21:06:34 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2012-12-03 21:06:34 1137664 ----a-w- c:\windows\system32\mfc42.dll
2012-12-03 21:06:28 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-12-03 21:06:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-12-03 21:05:15 123904 ----a-w- c:\windows\system32\poqexec.exe
2012-12-03 21:05:10 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2012-12-03 11:25:33 -------- d-----w- c:\windows\system32\Wat
2012-12-03 11:08:18 1002008 ----a-w- c:\windows\system32\igxpun.exe
2012-12-03 11:08:18 -------- d-----w- c:\windows\system32\x64
2012-12-03 11:04:34 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-12-03 11:04:34 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-12-03 11:04:34 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-12-03 11:03:51 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-12-03 11:03:51 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-12-03 11:03:50 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-12-03 11:03:50 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-12-03 11:03:50 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-12-03 11:03:49 613888 ----a-w- c:\windows\system32\WUDFx.dll
2012-12-03 11:03:49 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2012-12-03 11:03:16 5120 ----a-w- c:\windows\system32\wmi.dll
2012-12-03 11:03:16 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-12-03 11:03:16 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-12-03 09:05:50 -------- d-----w- c:\windows\PCHEALTH
2012-12-03 09:04:14 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-12-03 09:03:34 -------- d-----w- c:\users\dixieflatline\appdata\local\Microsoft Help
2012-12-03 06:32:35 -------- d-sh--w- C:\$RECYCLE.BIN
2012-12-03 06:22:08 -------- d-----w- C:\Co32241C
2012-12-03 00:11:41 -------- d-----w- C:\Co16764C
2012-12-02 23:49:01 98816 ----a-w- c:\windows\sed.exe
2012-12-02 23:49:01 256000 ----a-w- c:\windows\PEV.exe
2012-12-02 23:49:01 208896 ----a-w- c:\windows\MBR.exe
2012-12-02 23:48:53 -------- d-----w- C:\Co
2012-12-02 23:36:46 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-12-02 23:36:03 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-12-02 23:36:03 61912 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-12-02 23:36:03 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-12-02 23:36:03 360792 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-12-02 23:36:03 230224 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-12-02 23:35:52 -------- d-----w- c:\program files\common files\Mcafee
2012-12-02 23:35:47 -------- d-sh--w- c:\windows\Installer
2012-12-02 23:35:44 -------- d-----w- c:\program files\McAfee.com
2012-12-02 23:35:40 -------- d-----w- c:\program files\McAfee
2012-12-02 23:29:49 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9947c5aa-df37-4e99-b395-d55a360600d2}\mpengine.dll
2012-12-02 23:29:48 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-12-02 23:29:24 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-12-02 23:29:23 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-12-02 23:25:17 166320 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-02 23:24:05 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-12-02 23:23:55 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-12-02 23:23:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-12-02 23:23:46 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-12-02 22:01:06 -------- d-----w- c:\windows\Panther
2012-10-31 23:10:14 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-31 23:10:14 138056 ----a-w- c:\windows\system32\atl100.dll
.
==================== Find6M ====================
.
2012-10-18 17:59:05 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-08 07:56:24 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-10-03 16:58:30 1293680 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-10-03 16:42:26 52224 ----a-w- c:\windows\system32\nlaapi.dll
2012-10-03 16:42:26 242176 ----a-w- c:\windows\system32\nlasvc.dll
2012-10-03 16:42:24 18944 ----a-w- c:\windows\system32\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- c:\windows\system32\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- c:\windows\system32\ncsi.dll
2012-10-03 16:40:35 499712 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-10-03 15:21:38 35328 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-09-25 22:47:43 78336 ----a-w- c:\windows\system32\synceng.dll
2012-08-22 17:16:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-20 17:40:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-08-02 16:57:20 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-07-26 03:26:03 2560 ----a-w- c:\windows\system32\drivers\en-us\wdf01000.sys.mui
2012-07-17 23:09:42 206784 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-07-17 23:07:00 554048 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-07-17 23:04:46 127992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-07-04 21:14:34 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14:34 102912 ----a-w- c:\windows\system32\browser.dll
.
============= FINISH: 1:51:25.83 ===============

Edited by Budapest, 09 December 2012 - 08:57 PM.
New topic merged ~Budapest