Rootkit

Referred here from: http://www.bleepingcomputer.com/forums/t/212090/windowsclick-redirect/ ~ OB

I have a rootkit deeply entrenched?


DDS (Ver_09-03-16.01) - NTFSx86
Run by 1001532 at 15:52:36.09 on Wed 03/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.591 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\1001532\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.csuohio.edu/
uInternet Settings,ProxyOverride = ;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\landesk\ldclient\softmon.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
mRun: [CTHelper] CTHELPER.EXE
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IntelAPMClient] "c:\program files\landesk\ldclient\amclient.exe" /apm /s /ro
mRun: [LANDeskInventoryClient] "c:\program files\landesk\ldclient\LDIScn32.exe" /NTT=LANMAN:5007 /S=LANMAN

/I=HTTP://LANMAN/ldlogon/ldappl3.ldz /NOUI
mRun: [LANDeskVulscanClient] "c:\program files\landesk\ldclient\vulScan.exe" /noreboot /agentBehavior=3
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program

files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162318525840
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://medsvc.cats.ohiou.edu/AxisCamControl.ocx
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\1001532\applic~1\mozilla\firefox\profiles\7rg0ginx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

============= SERVICES / DRIVERS ===============

P2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-10-31 59904]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2005-6-9 122880]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe

[2006-10-31 104000]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26

29184]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2006-10-31 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2006-10-31 6656]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-10-31 117024]

=============== Created Last 30 ================

2009-03-23 11:13 --d----- c:\program files\Avira GmbH
2009-03-20 14:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-03-20 14:01 --d----- c:\windows\ERUNT
2009-03-20 13:57 --d----- C:\SDFix
2009-03-20 08:50 4,274 a------- c:\windows\system32\tmp.reg
2009-03-19 10:29 --d----- c:\docume~1\1001532\applic~1\Malwarebytes
2009-03-19 10:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 10:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 15:09 --d----- c:\program files\Trend Micro
2009-03-18 14:59 389,120 a------- c:\windows\system32\CF18104.exe
2009-03-18 12:41 --d----- C:\Malwarebytes' Anti-Malware
2009-03-18 11:33 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-18 11:19 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-17 07:59 1,896,749 a------- c:\windows\system32\uactmp.db
2009-03-16 10:56 414,144 a------- c:\windows\system32\UACrmhpxjrp.db

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2007-05-18 14:57 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application

data\microsoft\feeds cache\index.dat

============= FINISH: 15:52:58.12 ===============

Attached Files

•  Attach.txt   11.97KB   20 downloads

Edited by Orange Blossom, 26 March 2009 - 08:09 PM.

Hello.

Let's run GMER and see what's left. It seems most of it was already removed.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

• Download gmer.zip and save to your desktop.
  Alternate Download Site 1
  Alternate Download Site 2
  Alternate Download Site 3
  
• Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
• When you have done this, disconnect from the Internet and close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.

• Double-click on Gmer.exe to start the program.
• Allow the gmer.sys driver to load if asked.
  If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes..
• When it's done scanning, you may receive another notice. Click OK if prompted.
• Click on Save ... to save the log on your desktop.
  Save the log as GMER.txt when you save it on your desktop.
• Close Gmer and copy and paste the contents of GMER.txt in your next reply.

• If you receive no notice, click on the Scan button near the bottom.
• It will start scanning again like before.
• When it is done, Click on Save ... to save the log on your desktop.
  Save the log as GMER.txt when you save it on your desktop.
• Close Gmer and copy and paste the contents of GMER.txt in your next reply.If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

Important!:Please do not select the Show all checkbox during the scan.

Post back with a new DDS log as well.

With Regards,
Extremeboy

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy