
Rootkit Agent CW



#1 peapie


Posted 03 April 2009 - 11:44 AM

I am running AVG on Windows XP and got a message that it was infected with this Rootkit Agent CW. I try to remove it, but it says it can't find the file specified, or it heals it but it keeps popping back up. Here are the reports:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Administrator at 11:36:14.98 on Fri 04/03/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.198 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\wamp\apache2\bin\Apache.exe
C:\wamp\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\wamp\apache2\bin\Apache.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr
C:\Documents and Settings\Compaq_Administrator\Compaq_Administrator.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.gmail.com/
uSearch Page =
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar =
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
{11d23544-0051-43a9-9f56-a7ce4cc7cf9e}
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\avgtoolbar.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [73596864045461468822365469900083] c:\program files\antivirus 2009\av2009.exe
uRun: [Compaq_Administrator] c:\documents and settings\compaq_administrator\Compaq_Administrator.exe /i
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SetDefPrt] c:\program files\brother\brmfl05b\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - c:\program files\travelaxe\Travelaxe.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.stonyfield.com/coupons/scriptX/smsx.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: byxxYRKC - byxxYRKC.dll
STS: cinnamomum - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnoopOE

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\03z7xt4c.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/|http://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\03z7xt4c.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\03z7xt4c.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-27 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-28 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-28 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-28 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-28 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-28 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SSIPDDP;SSIPDDP: Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2006-6-13 54784]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 i386si;i386si;c:\windows\system32\drivers\i386si.sys [2009-4-3 30464]
S2 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys --> c:\windows\system32\drivers\securentm.sys [?]
S3 m_hook;Empty;\??\c:\documents and settings\compaq_administrator\application data\hidires\m_hook.sys --> c:\documents and settings\compaq_administrator\application data\hidires\m_hook.sys [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-03 11:17 30,464 a------- c:\windows\system32\drivers\i386si.sys
2009-04-03 11:05 <DIR> --d----- c:\program files\Trend Micro
2009-04-03 11:00 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-04-03 11:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 11:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 11:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 11:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-03 08:28 20,419 ----h--- c:\documents and settings\compaq_administrator\Compaq_Administrator.exe
2009-04-01 08:33 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-04-01 08:33 <DIR> --dsh--- C:\INCINERATE
2009-03-30 18:29 <DIR> --d----- c:\windows\system32\Adobe
2009-03-28 20:28 148,896 a------- C:\Bleeding_Cowboys.ttf
2009-03-28 11:09 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-28 11:05 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-28 11:05 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-28 11:05 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-28 11:05 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-28 11:05 <DIR> --d----- c:\docume~1\compaq~1\applic~1\AVGTOOLBAR
2009-03-28 11:05 <DIR> --d----- c:\program files\AVG
2009-03-28 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-26 09:35 <DIR> --d----- c:\program files\common files\xing shared
2009-03-10 20:24 <DIR> --d----- c:\program files\WordBiz
2009-03-09 16:01 <DIR> --d----- c:\docume~1\compaq~1\applic~1\TheScruffs
2009-03-09 16:01 <DIR> --d----- c:\program files\Cubis Gold 2
2009-03-09 16:01 <DIR> --d----- c:\program files\ReflexiveArcade

==================== Find3M ====================

2009-03-06 15:30 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-06 15:30 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-28 16:47 737,280 a------- c:\windows\iun6002.exe
2009-02-18 12:56 441,760 a------- c:\windows\system32\drivers\timntr.sys
2009-02-18 12:56 44,384 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-02-18 12:56 132,224 a------- c:\windows\system32\drivers\snapman.sys
2009-02-18 12:56 368,480 a------- c:\windows\system32\drivers\tdrpman.sys
2009-02-10 13:34 4,214 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-12 09:42 1,617 a--sh--- c:\windows\system32\EOpoonnn.ini2
2008-08-14 08:30 103,536 a------- c:\program files\bigfishgames_p19861096_s1_l1.exe
2008-05-24 17:32 0 a------- c:\program files\temp01
2007-10-22 10:56 55,216 a------- c:\docume~1\compaq~1\applic~1\GDIPFONTCACHEV1.DAT
2007-06-07 12:02 774,144 a------- c:\program files\RngInterstitial.dll
2007-02-13 12:56 66,469 a------- c:\program files\INSTALL.LOG
2006-10-19 18:02 24,192 a------- c:\documents and settings\compaq_administrator\usbsermptxp.sys
2006-10-19 18:02 22,768 a------- c:\documents and settings\compaq_administrator\usbsermpt.sys

============= FINISH: 11:37:05.06 ===============
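As an added triage aid (not part of the original post, and not a BleepingComputer or DDS tool): a Python helper that walks lines in the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" format shown above and flags the structural signs a log reviewer checks first: an LSA Authentication Packages value with more than the stock `msv1_0`, a Winlogon Notify DLL not on the reviewer's allowlist, an autorun entry whose key name is a long random number, and a driver entry that DDS marks `[?]` because the file is missing or that loads from a user profile. The `KNOWN_NOTIFY` allowlist is an assumption for the example; the sample lines are copied from the log above.

```python
import re

# Constructed sample: lines copied from the DDS log posted above (Pseudo HJT
# and SERVICES / DRIVERS sections), trimmed to a handful.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [73596864045461468822365469900083] c:\program files\antivirus 2009\av2009.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: byxxYRKC - byxxYRKC.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnoopOE
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-28 325640]
S2 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]
S3 m_hook;Empty;\??\c:\documents and settings\compaq_administrator\application data\hidires\m_hook.sys --> c:\documents and settings\compaq_administrator\application data\hidires\m_hook.sys [?]
"""

# Winlogon Notify DLLs already accounted for on this machine (an assumed
# allowlist for the example; the reviewer extends it per system).
KNOWN_NOTIFY = {"ati2evxx.dll", "avgrsstx.dll"}

def triage(log_text):
    """Return (reason, line) pairs for entries a reviewer should check first."""
    findings = []
    for line in log_text.strip().splitlines():
        low = line.lower()
        if low.startswith("lsa: authentication packages"):
            # Stock Windows XP lists exactly one package, msv1_0; any extra
            # token is an additional DLL loaded into lsass.exe at boot.
            extra = [t for t in line.split("=", 1)[1].split() if t.lower() != "msv1_0"]
            if extra:
                findings.append(("extra LSA authentication package", line))
        elif low.startswith("notify:"):
            dll = line.rsplit(" - ", 1)[-1].strip().lower()
            if dll not in KNOWN_NOTIFY:
                findings.append(("unrecognised Winlogon Notify DLL", line))
        elif re.match(r"[umd]run(once)?:", low):
            key = re.search(r"\[([^\]]*)\]", line)
            if key and key.group(1).isdigit() and len(key.group(1)) >= 16:
                findings.append(("autorun entry with random numeric key name", line))
        elif re.match(r"[rs][0-3] ", low):
            # DDS prints "[?]" where it could not find the driver file on disk.
            if line.endswith("[?]"):
                findings.append(("service/driver whose file is missing", line))
            if "documents and settings" in low:
                findings.append(("driver loaded from a user profile", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The output is a worklist, not a verdict: each flagged line still needs the file itself checked before anything is removed.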


#2 Jat90


Posted 07 April 2009 - 02:14 PM

Hello,

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. As it's been a while since you posted your log, I will need an updated one.

Please take a look at the Preparation Guide for a download link to DDS and instructions on how you should ask for help.

Thanks and again sorry for the delay.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Jat90


Posted 11 April 2009 - 05:47 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
