Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse Rootkit-Agent.DI with AVG


  • This topic is locked This topic is locked
2 replies to this topic

#1 LSMAN

LSMAN

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:54 PM

Posted 06 May 2009 - 02:50 PM

Yesterday my work computer started to act up and it can't install AVG or any online scan.
The IE or Firefox will close very soon after a few search or google result hijacked to other site.

I first run the Malewarebytes Anti-Male and got rid of some (one quick and one in-depth).
Do a combofix and it fix some.
Do a safe boot and install AVG and scan.
It get ride of some Trojan etc and it looks fine.

However, during the afternoon, the AVG resident shield report:

Trojan horse Rootkit-Agent.DI c:\WINDOWS\system32\drives\ndis.sys Process: c:\WINDOWS\system32\MRT.exe


So look like I am not out of the woods. My network admin say the email server IP got bad listed and can't see out email all morning.

Here is the DDS.txt, I only edit out an internal DHS ip address and site. Thank you very much in advance for any help.



DDS (Ver_09-03-16.01) - NTFSx86
Run by sli at 15:16:49.10 on 05/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2031.1151 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ClickOff\Clickoff.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
\\printserv2\Temp\Window Udates\Microsoft Malicious Software Removal Tool\windows-kb890830-v2.8.exe
c:\a8ed8d3d068998b189\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Documents and Settings\sli\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: SearchPerks! Follow-On Study Assistant: {d1a1fd57-93fc-45fe-bc2a-b3a5d47d6674} - c:\program files\searchperks! follow-on study assistant\Bmbho.dll
TB: Live Search Club Toolbar: {719d74ab-1af9-43a1-8c62-d8750628d93e} - c:\program files\live search club toolbar\Toolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No File
EB: Web Test Recorder: {8c84b9f5-3d9e-4204-bb0b-f85d46455868} - mscoree.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\sli\startm~1\programs\startup\clickoff.lnk - c:\program files\clickoff\Clickoff.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\visio2~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201794480156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201794474484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://myXXXXX.webex.com/client/T25L/webex/ieatgpc.cab
TCP: {AC628CA0-C4C9-41EA-8282-FE0E1D026B7C} = 160.XX.X.XXX,160.XX.X.XXX
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sli\applic~1\mozilla\firefox\profiles\1zuf2ee0.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2008-2-15 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-6 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-6 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 31192]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-4-7 31104]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-6 298776]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2008-11-24 203616]
R2 MSSQL$SLQ2000;MSSQL$SLQ2000;c:\progra~1\micros~4\mssql$~2\binn\sqlservr.exe -sslq2000 --> c:\progra~1\micros~4\mssql$~2\binn\sqlservr.exe -sSLQ2000 [?]
R2 SQLAgent$SLQ2000;SQLAgent$SLQ2000;c:\program files\microsoft sql server\mssql$slq2000\binn\sqlagent.exe -i slq2000 --> c:\program files\microsoft sql server\mssql$slq2000\binn\sqlagent.exe -i SLQ2000 [?]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-3-24 36608]
S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\starportlite.sys --> c:\windows\system32\drivers\StarPortLite.sys [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 110651]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-7 44928]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-05-06 14:33 <DIR> --d----- c:\docume~1\sli\applic~1\Windows Live Writer
2009-05-06 14:17 <DIR> --d----- C:\a8ed8d3d068998b189
2009-05-06 11:21 <DIR> --d----- c:\docume~1\sli\applic~1\AVGTOOLBAR
2009-05-06 10:15 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-06 10:15 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-06 10:15 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-06 10:14 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-06 09:14 <DIR> a-dshr-- C:\cmdcons
2009-05-06 09:13 161,792 a------- c:\windows\SWREG.exe
2009-05-06 09:13 98,816 a------- c:\windows\sed.exe
2009-05-06 09:12 <DIR> --d----- C:\for clean
2009-05-05 17:11 111,100 a------- c:\windows\system32\drivers\45a419ae.sys
2009-05-05 17:11 578,048 a------- c:\windows\system32\qafw
2009-05-05 17:06 578,048 a------- c:\windows\system32\hjipuym
2009-05-05 17:05 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-05 17:02 111,100 a------- c:\windows\system32\drivers\5f8f3ba.sys
2009-05-05 17:02 2 a------- C:\197547372
2009-05-05 16:57 <DIR> --d----- c:\docume~1\sli\applic~1\ptidle
2009-05-05 11:43 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-05-04 11:18 <DIR> --d----- c:\program files\Live Search Club Toolbar
2009-05-03 15:02 <DIR> --d----- c:\documents and settings\sli\pnlinks
2009-04-23 11:54 146,432 a------- c:\windows\reg3edit.exe
2009-04-22 16:05 <DIR> --d----- c:\windows\~pcA.sav
2009-04-18 02:56 <DIR> --d----- C:\lanalt
2009-04-17 13:37 <DIR> --d----- c:\program files\SearchPerks! Follow-On Study Assistant

==================== Find3M ====================

2009-05-06 09:17 578,048 a------- c:\windows\system32\user32.dll
2009-05-06 09:17 578,048 a------- c:\windows\system32\dllcache\user32.dll
2009-05-05 17:05 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-08-20 10:14 722,176 a------- c:\documents and settings\sli\gotomypc_428.exe
2007-05-18 13:23 3,820,104 a------- c:\documents and settings\sli\gosetup.exe

============= FINISH: 15:17:22.28 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:09:54 PM

Posted 21 May 2009 - 07:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:09:54 PM

Posted 26 May 2009 - 04:44 AM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users