Rootkit.Agent Problem

3 replies to this topic

#1 BryanSWP (Members, 3 posts)

Posted 09 June 2009 - 11:23 AM

I don't know what it's doing to my computer as performance is no different, but I know that rootkits are dangerous. I tried to follow the steps I could in the "how to" thread, my apologies if I messed something up.

Here's the DDS.txt log...

DDS (Ver_09-05-14.01) - NTFSx86
Run by GMICT Bill at 9:15:33.04 on Tue 06/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.147 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\AOL\1160154599\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
svchost.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\spnsrvnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\GMICT Bill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc-rel&channel=us
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc-rel&channel=us
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Performance Center] c:\program files\ascentive\performance center\APCMain.exe -m
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [HostManager] c:\program files\common files\aol\1160154599\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} - hxxp://na.inquiero.com/inquiero/mod/setup/ntractivex118_24.cab
DPF: {F11BFF96-CC7A-4482-819B-91EAE4C454EF} - hxxp://na.inquiero.com/inquiero/mod/setup/ntractivex116_14.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 COSIDS_TB;COSIDS_TB;c:\progra~1\cosids\bin\TbMux32.exe [2008-2-19 165376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-6 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-6 144704]
R2 SSIPDDP;SSIPDDP: Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2008-11-3 48128]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-6 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-6 40552]
S2 IDSS Web Updater;IDSS Web Updater;c:\program files\idss\idssupdater.exe --> c:\program files\idss\IDSSUpdater.exe [?]
S2 zlrhp;zlrhp;c:\windows\system32\drivers\jfdgknphogf.sys [2009-6-9 71168]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-6 34216]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2007-11-1 58240]

=============== Created Last 30 ================

2009-06-09 03:52 224 a------- c:\windows\system32\UACxtbwqbayyiovyqj.dat
2009-06-08 22:35 3,371,360 a------- C:\mbam-setup.exe
2009-06-06 13:54 6,341 a------- c:\windows\system32\Config.MPF
2009-06-06 13:47 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-06-06 13:47 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-06-06 13:47 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-06-06 13:46 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-06-06 13:45 <DIR> --d----- c:\program files\common files\McAfee
2009-06-06 13:45 <DIR> --d----- c:\program files\McAfee.com
2009-06-06 13:45 <DIR> --d----- c:\program files\McAfee
2009-06-06 13:41 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-06-06 13:22 <DIR> --d----- c:\docume~1\gmictb~1\applic~1\Malwarebytes
2009-06-06 13:22 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 13:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-06 13:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 13:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 12:14 278,528 a------- c:\windows\system32\hpdj5600
2009-06-06 12:13 247,136 a------- c:\windows\hpdj5600.hi2
2009-06-06 12:13 11,122 a------- c:\windows\hpdj5600.bu2
2009-06-06 04:13 2,560 a------- c:\windows\syssvc.exe

==================== Find3M ====================

2009-03-30 20:25 5,238,880 a------- c:\program files\MP3Rocket-Win.exe
2009-03-30 09:04 88,375 ac------ c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-28 17:13 1,223,680 a------- c:\program files\wmp_plugin.msi
2008-10-31 09:40 5,391,760 a------- c:\program files\ps2pdf995.exe
2008-10-31 09:29 2,659,728 a------- c:\program files\pdf995s.exe
2008-10-14 10:32 1,099,708 a------- c:\program files\vltc2.zip
2008-08-19 13:59 1,077,632 a------- c:\program files\RegCureSetup_1501_RW.exe
2007-10-12 11:47 16,074,512 a------- c:\program files\5600_enu_win2k_xp.exe
2007-10-12 11:38 0 a------- c:\program files\5600_enu_win9x_me.exe
2006-11-16 17:21 21,290,704 ac------ c:\program files\AdbeRdr708_en_US.exe

============= FINISH: 9:16:55.06 ===============

Edited by BryanSWP, 09 June 2009 - 11:25 AM.
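An added example, not part of the original post and not code from DDS, ComboFix or the BleepingComputer team: a small triage script that parses the SERVICES / DRIVERS section of the DDS log above and scores each entry. The line shape it parses (`R2 name;display;path [yyyy-m-d size]`, or `[?]` when DDS could not stat the file) is taken from the log itself. Everything else is an assumption of mine: the three scoring rules (file dated on the scan day or the day before, service name identical to its display name, file stem made of letters only with a run of five or more consonants), the threshold of 2, and the reading of the header date as US month/day/year. A hit is a lead to check by hand (hash the file, check the signer, ask the responder), not a verdict on the file.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example, not part of the forum post and not DDS/ComboFix code.
The scoring rules and threshold are the author's own hypothetical
heuristics; a hit means "look at this one first", nothing more.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Union

# "Run by GMICT Bill at 9:15:33.04 on Tue 06/09/2009" -> assumed US mm/dd/yyyy order
HEADER_RE = re.compile(r'^Run by .* on \w{3} (\d{2})/(\d{2})/(\d{4})\s*$', re.M)
# R2 name;display;path [yyyy-m-d size]   (state letter, start-type digit, as DDS prints them)
LINE_RE = re.compile(r'^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$')
STAMP_RE = re.compile(r'\s*\[(\d{4})-(\d{1,2})-(\d{1,2}) (\d+)\]\s*$')
UNKNOWN_RE = re.compile(r'\s*\[\?\]\s*$')   # DDS prints [?] when it cannot stat the file


@dataclass
class Entry:
    state: str               # R = running, S = stopped
    start: int               # start-type digit DDS appends
    name: str                # service/driver key name
    display: str             # display name
    path: str                # image path (may contain DDS's "a --> b" form)
    created: Optional[date]  # file timestamp from the [..] suffix, None for [?]
    size: Optional[int]      # file size from the [..] suffix, None for [?]


def scan_date(text: str) -> Optional[date]:
    """Scan date from the DDS header line, or None if the header is missing."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    month, day, year = (int(g) for g in m.groups())
    return date(year, month, day)


def parse_services(text: str) -> List[Entry]:
    """Parse every R?/S? line; all other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest, created, size = m['rest'], None, None
        stamp = STAMP_RE.search(rest)
        if stamp:
            y, mo, d, sz = stamp.groups()
            created, size = date(int(y), int(mo), int(d)), int(sz)
            rest = rest[:stamp.start()]
        else:
            rest = UNKNOWN_RE.sub('', rest)
        entries.append(Entry(m['state'], int(m['start']), m['name'],
                             m['display'], rest.strip(), created, size))
    return entries


def file_stem(path: str) -> str:
    """Lower-cased file name without extension (last path component wins)."""
    last = path.replace('/', '\\').rsplit('\\', 1)[-1]
    return last.rsplit('.', 1)[0].lower()


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in 'aeiou' else 0
        best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): letters only and five or more consonants in a row."""
    return stem.isalpha() and longest_consonant_run(stem) >= 5


def score(entry: Entry, when: date) -> int:
    """One point per heuristic that fires; the rules are the author's assumptions."""
    s = 0
    if entry.created is not None and when - timedelta(days=1) <= entry.created <= when:
        s += 1                                  # dropped on the scan day or the day before
    if entry.name == entry.display:
        s += 1                                  # no vendor-style description
    if looks_random(file_stem(entry.path)):
        s += 1                                  # machine-generated looking file name
    return s


def triage(text: str, when: Union[date, str, None] = None, threshold: int = 2) -> List[Entry]:
    """Entries scoring at or above threshold; scan date comes from the header unless given."""
    if isinstance(when, str):
        when = date.fromisoformat(when)
    if when is None:
        when = scan_date(text)
    if when is None:
        raise ValueError('no scan date in DDS header; pass one explicitly')
    return [e for e in parse_services(text) if score(e, when) >= threshold]


# Header and SERVICES / DRIVERS lines copied from the DDS log posted in this thread.
DDS_SAMPLE = r"""
DDS (Ver_09-05-14.01) - NTFSx86
Run by GMICT Bill at 9:15:33.04 on Tue 06/09/2009

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 COSIDS_TB;COSIDS_TB;c:\progra~1\cosids\bin\TbMux32.exe [2008-2-19 165376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-6 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-6 144704]
R2 SSIPDDP;SSIPDDP: Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2008-11-3 48128]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-6 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-6 40552]
S2 IDSS Web Updater;IDSS Web Updater;c:\program files\idss\idssupdater.exe --> c:\program files\idss\IDSSUpdater.exe [?]
S2 zlrhp;zlrhp;c:\windows\system32\drivers\jfdgknphogf.sys [2009-6-9 71168]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-6 34216]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2007-11-1 58240]
"""

if __name__ == '__main__':
    for e in triage(DDS_SAMPLE):
        print(f'{e.state}{e.start} {e.name!r:<10} {e.path} created={e.created} size={e.size}')
```

Run it as-is and it prints the entries that reach the threshold against the 14 lines from the log; feed it a whole DDS.txt and it will pick the section out itself. The per-rule points are deliberately coarse: the vendor-named McAfee drivers dated 2009-6-6 pick up at most one point because they carry a display name and sit three days before the scan, while an entry needs two of the three signals to surface. Tune the threshold or add rules (a known-vendor allowlist, a size floor) for your own logs.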


#2 shelf life (Malware Response Team, 2,645 posts)

Posted 18 June 2009 - 06:29 PM

Hi BryanSWP,

Sorry for the delay. No shortage of posters. If you still need help, reply to my post.

How Can I Reduce My Risk to Malware?


#3 BryanSWP (Topic Starter, Members, 3 posts)

Posted 18 June 2009 - 06:32 PM

Yes, I still need help. Thank you for replying, I didn't want to bump this since I know you guys are always in high demand as it is.

#4 shelf life (Malware Response Team, 2,645 posts)

Posted 19 June 2009 - 06:09 PM

Hi BryanSWP,

OK, we will use ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable any AV as explained in the guide, double-click the ComboFix icon on your desktop and follow the prompts. Post the ComboFix log in your reply.

The guide to read:

The Guide
