
Trojan.Agent and Rootkit.Trace

  • This topic is locked
2 replies to this topic

#1 cynicist


  • Members
  • 1 posts
  • Local time:07:33 AM

Posted 25 July 2009 - 02:46 AM

Had the System Security virus a while back, and the computer has been nuts ever since. System Security is gone, seemingly, but I still have Trojan.Agent and Rootkit.Trace. These show up on a Malwarebytes scan, but can't be removed.
My computer shuts down on its own frequently, Google sometimes stops working, and I often get a message that says "The system has recovered from a serious error," among other problems.

Ran DDS, and this was the log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by User at 1:37:11.84 on Sat 07/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.84 [GMT -4:00]

AV: AVG *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\8R8T1UY6\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com
TB: BearShare MediaBar: {d3dee18f-db64-4beb-9ff1-e1f0a5033e4a} - c:\program files\bearshare applications\bearshare mediabar\BSMediaBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BearSharePersonalization] "c:\program files\bearshare applications\personalization\BearSharePersonalization.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [c:\windows\system32\kdske.exe] c:\windows\system32\kdske.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Home Antivirus 2010] "c:\program files\homeantivirus2010\HomeAntivirus2010.exe" /hide
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\winlogon.exe" /runcleanupscript
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096453339343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-3 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-3 26824]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-3 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 getPlus® Installer;getPlus® Installer;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-3 59552]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\owner\desktop\hwioctl.sys --> c:\documents and settings\owner\desktop\HwIOctl.sys [?]
S3 Ktp3;Elantech TouchPad(KTP3);c:\windows\system32\drivers\Ktp3.sys [2002-1-24 24704]
S3 Memctl;Memctl;\??\c:\documents and settings\owner\desktop\memctl.sys --> c:\documents and settings\owner\desktop\Memctl.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-10-23 27904]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2009-07-25 01:15 61,440 a------- c:\windows\system32\drivers\rkkqu.sys
2009-07-24 03:45 7,680 a--sh--- c:\windows\system32\Thumbs.db
2009-07-24 03:44 7,168 a--sh--- c:\windows\Thumbs.db
2009-07-24 03:17 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-07-24 02:39 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-07-24 02:14 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-24 02:13 <DIR> --d----- c:\windows\ie8updates
2009-07-24 02:12 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-24 02:12 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 02:09 <DIR> -cd-h--- c:\windows\ie8
2009-07-23 23:57 14,247 a------- c:\docume~1\alluse~1\applic~1\uwipovataw.pif
2009-07-23 23:57 13,036 a------- c:\program files\common files\vifin.bat
2009-07-23 23:57 19,337 a------- c:\windows\zohamole.com
2009-07-23 23:57 18,384 a------- c:\windows\qytumij.dll
2009-07-23 23:57 18,166 a------- c:\windows\byradijefu.reg
2009-07-23 23:57 17,144 a------- c:\program files\common files\icera.dat
2009-07-23 23:57 16,768 a------- c:\windows\system32\unete.pif
2009-07-23 23:57 15,905 a------- c:\windows\byqequl.lib
2009-07-23 23:57 15,016 a------- c:\windows\system32\alewybutez._sy
2009-07-23 23:57 11,886 a------- c:\docume~1\alluse~1\applic~1\duverucone.bat
2009-07-23 23:57 10,355 a------- c:\docume~1\alluse~1\applic~1\mifove.com
2009-07-23 23:57 10,168 a------- c:\windows\system32\sixavobiv._dl
2009-07-23 23:47 205 a------- c:\windows\prxid93ps.dat
2009-07-11 04:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13876874
2009-07-03 04:57 3,255 a------- c:\windows\system32\wbem\Outlook_01c9fbbc4fe18d18.mof

==================== Find3M ====================

2009-07-25 01:15 286 a------- c:\program files\qjqv.txt
2009-07-23 23:57 19,572 a------- c:\program files\common files\oqyzoteno.lib
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-03-12 05:44 109 ac-sh--- c:\windows\system32\2632823788.dat

============= FINISH: 1:38:32.98 ===============

Thank you for your help!

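Reading a DDS log like the one above is mostly a matter of recognising a few indicator shapes: an autorun value whose name is its own file path, an autorun started with a hidden window, a kernel driver registered from a user's Desktop, a batch of files with unrelated names and odd extensions all created in the same minute, and a brand-new .sys under system32\drivers. The script below is an added example written for this page, not a DDS, BleepingComputer or Malwarebytes component. SAMPLE_LOG reuses lines copied from the log posted above; the rule names, the BURST_MIN_FILES threshold and the BENIGN_BURST_DIRS list are my own assumptions, chosen to separate the Windows Update and IE8 files from the 23:57 drop.

```python
"""Triage heuristics for a DDS log.

Added example, not part of the original post and not a DDS or Malwarebytes
component. SAMPLE_LOG is copied from the DDS log posted above; the rules,
rule names and thresholds are my own assumptions for deciding what to look
at first. A finding is a pointer for the analyst, not a verdict on a file.
"""
import re
from collections import defaultdict

# Lines copied from the posted log (constructed sample, not a full DDS run).
SAMPLE_LOG = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [c:\windows\system32\kdske.exe] c:\windows\system32\kdske.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Home Antivirus 2010] "c:\program files\homeantivirus2010\HomeAntivirus2010.exe" /hide
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\owner\desktop\hwioctl.sys --> c:\documents and settings\owner\desktop\HwIOctl.sys [?]
S3 Ktp3;Elantech TouchPad(KTP3);c:\windows\system32\drivers\Ktp3.sys [2002-1-24 24704]
2009-07-25 01:15 61,440 a------- c:\windows\system32\drivers\rkkqu.sys
2009-07-24 02:14 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-23 23:57 14,247 a------- c:\docume~1\alluse~1\applic~1\uwipovataw.pif
2009-07-23 23:57 13,036 a------- c:\program files\common files\vifin.bat
2009-07-23 23:57 19,337 a------- c:\windows\zohamole.com
2009-07-23 23:57 18,384 a------- c:\windows\qytumij.dll
2009-07-23 23:57 15,016 a------- c:\windows\system32\alewybutez._sy
2009-07-23 23:57 10,168 a------- c:\windows\system32\sixavobiv._dl
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+|<DIR>) "
    r"(?P<attr>\S+) (?P<path>.+)$"
)
BURST_MIN_FILES = 4  # assumed threshold: files created in one minute
# Assumed benign locations for same-minute bursts (Windows Update, IE8 setup).
BENIGN_BURST_DIRS = ("\\dllcache\\", "\\ie8", "\\servicepackfiles\\")


def _first_token(cmd):
    """Executable path of a Run value: the quoted path, else the first token."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)).lower() if m else ""


def triage(log_text):
    """Return (rule, path) findings for Run, driver and 'created' lines."""
    findings = []
    by_minute = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            exe = _first_token(m["cmd"])
            if m["name"].lower() == exe:  # value named after its own path
                findings.append(("run-value-named-after-path", exe))
            if "/hide" in m["cmd"].lower().split():  # started with hidden window
                findings.append(("run-value-hidden-window", exe))
        elif m := SVC_RE.match(line):
            path = m["rest"].split(" --> ")[0].lower()
            if "\\desktop\\" in path or "\\documents and settings\\" in path:
                findings.append(("driver-in-user-profile", path))
        elif m := FILE_RE.match(line):
            if m["size"] == "<DIR>":
                continue
            path = m["path"].lower()
            ext = path.rsplit(".", 1)[-1] if "." in path else ""
            if ext.startswith("_"):  # '._sy', '._dl': renamed payloads
                findings.append(("masked-extension", path))
            if path.startswith("c:\\windows\\system32\\drivers\\") and ext == "sys":
                findings.append(("new-kernel-driver", path))
            if not any(d in path for d in BENIGN_BURST_DIRS):
                by_minute[(m["date"], m["time"])].append(path)
    # Many unrelated files created in the same minute is a dropper signature.
    for stamp, paths in sorted(by_minute.items()):
        if len(paths) >= BURST_MIN_FILES:
            for p in paths:
                findings.append(("drop-burst:" + " ".join(stamp), p))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule:40} {path}")
```

Every rule here is a triage heuristic, not proof of infection: a new .sys under drivers is also how legitimate software installs, and the consonant-heavy names are only suspicious in combination with the same-minute burst and the masked extensions. The rules do agree with what the responder in this thread evidently saw, since the next step asked for was an anti-rootkit log rather than more Malwarebytes scans.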


#2 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:07:33 PM

Posted 25 July 2009 - 11:04 AM

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop.
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes in the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until it finishes
  • Find the log.txt inside the SysProt folder and attach the log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:07:33 PM

Posted 05 August 2009 - 12:20 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
