
Infected with Rootkit.Agent and unknown other things

  • This topic is locked
3 replies to this topic

#1 corybev


  • Members
  • 2 posts
  • Local time:10:46 PM

Posted 13 December 2009 - 03:16 AM

About a week ago, I was on a site I have visited numerous times per week for multiple years when suddenly popups and installation windows appeared, and a system tray icon started harassing me about being infected. The site is a legitimate webcomic so all I can assume is they were hacked or were displaying an infectious advertisement without their knowing. Anyway, I immediately recognized that my system had been compromised and tried to contain the outbreak. The Task Manager and things like msconfig and Process Explorer were either disabled, or would automatically close if I tried to open them - whatever it was had taken over the system. I shut down the system and restarted in safe mode and was able to actually function there. There were recently created exe files in the WINDOWS folder (logon.exe was one, I forget the name of the others), and DLLs with nonsense names recently added to WINDOWS\system32. I deleted those obviously infectious files, and then began running anti-malware software.

Here are things Malwarebytes' Anti-Malware found and removed:

Symantec AntiVirus found and removed:

Spybot S&D just found a long list of tracking cookies, though it always does that.

Re-running all 3 programs came up clean, HijackThis didn't show anything abnormal, msconfig/Autoruns didn't show anything abnormal, and I didn't see any more bad files in C:\WINDOWS, C:\WINDOWS\system32, and C:\WINDOWS\system\drivers, so I tried going back into normal mode. The desktop-hijack behavior was completely gone, but I still got pop-ups and redirects in both Firefox and Internet Explorer. I figured it was just leftover behavior so I left the system for the night and resolved to attack it again the next morning (leaving the system on over-night as I normally do). When I returned in the morning, there was desktop-hijack behavior again - apparently something left had downloaded more stuff in the night. I returned to safe mode and re-ran my scanning programs, deleting more of the same.

That is where I am now - safe mode, afraid to go back into normal mode and start the cycle over again. I've gone through everything I know with a fine-toothed comb, but still I get pop-ups and redirects (even in safe mode). I've attempted to look for rootkits beyond what Malwarebytes exposed. In normal mode, RootkitRevealer ran without any illuminating results (it doesn't run in safe mode). Sophos Anti-Rootkit ran to similar results. GMER crashes about 10 seconds after running the exe - both in normal mode and safe mode. RootRepeal crashes and actually causes the system to instantly reboot if I run certain reports - Hidden Services and Files being two of them. The only RootRepeal scans I've gotten to work are Drivers and Processes (those are all that are reflected in the RootRepeal log I'm posting).

Maybe I should not have gone into this myself without finding help since now I'm in the middle of a difficult removal without good documentation for the 1st part. In my defense, I worked as a computer technician who removed malware/viruses as a part-time job during my undergrad years and I was up-to-date on the latest developments at the time. Unfortunately, that is now about 2 years behind me so either my skills are now very out of date or this is just a real doozy of an infection. For better or worse, I am now stuck in this situation, so I'd appreciate any help you can offer. Thanks! :(

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Neo_Reloaded at 2:36:18.76 on Sun 12/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.643 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\DOCUME~1\NEO_RE~1\LOCALS~1\Temp\Temporary Directory 3 for ProcessExplorer.zip\procexp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Neo_Reloaded\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://neoreloaded.blogspot.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38265.4746759259
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neo_re~1\applic~1\mozilla\firefox\profiles\jwlb39eh.cory\
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2004-9-2 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2004-9-2 5248]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2004-8-15 23035]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-22 130936]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-8-15 10240]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2007-7-6 6942]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2007-2-15 11984]
S0 si3112r;si3112r;c:\windows\system32\drivers\si3112r.sys [2004-8-15 89610]
S0 vrerb;vrerb;c:\windows\system32\drivers\qjcjlpj.sys --> c:\windows\system32\drivers\qjcjlpj.sys [?]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-9-27 3712]
S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-22 348752]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-7-20 1258712]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2008-5-18 13824]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-25 38224]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A.tmp [2009-12-8 6144]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091202.006\naveng.sys [2009-12-3 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091202.006\navex15.sys [2009-12-3 1323568]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-8-11 31872]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S4 66c7e09b;66c7e09b;c:\windows\system32\drivers\66c7e09b.sys --> c:\windows\system32\drivers\66c7e09b.sys [?]
S4 DriveHealth;DriveHealth;c:\program files\helexis\drive health\dhcore.exe [2005-4-27 203264]
S4 ewdmaudn;ewdmaudn;\??\c:\docume~1\neo_re~1\locals~1\temp\ewdmaudn.sys --> c:\docume~1\neo_re~1\locals~1\temp\ewdmaudn.sys [?]
S4 EWGQQMZVEY;EWGQQMZVEY;c:\docume~1\neo_re~1\locals~1\temp\ewgqqmzvey.exe --> c:\docume~1\neo_re~1\locals~1\temp\EWGQQMZVEY.exe [?]
S4 haboejs;haboejs;c:\windows\system32\drivers\wptf.sys --> c:\windows\system32\drivers\wptf.sys [?]
S4 Itp4lptngndp;Itp4lptngndp; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2007-7-6 28672]
S4 ONGJXVJ;ONGJXVJ;c:\docume~1\neo_re~1\locals~1\temp\ongjxvj.exe --> c:\docume~1\neo_re~1\locals~1\temp\ONGJXVJ.exe [?]
S4 QRC;QRC;c:\docume~1\neo_re~1\locals~1\temp\qrc.exe --> c:\docume~1\neo_re~1\locals~1\temp\QRC.exe [?]
S4 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-22 1097096]
S4 UJEZTQXWL;UJEZTQXWL;c:\docume~1\neo_re~1\locals~1\temp\ujeztqxwl.exe --> c:\docume~1\neo_re~1\locals~1\temp\UJEZTQXWL.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-17 24652]
S4 VJRTTDMU;VJRTTDMU;c:\docume~1\neo_re~1\locals~1\temp\vjrttdmu.exe --> c:\docume~1\neo_re~1\locals~1\temp\VJRTTDMU.exe [?]

=============== Created Last 30 ================

2009-12-09 03:19:37 6144 ------w- c:\windows\system32\A.tmp
2009-12-09 03:14:38 6144 ------w- c:\windows\system32\9.tmp
2009-12-09 03:14:28 6144 ------w- c:\windows\system32\8.tmp
2009-12-09 03:14:15 0 d-----w- c:\program files\Sophos
2009-12-03 23:58:41 94 ----a-w- c:\windows\wininit.ini
2009-12-03 22:38:58 696832 ----a-w- c:\windows\is-4JSQK.exe
2009-12-03 22:38:58 399 ----a-w- c:\windows\is-4JSQK.lst
2009-12-03 22:38:58 10498 ----a-w- c:\windows\is-4JSQK.msg
2009-12-01 09:17:29 0 d-----w- C:\Combo-Fix4940C
2009-12-01 09:15:53 0 d-----w- C:\Combo-Fix24632C
2009-11-20 10:09:53 0 d-----w- c:\program files\iPod
2009-11-20 10:09:48 0 d-----w- c:\program files\iTunes
2009-11-20 10:09:26 0 d-----w- c:\program files\Bonjour
2009-11-20 10:08:09 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-20 10:08:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-20 09:38:22 0 d-----w- c:\program files\Windows Installer Clean Up

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-11-11 04:08:18 417792 ----a-w- C:\QTTask.exe
2009-10-25 23:47:42 8 ----a-w- c:\program files\dsqhp.txt
2009-10-25 11:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-07 20:50:44 26844 ---ha-w- c:\windows\system32\mlfcache.dat
2004-08-27 14:31:21 12518 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 2:38:21.73 ===============

This log shows numerous obviously-bad files, for example:

S4 ONGJXVJ;ONGJXVJ;c:\docume~1\neo_re~1\locals~1\temp\ongjxvj.exe --> c:\docume~1\neo_re~1\locals~1\temp\ONGJXVJ.exe [?]
S4 QRC;QRC;c:\docume~1\neo_re~1\locals~1\temp\qrc.exe --> c:\docume~1\neo_re~1\locals~1\temp\QRC.exe [?]
S4 UJEZTQXWL;UJEZTQXWL;c:\docume~1\neo_re~1\locals~1\temp\ujeztqxwl.exe --> c:\docume~1\neo_re~1\locals~1\temp\UJEZTQXWL.exe [?]
S4 VJRTTDMU;VJRTTDMU;c:\docume~1\neo_re~1\locals~1\temp\vjrttdmu.exe --> c:\docume~1\neo_re~1\locals~1\temp\VJRTTDMU.exe

Those are files that I remember deleting - so I'm not sure why they're on the DDS report that I just ran 5 minutes ago. Perhaps it is a history of their infection, or they are not truly gone.
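The SERVICES / DRIVERS section of the DDS log above already shows the pattern worth chasing: services whose image lives in a temp folder, whose name is a random-looking string, whose file DDS could not find on disk (the trailing [?]), or which have no image path at all ([x]). As an added example, not part of the original thread or of the DDS tool, the Python script below parses lines in that format and scores each entry on those signals, run over a handful of lines copied from the log above. The weights, the score threshold and the vowel-ratio test for random-looking names are my own assumptions for this illustration, not anything DDS itself does.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input for this example: lines copied from the SERVICES / DRIVERS
# section of the DDS log in the post above (a few legitimate entries, several
# suspicious ones). This is not a complete log.
SAMPLE_LOG = r"""
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-22 130936]
S0 vrerb;vrerb;c:\windows\system32\drivers\qjcjlpj.sys --> c:\windows\system32\drivers\qjcjlpj.sys [?]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A.tmp [2009-12-8 6144]
S4 ONGJXVJ;ONGJXVJ;c:\docume~1\neo_re~1\locals~1\temp\ongjxvj.exe --> c:\docume~1\neo_re~1\locals~1\temp\ONGJXVJ.exe [?]
S4 Itp4lptngndp;Itp4lptngndp; [x]
S4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2007-7-6 28672]
"""

# Line shapes seen in the log:
#   "R0 name;display;path [date size]"     file present
#   "S0 name;display;path --> path [?]"    file not found on disk
#   "S4 name;display; [x]"                 no image path registered
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PRESENT_RE = re.compile(r"^(.*) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")
VOWELS = set("aeiou")


@dataclass
class ServiceEntry:
    start_type: str          # R0/S0 boot, S1 system, S2 auto, S3 manual, S4 disabled
    name: str
    display: str
    path: Optional[str]      # None when DDS shows no image path at all
    status: str              # "present", "file-missing" ([?]) or "no-image-path" ([x])
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, tail = m.groups()
    tail = tail.strip()
    if tail == "[x]":
        return ServiceEntry(start, name, display, None, "no-image-path")
    if tail.endswith("[?]"):
        # DDS prints "registry path --> resolved path [?]" when the file is
        # absent; keep the resolved path, which is what was supposed to run.
        path = tail[:-3].strip().split(" --> ")[-1]
        return ServiceEntry(start, name, display, path, "file-missing")
    pm = PRESENT_RE.match(tail)
    if not pm:
        return None
    return ServiceEntry(start, name, display, pm.group(1), "present")


def looks_random(name: str) -> bool:
    """Weak signal (assumed heuristic): a letters-only name of 6+ characters
    with almost no vowels, as in ONGJXVJ or UJEZTQXWL."""
    if len(name) < 6 or not name.isalpha():
        return False
    vowels = sum(1 for c in name.lower() if c in VOWELS)
    return vowels / len(name) <= 0.15


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach a heuristic score and the reasons behind it to an entry.
    Weights are assumptions chosen for this example."""
    path = (entry.path or "").lower()
    checks = [
        (entry.status == "no-image-path", 2, "service has no image path ([x])"),
        (entry.status == "file-missing", 2, "registered file not found on disk ([?])"),
        ("\\temp\\" in path, 3, "image runs from a temp directory"),
        (path.endswith(".tmp"), 2, "image is a .tmp file"),
        (entry.name == entry.display, 1, "no descriptive display name"),
        (looks_random(entry.name), 1, "random-looking service name"),
    ]
    for hit, weight, reason in checks:
        if hit:
            entry.score += weight
            entry.reasons.append(reason)
    return entry


def triage(log_text: str, threshold: int = 3) -> List[ServiceEntry]:
    """Return entries scoring at or above threshold, highest score first."""
    entries = [assess(e) for e in map(parse_line, log_text.splitlines()) if e]
    flagged = [e for e in entries if e.score >= threshold]
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.score:>2}  {e.start_type} {e.name:<14} {e.path or '-'}")
        for r in e.reasons:
            print(f"      - {r}")
```

A high score is a reason to look, not to delete. The MEMSWEEP2 / A.tmp entry scores as high as the vrerb driver, yet it appears in the log a few minutes after the c:\program files\Sophos folder was created and is consistent with the driver Sophos Anti-Rootkit loads for its memory scan, so flagged names should be checked against the tools that were run before being treated as malware. In the other direction, an entry marked [?] is a service registration whose file is already gone: the registry entry survives the file deletion, which is one likely reason the poster still sees the temp executables they removed listed in a fresh DDS report.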


#2 corybev

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:46 PM

Posted 14 December 2009 - 02:46 AM

I think svchost.exe is infected. There is only one copy in the correct folder, but it appears to be running very strangely. Right now in safe mode I have 5 svchost.exe instances, and one of them is using 155 MB of my system memory - that is very unusual for my system if my memory is correct.

#3 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:46 PM

Posted 24 December 2009 - 09:48 PM


My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page (steps #6 and #7) for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.

Thanks again and we apologize for the delay.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:46 PM

Posted 29 December 2009 - 09:52 AM


Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
