"SQMServiceList@SQMServiceList netprofm,netman" Rootkit


  • This topic is locked
3 replies to this topic

#1 brent0324

brent0324

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 09 November 2010 - 12:07 AM

I would like to think that I am a pretty savvy IT software analyst, but apparently I'm not savvy enough to figure out what is going on with this rootkit found by GMER: "SQMServiceList@SQMServiceList netprofm,netman". I have locked my computer down like Fort Knox since I found out I was having issues, but would like to get rid of this rootkit. Here are the logs, DDS then GMER:


DDS (Ver_10-11-09.01) - NTFS_AMD64
Run by brent0324 at 23:49:57.09 on Mon 11/08/2010
Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4094.2801 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\psxss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\snmp.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Users\brent0324\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [ccleaner] "C:\Program Files (x86)\CCleaner\CCleaner64.exe" /AUTO
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\BRENT0~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2010-9-10 20864]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2010-9-10 249496]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2010-9-10 33208]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2010-9-1 304464]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-1-22 563760]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2010-8-31 24664]
R3 PsxDrv;PsxDrv;C:\Windows\System32\drivers\psxdrv.sys [2009-7-13 10240]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-9-1 347680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 rspSanity;rspSanity;C:\Windows\System32\drivers\rspSanity64.sys [2010-11-7 29752]

=============== Created Last 30 ================

2010-11-08 04:41:03 -------- d-----w- C:\Temp
2010-11-08 04:36:20 295424 ----a-w- C:\temp\gmer.exe
2010-11-08 03:08:31 29752 ----a-w- C:\Windows\System32\drivers\rspSanity64.sys
2010-11-08 03:08:26 -------- d-----w- C:\Program Files\SanityCheck
2010-11-06 07:43:27 -------- d-----w- C:\Users\brent0324\New folder
2010-11-06 07:15:08 -------- d-----w- C:\Users\BRENT0~1\AppData\Roaming\netcitadel.com
2010-11-06 07:10:17 -------- d-----w- C:\FWBuilder41
2010-11-06 05:45:56 3209751 ----a-w- C:\Windows\System32\libkleo.dll
2010-11-06 05:42:51 -------- d-----w- C:\Users\BRENT0~1\AppData\Roaming\gnupg
2010-11-06 02:07:38 -------- d-----w- C:\Users\BRENT0~1\AppData\Roaming\Scooter Software
2010-11-06 02:07:05 -------- d-----w- C:\Program Files (x86)\Beyond Compare 3
2010-11-06 00:06:06 -------- d-----w- C:\W7RT
2010-11-04 00:11:38 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2010-11-04 00:11:38 641536 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2010-11-04 00:11:38 552960 ----a-w- C:\Windows\System32\msdri.dll
2010-11-04 00:11:37 288256 ----a-w- C:\Windows\System32\MSNP.ax
2010-11-04 00:11:37 258560 ----a-w- C:\Windows\System32\mpg2splt.ax
2010-11-04 00:11:37 204288 ----a-w- C:\Windows\SysWow64\MSNP.ax
2010-11-04 00:11:37 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2010-11-04 00:11:21 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2010-11-04 00:10:11 -------- d-----w- C:\Users\BRENT0~1\AppData\Roaming\Wireshark
2010-11-04 00:04:27 -------- d-----w- C:\Program Files (x86)\WinPcap
2010-11-04 00:03:50 -------- d-----w- C:\Program Files\Wireshark
2010-10-30 23:39:35 -------- d-----w- C:\Users\BRENT0~1\AppData\Roaming\.purple
2010-10-26 09:04:51 102400 ----a-w- C:\Windows\SysWow64\tsccvid.dll
2010-10-26 00:49:49 -------- d-----w- C:\Program Files (x86)\Universal Extractor
2010-10-24 05:43:17 -------- d-----w- C:\Windows\System32\RT 7 Lite
2010-10-24 02:47:37 -------- d-----w- C:\Program Files\Rockers Team
2010-10-24 02:47:00 -------- d-----w- C:\Users\BRENT0~1\AppData\Roaming\Rockers Team
2010-10-24 02:26:51 127808 ----a-w- C:\Windows\SysWow64\MSWINSCK.OCX
2010-10-24 02:26:51 10752 ----a-w- C:\Windows\SysWow64\aamd532.dll
2010-10-24 02:26:27 -------- d-----w- C:\apup
2010-10-24 01:23:08 90544 ----a-w- C:\Windows\System32\drivers\scdemu.sys
2010-10-24 01:23:08 -------- d-----w- C:\Program Files (x86)\PowerISO
2010-10-15 04:49:28 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-10-15 04:49:28 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll
2010-10-15 04:49:07 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
2010-10-15 04:49:07 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
2010-10-15 04:49:07 2085376 ----a-w- C:\Windows\System32\ole32.dll
2010-10-15 04:49:06 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
2010-10-15 04:48:43 483840 ----a-w- C:\Windows\System32\StructuredQuery.dll
2010-10-15 04:48:43 363520 ----a-w- C:\Windows\SysWow64\StructuredQuery.dll
2010-10-15 04:48:22 340992 ----a-w- C:\Windows\System32\schannel.dll
2010-10-15 04:48:22 224256 ----a-w- C:\Windows\SysWow64\schannel.dll
2010-10-15 04:48:01 633856 ----a-w- C:\Windows\System32\comctl32.dll
2010-10-15 04:48:00 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2010-10-14 05:01:22 -------- d-----w- C:\Users\BRENT0~1\AppData\Local\Mozilla
2010-10-14 05:01:08 -------- d-----w- C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 6
2010-10-11 02:37:45 -------- d-----w- C:\Program Files (x86)\SpeedFan

==================== Find3M ====================

2010-10-14 05:01:41 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-09-11 03:41:40 362784 ----a-w- C:\Windows\System32\guard64.dll
2010-09-11 03:41:40 285480 ----a-w- C:\Windows\SysWow64\guard32.dll
2010-09-11 03:40:44 33208 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2010-09-11 03:40:44 249496 ----a-w- C:\Windows\System32\drivers\cmdGuard.sys
2010-09-11 03:40:42 20864 ----a-w- C:\Windows\System32\drivers\cmderd.sys
2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2010-09-09 15:35:32 46448 ----a-w- C:\Windows\apppatch\AppPatch64\EMET64.dll
2010-09-09 15:35:32 43888 ----a-w- C:\Windows\apppatch\EMET.dll
2010-09-01 07:12:23 1970176 ----a-w- C:\Windows\SysWow64\xRaidSetup.exe
2010-09-01 07:12:23 151552 ----a-w- C:\Windows\SysWow64\xRaidAPI.dll
2010-09-01 07:12:23 112240 ----a-w- C:\Windows\System32\drivers\jraid.sys
2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-09-01 04:46:36 1355264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2010-09-01 04:44:32 367104 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-01 04:44:30 1448448 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2010-09-01 04:44:24 1122304 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-01 04:44:06 424960 ----a-w- C:\Windows\SysWow64\vbscript.dll
2010-09-01 04:43:22 23552 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-01 04:43:12 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2010-09-01 04:43:12 114176 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2010-09-01 04:43:10 76800 ----a-w- C:\Windows\SysWow64\SetIEInstalledDate.exe
2010-09-01 04:43:10 74752 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2010-09-01 04:43:02 448512 ----a-w- C:\Windows\System32\html.iec
2010-09-01 04:41:56 601088 ----a-w- C:\Windows\System32\vbscript.dll
2010-09-01 04:40:56 76800 ----a-w- C:\Windows\System32\tdc.ocx
2010-09-01 04:40:40 215552 ----a-w- C:\Windows\System32\msls31.dll
2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-08-27 06:14:02 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-08-27 05:46:48 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-08-27 03:38:04 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-08-27 03:37:48 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-08-27 03:37:26 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-08-21 06:38:47 1024512 ----a-w- C:\Windows\System32\wmpmde.dll
2010-08-21 06:29:47 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2010-08-21 05:36:33 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2010-08-16 06:50:45 1137664 ----a-w- C:\Windows\System32\FntCache.dll
2010-08-16 06:50:43 1543168 ----a-w- C:\Windows\System32\DWrite.dll
2010-08-16 06:50:42 899072 ----a-w- C:\Windows\System32\d2d1.dll
2010-08-16 06:50:42 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2010-08-16 06:50:42 1844224 ----a-w- C:\Windows\System32\d3d10warp.dll
2010-08-16 06:14:36 1076224 ----a-w- C:\Windows\SysWow64\DWrite.dll
2010-08-16 06:14:24 737280 ----a-w- C:\Windows\SysWow64\d2d1.dll
2010-08-16 06:14:24 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2010-08-16 06:14:24 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll

============= FINISH: 23:50:25.89 ===============

GMER 1.0.15.15507 - http://www.gmer.net
Rootkit scan 2010-11-08 00:39:56
Windows 6.1.7600
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\SQMServiceList@SQMServiceList netprofm,netman
Reg HKLM\SYSTEM\ControlSet002\Control\SQMServiceList@SQMServiceList netprofm,netman

---- EOF - GMER 1.0.15 ----
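Added example, not part of the thread or of GMER's or DDS's own tooling: a PowerShell check a responder could run on the affected machine to read the two registry values GMER listed through the ordinary registry API, compare what the API returns with the data string in the report, and see which ControlSet is the live one. The assumption behind it is that GMER's Registry section lists entries whose API view differs from the raw hive, so an API-side read is the natural first cross-check; the paths and the `netprofm,netman` string are taken from the GMER log above, and what the result means is left to the helper working the case.

```powershell
# Added example (not from the thread): read the value GMER flagged via the normal
# registry API and report whether the API view agrees with the flagged data.
# Paths and value name are the ones that appear in the GMER log.
$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control',
    'HKLM:\SYSTEM\ControlSet002\Control'
)
$valueName = 'SQMServiceList'
$flagged   = 'netprofm,netman'   # data string as displayed by GMER in the post above

foreach ($p in $paths) {
    $item = Get-ItemProperty -Path $p -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0}\{1}: not visible through the registry API" -f $p, $valueName
        continue
    }
    $data = $item.$valueName
    # A REG_MULTI_SZ comes back as a string array; join it so it can be compared
    # with GMER's comma-separated display of the same data.
    if ($data -is [array]) { $data = $data -join ',' }
    $kind = (Get-Item -Path $p).GetValueKind($valueName)
    "{0}\{1} = '{2}' ({3}); matches GMER report: {4}" -f $p, $valueName, $data, $kind, ($data -eq $flagged)
}

# CurrentControlSet is a link to ControlSet00N; Select shows which one is live,
# which tells you whether the two GMER lines refer to the same hive data or not.
Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' | Select-Object Current, Default, LastKnownGood
```

Run it from an elevated PowerShell prompt so both control sets are readable. If the API returns the same data GMER printed, the value is not hidden from user-mode tools, and the finding should be weighed against the rest of the logs rather than treated on its own.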


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:35 PM

Posted 15 November 2010 - 08:39 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 brent0324

brent0324
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 17 November 2010 - 10:22 PM

I actually ended up formatting and doing a clean install. There were too many options that could have been very hard to determine so I figured why waste your time and mine. Thanks!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:35 PM

Posted 18 November 2010 - 05:11 PM

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
