  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1261

How do I remove Rootkit.Agent ?

I've run MalwareBytes and have been notified of a Rootkit.Agent infection.  Can someone help with analyzing the MalwareBytes log and a ComboFix log.  MalwareBytes is finding the infection but not removing it.  ComboFix is not clearing it by default but I understand may be able to deal with it if fed a script with the right information in it.
0
vltsg
Asked:
vltsg
1 Solution
 
Corlie008 Commented:
0
 
Thomas Zucker-Scharff, Systems Analyst, Commented:
I have not used the tool specified in the page referenced by Corlie008, but I would suggest if that doesn't work, or even if it does, that you scan your computer with at least 2 other rootkit detectors.

Try the following:

Sophos: https://secure.sophos.com/products/free-tools/sophos-anti-rootkit/download/
F-Secure: http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html

When you have done this and rebooted your system, run a full antimalware check with Malwarebytes.  If everything comes up clean, reboot again.  If you have no problem booting into a clean version of Windows, you need to delete your system restore points as they are most likely infected as well.

NOTE: THIS WILL DELETE ALL SYSTEM RESTORE POINTS

Disable System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.

Restart your system.
Repeat the steps above to turn System Restore back on.

Click Start
All Programs
Accessories
System Tools
System Restore

Choose to create a system restore point and follow the prompts.
0
 
greyknight17 Commented:
Attach your Malwarebytes' and ComboFix log here for review.
0
 
vltsg (Author) Commented:
Here are the Malwarebytes and ComboFix logs.  Thanks, DML

=================================================================
MALWAREBYTES:
=================================================================

Malwarebytes' Anti-Malware 1.42
Database version: 3385
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/21/2009 2:24:36 PM
mbam-log-2009-12-21 (14-24-36).txt

Scan type: Quick Scan
Objects scanned: 197700
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mzolvgu.sys (Rootkit.Agent) -> Delete on reboot.


===================================================================
COMBOFIX
===================================================================

ComboFix 09-12-20.08 - gdavis 12/21/2009  13:03:07.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.396 [GMT -5:00]
Running from: c:\documents and settings\gdavis\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

(((((((((((((((((((((((((   Files Created from 2009-11-21 to 2009-12-21  )))))))))))))))))))))))))))))))
.

2009-12-21 13:15 . 2009-12-21 13:15      --------      d-----w-      c:\documents and settings\gdavis\Local Settings\Application Data\Apple_Inc
2009-12-18 19:50 . 2009-12-18 19:52      118128      ----a-w-      C:\MGlogs.zip
2009-12-18 19:50 . 2009-12-18 19:52      --------      d-----w-      C:\MGtools
2009-12-18 19:29 . 2009-12-18 19:29      0      ----a-w-      c:\windows\settings.dat
2009-12-18 19:27 . 2009-12-18 19:23      464491      ----a-w-      C:\RootRepeal.zip
2009-12-18 19:27 . 2009-12-18 19:23      2385327      ----a-w-      C:\MGtools.exe
2009-12-18 19:26 . 2009-10-29 15:21      7280672      ----a-w-      C:\SUPERAntiSpyware.exe
2009-12-18 18:32 . 2009-12-18 18:32      578560      -c--a-w-      c:\windows\system32\dllcache\user32.dll
2009-12-18 18:27 . 2009-12-18 18:27      --------      d-----w-      c:\windows\ERUNT
2009-12-18 18:26 . 2009-12-18 18:57      --------      d-----w-      C:\SDFix
2009-12-18 18:26 . 2009-08-05 19:42      1529241      ----a-w-      C:\SDFix.exe
2009-12-18 17:28 . 2009-06-29 21:01      91976      ----a-w-      c:\windows\system32\drivers\SysPlant.sys
2009-12-18 17:28 . 2009-12-18 17:28      60800      ----a-w-      c:\windows\system32\S32EVNT1.DLL
2009-12-18 17:26 . 2009-06-29 21:01      82360      -c--a-w-      c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{D689B418-235A-4290-A0A5-A75E490E0351}\program files\Symantec\SEP\I2ldvp3.dll
2009-12-18 17:16 . 2009-12-18 17:16      --------      d-----w-      c:\documents and settings\gdavis\Local Settings\Application Data\ICS
2009-12-18 17:16 . 2009-12-21 12:22      --------      d-----w-      c:\windows\LMIC.tmp
2009-12-13 23:01 . 2009-12-18 17:05      0      ----a-w-      c:\windows\Lzabez.bin
2009-12-13 23:01 . 2009-12-18 17:05      120      ----a-w-      c:\windows\Pgazisawanulam.dat
2009-12-13 22:59 . 2009-12-21 18:10      697856      ----a-w-      c:\windows\system32\drivers\mzolvgu.sys
2009-12-10 17:28 . 2009-12-10 17:28      116      ----a-w-      c:\windows\system32\fjhdyfhsn.bat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 18:00 . 2007-02-06 20:26      1890      --sha-w-      c:\windows\system32\KGyGaAvL.sys
2009-12-21 18:00 . 2009-07-17 18:34      256      ----a-w-      c:\windows\system32\pool.bin
2009-12-21 14:16 . 2009-11-16 17:47      185712      ----a-w-      c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-21 12:22 . 2007-02-06 21:19      --------      d-----w-      c:\program files\Common Files\AOL
2009-12-21 11:50 . 2007-02-06 21:20      --------      d-----w-      c:\documents and settings\All Users\Application Data\AOL
2009-12-18 19:28 . 2008-08-04 19:23      --------      d-----w-      c:\program files\Common Files\Wise Installation Wizard
2009-12-18 17:34 . 2009-06-29 21:01      149768      ----a-w-      c:\windows\system32\drivers\wpshelper.sys
2009-12-18 17:30 . 2007-02-06 21:14      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2009-12-18 17:29 . 2007-02-06 21:14      --------      d-----w-      c:\documents and settings\All Users\Application Data\Symantec
2009-12-18 17:28 . 2007-02-06 19:09      --------      d-----w-      c:\program files\Symantec
2009-12-18 17:28 . 2009-12-18 17:27      805      ----a-w-      c:\windows\system32\drivers\SYMEVENT.INF
2009-12-18 17:28 . 2009-12-18 17:27      123952      ----a-w-      c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-18 17:28 . 2009-12-18 17:27      10563      ----a-w-      c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-18 16:47 . 2008-10-15 18:13      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-12-18 16:47 . 2008-12-31 14:02      4844295      ----a-w-      c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 15:47 . 2008-01-12 13:30      --------      d-----w-      c:\documents and settings\gdavis\Application Data\Apple Computer
2009-12-15 22:07 . 2009-11-16 17:46      2246      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\qbbackup.sys
2009-12-04 11:17 . 2009-11-16 17:07      --------      d-----w-      c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2009-12-03 21:14 . 2008-10-15 18:13      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-10-15 18:13      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-11-25 05:49 . 2009-11-16 21:08      852784      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\dblgen11.dll
2009-11-25 05:49 . 2009-11-16 21:08      2168112      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2009-11-25 05:49 . 2009-11-16 21:08      205576      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-25 05:49 . 2009-11-16 21:08      1087752      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-16 21:08 . 2009-11-16 21:08      296240      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-16 21:08 . 2009-11-16 21:08      787760      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-16 21:08 . 2009-11-16 21:08      570672      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-16 21:08 . 2009-11-16 21:08      496944      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-16 21:08 . 2009-11-16 21:08      423216      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-16 21:08 . 2009-11-16 21:08      263472      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-16 21:08 . 2009-11-16 21:08      1152304      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-11-16 21:08 . 2009-11-16 21:08      763184      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-16 21:08 . 2009-11-16 21:08      398640      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-16 21:08 . 2009-11-16 21:08      34056      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2009-11-16 21:08 . 2009-11-16 21:08      192512      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-11-16 21:03 . 2009-11-16 21:03      975648      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\qbpatch.exe
2009-11-16 21:03 . 2009-11-16 21:03      499712      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\msvcp71.dll
2009-11-16 21:03 . 2009-11-16 21:03      348160      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\msvcr71.dll
2009-11-16 17:09 . 2009-11-16 17:09      --------      d-----w-      c:\documents and settings\All Users\Application Data\Nuance
2009-11-16 17:09 . 2007-02-06 21:09      --------      d-----w-      c:\program files\Common Files\Intuit
2009-11-16 17:09 . 2007-02-06 21:09      --------      d-----w-      c:\documents and settings\All Users\Application Data\Intuit
2009-11-13 05:07 . 2009-04-29 15:47      205576      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-13 05:07 . 2009-04-29 15:47      1087240      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-13 02:52 . 2008-04-03 02:58      --------      d-----w-      c:\program files\Safari
2009-11-13 02:48 . 2009-11-13 02:48      79144      ----a-w-      c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-06 20:39 . 2009-04-28 18:03      3587      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\qbbackup.sys
2009-11-06 11:35 . 2007-02-16 13:54      --------      d-----w-      c:\program files\SipV7
2009-11-06 05:11 . 2009-08-12 09:45      787760      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-06 05:11 . 2009-08-12 09:45      763184      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-06 05:11 . 2009-08-12 09:45      570672      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-06 05:11 . 2009-08-12 09:45      496944      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-06 05:11 . 2009-08-12 09:45      423216      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-06 05:11 . 2009-08-12 09:45      398640      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-06 05:11 . 2009-08-12 09:45      296240      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-06 05:11 . 2009-08-12 09:45      263472      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-06 05:11 . 2009-08-12 09:45      1152304      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-11-01 16:28 . 2009-05-10 23:02      --------      d-----w-      c:\documents and settings\gdavis\Application Data\U3
2009-10-30 08:35 . 2009-10-30 08:34      --------      d-----w-      c:\program files\iTunes
2009-10-30 08:34 . 2009-10-30 08:34      --------      d-----w-      c:\program files\iPod
2009-10-30 08:34 . 2008-01-12 13:27      --------      d-----w-      c:\program files\Common Files\Apple
2009-10-30 08:28 . 2009-10-30 08:28      79144      ----a-w-      c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:46 . 2006-03-15 23:56      832512      ------w-      c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2006-03-15 23:55      78336      ----a-w-      c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2006-03-15 23:55      17408      ------w-      c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2006-03-15 23:56      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-03-15 23:55      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00      265728      ----a-w-      c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-03-15 23:55      270336      ----a-w-      c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-03-15 23:56      149504      ----a-w-      c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-03-15 23:56      79872      ----a-w-      c:\windows\system32\raschap.dll
2007-02-06 20:26 . 2007-02-06 20:26      88      --sh--r-      c:\windows\system32\CD42E0A9AE.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-08-31 996616]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-03-16 1077248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-29 115560]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-22 615696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"Act.Outlook.Service"="c:\program files\ACT\ACT for Windows\Act.Outlook.Service.exe" [2006-08-28 9728]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\ActSage.exe" [2006-08-28 1015808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\gdavis\Start Menu\Programs\Startup\
Shortcut to login.lnk - C:\login.bat [2007-2-6 72]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-10-11 1724416]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-9-21 1545488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42      73728      ----a-w-      c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [6/28/2006 8:48 PM 28952920]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/18/2009 12:34 PM 102448]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/15/2006 6:57 PM 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/15/2006 6:57 PM 226304]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2/6/2007 3:18 PM 90112]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/29/2009 4:00 PM 23888]
S3 PALYNFX;PALYNFX;c:\docume~1\gdavis\LOCALS~1\Temp\PALYNFX.exe --> c:\docume~1\gdavis\LOCALS~1\Temp\PALYNFX.exe [?]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [1/29/2008 12:24 PM 58240]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 UVEYYZNMHP;UVEYYZNMHP;c:\docume~1\gdavis\LOCALS~1\Temp\UVEYYZNMHP.exe --> c:\docume~1\gdavis\LOCALS~1\Temp\UVEYYZNMHP.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mzolvgu
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 13:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mzolvgu]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1784)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(5876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-12-21  13:13:25
ComboFix-quarantined-files.txt  2009-12-21 18:13
ComboFix2.txt  2009-12-21 17:50

Pre-Run: 118,850,416,640 bytes free
Post-Run: 118,816,006,144 bytes free

- - End Of File - - EF65316BBBD02BCA1D699F71E7DD48D8
0
 
rpggamergirl Commented:
Did ComboFix delete some files on its first run?

Run Combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\Lzabez.bin
c:\windows\Pgazisawanulam.dat
c:\windows\system32\drivers\mzolvgu.sys
c:\windows\system32\fjhdyfhsn.bat

Driver::

UVEYYZNMHP
PALYNFX

Registry::

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mzolvgu]
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



c:\windows\system32\CD42E0A9AE.sys <-- Also check the properties of this file and see what it says.
0
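An added example, not code from this thread or from any of the tools named in it: a Python triage script that reads excerpts of the two logs posted above, ties the Malwarebytes hit to the ComboFix lines that belong with it (files created within minutes of the flagged driver, the driver's Services key, and services whose image lives under a Temp folder) and emits those findings in the File:: / Driver:: / Registry:: layout that rpggamergirl's CFScript uses. The ten-minute window and the Temp-folder rule are heuristics chosen here, and the embedded log excerpts are constructed from the posted logs rather than being the complete logs.

```python
import re
import ntpath
from datetime import datetime, timedelta

# Constructed excerpts modelled on the Malwarebytes and ComboFix logs posted in this thread.
MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\drivers\mzolvgu.sys (Rootkit.Agent) -> Delete on reboot.
"""

COMBOFIX_LOG = r"""
2009-12-18 17:28 . 2009-06-29 21:01      91976      ----a-w-      c:\windows\system32\drivers\SysPlant.sys
2009-12-13 23:01 . 2009-12-18 17:05      0      ----a-w-      c:\windows\Lzabez.bin
2009-12-13 23:01 . 2009-12-18 17:05      120      ----a-w-      c:\windows\Pgazisawanulam.dat
2009-12-13 22:59 . 2009-12-21 18:10      697856      ----a-w-      c:\windows\system32\drivers\mzolvgu.sys
2009-12-10 17:28 . 2009-12-10 17:28      116      ----a-w-      c:\windows\system32\fjhdyfhsn.bat
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/15/2006 6:57 PM 29184]
S3 PALYNFX;PALYNFX;c:\docume~1\gdavis\LOCALS~1\Temp\PALYNFX.exe --> c:\docume~1\gdavis\LOCALS~1\Temp\PALYNFX.exe [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 UVEYYZNMHP;UVEYYZNMHP;c:\docume~1\gdavis\LOCALS~1\Temp\UVEYYZNMHP.exe --> c:\docume~1\gdavis\LOCALS~1\Temp\UVEYYZNMHP.exe [?]
*Deregistered* - mzolvgu
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mzolvgu]
"""

# "C:\path\file.sys (Detection.Name) -> Action."
MBAM_HIT = re.compile(r"^([A-Za-z]:\\.+?) \(([^)]+)\) -> (.+)$")
# "<created> . <modified>  <size>  <attrs>  <path>" from the 'Files Created' section
CF_CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
# "R2 name;description;image path [date size]" service/driver lines
CF_SERVICE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*)$")
CF_DEREG = re.compile(r"^\*Deregistered\* - (\S+)$")
CF_SVC_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\\\]]+))\]$")


def parse_mbam(text):
    """Return the files Malwarebytes flagged: path, detection name and action taken."""
    hits = []
    for line in text.splitlines():
        if m := MBAM_HIT.match(line.strip()):
            hits.append({"path": m.group(1), "name": m.group(2), "action": m.group(3)})
    return hits


def parse_combofix(text):
    """Pull the created-file, service/driver, deregistered and Services-key lines out of a ComboFix log."""
    cf = {"created": [], "services": [], "deregistered": [], "service_keys": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := CF_CREATED.match(line):
            cf["created"].append({"created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                                  "path": m.group(2).strip()})
        elif m := CF_SERVICE.match(line):
            cf["services"].append({"name": m.group(1), "image": m.group(2)})
        elif m := CF_DEREG.match(line):
            cf["deregistered"].append(m.group(1))
        elif m := CF_SVC_KEY.match(line):
            cf["service_keys"].append({"key": m.group(1), "name": m.group(2)})
    return cf


def correlate(mbam_hits, cf, window=timedelta(minutes=10)):
    """Expand each Malwarebytes hit into the ComboFix artefacts that belong with it."""
    files, drivers, registry = {}, set(), set()
    by_path = {c["path"].lower(): c for c in cf["created"]}
    for hit in mbam_hits:
        key = hit["path"].lower()
        files.setdefault(key, hit["path"])
        # Heuristic: files dropped within `window` of the flagged driver are part of the same install.
        anchor = by_path.get(key)
        if anchor:
            for c in cf["created"]:
                if abs(c["created"] - anchor["created"]) <= window:
                    files.setdefault(c["path"].lower(), c["path"])
        # The driver's Services key (ControlSet...\Services\<stem>) is what reloads it on boot.
        stem = ntpath.splitext(ntpath.basename(key))[0]
        for sk in cf["service_keys"]:
            if sk["name"].lower() == stem:
                registry.add(sk["key"])
    # Heuristic: a registered service whose image lives under a Temp folder is worth removing.
    for svc in cf["services"]:
        if "\\temp\\" in svc["image"].lower():
            drivers.add(svc["name"])
    return {"files": sorted(files.values(), key=str.lower), "drivers": sorted(drivers),
            "registry": sorted(registry), "deregistered": sorted(cf["deregistered"])}


def build_cfscript(findings):
    """Render the findings in the File:: / Driver:: / Registry:: layout ComboFix reads from CFScript.txt."""
    lines = ["File::", *findings["files"], "", "Driver::", *findings["drivers"], "",
             "Registry::", *[f"[-{k}]" for k in findings["registry"]]]
    return "\n".join(lines) + "\n"


def triage(mbam_text=MBAM_LOG, combofix_text=COMBOFIX_LOG):
    return correlate(parse_mbam(mbam_text), parse_combofix(combofix_text))


if __name__ == "__main__":
    result = triage()
    for name in result["deregistered"]:
        print(f"note: ComboFix found '{name}' in memory and reports deregistering it; verify after the rerun")
    print(build_cfscript(result))
```

The time-window rule deliberately leaves out c:\windows\system32\fjhdyfhsn.bat, created three days earlier, which rpggamergirl added by judgement; the script is a starting point for review, not a substitute for it.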
 
xtreminator Commented:
try to find suspicious thing using revealer

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
0
 
vltsg (Author) Commented:
Thanks RPGGamergirl,

It's amazing that no other tool I could find could delete those files.  But I guess that is the nature of rootkits; working outside the Windows API.  Thanks for your expertise with ComboFix.  To answer your question about some files being deleted earlier, I was not the only one at my company working on this issue, several different tools were completed earlier in an attempt to clean the system, so other files could have been deleted then.  I am not sure if ComboFix deleted files on its first run.

DML
0
 
rpggamergirl Commented:
Glad to know the issue seems to be resolved.
ComboFix is a powerful tool and with its script function it can delete any bad files.

Files that Combofix had deleted are in the --> C:\Qoobox\Quarantine

If everything is fine and you no longer need ComboFix, you can then uninstall it.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall


Thanks!
Merry Christmas and happy Holidays!

0
