#1
Registered User
Join Date: Jul 2007
Posts: 3
OS: XP
HELP! System modified by rootkit activity...IE8/Firefox Disabled
My son infected his PC with some malware/viruses/trojans. I've successfully (I think anyway) removed them but now have a few residual problems.
1. Internet Explorer does not connect to any websites. When IE8 is opened, it appears to be connecting to the homepage (YouTube) but all that is displayed is a white page. The same holds true for Mozilla Firefox.
2. My Task Manager has been corrupted/disabled as well. I've gone into gpedit.msc and checked the taskman properties ... all appears to be in order; however, the Task Manager does not display when CTRL+ALT+DEL is implemented. I've gone to a command prompt as well and tried to run taskman.exe, but nothing happens when the command is entered.

I'm currently running Windows XP Media Center Edition. I've posted my problem on the forums at bleepingcomputer.com but have posted here because your forums also wanted information on rootkits (something the other forum did not request). I'm curious as to what the problem could be...I've tried everything I could think of.... When the problem was first brought to my attention, the computer was recycling and never fully loading Windows, so I think I've done OK up to this point. LOL. But this stumps me - I can't figure out what settings have been corrupted that have disabled IE8 and Firefox....not to mention I cannot figure out where my Task Manager went. HELP! Any help would be tremendously appreciated.
Chrissy

DDS (Ver_09-05-14.01) - NTFSx86 Run by Owner at 22:33:56.39 on Wed 06/17/2009
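As an added example (not part of the original post or of the DDS tool), a small Python triage helper for DDS-style report lines of the kind the poster attached. It flags the entries an analyst looks at first: services whose registered image is missing or loads from a temp directory, orphaned BHOs, hijacked Firefox search prefs and per-user proxy settings. The sample report is constructed in the DDS format, reusing entries from the posted log.

```python
import re

# Constructed sample in the DDS report format the poster attached; the service,
# BHO, Firefox and proxy entries are copied from that report, nothing is invented.
SAMPLE_REPORT = r"""
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
S2 lbyyqcbk;lbyyqcbk;\??\c:\windows\system32\drivers\ozqzkxe.sys --> c:\windows\system32\drivers\ozqzkxe.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\owner\locals~1\temp\lredbooo.sys --> c:\docume~1\owner\locals~1\temp\lredbooo.sys [?]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
uInternet Settings,ProxyOverride = *.local
"""

# DDS service/driver lines: "<start type> <name>;<description>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def triage_service(line):
    """Flag service entries whose image is missing, lives in a temp dir, or has a throwaway name."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _start, name, desc, image = m.groups()
    findings = []
    if image.rstrip().endswith("[?]"):
        # DDS prints "path --> path [?]" when the registered binary is not on disk
        findings.append(("service", f"{name}: registered image file is missing", line))
    if re.search(r"\\temp\\", image, re.IGNORECASE):
        findings.append(("service", f"{name}: image loads from a temp directory", line))
    if name == desc and re.fullmatch(r"[a-z]{6,10}", name):
        # a lowercase-only name reused as its own description has no vendor behind it
        findings.append(("service", f"{name}: random-looking name with no vendor description", line))
    return findings


def triage_line(line):
    """Return (category, reason, line) findings for one DDS report line."""
    line = line.strip()
    if not line:
        return []
    if line.startswith("BHO:") and line.endswith("- No File"):
        return [("bho", "orphaned BHO registration, DLL already gone", line)]
    if line.startswith("FF - prefs.js:") and (".search." in line or "keyword.URL" in line):
        host = re.search(r"hxxps?://([^/]+)", line)  # DDS defangs http as hxxp
        if host:
            return [("browser", f"Firefox search pref points at {host.group(1)}", line)]
    if line.startswith("uInternet Settings,Proxy"):
        return [("browser", "per-user WinINet proxy setting present, check ProxyEnable/ProxyServer too", line)]
    return triage_service(line)


def triage_report(report):
    """Run every line of a DDS report through triage_line and collect the findings."""
    return [f for ln in report.splitlines() for f in triage_line(ln)]
```

Run over a full DDS report, the "service" findings are the ones to cross-check against the "Created Last 30" section: a driver whose file is already gone but whose service key remains is exactly the residue a removal tool leaves behind.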