
Possible Rootkit Infection that Malwarebytes Doesn't Detect?



Hi all, my computer at work is extremely slow and is bombarded by attacks from what Malwarebytes calls possibly malicious websites. Here are the DDS and MBAM logs.

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Nutrition City at 20:03:11 on 2011-05-29

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.303 [GMT -5:00]

.

AV: BitDefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Norton Internet Worm Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\WINDOWS\system32\ESDUSBMon.EXE

C:\Program Files\EPSON\ESM2\eEBSVC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Documents and Settings\Nutrition City\My Documents\Downloads\dds(1).scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us

uInternet Connection Wizard,ShellNext = iexplore

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

TB: Bitdefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2011\IEToolbar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [bitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2011\ieshow.exe"

mRun: [bDAgent] "c:\program files\bitdefender\bitdefender 2011\bdagent.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll

Trusted Zone: plentyoffish.com\www

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx

DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://ncmpls.viewnetcam.com:50000/JpegInst.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203400379750

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} - hxxp://ncmpls.viewnetcam.com/MpegInst.cab

DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://192.168.0.253/JpegInst.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\nutrition city\application data\mozilla\firefox\profiles\3f60xnqt.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://search.google.com/firefox/?fr=yff35-sfp

FF - plugin: c:\documents and settings\nutrition city\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

============= SERVICES / DRIVERS ===============

.

R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2010-12-9 66584]

R1 CFRPD;CFRPD;c:\windows\system32\drivers\CFRPD.sys [2010-12-9 33232]

R2 Cleaner_Validator;COMODO System - Cleaner Service;c:\program files\comodo\comodo system-cleaner\Cleaner_Validator.exe [2010-12-9 305600]

R2 EpsCe;EpsCe;c:\windows\system32\drivers\EpsCe.sys [2007-11-26 54784]

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-10-2 70016]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-26 363344]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-8-27 1051968]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-26 20952]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-24 10064]

S1 MpKsl1b814ff4;MpKsl1b814ff4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c7695176-e9cc-4950-b637-6d479ce35b5a}\mpksl1b814ff4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c7695176-e9cc-4950-b637-6d479ce35b5a}\MpKsl1b814ff4.sys [?]

S1 MpKsl2785e375;MpKsl2785e375;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bdfed46-8d9a-497d-a581-3aae28844e29}\mpksl2785e375.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bdfed46-8d9a-497d-a581-3aae28844e29}\MpKsl2785e375.sys [?]

S1 MpKsl3f83cdde;MpKsl3f83cdde;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bdfed46-8d9a-497d-a581-3aae28844e29}\mpksl3f83cdde.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bdfed46-8d9a-497d-a581-3aae28844e29}\MpKsl3f83cdde.sys [?]

S1 MpKsl4465fa6a;MpKsl4465fa6a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c7695176-e9cc-4950-b637-6d479ce35b5a}\mpksl4465fa6a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c7695176-e9cc-4950-b637-6d479ce35b5a}\MpKsl4465fa6a.sys [?]

S1 MpKsl7432cfd4;MpKsl7432cfd4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c7695176-e9cc-4950-b637-6d479ce35b5a}\mpksl7432cfd4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c7695176-e9cc-4950-b637-6d479ce35b5a}\MpKsl7432cfd4.sys [?]

S1 MpKslb1991a34;MpKslb1991a34;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bdfed46-8d9a-497d-a581-3aae28844e29}\mpkslb1991a34.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bdfed46-8d9a-497d-a581-3aae28844e29}\MpKslb1991a34.sys [?]

S1 MpKsldd30930c;MpKsldd30930c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b947d4c-a575-4ebb-b1f9-b8de7e0a3c09}\mpksldd30930c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6b947d4c-a575-4ebb-b1f9-b8de7e0a3c09}\MpKsldd30930c.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-5-28 11496]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-5-19 27064]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 XRNBO;XRNBO;c:\windows\system32\drivers\XRNBO.sys [2010-8-12 177152]

.

=============== Created Last 30 ================

.

2011-05-28 20:09:26 11264 ----a-w- c:\windows\DCEBoot.exe

2011-05-28 19:48:30 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-05-28 16:37:24 21480 ----a-w- c:\windows\system32\mv2.dll

2011-05-28 16:37:24 11496 ----a-w- c:\windows\system32\drivers\mv2.sys

2011-05-28 00:09:19 149520 ----a-w- c:\windows\system32\drivers\bdfm.sys

2011-05-28 00:07:37 -------- d-----w- c:\documents and settings\nutrition city\application data\BitDefender

2011-05-28 00:04:11 -------- d-----w- c:\program files\BitDefender

2011-05-27 23:52:06 -------- d-----w- c:\documents and settings\nutrition city\application data\QuickScan

2011-05-27 23:49:06 -------- d-----w- c:\program files\common files\BitDefender

2011-05-27 23:49:06 -------- d-----w- c:\documents and settings\all users\application data\BitDefender

2011-05-27 23:45:18 308296 ----a-w- c:\windows\system32\drivers\Trufos.sys

2011-05-27 23:45:10 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys

2011-05-27 23:45:00 73683 ----a-w- c:\documents and settings\all users\application data\bdinstall.bin

2011-05-27 21:21:27 75599 ----a-w- c:\windows\cscmondump.bin

2011-05-27 21:19:07 2 --shatr- c:\windows\winstart.bat

2011-05-27 21:02:25 -------- d-----w- c:\program files\COMODO

2011-05-27 21:02:18 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-26 20:24:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-26 20:24:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-20 02:38:01 114688 ----a-w- c:\windows\system32\RicohMediadriverVer.dll

2011-05-20 00:24:17 -------- d-----w- c:\documents and settings\nutrition city\local settings\application data\uTorrent

2011-05-19 23:46:48 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-19 23:46:48 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-19 23:46:48 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-19 23:46:48 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-19 23:46:48 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-19 23:46:48 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-19 23:46:48 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-05-19 23:46:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-05-19 20:27:33 -------- d-----w- c:\documents and settings\nutrition city\local settings\application data\VS Revo Group

2011-05-19 20:27:16 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2011-05-19 20:27:08 -------- d-----w- c:\program files\VS Revo Group

2011-05-19 08:05:36 -------- d-----w- c:\program files\Best Uninstall Tool

2011-05-19 05:43:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-19 05:24:54 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-19 05:24:54 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-19 05:21:48 -------- d-----w- c:\program files\ScottradeELITE

2011-05-19 04:52:43 -------- d-----w- c:\windows\system32\Cache

2011-05-19 04:52:43 -------- d-----w- c:\documents and settings\nutrition city\WINDOWS

2011-05-14 23:43:12 -------- d-----w- c:\program files\Trend Micro

2011-05-07 18:27:27 -------- d-sh--w- C:\RECYCLER(2)

2011-05-07 18:26:20 -------- d-----w- c:\program files\Microsoft Security Client(2)

2011-05-07 17:52:46 -------- d-----w- C:\cmdcons

.

==================== Find3M ====================

.

2011-05-21 23:26:33 12080 ----a-w- c:\windows\system32\drivers\D7B90406.bin

2011-04-15 21:00:36 53248 ----a-w- c:\windows\system32\CSVer.dll

2011-03-24 20:36:20 353096 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys

2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2010-07-08 15:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe

.

============= FINISH: 20:06:01.20 ===============

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6717

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/29/2011 8:30:50 PM

mbam-log-2011-05-29 (20-30-49).txt

Scan type: Quick scan

Objects scanned: 171895

Time elapsed: 18 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

attach.zip

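Added example (not code from the original post, from Malwarebytes staff, or from the DDS tool): a small Python script that walks a DDS log and pulls out the entries a responder usually checks by hand before deciding whether a rootkit scan is even warranted. It assumes the line shapes seen in the log above; the rule names, the 7-day "recent driver" window and the reading of DDS's "[?]" marker as "image file could not be read at that path" are my own choices. The sample input is a constructed subset of the lines from the post, and every hit is a prompt to look, not a finding: orphaned CLSIDs, Trusted Zone entries, ActiveX CABs fetched from an IP address and kernel drivers created days before the slowdown all turn up on clean machines as well.

```python
"""Triage helper for DDS logs like the one posted above.

Added example, not code from the original post, Malwarebytes staff or the
DDS tool. Every hit is a review prompt, not a verdict.
"""
import ipaddress
import re
from datetime import date, datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample input: a subset of the DDS lines from the post above,
# embedded so the example runs offline.
SAMPLE_DDS = r"""
TB: Bitdefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2011\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
Trusted Zone: plentyoffish.com\www
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://192.168.0.253/JpegInst.cab
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2010-12-9 66584]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-5-28 11496]
2011-05-28 16:37:24 11496 ----a-w- c:\windows\system32\drivers\mv2.sys
2011-05-27 21:19:07 2 --shatr- c:\windows\winstart.bat
2011-05-19 20:27:08 -------- d-----w- c:\program files\VS Revo Group
"""
LOG_DATE = date(2011, 5, 29)  # the "Run by ... on" date in the posted log

# Line shapes handled here (regexes are my own, derived from the log above).
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(.+?)(?: \[([^\]]*)\])?$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:\d+|-+) ([-a-z]{8}) (.+)$")
DPF_RE = re.compile(r"^DPF: .* - (hxxps?://\S+)$", re.IGNORECASE)


def _host_is_ip_literal(url):
    """True when a Downloaded Program Files CAB is fetched from a bare IP.
    DDS defangs http to hxxp; undo that so urlsplit sees a real scheme."""
    host = urlsplit(url.replace("hxxp", "http", 1)).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _parse_dds_date(stamp):
    """DDS writes unpadded dates in service lines, e.g. '2011-5-28 11496'."""
    try:
        return datetime.strptime(stamp.split()[0], "%Y-%m-%d").date()
    except (ValueError, IndexError):
        return None


def triage_dds(text, log_date, recent_days=7):
    """Return (rule, line) pairs for lines that deserve a manual look."""
    findings = []
    cutoff = log_date - timedelta(days=recent_days)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("TB:", "BHO:")) and line.endswith("- No File"):
            # CLSID still registered, DLL gone: usually uninstall leftovers.
            findings.append(("orphaned_clsid", line))
        elif line.startswith("Trusted Zone:"):
            # Sites in IE's Trusted Zone run under relaxed security settings.
            findings.append(("trusted_zone", line))
        elif (m := DPF_RE.match(line)) and _host_is_ip_literal(m.group(1)):
            # ActiveX pulled from an IP address rather than a vendor hostname.
            findings.append(("dpf_ip_literal", line))
        elif (m := SERVICE_RE.match(line)):
            image, info = m.group(1), m.group(2)
            if info == "?":
                # DDS prints [?] when it could not read the image file.
                findings.append(("unverified_image", line))
            elif info and image.lower().endswith(".sys"):
                created = _parse_dds_date(info)
                if created and created >= cutoff:
                    findings.append(("recent_driver", line))
        elif (m := CREATED_RE.match(line)):
            created = date.fromisoformat(m.group(1))
            attrs, path = m.group(2), m.group(3)
            if path.lower().endswith(".sys") and created >= cutoff:
                # A kernel driver that appeared days before the complaint.
                findings.append(("recent_driver", line))
            if "s" in attrs and "h" in attrs and "d" not in attrs:
                # System+hidden attribute bits on a plain file.
                findings.append(("hidden_system_file", line))
    return findings


def summarize(findings):
    """Count findings per rule for a quick overview."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def triage_sample():
    """Run the rules over the embedded sample with the posted log's date."""
    return triage_dds(SAMPLE_DDS, LOG_DATE)


if __name__ == "__main__":
    for rule, line in triage_sample():
        print(f"{rule:20} {line}")
```

Run it as a script to print the hits for the embedded sample, or call triage_dds() with the full log text and the date from the "Run by" line. Adding a rule is one more elif; the point is to make the first pass over a log repeatable, not to replace the per-item judgement a helper would still apply to each hit.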

  • Staff

Hi and welcome to Malwarebytes.

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for uTorrent and anything else you may have installed.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

