Question : Removing Rootkit.Agent on Windows XP SP3 ComboFix log attached

I have an XPP machine with RootKit.Agent on it, detected by MalwareBytes. I tried a bunch of times to get rid of it with MWB but had no success. I ran ComboFix and here is the log. It detected RootKit MBR hooks but I am not sure how to fix it. Any thoughts?

ComboFix Log:

ComboFix 10-06-17.01 - ed 06/17/2010  14:45:42.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2680 [GMT -4:00]
Running from: C:\New Folder\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\win.com
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2010-05-17 to 2010-06-17  )))))))))))))))))))))))))))))))
.

2010-06-17 18:06:21 . 2010-06-17 18:06:21      27140      ---ha-w-      C:\WINDOWS\system32\mlfcache.dat
2010-06-17 18:03:54 . 2010-06-17 18:30:40      664      ----a-w-      C:\WINDOWS\system32\d3d9caps.dat
2010-06-17 16:24:04 . 2010-04-29 19:39:38      38224      ----a-w-      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-06-17 16:24:02 . 2010-04-29 19:39:26      20952      ----a-w-      C:\WINDOWS\system32\drivers\mbam.sys
2010-06-17 16:17:24 . 2010-06-17 16:17:24      --------      d-----w-      C:\Documents and Settings\ed\Application Data\TeamViewer
2010-06-17 16:14:35 . 2010-06-17 16:14:35      --------      d-----w-      C:\Documents and Settings\ed\Local Settings\Application Data\PCHealth
2010-06-17 16:02:26 . 2010-06-17 16:03:24      --------      d-----w-      C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
2010-06-17 16:00:59 . 2010-06-17 16:00:59      --------      d-----w-      C:\WINDOWS\system32\wbem\Repository
2010-06-16 20:19:09 . 2010-06-16 20:19:09      --------      d-----w-      C:\Program Files\Sophos
2010-06-16 19:51:50 . 2010-06-17 15:58:17      --------      d-----w-      C:\Documents and Settings\HelpAssistant\_rpcs
2010-06-16 19:44:24 . 2009-11-11 18:00:27      --------      d-----w-      C:\Documents and Settings\HelpAssistant\IETldCache
2010-06-16 19:44:23 . 2010-06-17 15:58:26      --------      d-s---w-      C:\Documents and Settings\HelpAssistant
2010-06-16 19:38:52 . 2010-06-16 19:38:52      --------      d-----w-      C:\Documents and Settings\ed\Application Data\Malwarebytes
2010-06-16 19:38:43 . 2010-06-16 19:38:43      --------      d-----w-      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-06-16 19:38:42 . 2010-06-17 16:24:06      --------      d-----w-      C:\Program Files\Malwarebytes' Anti-Malware

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 17:55:20 . 2009-10-19 16:37:42      --------      d-----w-      C:\Documents and Settings\ed\Application Data\Apple Computer
2010-06-17 16:02:35 . 2009-02-23 21:56:03      --------      d-----w-      C:\Documents and Settings\All Users\Application Data\Google Updater
2010-06-10 20:47:58 . 2008-09-12 13:09:28      --------      d-----w-      C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-06-01 12:29:28 . 2008-11-12 14:56:58      1682      --sha-w-      C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2010-06-01 12:29:28 . 2008-11-12 14:56:58      1682      --sha-w-      C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2010-05-26 14:39:08 . 2010-06-16 20:19:38      6144      ------w-      C:\WINDOWS\system32\5.tmp
2010-05-26 14:39:08 . 2010-06-16 20:19:27      6144      ------w-      C:\WINDOWS\system32\4.tmp
2010-05-26 14:39:08 . 2010-06-16 20:19:15      6144      ------w-      C:\WINDOWS\system32\3.tmp
2010-05-24 13:23:06 . 2009-02-23 21:56:01      --------      d-----w-      C:\Program Files\Google
2010-05-10 12:27:32 . 2008-09-25 18:42:19      --------      d-----w-      C:\Program Files\Common Files\Adobe
2010-03-24 18:17:47 . 2010-03-24 08:04:49      952768      ----a-w-      C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
2010-03-24 18:17:47 . 2010-03-24 08:04:49      70584      ----a-w-      C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 18:17:47 . 2010-03-24 08:04:49      326056      ----a-w-      C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 18:17:47 . 2010-03-24 08:04:49      326056      ----a-w-      C:\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [2006-06-15 22:28:34 2429992]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-23 21:56:03 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-11-26 15:08:42 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-11-26 15:08:24 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-11-26 15:08:36 137752]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2008-04-07 14:10:52 318488]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 19:01:08 525824]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 19:50:16 1138688]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 21:44:26 761856]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-07-10 17:53:08 872448]
"Matrox PowerDesk SE"="c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-06-11 20:33:38 2630664]
"Act.Outlook.Service"="C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe" [2009-02-24 16:08:48 28672]
"Act! Preloader"="C:\Program Files\ACT\Act for Windows\ActSage.exe" [2009-02-24 16:09:14 393216]
"Google Quick Search Box"="C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-27 13:45:19 68592]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 20:51:42 177440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-11-11 04:08:18 417792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-02-15 23:07:02 141608]
"KMCONFIG"="C:\Program Files\iHome\Mouse Driver\StartAutorun.exe" [2008-05-30 06:22:32 212992]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 18:46:26 69632]
"STFWebFormApp"="C:\Program Files\Common Files\STF Services Shared\WebFormApp.exe" [2010-04-08 19:10:34 85128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 05:42:51 36272]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 18:17:52 952768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2009-2-5 163840]
Directrec Configuration Tool.lnk - C:\Program Files\Olympus\DeviceDetector\DirectrecConfig.exe [2009-2-5 167936]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2010-3-25 809488]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2008-9-15 294912]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 02:41:34 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 20:41:22      72208      ----a-w-      c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7068:TCP"= 7068:TCP:Services
"4284:TCP"= 4284:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 Mtxparmx;Mtxparmx;C:\WINDOWS\system32\drivers\mtxparmx.sys [9/12/2008 8:22:20 AM 5504]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\iHome\Mouse Driver\KMWDSrv.exe [6/23/2008 10:28:08 PM 208896]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\drivers\LBeepKE.sys [3/25/2010 11:33:37 AM 10384]
R2 Matrox Centering Service;Matrox Centering Service;C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [6/11/2008 4:29:26 PM 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [6/11/2008 4:33:38 PM 189448]
R2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27:04 AM 29262680]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [5/27/2008 5:19:14 AM 576024]
R3 MTXPAR;MTXPAR;C:\WINDOWS\system32\drivers\MTXPARM.sys [9/12/2008 8:22:20 AM 1485568]
S2 ACT! Scheduler;ACT! Scheduler;C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe [2/24/2009 12:08:50 PM 81920]
S2 gupdate1c9960193c6b225;Google Update Service (gupdate1c9960193c6b225);C:\Program Files\Google\Update\GoogleUpdate.exe [2/23/2009 5:56:27 PM 133104]
S2 TSScheduleBackup;TimeslipsBackup;C:\WINDOWS\system32\TSSchBkpService.exe [9/15/2008 12:47:43 PM 705024]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12]

2010-06-17 C:\WINDOWS\Tasks\Google Software Updater.job
- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-23 21:56:01 . 2009-03-24 14:54:17]

2010-06-17 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-23 21:56:27 . 2009-02-23 21:56:24]

2010-06-17 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-23 21:56:27 . 2009-02-23 21:56:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 15:00:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8983C78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x898a2b00
 PacketIndicateHandler -> NDIS.sys @ 0xb9e2aa21
 SendHandler -> NDIS.sys @ 0xb9e0887b
copy of MBR has been found in sector 0x03A380D80
malicious code @ sector 0x03A380D83 !
PE file found in sector at 0x03A380D99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(772)
C:\Program Files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-06-17  15:02:08
ComboFix-quarantined-files.txt  2010-06-17 19:02:06

Pre-Run: 464,428,068,864 bytes free
Post-Run: 464,632,573,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8C319282DDFBE1A4552469747AD1DA29
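
As an added example (not part of the original post, and not ComboFix or Gmer code), here is a small Python triage helper that pulls the Gmer MBR-rootkit findings and the file-entry lines out of a ComboFix log like the one above and flags entries worth a second look. The sample input is copied from the log in the question; the flagging heuristics (hidden+system attributes, `.tmp` files in `system32`) are this example's own review cues rather than verdicts, and the names `SAMPLE_LOG`, `FileEntry`, `MbrFindings`, `parse_mbr_findings`, `parse_file_entries` and `suspicious_files` are this example's, not ComboFix's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input copied from the ComboFix log above: Find3M file entries, then the Gmer MBR block.
SAMPLE_LOG = r"""
2010-06-17 18:06:21 . 2010-06-17 18:06:21      27140      ---ha-w-      C:\WINDOWS\system32\mlfcache.dat
2010-06-01 12:29:28 . 2008-11-12 14:56:58      1682      --sha-w-      C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2010-05-26 14:39:08 . 2010-06-16 20:19:27      6144      ------w-      C:\WINDOWS\system32\4.tmp
2010-05-24 13:23:06 . 2009-02-23 21:56:01      --------      d-----w-      C:\Program Files\Google
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x898a2b00
copy of MBR has been found in sector 0x03A380D80
malicious code @ sector 0x03A380D83 !
PE file found in sector at 0x03A380D99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# A "Files Created" / "Find3M" entry: created . modified  size  attrs  path
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r"\s+(\d+|-+)\s+([a-z-]{8})\s+(\S.*)$")
# A hook line in the Gmer block: "<what was hooked> -> <module> @ <address>"
HOOK_RE = re.compile(r"^(\S.*?) -> (\S+) @ (0x[0-9A-Fa-f]+)$")
SECTOR_RES = {  # the three sector findings Gmer prints when it locates the rootkit body on disk
    "mbr_copy_sector": re.compile(r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)"),
    "malicious_sector": re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)"),
    "pe_sector": re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)"),
}

@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str           # ComboFix attribute string, e.g. "--sha-w-" (d=dir, s=system, h=hidden)
    path: str

@dataclass
class MbrFindings:
    hooks: List[Tuple[str, str, int]] = field(default_factory=list)  # (hooked object, module, address)
    mbr_copy_sector: Optional[int] = None
    malicious_sector: Optional[int] = None
    pe_sector: Optional[int] = None
    infected: bool = False

def parse_file_entries(text: str) -> List[FileEntry]:
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.rstrip())
        if m:
            size = None if m.group(3).startswith("-") else int(m.group(3))
            entries.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return entries

def parse_mbr_findings(text: str) -> MbrFindings:
    """Extract the Gmer MBR-rootkit detector results: hook list, sectors, verdict."""
    f = MbrFindings()
    in_hooks = False
    for line in text.splitlines():
        line = line.rstrip()
        if in_hooks:  # hook list runs until the first line not shaped "<x> -> <module> @ <addr>"
            h = HOOK_RE.match(line)
            if h:
                f.hooks.append((h.group(1), h.group(2), int(h.group(3), 16)))
                continue
            in_hooks = False
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        for attr, rx in SECTOR_RES.items():
            s = rx.search(line)
            if s:
                setattr(f, attr, int(s.group(1), 16))
        if line.startswith("MBR rootkit infection detected"):
            f.infected = True
    return f

def suspicious_files(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """Review heuristics (this example's own, not ComboFix's): candidates to examine, not verdicts."""
    flagged = []
    for e in entries:
        if e.attrs.startswith("d"):
            continue
        low = e.path.lower()
        if "s" in e.attrs and "h" in e.attrs:
            flagged.append((e.path, "file carries hidden+system attributes"))
        elif low.endswith(".tmp") and "\\windows\\system32\\" in low:
            flagged.append((e.path, ".tmp file dropped in system32"))
    return flagged

if __name__ == "__main__":
    fnd = parse_mbr_findings(SAMPLE_LOG)
    print(f"infected={fnd.infected} hooks={len(fnd.hooks)} malicious_sector={hex(fnd.malicious_sector or 0)}")
    for path, reason in suspicious_files(parse_file_entries(SAMPLE_LOG)):
        print("review:", path, "-", reason)
```

The hook list is the part of the Gmer output that matters for a defender: each line is a kernel dispatch routine (disk, ACPI, atapi, the harddisk device object) redirected to code that is not the module it should be, which is what lets the rootkit hide the real MBR from user-mode tools. The sector numbers give the on-disk location of the saved original MBR and of the rootkit body, so they are the offsets to preserve (for example by imaging the disk) before any remediation that rewrites the MBR.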

Answer : Removing Rootkit.Agent on Windows XP SP3 ComboFix log attached


Benefits of Network Deployment
------------------------------

    * Build and deploy application services quickly and easily
    * Run services in the most secure, scalable, highly-available environment
    * Reuse software assets and extend their reach
    * Manage applications effortlessly
    * Grow as needs evolve, leveraging core assets and skills
    * WebSphere Application Server Network Deployment delivers the secure, scalable, highly-available application infrastructure you need for SOA.
    * Enhanced web services functions

What we can do with Network Deployment?
----------------------------------------

The main theme with network deployment is distributed applications. While the flow of an application remains the same, there are significant additions to the runtime of an application.


1) Network Deployment. This version supports deployment of a cell configuration with cluster and J2EE failover support. It now also includes Edge Components, previously known as Edge Server. This provides a proxy server, load balancing, and content-based routing.

2) IBM WebSphere Application Server Network Deployment  provides the administrative functionality to deploy and promote your application code to all the nodes in your application server cluster.

WAS ND provides flexibility for spreading your applications across cells, nodes, and application servers

WAS ND allows for many nodes, with multiple application servers on each node and multiple applications in each server.

3) clustering and failover support

4) web server plug-in supports weighted workload management


Network Deployment concepts?
---------------------------

A node is a logical grouping of application servers

-- each node is managed by a single nodeagent process
-- multiple nodes can exist on a single machine through the use of profiles

A deployment manager (dmgr) process manages the nodeagents
-- holds the configuration repository for the entire management domain, called a cell

-- within a cell the administrative console runs inside the dmgr; using this console you can manage all nodes in a cell.

-- All updates to the configuration files should go through the deployment manager.