TechSpot

8 Steps Done, need help with Rootkit, Vundo & Trojan.agent viruses

By jschiro329
Jun 1, 2009
  1. I've been trying (unsuccessfully) to rid myself of Rootkit.agent, and found that I have other viruses as well. When I first ran Malwarebytes, it listed that Rootkit.agent was in my System32 files. I didn't want to try to remove those files, because I was afraid I'd have to reinstall Windows and found your forum. I ran the 8 steps suggested, and I've attached the logs. The system is running slow, turning off my firewall and freezing. I also get a notice from Outlook Explorer asking if I want to compact my files (don't use OE, and I don't know if this has anything to do with the viruses, but this never happened before). Would really appreciate any help that can be provided. I'm not very technical, but I can get around when directed. (Plainer language is preferred if possible.)

    Thank you.
     

    Attached Files:

  2. jschiro329

    jschiro329 TS Rookie Topic Starter

    Really need help getting rid of viruses


    I'd really appreciate someone looking at my reports, I'm not sure what to do from here other than back up my files and reinstall windows from scratch.
    Malwarebytes is no longer finding anything.
    I also ran the Windows Malicious Software Removal Tool twice; it kept telling me that it partially removed the rootkit and needed to reboot. It's still there.
    SAS finds not only a rootkit, but Vundo and Trojan.fakealert.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you take a look at the threads in this forum, it will help you realize that there are a lot of people who need help, more than there are volunteer helpers!

    Please download VundoFix.exe HERE and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Then Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with a new HijackThis scan and include the log.
     
  4. jschiro329

    jschiro329 TS Rookie Topic Starter

    VundoFix found nothing

    Thanks for the reply, I apologize for my impatience. I finally backed up all my files and downloaded Vundofix. Scanned and it found nothing, so I'm not sure what to do. I ran HJT again & I'm attaching file. I will go ahead with Combofix and repost after running the scan.
     
  5. jschiro329

    jschiro329 TS Rookie Topic Starter

    Ran ComboFix and unfortunately it stalled after reboot (several System32.*dll files were deleted) because I forgot to disable SuperAnti-Spyware and it started when Windows restarted and also checked for updates. So I rebooted and scanned again, log attached as well as another HJT log. Please advise what steps I should take next. Thank you.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your system is slow because you are loading too much at startup; all of those entries will run in the background. Eventually, they will slow you down. ComboFix removed some inappropriate entries and the second HJT log looks better than the first.

    My first concern is the large number of O16 entries you have in the HijackThis log. Most are for games. These are ActiveX objects (add-ons), and the fewer you have the better. I suggest you disable as many as you can:

    Open Internet Explorer> Tools> Manage Add-ons>> there are 2 sections> 1. Add-ons currently running and 2. Add-ons previously running. Check both sections by clicking on the small arrow point to the right of the dialog box. To disable, highlight first> Disable> Apply> OK when finished.

    You have 24 of these running.

    I see you are running the Viewpoint Manager. Viewpoint is considered foistware and is not needed on your computer. I strongly suggest you remove it:

    Download and unzip the ViewpointKiller to its own folder on the Desktop HERE

    Run ViewpointKiller.exe

    Reboot.

    ViewpointKiller 1.2 Final: ViewpointKiller does exactly what its name says: it kills Viewpoint Media Player. Viewpoint Media Player is adware that displays bandwidth-eating popup ads in IE and on your desktop. It comes silently with an install of AIM and will be reinstalled by AIM if uninstalled. ViewpointKiller fixes all of that. It takes off Viewpoint Media Player once and for all.
    (Thank you, touch)

    Please open HijackThis, and select Do a system scan only.

    Place a checkmark next to the following entries (if present):

    O1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

    Please run a full system scan with your AV program and if anything is found, attach the log.

    Please tell me what system problems you are now having.
     
  7. jschiro329

    jschiro329 TS Rookie Topic Starter

    next steps?

    I did what you suggested in your last post, although I'm not really sure if I've disabled too many things. I know I had to go back and enable Shockwave after disabling it, as some things did not work correctly. Opening a 2nd tab on IE7 looks a little strange; there's an odd search bar underneath the regular tool bars showing: 'Search For or Navigate To: (for example, "www.aim.com" or "mp3 players") ......powered by aim search'. I don't really know where that came from?

    Ran ViewpointKiller (your link did not work, so I sought it out elsewhere), log attached. Did a scan with Norton Antivirus and nothing other than a cookie was found. Also ran another HJT after fixing the entries you suggested, log attached. The computer seems to be working better, but am I virus free? I've been hesitant about making any purchase/paying bills online for the last month since I found the virus, so is there anything else you can suggest? I appreciate all your assistance.

    Also, I have a 2nd computer that has been having problems, would I start a new thread for that computer?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes. Please make a note it's a different computer.

    You can do this to check for the Rootkit, although it was only a trace and only found in SAS:
    Sorry about the Viewpoint file- just learned it's not being maintained any more. Will have to use manual remove next time.

    You can check the following for the Rootkit entry in SAS:

    [1] Open up Device Manager (Start> Control Panel> Hardware tab> Device Manager button)
    [2] Click 'View' and select 'Show Hidden Devices'
    [3] Expand the 'Non-Plug and Play' Drivers category
    [4] Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz are random characters), and/or seneka.sys (any that are present)
    [5] Restart computer to Safe Mode
    [6] After restart, go back to Device Manager and right-click 'Uninstall' the above drivers
    [7] Using Windows Explorer> navigate to the 'C:\Windows\System32\Drivers' folder and delete these files if they exist. They will be hidden, so show hidden files: Tools> Folder Options> View tab> CHECK 'Show hidden files and folders'> Apply> OK
    [8] Navigate to the 'C:\Windows\System32' directory, Sort By Date (click on the frame above the Date column), and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* or any suspicious looking *.exe's/*.dll's modified in the past 24 hours
    [9] Run SDFix in Safe Mode:
    • Download SDFix.exe from HERE and save it to your desktop.
    • Double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
    • A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open Notepad with further instructions as shown. Follow the instructions and screen shots on the site.

      When you have finished, the log will open in Notepad, which can be attached here.

    [10] Reboot to Normal mode, install SAS, update, and run a quick scan
    [11] Run an ESET (NOD32) online scan: http://www.eset.com/onlinescan/
    OR F-Secure online malware scan: http://support.f-secure.com/enu/home/ols.shtml

    Attach logs from SDFix and online scanner in next post.
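Steps [4] through [8] of the post above can be checked before anything is disabled or deleted. The PowerShell script below is an added example for this thread, not code from the poster, from SDFix or from SAS; it lists running kernel drivers whose image file is missing or not validly signed, and files under System32 and System32\drivers that match the name stems given in the post (clb*, td*, seneka*) or were modified in the last 24 hours. It assumes an elevated PowerShell 5.1 or later session on the affected machine and only reports, so a false hit costs nothing.

```powershell
# Added example (not from the thread): read-only triage of what steps [4]-[8]
# check by hand. Run in an elevated PowerShell 5.1+ session; it lists, it
# never disables or deletes anything.
$nameStems = @('clb*', 'td*', 'seneka*')     # stems named in the post
$since     = (Get-Date).AddHours(-24)        # "modified in the past 24 hours"
$sysDirs   = @("$env:SystemRoot\System32\*", "$env:SystemRoot\System32\drivers\*")

# Win32_SystemDriver reports paths in several forms (\??\C:\..., \SystemRoot\...,
# or relative to the Windows directory); normalise them to a real path.
function Resolve-DriverPath([string]$raw) {
    $p = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Running kernel drivers (the Device Manager "Non-Plug and Play" set included)
#    whose image is missing or does not carry a valid signature. Catalog-signed
#    Microsoft drivers may show NotSigned on old systems, so treat hits as leads.
$driverLeads = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $status = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else { 'FileMissing' }
        [pscustomobject]@{ Driver = $_.Name; Path = $path; Signature = $status }
    } |
    Where-Object { $_.Signature -ne 'Valid' }

# 2. Hidden files included (-Force is the "show hidden files" step): anything in
#    System32 or drivers matching a stem, or any .sys/.exe/.dll changed recently.
$fileLeads = Get-ChildItem -Path $sysDirs -Include *.sys, *.exe, *.dll -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $f = $_
        $f.LastWriteTime -gt $since -or ($nameStems | Where-Object { $f.Name -like $_ })
    } |
    Select-Object FullName, LastWriteTime, Length,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }

"Running drivers with missing or unsigned image:"; $driverLeads | Format-Table -AutoSize
"Recently modified or stem-matching files:";      $fileLeads   | Format-Table -AutoSize
```

The td* stem will also match legitimate Windows drivers, so the output is a list of files to look at, not a verdict; the signature column is what separates the two.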
     
Topic Status:
Not open for further replies.
