TechSpot

I need help removing viruses, among them Rootkit.Agent

By startragic
Mar 29, 2010
  1. In the past 2 weeks, my PC laptop has grown more and more sluggish, right around the time my Norton Anti-Virus expired. Internet Explorer suddenly pops up without my doing so and dozens of tabs start popping up. Trying to close the program crashes my computer. I purchased and updated Norton which did a complete scan and showed that I had Rootkit.Agent (High Risk) and said it could not fix at this time. In addition, I downloaded and ran Malwarebytes which also indicated it found 1 RootKit Agent on my computer. I had the program "fix" the problem and then it told me to reboot. Upon subsequent scans, the same virus is still there. I need help getting rid of this problem, please. I don't use my computer for business or banking or anything like that but it is still VERY annoying. The OS for my computer is Windows Vista 32bit. I've gone through the 8 steps and have attached the required logs. PLEASE HELP. Thank you! **I was also wondering if I should keep my computer disconnected from wireless internet.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, startragic. I'll help you with the malware. I'd like you to run Combofix first. I should be able to help remove the offenders after reviewing the report you will leave for me:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    Please don't run any other cleaning programs while I am helping you, except those I instruct you to run. Don't make any registry changes and disable a Registry cleaner if you're using one.
     
  3. startragic

    startragic TS Rookie Topic Starter Posts: 19

    I'm running ComboFix as instructed and I'm writing you from a different (non-diseased) computer. Towards the end of the scan, ComboFix rebooted my Windows (which is what it's doing now) so I haven't generated a log yet. But my question is, is it normal for ComboFix to reboot my computer?
     
  4. startragic

    startragic TS Rookie Topic Starter Posts: 19

    Hello again. My computer just finished running ComboFix. I've attached the log. Please tell me what to do next. THANK YOU!
     


  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is a group of processes for 3/28 and 3/29/2010. Most are 'programdata'. Do you have any idea what any of these are for?
    c:\programdata\pahabufa
    c:\programdata\numiwebo
    c:\programdata\bidojota
    c:\programdata\ganepeda
    c:\programdata\sebuwobi
    c:\programdata\piketipa
    c:\programdata\kufenaze
    c:\users\Kevin\AppData\Local\Pnasupoqoxevuqad.bin
    c:\users\Kevin\AppData\Local\Xzaxafojocet.dat
    c:\programdata\puzegini
    c:\programdata\wafosopi
    c:\programdata\zehesume
    c:\programdata\tP5544K4.dat


    You were active with SupportSoft on 3/28 and there are some Norton updates for that date, listed separately but I can't find anything else. You can open the log and have a look if you want. They are all in the section "Files created in the last 30 days".
     
  6. startragic

    startragic TS Rookie Topic Starter Posts: 19

    No, I don't know what they are. They might have unintentionally been generated while I've been attempting to rid my computer of its viruses all of yesterday and today.
     
  7. startragic

    startragic TS Rookie Topic Starter Posts: 19

    Bobbye,
    What is my next move? Please help. I really appreciate it.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I will be back later this afternoon to help you. Please be patient. We are all volunteers here and occasionally have to take time out for life.
     
  9. startragic

    startragic TS Rookie Topic Starter Posts: 19

    sorry - i wasn't trying to be a pest! i'll sit tight...
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\Kevin\AppData\Roaming\uTorrent
    c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    c:\programdata\pahabufa
    c:\programdata\numiwebo
    c:\programdata\bidojota
    c:\programdata\ganepeda
    c:\programdata\sebuwobi
    c:\programdata\piketipa
    c:\programdata\kufenaze
    c:\users\Kevin\AppData\Local\Pnasupoqoxevuqad.bin
    c:\users\Kevin\AppData\Local\Xzaxafojocet.dat
    c:\programdata\puzegini
    C:\PROGRAMDATA\PUZEGINI\PUZEGINI.DLL
    c:\programdata\wafosopi
    c:\programdata\zehesume
    c:\programdata\tP5544K4.dat
    C:\Windows\system32\Drivers\onlldr.sys
    Folder::
    C:\temp
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

    When this is finished, please run an online AV scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Then rescan with HijackThis and paste in a new log.

    Summary:
    Run CFFix and attach report
    Run Eset online scan and attach log
    Rerun HJT and paste in log.

    I see the main offender and have added it to the script fix. It may or may not work. If it does not, I'll have you run a Rootkit program.

    I'll try to finish you up tonight.
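A small checker for the CFScript section format used in the post above, and for the generated-looking 8-letter ProgramData names asked about in post 5. This is an added example, not code from TechSpot or from ComboFix's authors; the section names are only the four the script uses, and the sample script is constructed from entries in the post.

```python
import re
from collections import OrderedDict

KNOWN_SECTIONS = {"File", "Folder", "RegLock", "Driver"}  # sections used in the post; ComboFix accepts others
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
REG_KEY = re.compile(r"^\[HKEY_[A-Z_]+\\.+\]$")
RANDOM_NAME = re.compile(r"^[a-z]{8}$")  # shape of the ProgramData names seen in the log

def parse_cfscript(text):
    """Split a CFScript body into {section: [entries]} and collect sanity warnings."""
    sections, warnings, current = OrderedDict(), [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            if current not in KNOWN_SECTIONS:
                warnings.append(f"line {lineno}: unknown section '{current}::'")
            continue
        if current is None:
            warnings.append(f"line {lineno}: entry before any section header: {line}")
            continue
        sections[current].append(line)
        if current in ("File", "Folder") and not WIN_PATH.match(line):
            warnings.append(f"line {lineno}: not an absolute Windows path: {line}")
        if current == "RegLock" and not REG_KEY.match(line):
            warnings.append(f"line {lineno}: RegLock entry must be a bracketed key: {line}")
        if current == "File" and "\\system32\\drivers\\" in line.lower():
            warnings.append(f"line {lineno}: deletes a kernel driver, confirm it is not legitimate: {line}")
    return sections, warnings

def random_named_entries(sections):
    """Entries whose last path component looks like a generated 8-letter name."""
    entries = sections.get("File", []) + sections.get("Folder", [])
    return [e for e in entries if RANDOM_NAME.match(e.rsplit("\\", 1)[-1])]

# Constructed sample, trimmed from the script in the post above.
SAMPLE = r"""File::
c:\programdata\pahabufa
c:\users\Kevin\AppData\Local\Xzaxafojocet.dat
C:\Windows\system32\Drivers\onlldr.sys
Folder::
C:\temp
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Driver::
"""
```

Run `parse_cfscript(SAMPLE)` to get the parsed sections and the one warning (the driver entry), and `random_named_entries(...)` to list the generated-looking names.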
     
  11. startragic

    startragic TS Rookie Topic Starter Posts: 19

    Hi Bobbye, I ran the ESET scanner but can't find the logfile. Would it automatically save to a txt doc to my C drive or do I need to go back on ESET online and find it there?
     
  12. startragic

    startragic TS Rookie Topic Starter Posts: 19

    Nevermind! Sorry, I found it. I've also rescanned with HiJackThis. All three requested logs are attached. Please advise. THANK YOU SO MUCH!
     


  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, that didn't do much good, although I don't see any notice in the Combofix report of the Norton AV and firewall being either on or off.

    Download Dr.Web CureIt! and save it to your desktop.

    1. Double click to Run the utility and press the "Start" button in the opened window.
    2. Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files. (This is the express scan.)
    3. Click on the Green Arrow to the right to Select the Complete scan.
    4. When being scanned, infected files are cured, incurable files are moved to the quarantine directory. Answer Yes if asked to move or cure a file.
    5. When the scanning is finished, save the report to your desktop: it is named DrWeb.csv.
    Close the program.
    Reboot the computer: this is important to complete the moves or deletions.
    Copy the DrWeb.csv report to Notepad, then paste it in your next reply.
     
  14. startragic

    startragic TS Rookie Topic Starter Posts: 19

    My computer was running the Dr. Web complete scan when it rebooted itself. I don't think it finished scanning because I let the program run without watching it (it was taking a really long time). Should I follow the steps again? Does Dr. Web automatically generate logs the way the other programs do?
     
  15. startragic

    startragic TS Rookie Topic Starter Posts: 19

    I ran Dr. Web Cure It! again and when the scanning was finished, the window found 2 viruses, I believe. I selected all and clicked on "cure" but the window showed it wasn't able to cure it so I "moved" them. In my C: drive, the Doctor Web folder contains a "Quarantine" folder that contains three files "COUPON~1.OCX.vir", "descript.ion" and "npCouponPrinter.dll.vir". What am I supposed to do with this folder? Delete it (send to Recycle Bin)? Also, after finishing the scan, the program did not automatically generate a report called "DrWeb.csv". Instead, my computer rebooted itself and I manually searched for the report which was also in the same DoctorWeb folder on my C drive along with the Quarantine folder. In it, there was a Text document entitled "CureIt" which I resaved on my desktop as "DrWeb" but can't attach it. The txt file is 106 MB and I think is too large for the website. Should I cut and paste the report in the body of this reply? Did I do this correctly? Please help. Thank you for everything you've done thus far. Really want this resolved.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Find this:
    But modify this:
    Search for log, copy to Notepad, but instead of pasting, save to desktop. Then attach to next reply.

    See if that works.
     
  17. startragic

    startragic TS Rookie Topic Starter Posts: 19

    It didn't seem to work. The notepad txt file is still 106MB. I think the problem is, after scanning, I was never able to find the report named DrWeb.csv. You say that
    "[5] When the scanning is finished, save the report to your desktop: it is named DrWeb.csv." Does the program automatically generate it? In other words, like the other programs (Malwarebytes, HiJackThis, etc.) a window automatically pops up of the log, but in the case of Doctor Web, nothing like that happened. Is there something I am doing wrong?
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The unplanned reboot might have caused the problem.

    Run it again, taking care to do this:
    After the scan, in the Dr.Web CureIt menu on top, click file and choose Save Report list
    Save the report to your desktop. The report will be called DrWeb.csv

    Close Dr.Web Cureit.

    Find this file on the desktop, copy and paste into Notepad, attach here.
     
  19. startragic

    startragic TS Rookie Topic Starter Posts: 19

    I ran the scan again - I think I was able to get the log as you instructed. It's attached. Let me know how I should proceed. Thank you SO much.
     


  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Users\Kevin\AppData\Local\VirtualStore\Windows\System32\C2H3
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    When finished, please delete the Combofix exe logs on the desktop. This will not remove the program itself, just the logs it created. So you can go offline and disable all security programs, such as antiviruses, antispywares, and firewalls.

    Then run Combofix again.
    It's really important to get the best scan possible with Combofix. To do that, you must disable the security: antivirus, firewall, antimalware. I will write one more script from Combofix after I see the report and I want to be sure I can see everything.
     
  21. startragic

    startragic TS Rookie Topic Starter Posts: 19

    Bobbye, I'm on my other computer because after running OTMoveIt and ComboFix as instructed, I can no longer open any of my browsers (Firefox or Internet Explorer). A window pops up when I try to launch both saying "C:\ProgramFiles\Mozilla Firefox\firefox.exe" "Illegal operation attempted on a registry key that has been marked for deletion" and "C:\ProgramFiles\Internet Explorer\iexplorer.exe" "Illegal operation attempted on a registry key that has been marked for deletion". How can I fix this so that I'm able to send you the logs??
     
  22. startragic

    startragic TS Rookie Topic Starter Posts: 19

    In fact, none of the programs on my desktop will launch. I'm getting the same message about how they have been marked for deletion. This includes ITunes, Safari, Norton, etc. Please help!
     
  23. startragic

    startragic TS Rookie Topic Starter Posts: 19

    I was able to launch Firefox by running as administrator so I've attached the logs but I'm still wondering why I'm not able to launch any of my programs. THANK YOU.
     


  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    All I had you do was remove one malware entry. It was not a Registry key. In checking the Combofix logs and fix, I don't see any notice of the AV and firewall being disabled, or even enabled, but Norton is running.

    It is curious that you had to sign on as Administrator to get the browser to work. What account were you using previously? Something else is going on with your system. Nothing we did would have caused you to lose access to your programs.

    Try running this. I'll take a quick look and if I can spot it's a system problem, I'll have you remove the cleaning tools and old restore points and refer you to the Windows OS forum.

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe then under Select log to query, select:
    • Application
    • System

    Under Select type to list, select:
    • Critical (Vista only)
    • Error

    Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

    Load the log
    • In Notepad, click Edit > Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)
     
  25. startragic

    startragic TS Rookie Topic Starter Posts: 19

    I restarted my computer and that solved the problem that I was having launching my programs. Not sure why it happened but it seems to have been fixed.
     
Topic Status:
Not open for further replies.
