[Inactive] Help on rootkit.agent how to delete

Status
Not open for further replies.

kapoy08

Please help me remove a rootkit named rootkit.agent.bdov... This file is locked. My antivirus said it would be deleted on restart of my PC, but my antivirus keeps detecting it again. The virus is in my system at C:\WINDOWS\system32\drivers\lgdrczay.sys. I downloaded top-rated anti-malware to delete it, but it keeps coming back. I also used FileASSASSIN, but the rootkit is still there. Please help, I'm really frustrated. Thanks.
 
It is in your best interest to let us guide you through removal programs. We'd like you to start by using the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, please attach the 3 logs for us to review. We will then have some idea of what the malware is and how best to handle it.

I would be interested to know how you know the file is locked and that it is a rootkit. If you ran a recent antivirus scan, please include that with the other logs.
 
Here are my logs. The rootkit is still there after I removed it... t_t

Here are my logs, sir... Thanks for the help.
 

Attachments

  • mbam-log.txt (1 KB)
  • SUPERAntiSpyware Scan Log.txt (1.8 KB)
  • hijackthis.txt (7.6 KB)
You had several different malware infections:

P2P or 'file sharing' warning:

This is most likely a cause of much of the malware:
C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

Since this is loading at startup, I ask that you uninstall LimeWire while we're cleaning. If you do not, it leaves the potential to get more malware while I am helping you clean the present malware. This would be a waste of time for both of us.

Let me know..
 
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Follow that by running the Eset NOD32 Online Antivirus Scanner HERE:
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Then rescan with HJT. Include Combofix report, eset log and new HJT log with next reply.
 
mossy95, if you need help for this, please start your own new thread. I see game/server related threads for you, but not malware. Describe your problems and follow the steps in the Preliminary Virus and Malware Removal HERE.

When you have finished, attach the 3 logs for us to review.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please start a new thread and follow the preliminary cleaning steps HERE. Attach the logs.
 
Thanks, sir, here are my logs....

Here are my logs, sir... thanks.
 

Attachments

  • combo-fix.txt (26.2 KB)
  • ESSETLOG.txt (1.3 KB)
  • hijackthis.txt (7.2 KB)
kapoy08, it's very important that you stay away from online gaming and any downloads from LimeWire while I am helping clean the system. Your computer is badly infected. You have "Anti-Spy.Info" running, which is a rogue security program. You have infected game files (Prime Suspects). I am attempting to determine if enough can be moved and/or removed to prevent your having to reformat and reinstall.

Don't do any updates except antivirus. Don't do any installs, uninstalls, etc. unless I instruct you to. You have at least one pirated program (NBA2k10). You have a SpySheriff infection; this is a Trojan disguised as an anti-spyware application. It installs stealthily onto a user's system, uses aggressive advertising, and produces false positives that may goad the user into purchasing the application.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
KILLALL::
File::
c:\windows\winstart.bat
C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\_entreelist.dll
C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\_enviewlist.dll
c:\documents and settings\USER\Local Settings\Application Data\.#
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_D6461317C3DC4F04799BDCE9E42626FE.dll
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_F60730A4A66673047777F5728467D401.dll
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_D20352A90C039D93DBF6126ECE614057.dll
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_8A0F842331866D117AB7000B0D610004.dll
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_B8499BEA2FF49C7499E0741044290AEF.dll
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_A28B4D68DEBAA244EB686953B7074FEF.dll
c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_8376B3491084289409CE4024FEA7BE61.dll
c:\windows\system32\3.tmp
C:\Documents and Settings\USER\My Documents\Downloads\unlocker1.8.9.exe
E:\G A M E S\Mystery Case Files Prime Suspects\PrimeSuspects.exe
E:\G A M E S\Mystery Case Files Prime Suspects\PrimeSuspects.exe.bak
c:\windows\system32\3.tmp
c:\docume~1\USER\LOCALS~1\Temp\RZTA.tmp
c:\windows\system32\GameMon.des

Folder::
c:\documents and settings\USER\Local Settings\Application Data\Help
c:\documents and settings\All Users\Application Data\AntiSpyInfo
c:\windows\popcinfot.dat
c:\documents and settings\USER\Application Data\LimeWire
C:\Documents and Settings\All Users\Start Menu\Programs\Anti-Spy.Info\
C:\Program Files\Anti-Spy.Info\

Driver::
MEMSWEEP2
npggsvc
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
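A small checker for the CFScript format used above, added here as an example; it is not ComboFix's own code and not part of the helper's instructions. It parses the `Name::` directive headers, strips stray quotes left over from copying paths out of a log, flags a single-colon header (which ComboFix would not treat as a section), duplicate entries, non-absolute paths and a file listed under `Folder::`, and writes a normalised script back out. It assumes only the four directives seen in the thread (KILLALL::, File::, Folder::, Driver::) and makes no claim about any other ComboFix directive. The sample script embedded below is constructed from a few of the lines above, with the copy/paste defects deliberately kept so the checks have something to report.

```python
"""Parse and sanity-check a ComboFix CFScript before it is dragged onto ComboFix.exe.

Added example, not ComboFix's own code.  It only inspects the text; nothing is
deleted or executed, so it can be run on any machine.
"""
import ntpath
import re
from collections import OrderedDict

# A directive line is a bare name followed by "::".  A single ":" is a common
# typo that ComboFix would not recognise as a section header.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)(::?)$")
# Drive-letter absolute path such as c:\windows\... (drive letter in either case).
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Directives whose entries are paths; Driver:: entries are service names.
PATH_DIRECTIVES = {"File", "Folder"}

# Constructed sample, abbreviated from the script posted in this thread, with
# the defects one tends to see after copy/paste: stray quotes, a duplicate,
# a single-colon header and a file listed under Folder.
SAMPLE_CFSCRIPT = r"""KILLALL::
File::
c:\windows\winstart.bat
c:\windows\system32\3.tmp"
c:\windows\system32\3.tmp
c:\docume~1\USER\LOCALS~1\Temp\RZTA.tmp"

Folder:
c:\documents and settings\All Users\Application Data\AntiSpyInfo
c:\windows\popcinfot.dat
C:\Program Files\Anti-Spy.Info\

Driver::
MEMSWEEP2
npggsvc
"""


def parse_cfscript(text):
    """Return (sections, warnings).

    sections maps each directive name to its cleaned entries, in file order;
    warnings is a list of human-readable findings with 1-based line numbers.
    """
    sections = OrderedDict()
    warnings = []
    seen = set()      # (directive, lower-cased entry) for duplicate detection
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()       # trailing tabs/spaces would otherwise become part of the path
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            name, colons = m.groups()
            if colons != "::":
                warnings.append(f"line {lineno}: {line!r} uses a single colon; "
                                f"ComboFix expects {name}::")
            current = name
            sections.setdefault(current, [])
            continue
        if current is None:
            warnings.append(f"line {lineno}: entry before any directive: {line!r}")
            continue
        # Paths copied out of a ComboFix log sometimes keep a stray quote.
        entry = line.strip('"')
        if entry != line:
            warnings.append(f"line {lineno}: removed stray quote(s) from {line!r}")
        if current in PATH_DIRECTIVES and not ABS_PATH_RE.match(entry):
            warnings.append(f"line {lineno}: {current}:: entry is not an absolute path: {entry!r}")
        # A Folder:: entry with a file extension and no trailing backslash is
        # probably a file that belongs under File:: instead.
        if current == "Folder" and not entry.endswith("\\") and ntpath.splitext(entry)[1]:
            warnings.append(f"line {lineno}: Folder:: entry looks like a file: {entry!r}")
        key = (current, entry.lower())   # Windows paths are case-insensitive
        if key in seen:
            warnings.append(f"line {lineno}: duplicate {current}:: entry {entry!r}")
            continue
        seen.add(key)
        sections[current].append(entry)
    return sections, warnings


def render_cfscript(sections):
    """Write the sections back out with correct '::' headers, one blank line apart."""
    blocks = ["\n".join([f"{name}::", *entries]) for name, entries in sections.items()]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    found, problems = parse_cfscript(SAMPLE_CFSCRIPT)
    for problem in problems:
        print("WARNING:", problem)
    print("--- normalised script ---")
    print(render_cfscript(found), end="")
```

Run it as-is to see the five findings the sample provokes; to check a real script, read `CFScript.txt` and pass its contents to `parse_cfscript`, and only hand the file to ComboFix once the warnings you did not intend are gone. The normalised output keeps the file listed under `Folder::` (the checker does not guess which section it belongs to), so that warning is repeated when the rendered text is parsed again.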
 
kapoy08, I'm leaving some information for you regarding online games. It's not my job to tell you what to do or not do with your system. But you've asked for help in finding and removing malware. It might not make any difference to you, but you should be aware that if you continue, you will basically be fighting a losing battle with malware:

2010-03-08 17:15/2010-03-16 15:53: c:\program files\Cheat Engine
Cheat Engine is used for cheating in computer games, and is often modified and recompiled to evade detection. Cheat Engine can inject code into other processes, but doing so can cause antivirus software to mistake it for a virus. There are versions that avoid this false identification at the cost of many features (those which rely upon code injection). The most common reason for these false identifications is that earlier versions of the program are based on a trojan rootkit. Newer versions of Cheat Engine are less likely to be blocked by antivirus programs, so features like code injection can be used without problems.

Cheat Engine also has a plugin architecture for those who do not wish to share their source code with the community. They are more commonly used for game specific features, as Cheat Engine's stated intent is to be a generic cheating tool. They often have viruses.
Source: http://en.wikipedia.org/wiki/Cheat_Engine

And additionally: Regarding popcinfot.dat
I did some more research and found that the file may be related to PopCap Games, a site for free online games. Is that a site you use?
2010-01-24 01:59/2010-02-11 00:22: c:\windows\popcinfot.dat

In many cases, online gaming sites are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. They can lead to other sites containing malware which you can inadvertently download without knowledge. Users visiting such sites may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Gaming sites can put you at risk of fraud, phishing and theft of personal data. Even if the gaming site is a clean site, there is always the potential of some type of malware making its way there and then onto your system. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

Source: http://www.bleepingcomputer.com/forums/topic236341.html

Please run the Eset scan once more. I'll set up one more removal after that.
 