TechSpot

Need help removing a Rootkit.Agent

By fckid212
Mar 22, 2010
  1. Hi,

    I've been looking around the forums and see that you all have had much success helping others with issues similar to mine. I would greatly appreciate it if somebody could help me out.

    My computer was infected by malware/virus when I clicked a bad link online. I had the Avast antivirus scanner (home edition freeware) running and it told me a bunch of viruses (trojans) were being detected. I got really nervous and hit "delete" in the Avast window a bunch of times. This clearly did not actually remove any of the infected files. What's worse is that my Malwarebytes was deactivated. I tried to run the shortcut for the .exe on my desktop for it and it said it could not find the executable. I realized the virus deleted it. I uninstalled Malwarebytes (stupidly). After experiencing severe slowness on the cpu, internet websites being redirected to fake sites about anti-spyware, and not being able to go to some websites altogether, my cpu eventually blue screened. I decided to run a repair (not reformat) with my Windows XP home edition and went to bed after doing the install. I left the computer off.

    On a side note, I was unable to edit options in 'view' so that I can see file extensions (I knew I needed to block a .sys file and couldn't tell which ones were .sys; I had a very lucky guess). It looks like I have lost access to editing settings like seeing file extensions. I also thought about restoring my system to how it was a few days ago, but also could not do this because I got an error basically saying I did not have access and I need to get in touch with my domain admin.

    I woke up, restarted the computer. It started up and I was able to use it, though it was very slow. I did a bunch of internet research and found that I was probably infected by a Virtumonde Trojan, as users with that virus had the same symptoms (website redirects, no access to some websites, inability to install or run Malwarebytes). I discovered there was a way to get Malwarebytes to run by changing the names of the installer and exe, but it also said that I needed to block TDSSserv.sys in hidden devices too in my hardware devices. I looked and did not have TDSSserv.sys as an option, so I assume that I had a variant of the Virtumonde trojan. So, being frustrated, I decided to pick a process which looked most fishy and to choose it to be blocked (difficult to do because they all have weird names). It blocked the process I selected and I rebooted. I guess I made the right choice because upon reboot many of my startup programs started up (MSN Messenger, Steam, Avast). I again opened the Malwarebytes exe and it actually installed and I was able to initiate a scan.

    Malwarebytes removed some 115 viruses from my system, but after 3 rescans, it seems it cannot delete one. It is in my C:\WINDOWS\system32\drivers\ folder. It's a Rootkit.Agent file (C:\WINDOWS\system32\drivers\aqnyvv.sys (Rootkit.Agent) -> Delete on reboot.). I have also downloaded (but not yet installed) installers for ComboFix, HijackThis, SUPERAntiSpyware Pro (trial) and the Windows Malicious Software Removal Tool. I have them saved on my flashdrive for now. I am considering downloading FileASSASSIN or RootRepeal, but I figured I'd come here first for help.
    My infected cpu is turned on, not connected to the internet and ready to be worked on.

    Thanks in advance for assisting in getting this grimy virus off of my computer. Also, I am ready to run installers for any of the programs I mentioned on my computer and get a log to show you upon suggestion. Attached are my 3 Malwarebytes scans in order. The first one shows it deleted a lot of viruses and the next two show that it keeps detecting the Rootkit.Agent and can't delete it.
     


  2. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.

    ===========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    thanks for the quick response!

    I downloaded TDSSKiller.exe and extracted it onto my desktop. I copy-pasted the line into Start > Run. It did say there is a hidden service detected and lists my suspected rootkit file. I pressed "enter" as instructed by you even though it says to type in "delete" to get rid of it. When I hit "enter", it only moves the cursor lower on the screen. What am I doing wrong?

    Thanks!

    Sorry, I see now that the TDSSKiller log file was saved on my C: drive even though the DOS window never closed. The contents of that log are here:

    21:29:28:015 0220 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    21:29:28:015 0220 ================================================================================
    21:29:28:015 0220 SystemInfo:

    21:29:28:015 0220 OS Version: 5.1.2600 ServicePack: 2.0
    21:29:28:015 0220 Product type: Workstation
    21:29:28:015 0220 ComputerName: JMONEY09
    21:29:28:015 0220 UserName: Josh
    21:29:28:015 0220 Windows directory: C:\WINDOWS
    21:29:28:015 0220 Processor architecture: Intel x86
    21:29:28:015 0220 Number of processors: 2
    21:29:28:015 0220 Page size: 0x1000
    21:29:28:015 0220 Boot type: Normal boot
    21:29:28:015 0220 ================================================================================
    21:29:28:015 0220 ForceUnloadDriverW: Old driver(klmd21) unloaded successfully
    21:29:28:515 0220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    21:29:28:515 0220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    21:29:28:515 0220 wfopen_ex: Trying to KLMD file open
    21:29:28:515 0220 wfopen_ex: File opened ok (Flags 2)
    21:29:28:515 0220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    21:29:28:515 0220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    21:29:28:515 0220 wfopen_ex: Trying to KLMD file open
    21:29:28:515 0220 wfopen_ex: File opened ok (Flags 2)
    21:29:28:515 0220 Initialize success
    21:29:28:515 0220
    21:29:28:515 0220 Scanning Services ...
    21:29:28:906 0220 Raw services enum returned 297 services
    21:29:28:921 0220 Suspicious serv aqnyvv (h: 0, b: 1)
    21:29:28:921 0220
    21:29:28:921 0220 Hidden service detected!
    21:29:28:921 0220 Service name: aqnyvv
    21:29:28:921 0220 Image path:
    21:29:28:921 0220 Type "delete" (without quotes) to delete it:
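The log above ends at TDSSKiller's prompt, which is what the next replies are about. As an added example that is not part of this thread and not TDSSKiller's own code, the Python script below parses lines in the format shown (timestamp, a four-digit id, message), collects the "Suspicious serv" and "Hidden service detected!" entries with their service name and image path, and reports when the log stops at the prompt without a decision having been made. The page does not document what the "h" and "b" flags mean, so the parser only records them; the sample log is an excerpt of the one posted above.

```python
import json
import re

# Constructed sample: an excerpt of the TDSSKiller log posted above.
SAMPLE_LOG = """\
21:29:28:015 0220 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:29:28:515 0220 Initialize success
21:29:28:515 0220 Scanning Services ...
21:29:28:906 0220 Raw services enum returned 297 services
21:29:28:921 0220 Suspicious serv aqnyvv (h: 0, b: 1)
21:29:28:921 0220
21:29:28:921 0220 Hidden service detected!
21:29:28:921 0220 Service name: aqnyvv
21:29:28:921 0220 Image path:
21:29:28:921 0220 Type "delete" (without quotes) to delete it:
"""

# "HH:MM:SS:mmm NNNN message"; the message may be empty (blank separator lines).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d{4})\s?(.*)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious serv (\S+) \(h: (\d+), b: (\d+)\)$")


def parse_lines(text):
    """Yield (timestamp, id, message) for every line that matches the log format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def analyze(text):
    """Summarise a TDSSKiller-style log: flagged services, hidden services, and
    whether the log ends at the interactive prompt (i.e. the scan did not finish)."""
    report = {"suspicious": [], "hidden": [], "waiting_for_input": False}
    current = None
    for _, _, msg in parse_lines(text):
        m = SUSPICIOUS_RE.match(msg)
        if m:
            report["suspicious"].append(
                {"name": m.group(1), "h": int(m.group(2)), "b": int(m.group(3))})
            continue
        if msg == "Hidden service detected!":
            # Subsequent "Service name:" / "Image path:" lines describe this entry.
            current = {"name": None, "image_path": None}
            report["hidden"].append(current)
        elif current is not None and msg.startswith("Service name:"):
            current["name"] = msg.split(":", 1)[1].strip()
        elif current is not None and msg.startswith("Image path:"):
            # An empty image path is exactly what the posted log shows for the hidden service.
            current["image_path"] = msg.split(":", 1)[1].strip()
        elif msg.startswith('Type "delete"'):
            report["waiting_for_input"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run against the posted log, the report shows one suspicious service (aqnyvv), one hidden service with an empty image path, and waiting_for_input set, which matches the symptom described in the next post: the tool was still sitting at its prompt rather than finished.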
     
  4. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    It looks like the program didn't finish.
    When you press "Enter", be patient afterwards. Let it run.
     
  5. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    Thanks! I will give it some time. Is there anything that I should see happening? Like I mentioned before, hitting "enter" seems to only bring the cursor lower on the page in the tool. I don't see anything actually happening, like processes running or anything...
     
  6. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Leave it for now, please.
    Run Combofix and post its log along with HJT log.
     
  7. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    I was running the TDSSKiller tool when I started up ComboFix, and at one point it restarted my computer, so I will redo the TDSSKiller tool. Attached are the ComboFix log and HJT log. I will run TDSSKiller again and attach a log from that one when it completes.
     


  8. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Don't run TDSSKiller for now.
     
  9. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    Shoot, I already did before I saw your post. Sorry! Hope it didn't screw anything up. Its log is attached.
     


  10. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    That's fine....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    
    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Alwil Software\Avast4\ashdisp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\DAEMON Tools Lite\daemon  .exe
    c:\program files\Download Manager\dlm .exe
    c:\program files\Intel Audio Studio\intelaudiostudio    .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\McAfee\Common Framework\udaterui .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\QuickTime\qttask     .exe
    c:\program files\Steam\steam .exe
    
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation omitted: CFScript.txt being dragged onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
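The CFScript above, and the two that follow it in this thread, list under RenV:: executables whose names carry whitespace between the base name and the extension (reader_sl .exe, daemon  .exe). As an added example that is neither ComboFix's code nor anything posted in the thread, the Python script below walks a directory tree and inventories files with that name shape, reporting the expected unpadded name and whether an unpadded twin sits in the same folder. It builds a small constructed folder tree in a temporary directory so it runs offline; the folder and file names in that tree are assumptions modelled on the list above, and the script only reports, it renames nothing.

```python
import os
import re
import tempfile

# A name whose extension is preceded by one or more whitespace characters,
# e.g. "ashdisp .exe" or "intelaudiostudio    .exe" (the shape in the RenV:: list).
PADDED_RE = re.compile(
    r"^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.(exe|dll|sys|scr|com))$", re.IGNORECASE)


def normalize_name(name):
    """Return (unpadded name, number of padding characters) for a padded name, else None."""
    m = PADDED_RE.match(name)
    if not m:
        return None
    return m.group("stem") + m.group("ext"), len(m.group("pad"))


def find_padded(entries):
    """entries: iterable of (directory, [file names in it]).
    Returns one finding per padded name, noting whether the unpadded twin also exists."""
    findings = []
    for directory, names in entries:
        lower_names = {n.lower() for n in names}
        for n in names:
            norm = normalize_name(n)
            if norm is None:
                continue
            clean, pad = norm
            findings.append({
                "path": os.path.join(directory, n),
                "expected": os.path.join(directory, clean),
                "pad_len": pad,
                "unpadded_twin_present": clean.lower() in lower_names,
            })
    return findings


def scan_tree(root):
    """Walk a real directory tree and apply find_padded to every folder."""
    return find_padded((d, files) for d, _, files in os.walk(root))


def build_sample_tree(root):
    """Constructed sample (assumption, not a real system): two folders modelled on the
    RenV:: list, one of which also holds the unpadded twin of the padded file."""
    avast = os.path.join(root, "Alwil Software", "Avast4")
    daemon = os.path.join(root, "DAEMON Tools Lite")
    os.makedirs(avast)
    os.makedirs(daemon)
    for name in ("ashdisp .exe", "ashdisp.exe"):
        open(os.path.join(avast, name), "wb").close()
    open(os.path.join(daemon, "daemon  .exe"), "wb").close()
    open(os.path.join(daemon, "readme.txt"), "wb").close()


def demo():
    """Build the sample tree in a temporary directory and return the findings, sorted by path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']!r} -> expected {f['expected']!r} "
              f"(pad {f['pad_len']}, twin present: {f['unpadded_twin_present']})")
```

On a real machine you would call scan_tree on the Program Files directory and compare the output with the RenV:: list the helper produced; the "unpadded twin present" flag is the interesting column, since a padded file sitting next to a same-named unpadded one is the case where a rename would collide and deserves a manual look before any cleanup.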
     
  11. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    all done. the two logs are attached. how are we looking?
    thank you so so much for helping me with all this.

    Edit: I figured I would run another MBAM scan while I'm waiting; the log for that is also attached. Looks like the rootkit is still there =\
     


  12. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    No
    That is located in Combofix quarantine folder. Nothing to worry about.

    Combofix log looks much better. There is still one item left...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    RenV::
    c:\program files\Alwil Software\Avast4\ashdisp .exe
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation omitted: CFScript.txt being dragged onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  13. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    Nice! Great news! Haha, I didn't realize it was the quarantine box - sorry, I've never taken a cpu class ever =)

    Okie, the new logs are attached.
     


  14. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\Alwil Software\Avast4\ashdisp .exe
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation omitted: CFScript.txt being dragged onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  15. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    here we go.
     


  16. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    Re-run Malwarebytes quick scan and post its log.
     
  17. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    Combo is uninstalled and the log is attached. It seems I'm fixed?! Yay!
     


  18. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Just a couple more steps to make sure nothing is in hiding...

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.

    Post fresh HJT log as well.
     
  19. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    here we go
     


  20. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Please, uninstall AskBarDis (Ask Toolbar) (if present) through Add\Remove.

    ==========================================================================

    You have some McAfee leftovers.
    Download and run McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

    ======================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey


    4. You should also check the following entries (these are unnecessary startups; no actual programs will be removed):

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit



    5. Click on the Fix checked button.

    6. Open Windows Explorer. Go Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders.

    7. Delete the following files/folders (if present):

    McAfee folder from C:\Program Files

    Note. If deletion doesn't work, attempt it in Safe Mode - restart computer, and keep tapping F8 key, until menu appears.

    8. Restart computer.

    9. Post new HijackThis log.
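To show how the HijackThis entries quoted in the post above break down, here is an added Python example that is neither HijackThis's code nor part of the thread. It parses O2/O3 lines (BHO and toolbar, with CLSID and module path) and O4 lines (Run keys) into records, works out which file each Run entry actually loads (a quoted path, the first token, or the DLL handed to rundll32), and groups entries by the program folder they point into, which is what lets one see that the two Ask entries and the McAfee entry reference the folders the post says to remove. The sample lines are the ones quoted above; the folder-grouping helper and the record layout are assumptions of this example, not HijackThis features.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post above.
SAMPLE_HJT = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"""

# O2/O3: "<section> - <kind>: <name> - {CLSID} - <module path>"
COM_RE = re.compile(r"^(O2|O3) - (BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4: "O4 - HKxx\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")


def command_target(command):
    """The file an O4 command line actually loads: the quoted path, else the first
    token; for rundll32 the DLL named before the comma. Unquoted paths containing
    spaces cannot be resolved reliably and come back as their first token."""
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        exe, _, rest = command.partition(" ")
    base = exe.lower().rsplit("\\", 1)[-1]
    if base in ("rundll32.exe", "rundll32"):
        return rest.split(",", 1)[0].strip()
    return exe


def parse_hjt(text):
    """Turn O2/O3/O4 lines into dicts; lines of other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = COM_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "kind": m.group(2), "name": m.group(3),
                            "clsid": m.group(4).lower(), "path": m.group(5).strip()})
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"section": "O4", "kind": m.group(1), "name": m.group(2),
                            "clsid": None, "path": command_target(m.group(3)),
                            "command": m.group(3)})
    return entries


def entries_under(entries, folder):
    """Value/object names of entries whose loaded file lives under `folder`
    (case-insensitive, Windows path separators)."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e["name"] for e in entries if e["path"].lower().startswith(prefix)]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in parsed:
        print(f"{e['section']} {e['name']!r} -> {e['path']}")
    print("Ask:", entries_under(parsed, r"C:\Program Files\AskBarDis"))
    print("McAfee:", entries_under(parsed, r"C:\Program Files\McAfee"))
```

Grouping by loaded file rather than by entry name is the useful step when reviewing a log like this: the BHO, the toolbar and the Run key for a product are three separate HijackThis lines, but they resolve to one or two files, so checking the folder once answers whether the whole set belongs to something that is still installed.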
     
  21. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    I got rid of the Ask toolbar and downloaded the McAfee uninstaller, but when I ran the uninstaller it randomly stopped and displayed this message: "Please exit the session. McAfee Enterprise software detected. Cannot continue. Please contact McAfee Technical Support." Any ideas on this part?
     
  22. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    I see. You have Enterprise edition, so that tool won't work.

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  23. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    The logs are attached; I tried to paste them in but the forum told me that the text was too long. Should I hold off on the HJT instructions that you laid out?
     


  24. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    That's fine. Yeah, hold on with HJT. Let me review your logs.
     
  25. fckid212

    fckid212 TS Rookie Topic Starter Posts: 27

    got it. thanks.
     
Topic Status:
Not open for further replies.
