Solved Need help removing a rootkit.agent

Status
Not open for further replies.
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    PRC - [2008/03/14 05:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    PRC - [2008/03/14 05:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\udaterui.exe
    PRC - [2008/03/14 05:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    PRC - [2008/03/14 05:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
    C:\Program Files\McAfee
    
    
    :Services
    SRV - [2008/03/14 05:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
    
    
    :Reg
    
    :Files
    C:\Program Files\McAfee
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
The first attachment is the log from the Run Fix, which was auto-displayed after reboot. The second log is from the Quick Scan, which I ran after reboot.
 

Attachments

  • 03232010_150255.log
    7.5 KB
  • OTL.Txt
    54.7 KB
You're a free man :)


Your computer is clean

1. Turn off System Restore:

- Windows XP:
  1. Click Start.
  2. Right-click the My Computer icon, and then click Properties.
  3. Click the System Restore tab.
  4. Check "Turn off System Restore".
  5. Click Apply.
  6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
  7. Click OK.
- Windows Vista and 7:
  1. Click Start.
  2. Right-click the Computer icon, and then click Properties.
  3. Click on System Protection under the Tasks column on the left side.
  4. Click on Continue on the "User Account Control" window that pops up.
  5. Under the System Protection tab, find Available Disks.
  6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
  7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
  8. Click OK.

2. Restart the computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Awesome!!!! Thank you so much for all the help. I will follow these steps and let you know how it all turns out. I also realized that I didn't have a firewall running at all (or installed, for that matter) when I was infected. I will download ZoneAlarm ASAP! Thank you!
 
I guess I have one more question regarding the Windows updates. It seems the last major update I don't have is Service Pack 3. A friend told me a few months back that Pack 3 is unreliable and is too glitchy, and suggested that I stay with Service Pack 2. Do you agree, or should I go ahead with the update?

On a side note, I tried to install Internet Explorer 8, since that is the only browser that I can use to check windowsupdate.com, but it failed to install, and I think it's because I don't have Pack 3? Thanks!

And now I'm seeing that ZoneAlarm requires SP3, so I should probably just update, right?
 
Now that your computer is clean, you have every reason to install SP3, especially because at the end of April, Microsoft is ending support for Windows XP without SP3. That means no more updates after April.
 
Wow! Thanks for the heads up, I had no idea! I got SP3 installed as well as zone alert and just defragged. The old girl is running like a champion again! Happy!
 