TechSpot

Need help removing rootkit.agent

By Dobian
May 20, 2010
  1. It's very insidious and even pops up bogus windows when I try to log into my bank account to try and get my credit card and ssn. The file in question is kfmsfb.sys in windows\system32\drivers. Of course I can "find" the rootkit with malwarebytes and at least one other spyware program, but they can't remove it. I saw how Broni helped someone else get rid of a similar rootkit on another thread. I have already run combofix and can post it when someone is available. I know I will need help pasting the right information from that in to a text file to run against combofix again. I can see the locked registry keys in the log. Anyway, hope someone can jump in on this. Next step is reinstalling the OS if I can't get rid of this.
     
  2. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Here is the combofix log file and the hijackthis log file.
     

    Attached Files:

  3. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Need help removing rootkit.agent (bump)

    Anyone? Appreciate it.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

  5. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\Genna\AppData\Local\Ylajovab.bin
    c:\windows\system32\bspl.dll
    c:\users\Genna\AppData\Roaming\jasltw.dat
    
    
    Folder::
    
    Driver::
    iMSPCLOj
    MEMSWEEP2
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kfmsfb]
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  6. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Here they are, thanks for the help.
     

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    I'm at work so I'll run it when I get home. I noticed last night, though, that I don't get a "run as admin" option when I right-click hijackthis like I do with other apps. I'll check the version and download it again, but I think it's current.
     
  9. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OK :)......
     
  10. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Okay, here they are.
     

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    MBAM log reads "No action taken" after both lines.
    Please re-run MBAM, but this time fix all found issues.
    Post fresh log.
     
  12. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Okay here's a log showing the removal.
     

    Attached Files:

  13. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Very good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  14. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Okay I'll post the scan in the morning. You're in Daly City, that's right up 280 from me.
     
  15. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Okay here's the latest.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Hello neighbour :)

    It looks like Combofix didn't uninstall correctly, so delete manually anything, you can find from the list below:
    Delete Combofix, Qoobox folders,and Combofix.txt file from C:
    Delete Combofix from your desktop


    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\Temp\d87befab.tmp
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  17. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    oops I didn't uninstall combofix that's why.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OK...........
     
  19. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    okay now it's uninstalled
     
  20. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    That OTM stops responding after I copy and move that text. I tried it a couple of times.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    That's fine.
    Make sure this file is gone (if present):
    C:\Windows\Temp\d87befab.tmp
    Empty recycle bin afterwards.

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - Startup: PowerReg Scheduler.exe



    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-21-2436300226-237071423-4138334345-1000\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'IUSR_NMPR')
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  22. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    I got OTM to run. Here it is and another hijackthis log.
     

    Attached Files:

  23. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    Here is another hijackthis log, I removed the things you said. So you have the OTM log, kasp log, and this one. I have to head out for awhile, I'll check back later. Thanks for the help.
     

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.

    ======================================================================


    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
  25. Dobian

    Dobian TS Rookie Topic Starter Posts: 24

    That rootkit.agent is still there. Here's the log.
     

    Attached Files:

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...