Solved Rootkit.Agent found


Martijn

Hello,

I recently installed Malwarebytes' Anti-Malware for no purpose other than to 'check', and discovered I have a nasty Rootkit.Agent nestled in my system. Software updates (including vital Windows 7 updates) have not been installed regularly, but should be up to date as of today. I have followed the 8-step guide and have included the 4 logs. I can tell the problem is found in eznmjfq.sys.

Would anyone please assist me?

Thank you in advance, I appreciate your time and effort.
 

Attachments

  • mbam-log-2010-07-17 (21-33-34).txt (1.1 KB)
  • DDS.txt (16.7 KB)
  • Attach.txt (6.6 KB)
  • gmer.log (22 KB)
Your MBAM log says "No action taken" after "rootkit" line.
Please, re-run quick scan, fix the issue and post new log.
 
Heh, right.. MBAM kept coming up with the same infected file, even after removal several times. That's why I forgot to do it this time. Here's the log, thanks!
 

Attachments

  • mbam-log-2010-07-18 (11-09-15).txt (1.1 KB)
And a quick-scan shows it's still there.
 

Attachments

  • mbam-log-2010-07-18 (11-21-43).txt (1 KB)
That's fine. I had to be sure this is what happens...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hey Broni, thanks for your reply.

I downloaded and ran Combofix yesterday (I think this is what allowed me to finally run my Windows updates, which didn't work yesterday). I have included the log from yesterday - the MBAM report has not changed since then, still the one file.

Here's the log:
 

Attachments

  • ComboFix.txt (11 KB)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\users\Gebruiker\AppData\Local\iedmquitd


Driver::
rqnqoyll

NetSvc::
rqnqoyll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
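As an added example (not ComboFix's code and not something from this thread), here is a small Python parser for the CFScript format used above, so that a script can be reviewed action by action before it is run. It assumes the "Name::" header convention shown in the thread and the regedit-style "[-KEY]" meaning "delete this key"; the sample input is the script from the post, embedded as a raw string.

```python
import re
# A CFScript is a series of "Name::" headers, each followed by one entry per line.
HEADER = re.compile(r"^(\w+)::\s*$")

def parse_cfscript(text: str) -> dict:
    """Parse CFScript text into {section: [entry, ...]}.
    Registry:: lines use regedit syntax: "[-HKEY...]" deletes the key,
    "[HKEY...]" (re)creates it; other sections hold one bare target per line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current == "Registry":
            if not (line.startswith("[") and line.endswith("]")):
                raise ValueError(f"malformed Registry entry: {line!r}")
            key = line[1:-1]
            entry = {"action": "delete" if key.startswith("-") else "create",
                     "key": key.lstrip("-")}
        else:
            entry = {"action": current.lower(), "target": line}
        sections[current].append(entry)
    return sections

def summarize(sections: dict) -> list:
    """One plain-English line per action, for review before the script is run."""
    return [f"{e['action']} registry key {e['key']}" if name == "Registry"
            else f"{e['action']}: {e['target']}"
            for name, entries in sections.items() for e in entries]

# The script from the thread above, embedded as sample input (raw string: backslashes).
SAMPLE = r"""
Folder::
c:\users\Gebruiker\AppData\Local\iedmquitd
Driver::
rqnqoyll
NetSvc::
rqnqoyll
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]
"""
```

Running `summarize(parse_cfscript(SAMPLE))` lists the folder, driver, service and registry key the script would touch, which is exactly what an analyst wants to confirm against the logs before dragging the file onto ComboFix.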
Ran the file, Combofix did ask for reboot.

Log is as follows..
 

Attachments

  • ComboFix.txt (13.2 KB)
Alas, quick-scan came up with the same file still infected. Want me to try and remove it again with MBAM?

This is the log.
 

Attachments

  • mbam-log-2010-07-18 (20-21-56).txt (1 KB)
Heh ok. Removed, rebooted, rescanned, infection persists.
 

Attachments

  • mbam-log-2010-07-18 (20-53-48).txt (1 KB)
Why does the log still say "No action taken"?
It should say "Removed", or "Will be removed on reboot".
You may be posting a log from before a fix.

But first....

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Why does the log still say "No action taken"?
It should say "Removed", or "Will be removed on reboot".
You may be posting a log from before a fix.

Ah, because I scanned again after I 'removed' it with MBAM. So it's a new log, unrelated to the previous 'removal'.
 
Ah, it says '*Deregistered* - eznmjfq' now.. (Hope that's good?) Here's the log!
(Sorry for testing your patience so much :))
 

Attachments

  • ComboFix.txt (12.3 KB)
Let's see. I just saw something I didn't see before...

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\alcerotn.sys

Driver::
alcerotn

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
One more time...

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size      Device Name          MBR Status
--------------------------------------------
298 GB    \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
 
OK. We got it :)

Rerun MBRCheck and select option "2".
When asked for physical disk number, enter "0" (zero).
Next, enter 0 (zero) for MBR code.
Post resulting log and restart computer.
 
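As an added example (not MBRCheck's code and nothing from this thread), the Python below does, in miniature, what MBRCheck does on PhysicalDrive0: it parses a 512-byte sector, verifies the 0x55AA boot signature and the partition table, hashes the 440-byte boot-code area and compares it with a list of known-good hashes. The sector, the "clean" boot code and therefore the whitelist entry are all constructed here for illustration; the real Windows 7 boot code and MBRCheck's own signature list are not reproduced.

```python
import hashlib
import struct
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # boot code occupies bytes 0..439; the disk signature follows
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # must hold 0x55 0xAA for a valid MBR
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split one raw 512-byte sector into signature check, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(sector: bytes, known_good: set) -> dict:
    """MBRCheck-style verdict: boot code is on the known-good list or needs a closer look."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        info["verdict"] = "invalid (missing 0x55AA signature)"
    elif info["boot_code_sha256"] in known_good:
        info["verdict"] = "known-good"
    else:
        info["verdict"] = "unknown boot code (inspect, or restore standard code as MBRCheck option 2 does)"
    return info

# Constructed stand-in for a clean boot loader; NOT real Windows 7 MBR code.
CLEAN_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40).ljust(BOOT_CODE_LEN, b"\x00")
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}  # placeholder whitelist, one entry

def build_sample_sector(boot_code: bytes) -> bytes:
    """Assemble a sector with the given boot code and one bootable NTFS (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)

def altered_sample_sector() -> bytes:
    """Same disk, but with the first boot-code bytes changed; the partition table is untouched."""
    sector = bytearray(build_sample_sector(CLEAN_BOOT_CODE))
    sector[0:2] = b"\xeb\x20"   # constructed change for the demo, not a real infection pattern
    return bytes(sector)
```

Note that the partition table of the altered sector parses identically to the clean one, which is why a boot-code hash (rather than "does the disk still boot?") is the check that matters here.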
That comment made me smile!

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size      Device Name          MBR Status
--------------------------------------------
298 GB    \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
[ 0] Default (Windows 7)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done! Press ENTER to exit...
 