TechSpot

Rootkit.Agent found

By Martijn
Jul 17, 2010
  1. Hello,

    I recently installed Malwarebytes' Anti-Malware for no purpose other than to 'check', and discovered I have a nasty Rootkit.Agent nestled in my system. Software-updates (including vital windows 7 updates) have not been installed regularly, but should be up-to-date as of today. I have followed the 8-step guide and have included the 4 logs. I can tell the problem is found in eznmjfq.sys.

    Would anyone please assist me?

    Thank you in advance, I appreciate your time and effort.
     

  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Your MBAM log says "No action taken" after "rootkit" line.
    Please, re-run quick scan, fix the issue and post new log.
     
  3. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Heh, right.. MBAM kept coming up with the same infected file, even after removal several times. That's why I forgot to do it this time. Here's the log, thanks!
     

  4. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    And a quick-scan shows it's still there.
     

  5. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    That's fine. I had to be sure this is what happens...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Hey Broni, thanks for your reply.

    I downloaded and ran Combofix yesterday (I think this is what allowed me to finally run my Windows updates, which didn't work yesterday). I have included the log from yesterday - the MBAM-report has not changed since then, still the one file.

    Here's the log:
     

  7. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\users\Gebruiker\AppData\Local\iedmquitd
    
    
    Driver::
    rqnqoyll
    
    NetSvc::
    rqnqoyll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  8. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Ran the file, Combofix did ask for reboot.

    Log is as follows..
     

  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Looks good :)
    Re-run MBAM quick scan and post its log.
     
  10. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Alas, quick-scan came up with the same file still infected. Want me to try and remove it again with MBAM?

    This is the log.
     

  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Yes. Always.
    Re-scan, remove, restart computer, rescan and post fresh log.
     
  12. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Heh ok. Removed, rebooted, rescanned, infection persists.
     

  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Why does the log still say "No action taken"?
    It should say "Removed", or "Will be removed on reboot".
    You may be posting a log from before a fix.

    But first....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  14. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Ah, because I scanned again after I 'removed' it with MBAM. So it's a new log, unrelated to the previous 'removal'.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Go ahead with Combofix...
     
  16. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Ah, it says '*Deregistered* - eznmjfq' now.. (Hope that's good?) Here's the log!
    (Sorry for testing your patience so much :))
     

  17. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Quick-scan with MBAM shows it's still there.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Let's see. I just saw something I didn't see before...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\alcerotn.sys
    
    Driver::
    alcerotn
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  19. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    I noticed it removed something. This is the log.
     

  20. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    One more time...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  21. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    Hmm, not sure if that worked..
     

  22. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  23. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
  24. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    OK. We got it :)

    Rerun MBRCheck and select option "2".
    When asked for physical disk number, enter "0" (zero).
    Next, enter 0 (zero) for MBR code.
    Post resulting log and restart computer.
     
  25. Martijn

    Martijn TS Rookie Topic Starter Posts: 34

    That comment made me smile!

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
    [ 0] Default (Windows 7)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.

    Done! Press ENTER to exit...
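As an added illustration (not part of this thread and not MBRCheck's own code) of what the "Known-bad MBR code" verdict above rests on: parse a 512-byte sector such as MBRCheck's option [1] dumps to file, validate the 55 AA signature, read the partition table, and compare the boot-code region against a trusted baseline hash. The boot-code bytes and the partition entry in the samples are constructed placeholders, not data from the poster's disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440    # bytes 0-439: boot code, the region an MBR integrity check compares
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the disk signature and padding
SIGNATURE_OFF = 510    # last two bytes of a valid MBR must be 55 AA

def parse_mbr(sector):
    """Return signature validity, a hash of the boot-code region and the used partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def mbr_status(sector, known_good_hashes):
    """Classify a sector by comparing its boot code to a set of trusted baseline hashes."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid signature"
    if info["boot_code_sha256"] in known_good_hashes:
        return "known-good boot code"
    return "non-standard boot code (investigate)"

def build_sample_mbr(boot_code, signature=b"\x55\xaa"):
    """Construct a test sector: boot code, 6 bytes of disk-id/padding, one bootable NTFS entry, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    padding = b"\x00" * (PART_TABLE_OFF - BOOT_CODE_LEN)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return code + padding + entry + b"\x00" * 48 + signature

# Constructed samples, not real disk data: a trusted baseline and two deviations from it
BASELINE_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"                # placeholder stand-in for standard boot code
GOOD_MBR = build_sample_mbr(BASELINE_CODE)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58" + BASELINE_CODE)   # boot code altered, partition table untouched
UNSIGNED_MBR = build_sample_mbr(BASELINE_CODE, signature=b"\x00\x00")
KNOWN_GOOD = {hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()}
```

A real baseline would hold the hashes of the boot code the OS installer writes (the codes MBRCheck lists as [0] to [5]); a tampered sector typically keeps the partition table intact, which is why the check hashes only the first 440 bytes.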
     