Solved Rootkit.Agent found

Status
Not open for further replies.
All processes killed
========== OTL ==========
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\Users\GEBRUI~1\AppData\Local\Temp\catchme.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gebruiker
->Temp folder emptied: 1120991 bytes
->Temporary Internet Files folder emptied: 135855 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 38095394 bytes
->Flash cache emptied: 2207 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 840 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 38,00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Gebruiker
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.1 log created on 07192010_135020

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




There! I installed the correct version of Java (it just updates, there was no old version in the add/delete programs), removed the .20 version of Java in my Firefox, removed NOD.
What now? :)
 
Aha! And you wanted me to do a quick-scan. Here's the log it produced.
 

Attachment: OTL.Txt (86 KB)
Good :)

Last scan....

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
There are, but Kaspersky is the best one.
Be patient.
Post back only, if Kaspersky gets stuck.
 
I did a quick-scan with OTL, here's what it shows.



It's created [2010-07-19 13:46:46 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt, which is the file detected by Kaspersky
 

Attachment: OTL.Txt (88.2 KB)
It's created [2010-07-19 13:46:46 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt, which is the file detected by Kaspersky
Actually, it's a folder, not a file and...
The only file detected by Kaspersky is this one:
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.1.7600.16385_none_06a5a17a3714c64d\RDPENCDD.sys
so, I'm not sure what you're saying

The above file is an important system file backup, so we'll have to replace it with a good file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    RDPENCDD.sys
    :dir
    C:\Windows\System32\appmgmt /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Guess I'm not that good at reading this sorta stuff Broni.. :) Never mind me, ha!


Here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:55 on 21/07/2010 by Gebruiker (Administrator - Elevation successful)

========== filefind ==========

Searching for "RDPENCDD.sys"
C:\Windows\System32\drivers\rdpencdd.sys --a--- 6656 bytes [00:01 14/07/2009] [00:01 14/07/2009] 5A53CA1598DD4156D44196D200C94B8A
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.1.7600.16385_none_06a5a17a3714c64d\RDPENCDD.sys --a--- 6656 bytes [00:01 14/07/2009] [00:01 14/07/2009] D2A9A2F755B256BE79203595886EBFAE

========== dir ==========

C:\Windows\System32\appmgmt - Parameters: "/s"

---Files---
None found.

C:\Windows\System32\appmgmt\MACHINE d----- [11:46 19/07/2010]

C:\Windows\System32\appmgmt\S-1-5-21-872059924-2603680743-1889634238-1000 d----- [11:46 19/07/2010]

-=End Of File=-
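The SystemLook log above is the whole basis for the next fix: two copies of RDPENCDD.sys with the same size and timestamps but different MD5 values, so the backup in WinSxS cannot be the same bytes as the live driver. The script below is an added example (not SystemLook's or OTL's code) of that check: it walks a set of roots for every file with a given name, groups the copies by digest, and lists the ones that differ from a copy you trust, which is exactly what the later ":Files ... /replace" line acts on. It uses SHA-256 by default (SystemLook reports MD5; pass algo="md5" to match), and the directory tree, file names and file contents it scans are constructed inside the script so it runs offline.

```python
"""Find every copy of a driver under given roots and compare their hashes.

Added example modelled on the SystemLook ":filefind" step in this thread.
Not SystemLook's or OTL's code; the tree built by build_demo_tree() is a
constructed stand-in for System32\\drivers and the WinSxS store.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large drivers are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(roots, name):
    """Case-insensitive recursive search for files called `name` (like :filefind)."""
    target = name.lower()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                if f.lower() == target:
                    hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def compare_copies(paths, algo="sha256"):
    """Group paths by digest; more than one group means the copies differ."""
    groups = defaultdict(list)
    for p in paths:
        groups[hash_file(p, algo)].append(p)
    return dict(groups)


def differing_from(groups, trusted):
    """Paths whose digest differs from the copy at `trusted` (replace candidates)."""
    trusted_digest = next(d for d, ps in groups.items() if trusted in ps)
    return [p for d, ps in groups.items() if d != trusted_digest for p in ps]


def report(groups):
    """Human-readable summary in the spirit of the SystemLook output."""
    lines = []
    if len(groups) <= 1:
        lines.append("all copies identical")
    else:
        lines.append(f"MISMATCH: {len(groups)} distinct versions found")
    for digest, paths in groups.items():
        for p in paths:
            lines.append(f"{digest}  {os.path.getsize(p)} bytes  {p}")
    return "\n".join(lines)


def build_demo_tree():
    """Constructed stand-in tree: a live driver and a WinSxS backup that differs."""
    base = tempfile.mkdtemp(prefix="filefind_demo_")
    live = os.path.join(base, "System32", "drivers")
    sxs = os.path.join(base, "winsxs", "x86_demo-component_none_000")  # hypothetical name
    os.makedirs(live)
    os.makedirs(sxs)
    good = b"MZ" + b"\x00" * 100  # fake driver image bytes (constructed)
    with open(os.path.join(live, "rdpencdd.sys"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(sxs, "RDPENCDD.sys"), "wb") as fh:
        fh.write(good[:-1] + b"\x01")  # same size, one byte differs
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    copies = find_copies([base], "rdpencdd.sys")
    groups = compare_copies(copies)
    print(report(groups))
    trusted = next(p for p in copies if "drivers" in p)
    print("differs from trusted copy:", differing_from(groups, trusted))
```

On a real system you would pass the Windows directory as the root, and size and timestamp alone would not have flagged anything here: only the digest distinguishes the two copies, which is why the helper asked for the hashes before deciding what to replace.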
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.1.7600.16385_none_06a5a17a3714c64d\RDPENCDD.sys|C:\Windows\System32\drivers\rdpencdd.sys /replace
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
 
All processes killed
Error: Unable to interpret <OTL> in the current context!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.1.7600.16385_none_06a5a17a3714c64d\RDPENCDD.sys successfully replaced with C:\Windows\System32\drivers\rdpencdd.sys
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gebruiker
->Temp folder emptied: 127658097 bytes
->Temporary Internet Files folder emptied: 1258880 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 97137098 bytes
->Flash cache emptied: 6693 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12622 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 216,00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Gebruiker
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07222010_123756

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Very good :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Thank you Broni. We ( .. ahum. You!) did it! Thanks a lot. I'll come back in a week or so, give you an update on how my system is holding up. I really appreciate the time you've spent on me.

Case solved!
 
We ( .. ahum. You!) did it!
You're right...WE did it. I can't do anything by myself :)

Cool

Good luck and stay safe :)
 