Rootkit.Agent Help

Status
Not open for further replies.

CherryLyndz

I finished watching a clip on the internet last night and then I got a bunch of viruses all of a sudden. I think I got all of them but one, and no anti-virus has been able to get it off. Please help. Also, I followed the instructions and here's the logs. Thanks so much for your help.
 

Attachments

  • Malwarebytes.txt (923 bytes)
  • GMER.log (12.4 KB)
  • DDS.txt (18.3 KB)
  • Attach.txt (9 KB)
1. Mbam says 'No Action Taken' for that one entry. That means you did not check the line for the program to remove what it found. Please update and run again, checking for removal.

2. What problems are you having?
3. Did you turn off system Restore? If yes, why?

I'll finish checking the logs and will be back.
 
For the Mbam it says no action taken because it was just the last file it saved. I ran it multiple times before and it tries to remove it, then, when it restarts to remove it, it's back once again, so I decided to scan again and not do anything about it last time because I knew it wouldn't remove it. I scanned it so it would make a log and so I could upload it here, so that's why it says No action taken. So do you still want me to update and scan again?

Problems? Well besides having a Rootkit, random popups sometimes, and mbam (when I turn on protection) says that it's blocking viruses whenever I click on like any link pretty much, I also can't open some applications, uhmm

and I turned off system restore a while ago before I had a virus (stupid thing to do, I know) cuz a friend told me to (stupid advice) cuz he said it would make it faster or something (he obviously doesn't know what he was talking about) but yeah. That's about it.
 
I had added this to the reply but you picked it up too fast, so I'm making it a new reply and including your reply:

Problems? Well besides having a Rootkit, random popups sometimes, and mbam (when I turn on protection) says that it's blocking viruses whenever I click on like any link pretty much, I also can't open some applications, uhmm

I need something a bit more detailed: when it comes to problems, we need the information to be as specific as possible:
1. What kind of pop-ups are you having? Ads for Viagra? Security alerts telling you to click on some program to remove virus?
2. Is Mbam blocking a site? Read this please and tell me if this is what's happening:
https://www.techspot.com/vb/topic147469.html
3. What applications can't you open and what happens when you try?
4. I see several antimalware programs and system maintenance programs but no antivirus program. Do you have an AV program? What is it?
5. You have a program called Bot. What is that?
6. Please disable RegCure. Do not run any Registry cleaner or make any registry changes while I am helping you. It would also be a good idea to disable Tune Up Utilities and Advanced System Care for now. These programs run in the background and may affect the scans and their results.

So do you still want me to update and scan again?
Yes, I do.
and I turned off system restore a while ago before I had a virus (stupid thing to do, I know) cuz a friend told me to (stupid advice) cuz he said it would make it faster or something (he obviously doesn't know what he was talking about) but yeah. That's about it.

Don't listen to friends when it comes to malware.

I only see one entry that might be a problem.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
 
Thankz for the reply!

1. Uhmm I think they're ads. Most of the time I close them before they appear cuz I already know they're popups, but they're not security alerts (actually I haven't seen popups lately anymore so I might be wrong about those)

2. Yes actually, out of the page from the link on question 2 "Block" would describe it best I think, cuz when I try to open a page I usually am able to open, it says "Unable to connect" "Firefox can't establish a connection to the server at (whatever the site is)"

3. Oh wow well, I just tried to open an application that usually wouldn't open when the virus was still on (in this case I tried to open Diablo 2 LoD) but this time it worked, so I'm not really sure if I am not able to open other apps. So that symptom might be gone

4. Uhm the antivirus I would use would be the mbam protection thing, the one that if a virus tries to do something it says on a popup "Oh mbam stopped this" kind of thing, but besides that, I don't really have one.

5. Bot is a bot for my Diablo 2 game, it's harmless as I've used it for years before, it's called D2NT.

6. Will do, if I can figure it out, cuz I don't see RegCure being active, and I don't think I've used it for a while. (if I do have it, idk if I have it?)

(if I'm not specific enough I'm sorry, I'm trying to be =[ )

KKz Heres the Logz

I updated and scanned again and tried to delete, and there's the log, and yes, it's still there. It has not been deleted.

Rawrr

Edit: Ahh I forgot to turn off malwarebyte protection when I did the combofix scan! Lemme rescan and reupload.
 

Attachments

  • mbam-log-2010-05-22 (17-21-24).txt (952 bytes)
  • ComboFixLog.txt (18.2 KB)
2. Yes actually, out of the page from the link on question 2 "Block" would describe it best I think, cuz when I try to open a page I usually am able to open, it says "Unable to connect" "Firefox can't establish a connection to the server at (whatever the site is)"
This is not blocking. This is a problem with either the server or the internet connection. If a security program like Malwarebytes or a browser like Firefox blocks a site from loading, it will show you an alert that the site has been blocked because ...

4. Uhm the antivirus I would use would be the mbam protection thing, the one that if a virus tries to do something it says on a popup "Oh mbam stopped this" kind of thing, but besides that, I don't really have one.
Antimalware is not antivirus. Please put one of the following on the system now. Both are free:
Avira Free
Avast Home

Please disable the following programs:
RegCure
Registry Reviver
Dr. Web
Iobit Advanced System Care
Tune Up Utilities

The Combofix report shows that you ran it 4 times- why was that?
=======================================
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\82F5.tmp
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
Folder::
c:\users\Lyndz\AppData\Local\xurpxhbcc
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]

Driver::
MEMSWEEP2
Stereo Service
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===============================
Please do not install any new programs while I am helping you unless I instruct you to. Do not use any Registry cleaners or programs that contain Registry cleaners. Do not make any Registry changes.

Please don't use chat talk- I don't understand it:
idk if i have it?)
KKz Heres the Logz
 
Sorry about the Combofix being used 4 times. My roommate tried to fix my computer before I did, so she probably tried using that.

I ran the script on ComboFix, here's the log.

And here's the Eset NOD32 log.

And yeah I still have the Rootkit there. =[ (See Mbam log?)
 

Attachments

  • ComboFix Log.txt (18.7 KB)
  • log.txt (722 bytes)
  • mbam-log-2010-05-23 (13-22-23).txt (927 bytes)
These are all still loading:
Please disable the following programs:
RegCure
Registry Reviver
Dr. Web
Iobit Advanced System Care
Tune Up Utilities

got a bunch of viruses all of a sudden, I think I got all of them but one, and no anti-virus has been able to get it off
Please describe what happened to make you think you 'got a bunch of viruses' and what you did to remove 'all of them but one.'

What is this remaining 'one.'
 
Sorry I can't figure out how to disable them, help?

Well, when it started, a setup.exe application came on...
So I was like "Huh... What's that..."

And I didn't try to stop it because I didn't know what it was...
Then like 15-20 seconds later a bunch of popups started coming and
my computer kept stalling and then I knew I got a virus

So I shut the internet down so I couldn't get any more

Then I ran uhm.

Eset32 Nod, Advance Care System, Spyware Doctor, Dr Web, Sophos Anti Rootkit, Malwarebyte, CCLeaner, (oh and ComboFix) and I think that's it, and I think between all of them, it found like 50 infections, and most of them were not cookies, they were like actual trojans and such.

And I've scanned my computer multiple times and some scans catch it and some don't, but the only one left is the Rootkit.Agent which is this

C:\Windows\System32\drivers\yaljeou.sys

So.. yeah that's about it.
 
Sorry about the double post,
I'm not sure if this will help,
but this is the log from where it removed a bunch of viruses.
 

Attachments

  • log.txt (11.9 KB)
Eset32 Nod, Advance Care System, Spyware Doctor, Dr Web, Sophos Anti Rootkit, Malwarebyte, CCLeaner, (Oh and ComboFix)
Plus 2 Registry cleaners!

Please do not run any other cleaning programs or scans while I am helping you except the ones I direct you to. Don't run a Registry cleaner and don't make any changes in the Registry.


Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\IObit\Advanced SystemCare 3\AWC.exe
c:\program files\TuneUp Utilities 2010\Integrator.exe
c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe
Folder::
c:\users\Lyndz\DoctorWeb
c:\program files\ReviverSoft
c:\programdata\ReviverSoft
c:\program files\Sophos
c:\programdata\RegCure

FolderLook::
C:\Device

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]
"yaljeou"
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Driver::
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
To take entries off of Startup:
1. Start> Run> type in msconfig>enter> Selective Startup> Startup menu> Uncheck any process related to the following programs:
RegCure
Registry Reviver
Dr. Web
Iobit Advanced System Care
Tune Up Utilities

NOTE: if you can't see enough to ID the program name, put your cursor over the dividing line at the top of the command column and move it to the right. See image below:
[image: msconfigyd9.jpg]


When through> Apply> OK> Reboot:
NOTE: you will get a 'nag' message about being in Selective Start-up. Check 'don't show me this message any more.'> Close on the X- you will need to stay in Selective Start-up after making changes. If you do not, it will revert back to Normal and include the programs you stopped.

You can then uninstall any of these programs you don't want in Add/Remove Programs in the Control Panel.

To stop any Services from restarting the program: Best done in Safe Mode:
  • Start> Run> type in services.msc> OK
  • Double click on Service to be changed
  • Change Startup type as directed
  • Exit from Services
Reboot the system into Normal Mode.
 
Registry Cleaners:

Registry Reviver
RegCure
Advanced System Care.
TuneUp Utilities

So basically, you've had 4 different programs, all running at the same time, trying to decide which will remove what from the Registry! Not good.

Most of us don't recommend use of Registry cleaners. I removed some of these programs because you didn't know how to disable them and they needed to be stopped during cleaning. You will find that these types of programs use a lot of the system resources and frequently conflict with other running programs.

TuneUp Utilities is still on the system and does have some useful parts. I would recommend though that you open the program and disable both the TuneUp Registry Optimizer and the Memory Optimizer. These are high resource users.

I do not recommend that you reinstall RegCure, Registry Reviver or the Iobit Advanced System Care. The features they have can also be found free within the operating system itself. You might want to reinstall the Sophos AntiRootkit program.

Are you experiencing any more of the original malware related problems?
 
No, not really I guess.
I mean my computer is acting normal, how it's supposed to.
But that file shows still infected. Should I just leave it there?
 
Reboot the computer.

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
===================================
Follow with Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

If these are clean and/or if there are no bad entries in the HijackThis log, we will consider this a False Positive.

Please leave the 2 logs in your next reply.
 
Okay, it looks like you went ahead and had Eset quarantine the entry. Good idea to empty the Java cache:

Start> Settings> Control Panel> Java> Temporary Internet Files section> Settings> Delete.

But the full Hijackthis log looks very lean. The only things running are the security programs, Windows Explorer and Internet Explorer. Does the system seem to be running okay? If so:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if you need more help.
 
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

I'll check to see if any entries are new or suspect.
 
I understand that you're busy. Please understand that I also have a life. You are leaving logs here, one after the other, and multiples of the same logs. You have used multiple cleaning programs with no supervision.
=====================
First Mbam after you reran and removed:
5/22/2010 5:21:24 PM
mbam-log-2010-05-22 (17-21-24).txt
Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

The following same log was left 3 different times:
5/23/2010 1:22:23 PM
mbam-log-2010-05-23 (13-22-23).txt
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
5/23/2010 1:22:23 PM
mbam-log-2010-05-23 (13-22-23).txt
Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
5/23/2010 1:22:23 PM
mbam-log-2010-05-23 (13-22-23).txt
Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

There are multiple Combofix logs> only 2 were run with the script:
Combofix:
ComboFix 10-05-22.01 - Lyndz 05/22/2010 17:27:11.4.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2445 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe

--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

ComboFix 10-05-22.01 - Lyndz 05/22/2010 18:04:25.5.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2306 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou

ComboFix 10-05-22.03 - Lyndz 05/23/2010 11:26:22.6.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2367 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

ComboFix 10-05-24.07 - Lyndz 05/25/2010 13:47:00.7.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2420 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

You were instructed not to check for removal in the Eset scan, then you checked for removal in each.

I don't think you have Rootkit.

Please remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Then run TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

This will end my support. This thread is closed.
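As an added example, not code from the thread or from any of the tools it names: a small Python triage script that does what the helper did by hand in this last reply. It parses the MBAM detection lines and ComboFix run headers the user posted (embedded below as constructed sample text built from the file names and paths quoted in the thread), counts distinct logs versus re-posted duplicates, shows which ComboFix runs used a CFScript, and flags a file that is reported "removed" in more than one log yet is deregistered again on every run.

```python
import re
from collections import defaultdict
# Constructed sample: MBAM lines and ComboFix headers quoted in the thread (one log pasted twice).
MBAM_LOGS = r"""
mbam-log-2010-05-22 (17-21-24).txt
Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
mbam-log-2010-05-23 (13-22-23).txt
Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
mbam-log-2010-05-23 (13-22-23).txt
Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

COMBOFIX_HEADERS = r"""
ComboFix 10-05-22.01 - Lyndz 05/22/2010 17:27:11.4.2 - x86
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
ComboFix 10-05-22.01 - Lyndz 05/22/2010 18:04:25.5.2 - x86
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
ComboFix 10-05-22.03 - Lyndz 05/23/2010 11:26:22.6.2 - x86
Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
ComboFix 10-05-24.07 - Lyndz 05/25/2010 13:47:00.7.2 - x86
Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
"""
MBAM_NAME_RE = re.compile(r"^mbam-log-\d{4}-\d{2}-\d{2} \(\d{2}-\d{2}-\d{2}\)\.txt$")
MBAM_HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
CF_RUN_RE = re.compile(r"^ComboFix (?P<ver>\S+) - \S+ (?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")

def parse_mbam(text):
    """(log_name, path, detection, action) per hit, attributed to the nearest mbam-log name above it."""
    current, hits = None, []
    for line in (l.strip() for l in text.splitlines()):
        if MBAM_NAME_RE.match(line):
            current = line
        elif (m := MBAM_HIT_RE.match(line)):
            hits.append((current, m["path"], m["name"], m["action"]))
    return hits

def triage_mbam(hits):
    """Per file: submissions vs. distinct logs; the difference is re-posted copies of one log."""
    seen = defaultdict(list)
    for log, path, name, _ in hits:
        seen[(path.lower(), name)].append(log)
    return {path: {"detection": name, "submitted": len(logs),
                   "distinct_logs": len(set(logs)),
                   "duplicates": len(logs) - len(set(logs))}
            for (path, name), logs in seen.items()}

def parse_combofix_runs(text):
    """One record per ComboFix run: version, time, CFScript used (if any), deregistered drivers."""
    runs = []
    for line in (l.strip() for l in text.splitlines()):
        if (m := CF_RUN_RE.match(line)):
            runs.append({"version": m["ver"], "when": m["when"],
                         "script": None, "deregistered": []})
        elif line.startswith("Command switches used ::") and runs:
            runs[-1]["script"] = line.split("::", 1)[1].strip()
        elif "*Deregistered*" in line and runs:
            runs[-1]["deregistered"].append(line.rsplit("- ", 1)[1].strip())
    return runs

def recurring_after_removal(report, runs):
    """Files MBAM 'removed' in more than one distinct log whose driver ComboFix also
    deregisters on every run: the removed-yet-back pattern the helper questions."""
    names = [set(r["deregistered"]) for r in runs]
    return [p for p, info in report.items()
            if info["distinct_logs"] > 1
            and all(p.rsplit("\\", 1)[-1].rsplit(".", 1)[0] in n for n in names)]
```

A file that survives a "Quarantined and deleted successfully" verdict across distinct scans is either being re-dropped by something the scans are not catching or is a recurring false positive; either way the repeated logs are the signal to investigate, not evidence of a clean.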
 