TechSpot

Rootkit.Agent Help

By CherryLyndz
May 22, 2010
  1. I finished watching a clip on the internet last night and then I got a bunch of viruses all of a sudden. I think I got all of them but one, and no anti-virus has been able to get it off. Please help. Also, I followed the instructions and here are the logs. Thanks so much for your help.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    1. Mbam says 'No Action Taken' for that one entry. That means you did not check the line for the program to remove what it found. Please update and run again, checking for removal.

    2. What problems are you having?
    3. Did you turn off system Restore? If yes, why?

    I'll finish checking the logs and will be back.
     
  3. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    For the Mbam, it says "No Action Taken" because it was just the last file it saved. I ran it multiple times before and it tries to remove it; then, when it restarts to remove, it's back once again. So I decided to scan again and not do anything about it last time, because I knew it wouldn't remove it. I scanned it so it would make a log and so I could upload it here. So that's why it says "No action taken". So do you still want me to update and scan again?

    Problems? Well, besides having a rootkit: random popups sometimes, and Mbam (when I turn on protection) says that it's blocking viruses whenever I click on pretty much any link. I also can't open some applications. Umm...

    And I turned off System Restore a while ago, before I had a virus (stupid thing to do, I know), because a friend told me to (stupid advice); he said it would make it faster or something (he obviously doesn't know what he was talking about). But yeah, that's about it.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I had added this to the reply but you picked it up too fast, so I'm making it a new reply and including your reply:

    I need something a bit more detailed: when it comes to problems, we need the information to be as specific as possible:
    1. What kind of pop-ups are you having? Ads for Viagra? Security alerts telling you to click on some program to remove virus?
    2. Is Mbam blocking a site? Read this please and tell me if this is what's happening:
    http://www.techspot.com/vb/topic147469.html
    3. What applications can't you open and what happens when you try?
    4. I see several antimalware programs and system maintenance programs but no antivirus program. Do you have an AV program? What is it?
    5. You have a program called Bot. What is that?
    6. Please disable RegCure. Do not run any Registry cleaner or make any registry changes while I am helping you. It would also be a good idea to disable TuneUp Utilities and Advanced System Care for now. These programs run in the background and may affect the scans and their results.

    Yes, I do.
    Don't listen to friends when it comes to malware.

    I only see one entry that might be a problem.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
     
  5. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Thanks for the reply!

    1. Umm, I think they're ads. Most of the time I close them before they appear because I already know they're popups, but they're not security alerts. (Actually I haven't seen popups lately anymore, so I might be wrong about those.)

    2. Yes, actually. Out of the page from the link on question 2, "Block" would describe it best, I think, because when I try to open a page I usually am able to open, it says "Unable to connect" / "Firefox can't establish a connection to the server at (whatever the site is)".

    3. Oh wow, well, I just tried to open an application that usually wouldn't open when the virus was still on (in this case I tried to open Diablo 2 LoD), but this time it worked, so I'm not really sure if I am not able to open other apps. So that symptom might be gone.

    4. Umm, the antivirus I would use would be the Mbam protection thing, the one that, if a virus tries to do something, says on a popup "Oh, Mbam stopped this", kind of thing. But besides that, I don't really have one.

    5. Bot is a bot for my Diablo 2 game. It's harmless, as I've used it for years before; it's called D2NT.

    6.Will Do, If i can figure it out, cuz i dont see regcure being active, and i dont think ive used it for a while. (if i do have it, idk if i have it?)

    (If I'm not specific enough, I'm sorry; I'm trying to be. =[ )

    KKz Heres the Logz

    I updated and scanned again and tried to delete, and there's the log. And yes, it's still there; it has not been deleted.

    Rawrr

    Edit: Ahh, I forgot to turn off Malwarebytes protection when I did the ComboFix scan! Let me rescan and reupload.
     

    Attached Files:

  6. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Here's the new log.
     

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is not blocking. This is a problem with either the server or the internet connection. If a security program like Malwarebytes or a browser like Firefox blocks a site from loading, it will show you an alert that the site has been blocked because...

    Antimalware is not antivirus. Please put one of the following on the system now. Both are free:
    Avira Free
    Avast Home

    Please disable the following programs:
    RegCure
    Registry Reviver
    Dr. Web
    Iobit Advanced System Care
    Tune Up Utilities

    The Combofix report shows that you ran it 4 times- why was that?
    =======================================
    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\82F5.tmp
    c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    Folder::
    c:\users\Lyndz\AppData\Local\xurpxhbcc
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
    
    Driver::
    MEMSWEEP2
    Stereo Service
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================
    Please do not install any new programs while I am helping you unless I instruct you to. Do not use any Registry cleaners or programs that contain Registry cleaners. Do not make any Registry changes.

    Please don't use chat talk- I don't understand it:
    idk if i have it?)
    KKz Heres the Logz
     
  8. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Sorry about the ComboFix being used 4 times. My roommate tried to fix my computer before I did, so she probably tried using that.

    I ran the script on ComboFix. Here's the log.

    And here's the Eset NOD32 log.

    And yeah, I still have the rootkit there. =[ (See Mbam log?)
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    These are all still loading:
    Please describe what happened to make you think you 'got a bunch of viruses' and what you did to remove 'all of them but one.'

    What is this remaining 'one.'
     
  10. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Sorry, I can't figure out how to disable them. Help?

    Well, when it started, a setup.exe application came on...
    So I was like "Huh... what's that..."

    And I didn't try to stop it because I didn't know what it was...
    Then, like 15-20 seconds later, a bunch of popups started coming and
    my computer kept stalling, and then I knew I got a virus.

    So I shut the internet down so I couldn't get any more.

    Then I ran, umm...

    Eset NOD32, Advanced SystemCare, Spyware Doctor, Dr Web, Sophos Anti Rootkit, Malwarebytes, CCleaner (oh, and ComboFix), and I think that's it. And I think, between all of them, it found like 50 infections, and most of them were not cookies; they were like actual trojans and such.

    And I've scanned my computer multiple times and some scans catch it and some don't, but the only one left is the Rootkit.Agent, which is this:

    C:\Windows\System32\drivers\yaljeou.sys

    So... yeah, that's about it.
     
  11. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Sorry about the double post.
    I'm not sure if this will help,
    but this is the log from where it removed a bunch of viruses.
     

    Attached Files:

    • log.txt (11.9 KB)
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Plus 2 Registry cleaners!

    Please do not run any other cleaning programs or scans while I am helping you except the ones I direct you to. Don't run a Registry cleaner and don't make any changes in the Registry.


    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\IObit\Advanced SystemCare 3\AWC.exe
    c:\program files\TuneUp Utilities 2010\Integrator.exe
    c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe
    Folder::
    c:\users\Lyndz\DoctorWeb
    c:\program files\ReviverSoft
    c:\programdata\ReviverSoft
    c:\program files\Sophos
    c:\programdata\RegCure
    
    FolderLook::
    C:\Device
    
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]
    "yaljeou"
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
    Driver::
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    To take entries off of Startup:
    1. Start> Run> type in msconfig>enter> Selective Startup> Startup menu> Uncheck any process related to the following programs:
    RegCure
    Registry Reviver
    Dr. Web
    Iobit Advanced System Care
    Tune Up Utilities

    NOTE: if you can't see enough to ID the program name, put your cursor over the dividing line at the top of the command column and move it to the right. See image below:
    [image]

    When through> Apply> OK> Reboot:
    NOTE: you will get a 'nag' message about being in Selective Start-up. Check 'don't show me this message any more.'> Close on the X- you will need to stay in Selective Start-up after making changes. If you do not, it will revert back to Normal and include the programs you stopped.

    You can then uninstall any of these programs you don't want in Add/Remove Programs in the Control Panel.

    To stop any Services from restarting the program: Best done in Safe Mode:
    • Start> Run> type in services.msc> OK
    • Double click on Service to be changed
    • Change Startup type as directed
    • Exit from Services
    Reboot the system into Normal Mode.
     
  13. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Heres The Log
     

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Registry Cleaners:

    Registry Reviver
    RegCure
    Advanced System Care.
    TuneUp Utilities

    So basically, you've had 4 different programs, all running at the same time, trying to decide which will remove what from the Registry! Not good.

    Most of us don't recommend use of Registry cleaners. I removed some of these programs because you didn't know how to disable them and they needed to be stopped during cleaning. You will find that these types of programs use a lot of the system resources and frequently conflict with other running programs.

    TuneUp Utilities is still on the system and does have some useful parts. I would recommend though that you open the program and disable both the TuneUp Registry Optimizer and the Memory Optimizer. These are high resource users.

    I do not recommend that you reinstall RegCure, Registry Reviver or the Iobit Advanced System Care. The features they have can also be found free within the operating system itself. You might want to reinstall the Sophos AntiRootkit program.

    Are you experiencing any more of the original malware related problems?
     
  15. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    No, not really, I guess.
    I mean, my computer is acting normal, how it's supposed to.
    But that file still shows as infected. Should I just leave it there?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Reboot the computer.

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ===================================
    Follow with Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    If these are clean and/or if there are no bad entries in the HijackThis log, we will consider this a False Positive.

    Please leave the 2 logs in your next reply.
     
  17. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    HijackThis and Eset logs
     

    Attached Files:

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, it looks like you went ahead and had Eset quarantine the entry. Good idea to empty the Java cache:

    Start> Settings> Control Panel> Java> Temporary Internet Files section> Settings> Delete.

    But the full Hijackthis log looks very lean. The only things running are the security programs, Windows Explorer and Internet Explorer. Does the system seem to be running okay? If so:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if you need more help.
     
  19. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Ugh.
    Well.
    I wanted the rootkit off, but I guess it will have to do for now.
    Thanks for the help!
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    I'll check to see if any entries are new or suspect.
     
  21. CherryLyndz

    CherryLyndz TS Rookie Topic Starter

    Here's the new log. Sorry it took so long; I'm in the process of moving.
     

    Attached Files:

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I understand that you're busy. Please understand that I also have a life. You are leaving logs here, one after the other, and multiples of the same logs: you have used multiple cleaning programs with no supervision.
    =====================
    First Mbam after you reran and removed:
    5/22/2010 5:21:24 PM
    mbam-log-2010-05-22 (17-21-24).txt
    Files Infected:
    C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

    The following same log was left 3 different times:
    There are multiple ComboFix logs> only 2 were run with the script:
    Combofix:
    ComboFix 10-05-22.01 - Lyndz 05/22/2010 17:27:11.4.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2445 [GMT -7:00]
    Running from: c:\users\Lyndz\Desktop\ComboFix.exe

    --- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

    ComboFix 10-05-22.01 - Lyndz 05/22/2010 18:04:25.5.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2306 [GMT -7:00]
    Running from: c:\users\Lyndz\Desktop\ComboFix.exe
    --- Other Services/Drivers In Memory ---*Deregistered* - yaljeou

    ComboFix 10-05-22.03 - Lyndz 05/23/2010 11:26:22.6.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2367 [GMT -7:00]
    Running from: c:\users\Lyndz\Desktop\ComboFix.exe
    Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
    --- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

    ComboFix 10-05-24.07 - Lyndz 05/25/2010 13:47:00.7.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2420 [GMT -7:00]
    Running from: c:\users\Lyndz\Desktop\ComboFix.exe
    Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
    --- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

    You were instructed not to check for removal in the Eset scan, then you checked for removal in each.

    I don't think you have a rootkit.

    Please remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Then run TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Empty the Recycle Bin

    This will end my support. This thread is closed.
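The post above has to reconcile four ComboFix runs and one Malwarebytes log that were pasted one after another. As an added example (not part of the thread, and not code from ComboFix or Malwarebytes), here is a small Python parser that pulls the run header, the CFScript switch, the "Deregistered" driver name and the service key out of each ComboFix excerpt, extracts the detection line from the Mbam log, and summarises how many runs used a script and which name keeps recurring. The sample input is constructed from the lines quoted in the post; the layout of a full ComboFix report is assumed from those lines only, and all function and pattern names are mine.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the ComboFix header/summary lines quoted in the thread.
# A real ComboFix.txt is far longer; only these lines are assumed here.
SAMPLE_LOGS = r"""ComboFix 10-05-22.01 - Lyndz 05/22/2010 17:27:11.4.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2445 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe

--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

ComboFix 10-05-22.01 - Lyndz 05/22/2010 18:04:25.5.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2306 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou

ComboFix 10-05-22.03 - Lyndz 05/23/2010 11:26:22.6.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2367 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]

ComboFix 10-05-24.07 - Lyndz 05/25/2010 13:47:00.7.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2420 [GMT -7:00]
Running from: c:\users\Lyndz\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyndz\Desktop\CFScript.txt
--- Other Services/Drivers In Memory ---*Deregistered* - yaljeou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\yaljeou]
"""

# Constructed sample: the Malwarebytes "Files Infected" entry quoted in the thread.
MBAM_SAMPLE = r"""Files Infected:
C:\Windows\System32\drivers\yaljeou.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# "ComboFix <version> - <user> <mm/dd/yyyy> <hh:mm:ss>.<extra> - x86"; the trailing fields are ignored.
HEADER_RE = re.compile(r"^ComboFix (?P<ver>\S+) - (?P<user>\S+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})")
SWITCH_RE = re.compile(r"^Command switches used :: (?P<script>.+)$")
DEREG_RE = re.compile(r"\*Deregistered\* - (?P<name>\S+)")       # search(): line may be fused with a heading
SERVICE_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\services\\(?P<name>[^\]]+)\]")
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class ComboFixRun:
    version: str
    user: str
    started: datetime
    script: Optional[str] = None                     # CFScript path, if one was dragged onto ComboFix
    deregistered: List[str] = field(default_factory=list)
    service_keys: List[str] = field(default_factory=list)


def parse_combofix_runs(text: str) -> List[ComboFixRun]:
    """Split concatenated ComboFix excerpts into one record per run header."""
    runs: List[ComboFixRun] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            started = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
            runs.append(ComboFixRun(m["ver"], m["user"], started))
            continue
        if not runs:
            continue                                  # text before the first header is ignored
        run = runs[-1]
        if (m := SWITCH_RE.match(line)):
            run.script = m["script"].strip()
        elif (m := DEREG_RE.search(line)):
            run.deregistered.append(m["name"])
        elif (m := SERVICE_KEY_RE.match(line)):
            run.service_keys.append(m["name"])
    return runs


def parse_mbam_detections(text: str) -> List[Dict[str, str]]:
    """Return path / detection name / action for each Malwarebytes result line."""
    return [m.groupdict() for m in (MBAM_RE.match(l.strip()) for l in text.splitlines()) if m]


def summarize(runs: List[ComboFixRun], detections: List[Dict[str, str]]) -> Dict[str, object]:
    """Cross-check the runs: how many used a script, and which driver names keep coming back."""
    counts: Dict[str, int] = {}
    for run in runs:
        for name in run.deregistered:
            counts[name] = counts.get(name, 0) + 1
    return {
        "total_runs": len(runs),
        "script_runs": sum(1 for r in runs if r.script),
        "recurring_drivers": {n: c for n, c in counts.items() if c > 1},
        "quarantined_files": [d["path"] for d in detections if d["action"].startswith("Quarantined")],
    }


if __name__ == "__main__":
    print(summarize(parse_combofix_runs(SAMPLE_LOGS), parse_mbam_detections(MBAM_SAMPLE)))
```

The summary makes the helper's reading of the logs explicit: the same driver name shows up as "Deregistered" in every run, only two runs carried the CFScript switch, and Malwarebytes reports the driver file as quarantined. Consolidating pasted logs this way is a quick sanity check before deciding whether a repeated detection is a live infection or a stale entry.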
     
Topic Status:
Not open for further replies.
