TechSpot

Rootkit.agent Removal - Windows XP

By kael21
Sep 24, 2010
  1. Got the rootkit.agent virus in my computer. I have run NAV and Malwarebytes to remove. Surprisingly Malwarebytes could not remove this virus..or trojan.

    What's happening due to this trojan is every time I plug in my Internet network cable into the modem, and try to surf, the death of blue screen appears. This screen, along with running HijackThis, has narrowed the infected file to C:\Windows\system32\drivers\hleeq.sys.

    Saw a similar post on the forums here and followed its instructions. Downloaded and followed these instructions for ComboFix and have the report (attached).

    Need guidance on next steps. Please help.

    Kael
     

    Attached Files:

  2. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Original ComboFix log attached here.
     

    Attached Files:

  3. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  4. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Will do. Walking thru that page now. Stay tuned
     
  5. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    OK :)...........
     
  6. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Almost done...hmmm...any chance we can do this thru skype? Faster and more efficient ;-)
     
  7. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Unfortunately this is a free help, you're not the only person I'm helping, Skype conversation wouldn't benefit others, so....the short answer is NO.
     
  8. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Ran through the steps.

    Logs attached below. Next steps?
     

    Attached Files:

  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
     
  10. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Assuming you're referring to Malwarebytes app. Performed what you said...

    Cannot logon as admin as the software won't accept a blank password...which I used when I installed XP.

    So tried as the main user, me as I'm the only one on my comp. Got the following..

    Dialog box error: "An error has occurred. Please report this error code to our support team. MBAM_ERROR_EXPANDING_VARIABLES (0.9)."

    Click ok

    Another dialog box...

    MBAM_ERROR_MISSING_FILE (3,0, mbamswissarmy.sys). The system cannot find the path specified.

    Stuck...help?
     
  11. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Sorry...reread this...let me try downloading it first. Though the admin steps will still be an issue I assume.

    Stay tuned..
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Let me know....
     
  13. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Here we go. Report attached.

    Next...
     

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    That looks good :)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\hleeq.sys
    c:\windows\system32\drivers\oopuhnpkpjv.sys
    c:\windows\Ekemewere.bin
    c:\windows\Twuxeqe.dat
    
    
    Folder::
    c:\documents and settings\Michael\Application Data\Registry Mechanic
    
    
    Driver::
    hleeq
    oopuhnpkpjv
    khqlmxop
    MpKsl4ff52c47
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hleeq]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
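As an added example (not code from the thread or from ComboFix itself): a small Python parser for the CFScript format in the post above, so a responder can list exactly which files, folders, driver services and registry keys a script will remove and confirm each is gone after the run. It assumes only the section names and the `[-KEY]` delete syntax visible in the post; the sample script is constructed from the entries in post #14.

```python
import re
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::", "Driver::"

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, preserving entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines only pad the sections
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_actions(entries):
    """'[-KEY]' deletes the key (the form used in the thread); '[KEY]' is any other action."""
    actions = []
    for e in entries:
        m = re.fullmatch(r"\[(-?)(.+)\]", e)
        if not m:
            raise ValueError(f"unrecognised Registry:: entry: {e!r}")
        actions.append(("delete_key" if m.group(1) else "other", m.group(2)))
    return actions

def removal_checklist(sections):
    """Everything the script removes, as (kind, name) pairs to check after the run."""
    items = [("file", p) for p in sections.get("File", [])]
    items += [("folder", p) for p in sections.get("Folder", [])]
    items += [("driver", d) for d in sections.get("Driver", [])]
    items += [("regkey", k) for act, k in registry_actions(sections.get("Registry", []))
              if act == "delete_key"]
    return items

# Constructed sample: the File/Driver/Registry entries from post #14 above.
SAMPLE = """File::
c:\\windows\\system32\\drivers\\hleeq.sys
c:\\windows\\system32\\drivers\\oopuhnpkpjv.sys
Driver::
hleeq
oopuhnpkpjv
Registry::
[-HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\hleeq]
"""
```

Running `removal_checklist(parse_cfscript(SAMPLE))` gives the five artefacts (two files, two driver services, one service key) whose absence should be verified in the post-run ComboFix log.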
     
  15. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Running the file...should be done shortly
     
  16. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Here you go...see attached (fingers crossed)
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It looks good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  18. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Ok working on it. I'm on a MacBook for web access as the trojan is preventing the PC from going online without it crashing to the death of blue, so I'm swapping in between. Ok..onto the next step. Will advise you shortly of the results..
     
  19. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Did you restart the computer after the last ComboFix run and try connecting your computer to the modem again?
     
  20. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Two reports attached.

    Couldn't paste here as the forum has a limit on the number of characters it allows.
     

    Attached Files:

  21. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Yes - I can get online now (meaning I can plug in the modem network cable and access the web), but after not too long, the death of blue comes back. After all my research on this and 'thinking', I've narrowed the infected file to C:\Windows\system32\drivers\hleeq.sys. This file is still there (last I checked before we began this journey together), which I believe is causing these issues from a trojan.

    The two files produced from the last scan are attached above. Fingers crossed here hoping we're close.
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    What about my last question?
     
  23. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I didn't see your last reply, so hold on there....
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    hleeq.sys infection is gone.
    Did any BSOD happen after the last ComboFix run?
     
  25. kael21

    kael21 TS Rookie Topic Starter Posts: 16

    Any success Broni?
     
Topic Status:
Not open for further replies.
