Inactive Rootkit.agent Removal - Windows XP

Status
Not open for further replies.

kael21

Got the rootkit.agent virus in my computer. I have run NAV and Malwarebytes to remove it. Surprisingly, Malwarebytes could not remove this virus... or trojan.

What's happening due to this trojan is every time I plug in my Internet network cable into the modem, and try to surf, the death of blue screen appears. This screen, along with running Hijackthis has narrowed the infected file to C:\Windows\system32\drivers\hleeq.sys.

Saw a similar post on the forums here and followed its instructions. Downloaded and followed these instructions for ComboFix and have the report (attached).

Need guidance on next steps. Please help.

Kael
 

Attachments

  • combo_fix_log.txt (15.3 KB)
  • hijackthis.log (6.7 KB)
Welcome aboard


First of all.....Do not run Combofix without our guidance

Secondly....

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Unfortunately this is free help, you're not the only person I'm helping, and a Skype conversation wouldn't benefit others, so....the short answer is NO.
 
Ran through the steps.

Logs attached below. Next steps?
 

Attachments

  • Attach.txt (5.9 KB)
  • DDS.txt (15.8 KB)
  • gmer.log (1.2 KB)
  • mbam-log.txt (955 bytes)
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Assuming you're referring to Malwarebytes app. Performed what you said...

Cannot logon as admin as the software won't accept a blank password...which I used when I installed XP.

So tried as the main user, me as I'm the only one on my comp. Got the following..

Dialog box error: "An error has occurred. Please report this error code to our support team. MBAM_ERROR_EXPANDING_VARIABLES (0.9)."

Click ok

Another dialog box...

MBAM_ERROR_MISSING_FILE (3,0, mbamswissarmy.sys). The system cannot find the path specified.

Stuck...help?
 
Sorry...reread this...let me try downloading it first. Though the admin steps will still be an issue I assume.

Stay tuned..
 
That looks good :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\hleeq.sys
c:\windows\system32\drivers\oopuhnpkpjv.sys
c:\windows\Ekemewere.bin
c:\windows\Twuxeqe.dat


Folder::
c:\documents and settings\Michael\Application Data\Registry Mechanic


Driver::
hleeq
oopuhnpkpjv
khqlmxop
MpKsl4ff52c47


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hleeq]


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif)



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
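As an added example (not part of this thread, and not code from ComboFix or its authors): a small Python 3 script that reads a CFScript in the File::/Folder::/Driver::/Registry:: layout shown above and reports which of the listed files, folders, driver service entries and registry keys still exist. Run before and after the ComboFix pass it answers "is hleeq.sys still there?" with a check rather than from memory; the driver's service key is what makes a dropped .sys load again at boot, so it is worth confirming that too. Assumptions: Python 3 is installed on the machine; the embedded CFScript is a constructed copy of the one posted above; the driver and registry checks use the standard winreg module and report "not checked" when the script is run on a non-Windows system.

```python
"""Report which artifacts named in a ComboFix CFScript are still present.

Added example, not part of the thread or of ComboFix itself.  Parses the
File::/Folder::/Driver::/Registry:: sections and checks each entry against
the local machine.  Driver and Registry checks need Windows (winreg); on
other systems they return None, shown as 'not checked'.
"""
import os
import re
from collections import OrderedDict

try:
    import winreg  # standard library on Windows only
except ImportError:  # not on Windows: registry-based checks are skipped
    winreg = None

# Constructed copy of the CFScript posted in the thread, used as sample input.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\drivers\hleeq.sys
c:\windows\system32\drivers\oopuhnpkpjv.sys

Folder::
c:\documents and settings\Michael\Application Data\Registry Mechanic

Driver::
hleeq
oopuhnpkpjv

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hleeq]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")


def parse_cfscript(text):
    """Return an ordered {section: [entries]} mapping, blank lines ignored."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError("entry before any section header: %r" % line)
    return sections


def parse_registry_entry(entry):
    """Split '[-HIVE\\sub\\key]' into (hive, subkey, delete_flag).

    A leading '-' inside the brackets is ComboFix's 'delete this key' marker.
    """
    m = re.match(r"^\[(-?)([A-Z_]+)\\(.+)\]$", entry)
    if not m:
        raise ValueError("unrecognised registry line: %r" % entry)
    delete, hive, subkey = m.groups()
    return hive, subkey, delete == "-"


def registry_key_exists(hive, subkey):
    """True/False on Windows; None when the registry cannot be consulted."""
    if winreg is None:
        return None
    root = getattr(winreg, hive, None)  # e.g. winreg.HKEY_LOCAL_MACHINE
    if root is None:
        return None
    try:
        winreg.CloseKey(winreg.OpenKey(root, subkey))
        return True
    except OSError:
        return False


def driver_service_exists(name):
    """Does the driver still have a service entry in the control set in use?"""
    return registry_key_exists("HKEY_LOCAL_MACHINE",
                               r"System\CurrentControlSet\Services\%s" % name)


def check_artifacts(sections):
    """Return [(section, entry, present)], present being True/False/None."""
    results = []
    for entry in sections.get("File", []):
        results.append(("File", entry, os.path.isfile(entry)))
    for entry in sections.get("Folder", []):
        results.append(("Folder", entry, os.path.isdir(entry)))
    for entry in sections.get("Driver", []):
        results.append(("Driver", entry, driver_service_exists(entry)))
    for entry in sections.get("Registry", []):
        hive, subkey, _delete = parse_registry_entry(entry)
        results.append(("Registry", entry, registry_key_exists(hive, subkey)))
    return results


if __name__ == "__main__":
    labels = {True: "STILL PRESENT", False: "gone", None: "not checked"}
    for section, entry, present in check_artifacts(parse_cfscript(SAMPLE_CFSCRIPT)):
        print("%-8s %-14s %s" % (section, labels[present], entry))
```

To use it on a real CFScript, replace SAMPLE_CFSCRIPT with the contents of CFScript.txt (or read the file) and run the script from an administrator command prompt so the Services keys are readable; a Driver entry that reports "STILL PRESENT" after the run means the service registration survived even if the .sys file is gone.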
 
It looks good :)

How is computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Ok, working on it. I'm on a Mac workbook for web access as the trojan is preventing the PC from going online without it crashing to the death of blue, so I'm swapping in between. Ok..onto the next step. Will advise you shortly of the results..
 
as the trojan is preventing the PC from going online without it crashing to the death of blue
Did you restart computer after last Combofix run and tried connecting your computer to a modem again?
 
Two reports attached.

Couldn't paste here as the forum has a limit on the number of characters it allows.
 

Attachments

  • Extras.Txt (44.4 KB)
  • OTL.Txt (119.6 KB)
Yes - I can get online now (meaning I can plug in the modem network cable and access the web), but after not too long, the death of blue comes back. After all my research on this and 'thinking' I've narrowed the infected file to C:\Windows\system32\drivers\hleeq.sys; this file is still there (last I checked before we began down this journey together), and I believe it is causing these issues from a trojan.

The two files produced from the last scan are attached above. Fingers crossed here hoping we're close.
 