TechSpot

Rootkit.agent removal

By omy
May 21, 2010
  1. I picked up this rootkit about a week ago; quite a few trojans etc. came with it. I've run SUPERAntiSpyware, Avira AntiVir, Kaspersky Anti-Virus, AV anti-virus, Malwarebytes, Windows Defender, ThreatFire, Spybot Search & Destroy, CCleaner, Ad-Aware, as well as several anti-rootkit programs (e.g. Sophos).
    Some of these programs I ran in safe mode as well as normal mode.
    I seem to have gotten rid of most of the bad stuff, but I still get the rootkit showing up. I ran the programs you suggest, i.e. the 8 steps; done it, and it's still there. I have the logs on file here.
    Can you help me? I really don't want to reformat, but you may be my last hope before I do that.
    Thanks in advance, Mike
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  3. omy

    omy TS Rookie Topic Starter

    I've already done it, but on the DDS program I was only able to get a DDS.txt file. I have that file, the antivirus one (AV report.txt), a gmer.log and mbam-log.txt.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Post DDS.txt, GMER and MBAM logs.
     
  5. omy

    omy TS Rookie Topic Starter

    Here are the Avast, DDS, GMER and MBAM logs.
     

    Attached Files:

  6. omy

    omy TS Rookie Topic Starter

    This incident occurred about 5 days ago. I disconnected that computer from the internet and tried disinfecting it, using the programs on it and also ones I transferred onto the computer, such as the ones that produced the logs. The logs posted are from this afternoon.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  8. omy

    omy TS Rookie Topic Starter

    I have to leave the computer for some time. I will be back at it tomorrow morning and will do as you indicate regarding ComboFix and HijackThis, and give you another post. Thank you for such a quick response; I really do appreciate your assistance.
    Mike
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You're welcome :)
     
  10. omy

    omy TS Rookie Topic Starter

    hi Broni

    here are the logs
    HijackThis came on right away and said it couldn't get into the hosts file, and asked me to log on as an administrator, which I already did. I got out and went back into the program as administrator a second time and got the same box, so I went ahead anyway. It's possible I have something on the computer blocking entry into the hosts file, but I don't see any problem with it, i.e. my home page etc. are untouched. I'll be here until about 2 pm today and then I am out till this evening.
    Mike
     

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Don't worry about it.

    Combofix says:
    My instructions clearly say you should be running Combofix from your desktop, so please move Combofix to the correct location.

    Do you still use ThreatFire?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    BCASPROT
    cpuz128
    MEMSWEEP2
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hiybkqqi]
    
    
    RegLockDel::
    
    TDL::
    C:\Windows\system32\drivers\iastor.sys
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [Image: animation of dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
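    The CFScript in the post above is ComboFix's own input format: a series of section headers (File::, Folder::, Driver::, Registry::, RegLockDel::, TDL::) each followed by the items that section acts on. As an added example, not code from this thread or from ComboFix, here is a small Python parser that turns such a script into a structured list of targets, so the person running it can see exactly which drivers, registry keys and values it touches before dragging it onto ComboFix.exe. The Registry:: lines are interpreted by Windows .reg file conventions ([-KEY] deletes a key, [KEY] selects a key, "name"=- deletes a value); the sample script embedded in the code is constructed to mirror the one posted, and the cross-check helper is my own addition.

```python
"""Parse a ComboFix CFScript into a structured, reviewable action plan.

Added example (not ComboFix's code). It recognises the section headers
used in the script above and lists every target under each one.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring the CFScript posted in the thread above.
SAMPLE_CFSCRIPT = """\
File::

Folder::

Driver::
BCASPROT
cpuz128
MEMSWEEP2


Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\MEMSWEEP2]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\hiybkqqi]


RegLockDel::

TDL::
C:\\Windows\\system32\\drivers\\iastor.sys
"""

# A section header is a bare word followed by "::", e.g. "Driver::".
SECTION_RE = re.compile(r"^(\w+)::$")


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    drivers: list = field(default_factory=list)            # service names under Driver::
    reg_delete_keys: list = field(default_factory=list)    # keys from "[-KEY]" lines
    reg_delete_values: list = field(default_factory=list)  # (key, name) from "name"=-
    reg_set_values: list = field(default_factory=list)     # (key, name, data)
    reglockdel: list = field(default_factory=list)
    tdl: list = field(default_factory=list)                # driver file paths under TDL::
    unknown: list = field(default_factory=list)            # (section, line) not understood


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section = None
    current_key = None  # the "[KEY]" currently open inside Registry::
    simple = {"File": plan.files, "Folder": plan.folders, "Driver": plan.drivers,
              "RegLockDel": plan.reglockdel, "TDL": plan.tdl}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section in simple:
            simple[section].append(line)
        elif section == "Registry":
            # .reg conventions: [-KEY] deletes a key, [KEY] selects one,
            # "name"=- deletes a value, "name"=data sets one.
            if line.startswith("[-") and line.endswith("]"):
                plan.reg_delete_keys.append(line[2:-1])
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                name, sep, data = line.partition("=")
                if not sep or current_key is None:
                    plan.unknown.append((section, line))  # value with no key selected
                elif data == "-":
                    plan.reg_delete_values.append((current_key, name.strip('"')))
                else:
                    plan.reg_set_values.append((current_key, name.strip('"'), data))
        else:
            plan.unknown.append((section, line))  # unknown or missing section header
    return plan


def drivers_with_service_keys(plan: Plan) -> list:
    """Driver:: names whose ...\\Services\\<name> key is also deleted under Registry::.

    Cross-check (my addition): a driver removed under Driver:: should normally
    have its service key removed too, so a name appearing in only one place
    is worth a second look before the script is run.
    """
    deleted = {key.rsplit("\\", 1)[-1].lower() for key in plan.reg_delete_keys
               if "\\services\\" in key.lower()}
    return sorted(d for d in plan.drivers if d.lower() in deleted)


if __name__ == "__main__":
    p = parse_cfscript(SAMPLE_CFSCRIPT)
    print("drivers:", p.drivers)
    print("delete keys:", p.reg_delete_keys)
    print("delete values:", p.reg_delete_values)
    print("TDL:", p.tdl)
    print("driver + service key:", drivers_with_service_keys(p))
    print("not understood:", p.unknown)
```

    Run against the sample, the parser shows that MEMSWEEP2 is removed both as a driver service and as a Services key, that hiybkqqi only has its Services key removed, and that DisableMonitoring is deleted rather than set, so Security Center monitoring is restored rather than suppressed. Anything the parser puts in unknown is a line ComboFix would also be likely to misread, which is the point of reviewing the script first.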
  12. omy

    omy TS Rookie Topic Starter

    In answer to your last post: yes, I use ThreatFire.
    Sorry about the desktop thing, i.e. moving ComboFix to the desktop.
    That computer is not on the internet, so I dragged it over from my thumb drive and it made a shortcut instead of dragging the file over. It dragged HijackThis over no problem.
    Here are the files from ComboFix and HijackThis as requested.
     

    Attached Files:

  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Delete your GMER file, download fresh one and give me new log.
     
  14. omy

    omy TS Rookie Topic Starter

    I've now tried different things with the GMER file, which I have downloaded a fresh copy of, and it goes so far and then shuts down the system. I've tried with and without admin privilege,
    in safe mode and not in safe mode, and it still shuts down/restarts the computer or just jams it with a black screen and nothing else happens, and I then have to hard shut down the system.
    The scans last different times each time; I don't see anything in red.
    I will try another fresh download of GMER if you think I should.
    And the computer seems to work fine; it is still not connected to the internet.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
    If it still doesn't work, run it in safe mode with only "Sections" checked.
     
  16. omy

    omy TS Rookie Topic Starter

    Tried it again; it failed. Computer started, it ran for a few minutes and started finding stuff, nothing in red, then the computer shut down by itself.

    Unchecked Devices: same thing happened.
    Tried safe mode again: shutdown.
    Tried in safe mode with Sections only checked: it ran and the program simply froze.
    It gave me three lines.
    I copied it to the clipboard and then to Notepad (appears a bit different than shown) but the text is basically all there.
     

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    That's all I needed :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    TDL::
    C:\Windows\system32\drivers\iastor.sys
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [Image: animation of dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  18. omy

    omy TS Rookie Topic Starter

    Sorry, I made a mistake and lost the ComboFix original file; however, ComboFix restarted twice on the first run.
    Windows indicated the first time pev.exe was shutting down,
    second time pev.clxxe was shutting down.
    Both times the computer rebooted.

    Because I mistakenly lost the file I ran ComboFix again.
    It whipped right through quite fast.
    I attach the log to this email.
    I then ran HijackThis and attach its log.
     

    Attached Files:

  19. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It looks good :)
    How is your computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  20. omy

    omy TS Rookie Topic Starter

    Hi Broni,
    looks good here.
    Will run Malwarebytes once more, then connect to the internet and do exactly what you are suggesting tomorrow.
    Thanks,
    Mike
     
  21. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    No problem :)
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Are you still out there?
     
  23. omy

    omy TS Rookie Topic Starter

    hi broni
    I'm not sure what exactly happened or didn't happen. I did as you suggest; I ran Kaspersky online, it came back negative and I posted the log to this site, or so I thought. I can't seem to locate it now, so I assume I screwed up. But the computer is fine; any of the malware and virus protections I run all come up negative. Thanks again for a great assist.
    Mike
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I'm glad to hear good news, but you shouldn't leave your thread before I declare your computer clean, because there is always one very important last step you have to do to make sure your computer won't get reinfected.
    Besides, it's always nice to have some word from you about your computer status, instead of just leaving :)


    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, you're done with the above.
     
  25. omy

    omy TS Rookie Topic Starter

    Hi Broni,
    I did the System Restore,
    the Windows Update,
    changed my passwords as suggested,
    downloaded WOT,
    read and did all the steps on the Bleeping Computer site.
    I have completed everything as suggested.
    Mike
     
Topic Status:
Not open for further replies.
