TechSpot

Rootkit.Agent rooting around my system

By profwagstaff
Dec 27, 2008
  1. Hey guys,
    I managed to get ahold of some malware recently and, after going elsewhere and getting absolutely no help, decided to look around and find the place that actually helped me last time. Congratulations!
    As the subject says, I have Rootkit.Agent in my drivers folder. I've run Malwarebytes' Anti-Malware a few times and it seems to always find it even after it tells me that it needs to reboot the system to delete it.
    Any help here? Is there anything else I should look for? I ran AdAware, too, and it just found a couple of new things that, unfortunately, I just clicked through to get rid of. But I think they were pretty generic and are gone now.
    Thanks for the help!
    --Mark
     
  2. gillianbrown

    gillianbrown Banned Posts: 141

    Ok, please do the following.

    Download the Panda Antirootkit programme.

    Unzip it and run the PAVARK.exe file.

    Tick the box that says In depth scan and follow the on screen instructions.

    DO NOT remove any UNKNOWN ROOTKITS at this stage. Instead, let me know your results in your reply.

    Make sure you have the LATEST version of HJT (currently 2.0.0.2) from HERE.

    Double-click on the file you just downloaded.
    Click on the "Install" button to install.
    It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
    Please do not change the default install location.

    Very Important.

    You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

    Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

    Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

    You can now close the HJT directory.

    Run Hijackthis

    Next click on the "Do a system scan and save a log file" button.
    Hijackthis will scan and then a log will open in notepad.
    Attach the HJT log into your post.

    Under no circumstances, should you add anything to the HJT ignore list.
     
  3. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    Hijack This file

    Panda came up snake eyes on the rootkits. I'm a little surprised by that, but whatever.
    Here's the logfile.
    Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:07:51 PM, on 12/27/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Moderator Edit:
    Pasted logs removed
    All logs must be attached
     
  4. gillianbrown

    gillianbrown Banned Posts: 141

    Please post all log files as attachments and not copy and pasted.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

    O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\Program Files\MediaMan\CoMProt.dll

    O20 - Winlogon Notify: bwkpsd - bwkpsd.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Please download Malwarebytes' Anti-Malware to your desktop use any of these links.
    Malwarebytes
    MajorGeeks

    Double-click mbam-setup.exe and follow the prompts to install the program.

    At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.
    Once the program has loaded, select Perform Quick Scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad. Please attach that log into your next reply, along with a fresh HJT log.
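    The two HijackThis entries flagged above are an O20 Winlogon Notify hook whose DLL is missing and an O18 custom protocol handler loading a DLL. As an added example that is not part of the thread or of HijackThis itself, the following Python snippet parses HJT-style log lines (a constructed sample built from the two entries quoted above plus one benign O4 line) and triages those two entry types the way a responder would when reading such a log.

```python
import re

# Constructed sample: the two HJT entries quoted in the post above, plus one
# benign O4 line so the triage has something to leave alone.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\\Program Files\\MediaMan\\CoMProt.dll
O20 - Winlogon Notify: bwkpsd - bwkpsd.dll (file missing)
"""

# HJT entries start with an "O<n> - " section code; header lines do not.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(log):
    """Split an HJT log into (section_code, body) tuples, skipping header text."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag entries that deserve a closer look:
    - O20 Winlogon Notify hooks whose DLL is missing (an orphaned persistence
      entry: Winlogon will try to load the DLL at every logon).
    - O18 custom URL protocol handlers, which load a DLL into the browser
      whenever that scheme is used, so the DLL path should be verified.
    Returns (code, name, note) tuples."""
    findings = []
    for code, body in entries:
        if code == "O20" and "(file missing)" in body:
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            findings.append((code, name, "orphaned Winlogon Notify entry"))
        elif code == "O18":
            # body looks like: "Protocol: <name> - {CLSID} - <dll path>"
            parts = [p.strip() for p in body.split(" - ")]
            proto = parts[0].split(":", 1)[1].strip()
            findings.append((code, proto, "custom protocol handler: " + parts[-1]))
    return findings


if __name__ == "__main__":
    for code, name, note in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{code} {name}: {note}")
```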
     
  5. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    Sorry about that.
    Anti-Malware didn't come up with anything, but I've included its log just in case.
     
  6. gillianbrown

    gillianbrown Banned Posts: 141

    Your logs are clean.

    Can you give me details of the Rootkit you think you have as well as telling me how you found out about it?
     
  7. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    Honestly, it was a while ago when all of my anti-virus programs started setting off fireworks. I ran them a few times and they pretty much always said that something was wrong, but they couldn't take care of it. It happened after I downloaded a program via torrents. Something was apparently embedded...of course.
    I ran AdAware, Anti-Malware, Spyware Blaster and AVG and at least two of them said that they were finding things, but didn't seem to want to kill them.
    That's when I sent the info to that other website, got busy with work and ended up forgetting what happened with my computer. I finally got some time to deal with it and messaged you guys.
    This is my message to the other website:

    I have apparently become a host to some viruses. I have run AVG and Anti-Malware a few times. AVG told me that there were no threats, but then popped up an alert saying that Trojan horse SHeur2.FKN was detected.
    AMW tells me that four Rootkit.Agents are on my system and it can't seem to remove them. They are all called ati0ntxx. One is in the system32/drivers folder and the others are in the reg key.

    Any of this help?
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Malwarebytes
    Database version: 1474 <= old
    Scan type: Quick Scan <= should be full scan

    I'd suggest un-install all of this:
    Ad-Aware
    AVG8 (yes this too)
    Spyware Doctor
    Spybot - Search & Destroy


    Then run another full scan of Malwarebytes (updated first)
    Then also download and run SuperAntiSpyware (update and scan)
    Also your version of Java jre1.6.0_07 (is now old)

    i.e. as per the guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    And install Avira Antivirus (update and scan)
     
  9. gillianbrown

    gillianbrown Banned Posts: 141

  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    By the way, make sure to uninstall any torrent downloader program first, before scanning.
    Otherwise you may be re-infected whilst in the process of removing any found issues.
     
  11. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    Well, that will make me rest a bit easier.
    I'm running a couple more scans and I'll send another HJ log just to be absolutely sure.
    Thanks a lot!
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  13. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    So, I ran a couple of scans and came up with the same rootkit popping up. All the while, Avira was telling me that TR/Rootkit.Gen was trying to access my system.
    I have attached the scans. See what you think.
     
  14. gillianbrown

    gillianbrown Banned Posts: 141

  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well done so far ;)

    I noticed you have SUPERAntiSpyware installed
    So when you are able to run a full scan, please attach the log

    gillianbrown, we must have all logs, otherwise the thread may get too long!
     
  16. gillianbrown

    gillianbrown Banned Posts: 141

    If this is indeed a rootkit infection, no amount of normal applications will get rid of it.

    SAS certainly won't get rid of it.
     
  17. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    I did run a full scan with SAS and it didn't create a log. Would it have done that automatically and saved it somewhere that I can't find it? It certainly didn't ask me if I wanted to.
    If SAS can't get rid of it, what are the alternatives? Is there another tool? Or is this going to cause me to, once again, start from scratch? (I just got a brand new hard drive because my last one crashed after about 6 months, so starting over is not on my short list of things to do again. It's not even on my super-long list.)
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

     
  19. gillianbrown

    gillianbrown Banned Posts: 141

  20. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    Ah. Easy enough. Here it is.
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hooray, all attachments submitted.

    Also this:
    As per the guide it needs updating
    I could not see any further issues in the HJT log (way up there)

    How's it going now?
     
  22. gillianbrown

    gillianbrown Banned Posts: 141

    Lol, that just cracked me up.

    Now, did you try the antirootkit tool I suggested?

    If so, what were the results?
     
  23. profwagstaff

    profwagstaff TS Rookie Topic Starter Posts: 20

    Well, I scanned all three areas that Sophos scans and it found nothing.
    I guess I'm clean? I haven't gotten any pop-ups from Avira or SAS in a while. It's very strange, though.
    Thanks for all your help. If you have any more advice, I'll keep watch here. And I'll let you know if anything else strange happens.
     
  24. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  25. gillianbrown

    gillianbrown Banned Posts: 141

    In that case, there are only two possibilities.

    1: The rootkit was a false positive in both AVG and Avira (quite possible).
    2: There really is a rootkit, but the rootkit removal programmes can't find it or remove it (unlikely).

    I'd guess at this being a false positive. ;)
     