[Inactive] Help on rootkit.agent how to delete

By kapoy08 · 13 replies
Mar 12, 2010
  1. Please help on how to remove a rootkit named rootkit.agent.bdov... This file is locked. My antivirus said it will be deleted on restart of my PC, but my antivirus again keeps on detecting it. The virus is in my system: C:\WINDOWS\system32\drivers\lgdrczay.sys. I downloaded top-rated anti-malware to delete it but again it keeps on coming back. I also used File Assassin but still the rootkit is there. Please help... I'm really frustrated... Thanks...
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It is in your best interest to let us guide you through removal programs. We'd like you to start by using the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, please attach the 3 logs for us to review. We will then have some idea of what the malware is and how best to handle it.

    I would be interested to know how you know the file is locked and that it is a rootkit. If you ran a recent antivirus scan, please include that with the other logs.
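The helper's question above (how do you know the file is locked and that it is a rootkit?) is exactly the triage a practitioner would script before trusting any "delete on reboot" verdict. The following is an added example, not code from the thread, from TechSpot or from any of the tools mentioned in it. Only the driver file name (lgdrczay.sys from the first post) is taken from the page; the script assumes Windows PowerShell 5.1 (for Get-FileHash and Get-WmiObject) run from an elevated prompt, and every path and check below is illustrative.

```powershell
# Added example: triage a suspected rootkit driver that "keeps coming back".
# Assumes Windows PowerShell 5.1, run as Administrator. Only the driver name
# comes from the original post; everything else is an assumption.
param(
    [string]$DriverName = 'lgdrczay'   # base name of the .sys from the first post
)

$driversDir = Join-Path $env:SystemRoot 'system32\drivers'
$driverPath = Join-Path $driversDir "$DriverName.sys"

# 1. Is the file on disk, and is it signed? Legitimate kernel drivers carry an
#    Authenticode signature; a random 8-letter name with no signature is suspect.
if (Test-Path -LiteralPath $driverPath) {
    $item = Get-Item -LiteralPath $driverPath -Force
    "File present: $($item.FullName) size=$($item.Length) created=$($item.CreationTime)"
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    "Signature: $($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    # SHA-256 for looking the sample up in a reputation service or sandbox
    "SHA256: $((Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash)"
} else {
    "Not visible on disk: $driverPath (hidden by a rootkit, or already removed)"
}

# 2. A driver is reloaded at boot through its service entry. Deleting the .sys
#    without this key is why "delete on restart" leaves the infection in place.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    "Service key: Start=$($svc.Start) Type=$($svc.Type) ImagePath=$($svc.ImagePath)"
} else {
    "No service key at $svcKey"
}

# 3. Is the driver currently loaded? (A kernel rootkit can hide itself from this
#    view, so a clean result here proves nothing; a hit confirms why the file is locked.)
$loaded = Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.Name -eq $DriverName -or $_.PathName -like "*\$DriverName.sys" }
if ($loaded) {
    $loaded | ForEach-Object { "Loaded: $($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)" }
} else {
    "Driver not reported as loaded by WMI"
}

# 4. List every other driver in the same directory that is not validly signed;
#    droppers often install more than one component under random names.
Get-ChildItem -LiteralPath $driversDir -Filter *.sys -Force |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object @{ n = 'File'; e = { Split-Path -Leaf $_.Path } }, Status |
    Format-Table -AutoSize
```

Run it as `.\Triage-Driver.ps1` (or with `-DriverName` set to another base name). Because the running kernel is the thing under suspicion, treat every "not found" or "not loaded" result as inconclusive and repeat the file and registry checks from an offline boot (for example WinPE) before concluding the driver is gone; that is also why the helper in this thread relies on dedicated removal tools and their logs rather than on the infected system's own view of itself.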
  3. kapoy08

    kapoy08 TS Rookie Topic Starter

    Here are my logs; the rootkit is still there after I remove it... t_t

    Here are my logs, sir... thanks for the help...

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You had several different malware infections:

    P2P or 'file sharing' Warning:

    This is most likely a cause of much of the malware:
    C:\Program Files\LimeWire\LimeWire.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Since this is loading at startup, I ask that you uninstall LimeWire while we're cleaning. If you do not, it leaves the potential to get more malware while I am helping you clean the present malware. This would be a waste of time for both of us.

    Let me know..
  5. kapoy08

    kapoy08 TS Rookie Topic Starter

    About Limewire

    Now I successfully deleted LimeWire, sir... what is the next step... thanks a lot!
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    Follow that with Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Then rescan with HJT. Include Combofix report, eset log and new HJT log with next reply.
  7. mossy95

    mossy95 TS Rookie Posts: 36

    Same thing happened to me.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    mossy95, if you need help for this, please start your own new thread. I see game/server related threads for you, but not malware. Describe your problems and follow the steps in the Preliminary Virus and Malware Removal HERE.

    When you have finished, attach the 3 logs for us to review.

    Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please start a new thread and follow the preliminary cleaning steps HERE. Attach the logs.
  9. kapoy08

    kapoy08 TS Rookie Topic Starter

    Thanks, sir, here are my logs....

    Here are my logs, sir... thanks.

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    kapoy08, it's very important that you stay away from the online gaming and any downloads from LimeWire while I am helping clean the system. Your computer is badly infected. You have an "Anti-Spy.Info" running, which is a rogue security program. You have infected game files (Prime Suspects). I am attempting to determine if enough can be moved and/or removed to prevent your having to reformat and reinstall.

    Don't do any updates except antivirus. Don't do any installs, uninstalls, etc. unless I instruct you to. You have at least one pirated program (NBA2k10). You have a SpySheriff infection; this is a Trojan disguised as an anti-spyware application. It installs stealthily onto a user's system, uses aggressive advertising, and produces false positives that may goad the user into purchasing the application.

    • 1. Close any open browsers.
      2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      3. Open notepad and copy/paste the text in the code below into it:
    C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\_entreelist.dll
    C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\_enviewlist.dll
    c:\documents and settings\USER\Local Settings\Application Data\.#
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_D6461317C3DC4F04799BDCE9E42626FE.dll
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_F60730A4A66673047777F5728467D401.dll
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_D20352A90C039D93DBF6126ECE614057.dll
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_8A0F842331866D117AB7000B0D610004.dll
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_B8499BEA2FF49C7499E0741044290AEF.dll
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_A28B4D68DEBAA244EB686953B7074FEF.dll
    c:\documents and settings\All Users\Application Data\AntiSpyInfo\icn_8376B3491084289409CE4024FEA7BE61.dll
    C:\Documents and Settings\USER\My Documents\Downloads\unlocker1.8.9.exe
    E:\G A M E S\Mystery Case Files Prime Suspects\PrimeSuspects.exe
    E:\G A M E S\Mystery Case Files Prime Suspects\PrimeSuspects.exe.bak
    c:\documents and settings\USER\Local Settings\Application Data\Help
    c:\documents and settings\All Users\Application Data\AntiSpyInfo
    c:\documents and settings\USER\Application Data\LimeWire
    C:\Documents and Settings\All Users\Start Menu\Programs\Anti-Spy.Info\
    C:\Program Files\Anti-Spy.Info\
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
  11. kapoy08

    kapoy08 TS Rookie Topic Starter

    Thanks, sir, here is my log...

    Here is my log.
  12. kapoy08

    kapoy08 TS Rookie Topic Starter

    Thanks, sir, here are my logs....

    Here is my log, sir.

    Attached Files:

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    kapoy08, I'm leaving some information for you regarding online games. It's not my job to tell you what to do or not do with your system. But you've asked for help in finding and removing malware. It might not make any difference to you, but you should be aware that if you continue, you will basically be fighting a losing battle with malware:

    2010-03-08 17:15/2010-03-16 15:53: c:\program files\Cheat Engine
    Source: http://en.wikipedia.org/wiki/Cheat_Engine

    And additionally: Regarding popcinfot.dat
    I did some more research and found that the file may be related to PopCap Games, a site for free online games. Is that a site you use?
    2010-01-24 01:59/2010-02-11 00:22: c:\windows\popcinfot.dat

    Source: http://www.bleepingcomputer.com/forums/topic236341.html

    Please run the Eset scan once more. I'll set up one more removal after that.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Closed due to lack of activity.