# Need help removing a Rootkit.Agent

Mar 22, 2010
Hi,

I've been looking around the forums and see that you all have had much success helping others with similar issues to mine. I would be greatly appreciative if somebody could help me out.

My computer was infected by malware/virus when I clicked a bad link online. I had avast antivirus scanner (home edition freeware) running and it told me a bunch of viruses (trojans) were being detected. I got really nervous and hit "delete" in the avast window a bunch of times. This clearly did not actually remove any of the infected files. What's worse is that my Malwarebytes was unactivated. I tried to run the shortcut for the .exe on my desktop for it and it said it could not find the executable. I realized the virus deleted it. I uninstalled Malwarebytes (stupidly). After experiencing severe slowness on the cpu, internet websites being redirected to fake sites about anti-spyware, not being able to go to some websites altogether, my cpu eventually blue screened. I decided to run a repair (not reformat) with my Windows XP home edition and went to bed after doing the install. I left the computer off.

On a side note, I was unable to edit options in 'view' so that I can see file extensions (I knew I needed to block a .sys file and couldn't tell which ones were .sys; I had a very lucky guess). It looks like I have lost access to editing settings like seeing file extensions. I also thought about restoring my system to how it was a few days ago, but also could not do this because I got an error basically saying I did not have access and I need to get in touch with my domain admin.

I woke up, restarted the computer. It started up and I was able to use it though it was very slow. I did a bunch of internet research and found that I was probably infected by a Verdumonde Trojan as users with that virus had the same symptoms (website redirects, no access to some websites, inability to install or run Malwarebytes). I discovered there was a way to get Malwarebytes to run by changing the names of the installer and exe, but it also said that I needed to block TDSSserv.sys in hidden devices too in my hardware devices. I looked and did not have TDSSserv.sys as an option, so I assume that I had a variant of verdumonde trojan. So, being frustrated, I decided to pick a process which looked most fishy and to choose it to be blocked (difficult to do because they all have weird names). It blocked the process I selected and I rebooted. I guess I made the right choice because upon reboot many of my startup programs started up (MSN Messenger, Steam, Avast). I again opened the malwarebytes exe and it actually installed and I was able to initiate a scan.

Malwarebytes removed some 115 viruses from my system, but after 3 rescans, it seems it cannot delete one. It is in my C:\WINDOWS\system32\drivers\ folder. It's a Rootkit.Agent file (C:\WINDOWS\system32\drivers\aqnyvv.sys (Rootkit.Agent) -> Delete on reboot.). I have also downloaded (but not yet installed) installers for ComboFix, HijackThis, SUPERAntiSpyware Pro (trial) and the Windows Malicious Software Removal Tool. I have them saved on my flash drive for now. I am considering downloading FileASSASSIN or RootRepeal, but I figured I'd come here first for help.
My infected cpu is turned on, not connected to the internet and ready to be worked on.

Thanks in advance for assisting in getting this grimy virus off of my computer. Also, I am ready to run installers for any of the programs I mentioned on my computer and get a log to show you upon suggestion. Attached are my 3 Malwarebytes scans in order. The first one shows it deleted a lot of viruses and the next two show that it keeps detecting the Rootkit.Agent and can't delete it.

Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

===========================================================================

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

thanks for the quick response!

I downloaded TDSSKiller.exe and extracted it onto my desktop. I copy-pasted the line into Start > Run. It did say there is a hidden service detected and lists my suspected rootkit file. I pressed "Enter" as instructed by you even though it says to type in "delete" to get rid of it. When I hit "Enter", it only moves the cursor lower on the screen. What am I doing wrong?

Thanks!

Sorry, I see now that the TDSSKiller log file was saved on my C: drive even though the DOS window never closed. The contents of that log are here:

21:29:28:015 0220 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:29:28:015 0220 ================================================================================
21:29:28:015 0220 SystemInfo:

21:29:28:015 0220 OS Version: 5.1.2600 ServicePack: 2.0
21:29:28:015 0220 Product type: Workstation
21:29:28:015 0220 ComputerName: JMONEY09
21:29:28:015 0220 Windows directory: C:\WINDOWS
21:29:28:015 0220 Processor architecture: Intel x86
21:29:28:015 0220 Number of processors: 2
21:29:28:015 0220 Page size: 0x1000
21:29:28:015 0220 Boot type: Normal boot
21:29:28:015 0220 ================================================================================
21:29:28:515 0220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:29:28:515 0220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:29:28:515 0220 wfopen_ex: Trying to KLMD file open
21:29:28:515 0220 wfopen_ex: File opened ok (Flags 2)
21:29:28:515 0220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:29:28:515 0220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:29:28:515 0220 wfopen_ex: Trying to KLMD file open
21:29:28:515 0220 wfopen_ex: File opened ok (Flags 2)
21:29:28:515 0220 Initialize success
21:29:28:515 0220
21:29:28:515 0220 Scanning Services ...
21:29:28:906 0220 Raw services enum returned 297 services
21:29:28:921 0220 Suspicious serv aqnyvv (h: 0, b: 1)
21:29:28:921 0220
21:29:28:921 0220 Hidden service detected!
21:29:28:921 0220 Service name: aqnyvv
21:29:28:921 0220 Image path:
21:29:28:921 0220 Type "delete" (without quotes) to delete it:

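The log above stops at TDSSKiller's interactive prompt, and the next few replies turn on one question: did the tool ever finish, or is it still waiting for keyboard input? As an added example (not part of the thread and not Kaspersky's code), here is a small Python parser for this log format. It records the tool version, OS version, number of services enumerated, and every hidden service together with the raw suspicion flags, then reports whether the log ends on the "Type delete" prompt. The "Scan finished" marker for a completed run is an assumption; the posted log contains no such line, which is exactly the symptom. Note also that the image path of the hidden service is empty: the scanner could not resolve the driver's file, which fits Malwarebytes being unable to delete aqnyvv.sys through normal file APIs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed fixture: the TDSSKiller 2.2.8.1 log posted above, with the SystemInfo
# block shortened. It ends on the "Type delete" prompt, i.e. the tool was still
# waiting for keyboard input when the file was copied.
POSTED_LOG = """\
21:29:28:015 0220 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:29:28:015 0220 ================================================================================
21:29:28:015 0220 SystemInfo:

21:29:28:015 0220 OS Version: 5.1.2600 ServicePack: 2.0
21:29:28:015 0220 Product type: Workstation
21:29:28:015 0220 Boot type: Normal boot
21:29:28:515 0220 Initialize success
21:29:28:515 0220
21:29:28:515 0220 Scanning Services ...
21:29:28:906 0220 Raw services enum returned 297 services
21:29:28:921 0220 Suspicious serv aqnyvv (h: 0, b: 1)
21:29:28:921 0220
21:29:28:921 0220 Hidden service detected!
21:29:28:921 0220 Service name: aqnyvv
21:29:28:921 0220 Image path:
21:29:28:921 0220 Type "delete" (without quotes) to delete it:
"""

# Assumption: a completed run ends with a line containing this marker. The posted log
# has no such line; the second fixture appends one (constructed) to show the contrast.
FINISHED_MARKER = "Scan finished"
COMPLETED_LOG = POSTED_LOG + "21:29:45:000 0220 Main: Scan finished\n"

# "HH:MM:SS:mmm <thread id> <message>"; the message may be empty.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d:\d{3})\s+(\S+)\s?(.*)$")


@dataclass
class HiddenService:
    name: str
    image_path: str        # empty in the posted log: the file could not be resolved
    suspicious_flags: str  # raw "(h: 0, b: 1)" text, kept verbatim rather than interpreted


@dataclass
class TdssReport:
    tool_version: Optional[str] = None
    os_version: Optional[str] = None
    services_enumerated: Optional[int] = None
    hidden_services: List[HiddenService] = field(default_factory=list)
    awaiting_input: bool = False  # log ends on the "Type delete" prompt
    finished: bool = False        # FINISHED_MARKER was seen


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Parse a TDSSKiller 2.x console log into a TdssReport."""
    report = TdssReport()
    flags_by_name: Dict[str, str] = {}
    last_message = ""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group(3).strip()
        if not msg:
            continue
        last_message = msg
        if msg.startswith("TDSS rootkit removing tool "):
            report.tool_version = msg.split()[4]
        elif msg.startswith("OS Version: "):
            report.os_version = msg.split()[2]
        elif msg.startswith("Raw services enum returned "):
            report.services_enumerated = int(msg.split()[4])
        elif msg.startswith("Suspicious serv "):
            # "Suspicious serv aqnyvv (h: 0, b: 1)" -> name, raw flags
            name, _, flags = msg[len("Suspicious serv "):].partition(" ")
            flags_by_name[name] = flags
        elif msg.startswith("Service name: "):
            name = msg[len("Service name: "):]
            report.hidden_services.append(
                HiddenService(name, "", flags_by_name.get(name, "")))
        elif msg.startswith("Image path:") and report.hidden_services:
            report.hidden_services[-1].image_path = msg[len("Image path:"):].strip()
        elif FINISHED_MARKER in msg:
            report.finished = True
    # The prompt is the last thing written before the tool blocks on stdin.
    report.awaiting_input = last_message.startswith('Type "delete"')
    return report


if __name__ == "__main__":
    for label, log in (("posted", POSTED_LOG), ("completed", COMPLETED_LOG)):
        r = parse_tdsskiller_log(log)
        print(f"[{label}] TDSSKiller {r.tool_version} on {r.os_version}, "
              f"{r.services_enumerated} services, finished={r.finished}, "
              f"awaiting_input={r.awaiting_input}")
        for s in r.hidden_services:
            print(f"  hidden service {s.name!r} image_path={s.image_path!r} flags={s.suspicious_flags}")
```

Run against the posted log this reports one hidden service, `aqnyvv`, with an empty image path, `finished=False` and `awaiting_input=True`; that is the state the helper's "it looks like the program didn't finish" describes.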
It looks like the program didn't finish.
When you press "Enter", be patient afterwards. Let it run.

Thanks! I will give it some time. Is there anything that I should see happening? Like I mentioned before, hitting "Enter" seems to only bring the cursor lower on the page in the tool. I don't see anything actually happening, like processes running or anything...

Run Combofix and post its log along with HJT log.

I was running the TDSSKiller tool when I started up ComboFix, and at one point it restarted my computer, so I will redo the TDSSKiller tool. Attached are the ComboFix log and HJT log. I will run TDSSKiller again and attach a log from that one when it completes.

Don't run TDSSKiller for now.

Shoot, I already did before I saw your post. Sorry! Hope it didn't screw anything up. Its log is attached.

That's fine....

1. Click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::

Folder::

Driver::

RenV::
c:\program files\Alwil Software\Avast4\ashdisp .exe
c:\program files\DAEMON Tools Lite\daemon  .exe
c:\program files\Intel Audio Studio\intelaudiostudio    .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Steam\steam .exe

Registry::

RegLockDel::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

• Combofix.txt
• A new HijackThis log.

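Every path in the RenV:: section above has the same shape: a legitimate executable whose name now carries one or more blanks in front of ".exe" (ashdisp .exe, daemon  .exe, intelaudiostudio    .exe). The follow-up scripts later in the thread list the same kind of path. As an added example (not part of the thread and not ComboFix's code), the Python below walks a directory tree, reports every such file, notes whether something else now occupies the original name, and prints the findings in the CFScript layout the helper uses, with only the RenV:: section populated. The directory tree it scans is a constructed fixture built in a temp directory; the tool only lists candidates for review and renames nothing.

```python
import os
import re
import tempfile
from typing import List, NamedTuple

# "ashdisp .exe", "daemon  .exe", "intelaudiostudio    .exe": one or more blanks
# wedged between the stem and the extension.
RENAMED_RE = re.compile(r"^(?P<stem>.+?)[ \t]+\.exe$", re.IGNORECASE)

# Section order as in the first CFScript posted above.
CFSCRIPT_SECTIONS = ("File::", "Folder::", "Driver::", "RenV::", "Registry::", "RegLockDel::")


class RenamedExe(NamedTuple):
    renamed_path: str       # the legitimate binary under its mangled name
    original_path: str      # the name it had before the infection
    impostor_present: bool  # something now sits under the original name


def find_renamed_executables(root: str) -> List[RenamedExe]:
    """Walk root and return every *.exe whose name carries blanks before the extension."""
    hits: List[RenamedExe] = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}  # Windows names are case-insensitive
        for name in files:
            m = RENAMED_RE.match(name)
            if not m:
                continue
            original = m.group("stem") + name[m.end("stem"):].lstrip()
            hits.append(RenamedExe(
                os.path.join(dirpath, name),
                os.path.join(dirpath, original),
                original.lower() in lowered,
            ))
    return sorted(hits)


def build_cfscript(hits: List[RenamedExe]) -> str:
    """Render the hits as a CFScript: every section header present, only RenV:: filled."""
    lines: List[str] = []
    for section in CFSCRIPT_SECTIONS:
        lines.append(section)
        if section == "RenV::":
            lines.extend(h.renamed_path for h in hits)
        lines.append("")
    return "\n".join(lines)


def build_sample_tree() -> str:
    """Constructed fixture mirroring three RenV:: paths from the thread (not a real disk)."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    renamed = [
        ("Program Files/Alwil Software/Avast4", "ashdisp .exe"),
        ("Program Files/Intel Audio Studio", "intelaudiostudio    .exe"),
        ("Program Files/Steam", "steam .exe"),
    ]
    for sub, name in renamed:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        open(os.path.join(d, name), "wb").close()
    # An impostor dropped under one of the original names (constructed).
    open(os.path.join(root, "Program Files/Steam", "steam.exe"), "wb").close()
    # An untouched binary that must not be reported.
    os.makedirs(os.path.join(root, "WINDOWS"), exist_ok=True)
    open(os.path.join(root, "WINDOWS", "notepad.exe"), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_renamed_executables(root)
    for h in hits:
        flag = "IMPOSTOR under original name" if h.impostor_present else "original name free"
        print(f"{h.renamed_path}  ->  {os.path.basename(h.original_path)}  [{flag}]")
    print()
    print(build_cfscript(hits))
```

The impostor check is the part worth keeping: when a file already sits under the original name, restoring the renamed binary is not enough, and that other file is the one to quarantine and examine.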
all done. the two logs are attached. how are we looking?
thank you so so much for helping me with all this.

Edit: I figured I would run another MBAM scan while I'm waiting; the log for that is also attached. Looks like the rootkit is still there =\

No.
That is located in ComboFix's quarantine folder. Nothing to worry about.

Combofix log looks much better. There is still one item left...

1. Click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::

Folder::

Driver::

Registry::

RegLockDel::

RenV::
c:\program files\Alwil Software\Avast4\ashdisp .exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

• Combofix.txt
• A new HijackThis log.

Nice! Great news! Haha, I didn't realize it was the quarantine box; sorry, I've never taken a cpu class ever =)

Okie, the new logs are attached.

1. Click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\program files\Alwil Software\Avast4\ashdisp .exe

Folder::

Driver::

Registry::

RegLockDel::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

• Combofix.txt
• A new HijackThis log.

Good.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

==============================================================

Re-run Malwarebytes quick scan and post its log.

ComboFix is uninstalled and the log is attached. It seems I'm fixed?! Yay!

Just a couple more steps to make sure nothing is in hiding...

Please run a BitDefender Online Scan

• Click Start Scanner button.
• Click Start scan button
• Allow browser plug-in to be installed when prompted.
• Click I Agree to agree to the EULA.
• Please refrain from using the computer until the scan is finished.
• When the scan is finished, click on View log.
• Notepad will open with scan results.

Post fresh HJT log as well.

Here we go.

==========================================================================

You have some McAfee leftovers.

======================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

5. Click on Fix checked button.

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

7. Delete following files/folders (if present):

McAfee folder from C:\Program Files

Note. If deletion doesn't work, attempt it in Safe Mode - restart computer, and keep tapping F8 key, until menu appears.

8. Restart computer.

9. Post new HijackThis log.

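The HijackThis entries the helper asks to fix are O4 lines: one autostart value from a Run key, shown as hive, key, value name and the command the value holds. The McAfee one is a leftover pointing at a program that has been uninstalled; the NVIDIA ones are merely unnecessary. As an added example (not part of the thread and not HijackThis's code), the Python below parses O4 lines into their parts, works out which file actually gets loaded (for rundll32 entries that is the DLL, not rundll32 itself), and triages each entry on two checks a practitioner makes by eye: a target whose name has blanks before its extension (the renamed-by-infection pattern behind the RenV:: lines earlier in the thread), and an absolute target that no longer exists on disk. The four O4 lines are taken from the post above; the avast line and the "present files" set are constructed so the example runs offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.*)$"
)
# Blanks wedged in front of a short extension ("ashDisp .exe").
BLANK_BEFORE_EXT_RE = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

REASON_RENAMED = "blanks before extension (renamed-by-infection pattern)"
REASON_MISSING = "target file missing (orphaned autostart)"

# The four O4 lines from the post above, plus one constructed line (the avast entry)
# showing how a renamed target appears in a HijackThis log.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit",
    r'O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast4\ashDisp .exe"',  # constructed
]
# Constructed stand-in for "what is still on disk": McAfee has been removed,
# the NVIDIA DLLs are still present.
PRESENT_FILES = {
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\WINDOWS\system32\NvMcTray.dll",
}


@dataclass
class RunEntry:
    hive: str
    key: str
    value_name: str
    command: str
    target: str  # file actually loaded: the exe, or the DLL for rundll32 entries


def _first_token(command: str) -> Tuple[str, str]:
    """Split a command line into its first (possibly quoted) token and the remainder."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    head, _, rest = command.partition(" ")
    return head, rest.strip()


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 line; returns None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, rest = _first_token(m.group("command"))
    target = exe
    if exe.lower().endswith("rundll32.exe"):
        dll, _ = _first_token(rest)
        target = dll.split(",", 1)[0]  # "path\NvCpl.dll,NvStartup" -> the DLL
    return RunEntry(m.group("hive"), m.group("key"), m.group("value"),
                    m.group("command"), target)


def triage(entries: List[RunEntry], present_files: Set[str]) -> List[Tuple[RunEntry, str]]:
    """Flag renamed targets and absolute targets that are no longer on disk."""
    present = {p.lower() for p in present_files}  # Windows paths are case-insensitive
    findings: List[Tuple[RunEntry, str]] = []
    for e in entries:
        if BLANK_BEFORE_EXT_RE.search(e.target):
            findings.append((e, REASON_RENAMED))
        elif DRIVE_PATH_RE.match(e.target) and e.target.lower() not in present:
            findings.append((e, REASON_MISSING))
    return findings


if __name__ == "__main__":
    entries = [e for e in (parse_o4(l) for l in SAMPLE_HJT_LINES) if e]
    for e in entries:
        print(f"{e.hive}\\..\\{e.key} [{e.value_name}] -> {e.target}")
    print()
    for e, reason in triage(entries, PRESENT_FILES):
        print(f"FLAG [{e.value_name}]: {reason}")
```

Unqualified targets such as `nwiz.exe` are resolved through the search path at logon, so the existence check is skipped for them; they are left for the reviewer, which matches the helper treating the NVIDIA entries as clutter rather than evidence.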
I got rid of the Ask toolbar and downloaded the McAfee uninstaller, but when I ran the uninstaller it randomly stopped and displayed this message: "Please exit the session. McAfee Enterprise software detected. Cannot continue. Please contact McAfee Technical Support." Any ideas on this part?

I see. You have Enterprise edition, so that tool won't work.

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

The logs are attached; I tried to paste them in but the forum told me that the text was too long. Should I hold off on the HJT instructions that you laid out?

That's fine. Yeah, hold on with HJT. Let me review your logs.

Got it. Thanks.

