Solved Rootkit.Agent found

Status
Not open for further replies.
Very good :)

If you restarted already, re-run MBAM and Combofix and post fresh logs.
 
I was correct though, MBAM is saying there's an infected file. I assume (..ha!) it's the same one. What now, Broni?


Edit: Yep, same file. Log included (no action taken).
 

Attachments

  • mbam-log-2010-07-18 (23-39-35).txt (1 KB)
Did you reboot after MBAM apparently fixed the issue?
If not, reboot and THEN run new MBAM and Combofix.
 
Yeah, rebooted it after it said "Quarantined and deleted successfully." The latest log I gave you is from after the reboot. Here's the Combofix log.
 

Attachments

  • ComboFix.txt (12.2 KB)
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    eznmjfq.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:58 on 18/07/2010 by Gebruiker (Administrator - Elevation successful)

========== filefind ==========

Searching for "eznmjfq.sys"
C:\Windows\System32\drivers\eznmjfq.sys --a--- 823808 bytes [21:52 29/06/2010] [21:59 18/07/2010] (Unable to calculate MD5)

-=End Of File=-
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\Windows\System32\drivers\eznmjfq.sys

Folder::

Driver::
eznmjfq

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eznmjfq]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
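Before a CFScript like the one above deletes anything, a helper usually wants to confirm what is actually there. The script below is an added example, not part of Broni's instructions, ComboFix or SystemLook; it takes the driver name and path from the posts above as defaults, and assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread, ComboFix or SystemLook): read-only triage of the
# three artifacts the CFScript above targets, before anything is deleted. Run from an
# elevated PowerShell prompt on the affected machine; it avoids cmdlets newer than PS 2.0.
param(
    [string]$DriverName = 'eznmjfq',                                      # service key name from the CFScript
    [string]$DriverPath = "$env:SystemRoot\System32\drivers\eznmjfq.sys"  # path from the SystemLook log
)

# --- File:: section: does the file exist, and can it be read and hashed? ---
if (Test-Path -LiteralPath $DriverPath) {
    $f = Get-Item -LiteralPath $DriverPath -Force
    'File      : {0} ({1} bytes, created {2:u}, modified {3:u})' -f $f.FullName, $f.Length, $f.CreationTime, $f.LastWriteTime
    try {
        # SHA-256 through .NET so it also runs on Windows 7's PowerShell 2.0. A read error here is
        # the same symptom as SystemLook's "(Unable to calculate MD5)": the file is locked or hidden.
        $fs = [System.IO.File]::OpenRead($DriverPath)
        try     { $raw = [System.Security.Cryptography.SHA256]::Create().ComputeHash($fs) }
        finally { $fs.Close() }
        'SHA256    : ' + ([BitConverter]::ToString($raw) -replace '-', '')
    } catch {
        "SHA256    : could not read file ($($_.Exception.Message))"
    }
    # Legitimate kernel drivers are normally signed; NotSigned or HashMismatch deserves a closer look
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    "Signature : $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    'File      : not present, or hidden from the file API; confirm with an offline scan'
}

# --- Driver:: section: is a driver with that service name known to the running system? ---
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) { "Driver    : $($drv.Name) state=$($drv.State) path=$($drv.PathName)" }
else      { 'Driver    : not registered as a system driver (or hidden from the service API)' }

# --- Registry:: section: the service key in every control set, not only the one the CFScript names ---
# CurrentControlSet is a link to one ControlSetNNN; the LastKnownGood set can carry a second copy.
foreach ($cs in 'CurrentControlSet', 'ControlSet001', 'ControlSet002') {
    $key = "HKLM:\SYSTEM\$cs\Services\$DriverName"
    if (Test-Path $key) {
        $p = Get-ItemProperty $key
        # Type 1 = kernel driver; Start 0/1/2 = boot/system/auto start, 3 = on demand, 4 = disabled
        "Registry  : $key  Type=$($p.Type) Start=$($p.Start) ImagePath=$($p.ImagePath)"
    } else {
        "Registry  : $key  not present"
    }
}
```

Because every call goes through the live Windows APIs, a rootkit that filters those APIs can still hide its file or key from this script; a clean result only means nothing was visible from inside the running system.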
 
How does this look? File is too big to upload, as it's made a 'snapshot' apparently.
 

Attachments

  • Combofix1.txt (6.4 KB)
It looks like it did it, but your Combofix log is cut off.
Either repost it, or re-run Combo and post fresh log.
 
Yeah, the .txt file is too big to upload, apparently, so I'd have to cut it into pieces for you.

I did a quick-scan with MBAM, this is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databaseversie: 4230

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19-7-2010 0:35:03
mbam-log-2010-07-19 (00-35-03).txt

Scantype: Snelle scan
Objecten gescand: 130790
Verstreken tijd: 4 minuut/minuten, 49 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)



Infected file is (or seems to be? I can't assume! :)) gone. What's my next step?
 
Perfect!
Any new issues?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=================================================================

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I did the scan.

Oh, there weren't any 'issues' when I started this topic. Before that (and before the first time I ran MBAM and Combofix..) I couldn't update Windows, and would occasionally get redirected to some site. But that hasn't happened, so there was no noticeable problem to speak of, just the infected file.. Heh.
 

Attachments

  • OTL.Txt (100.2 KB)
  • Extras.Txt (38.1 KB)
Time for bed now. Broni: thanks for all the help so far, really appreciate it. :)

Will read back tomorrow.
 
No problem :)
I'll have new homework waiting for you....

====================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
Uninstall all previous Java versions, through Add/Remove (Programs & Features in Vista/7).

=====================================================================

You're running low on C drive free space:
Drive C: | 99,61 Gb Total Space | 11,17 Gb Free Space | 11,21% Space Free

=====================================================================

You're running two AV programs, Avira and NOD32. One of them has to go. Your choice.

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\GEBRUI~1\AppData\Local\Temp\catchme.sys -- (catchme)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
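The :OTL lines in the fix above are leftovers (a driver entry whose file is gone, a BHO with no class registration, an IE restrictions policy key, a ShellExecuteHook pointing at a missing key). The script below is an added example, not part of Broni's instructions or of OTL; it lists entries of those four kinds so they can be reviewed before a fix is written, and assumes an elevated prompt on the affected machine. The ImagePath normalisation and the output wording are this example's own choices.

```powershell
# Added example (not from the thread or from OTL): lists the kinds of leftover entries the
# :OTL fix above removes, so they can be reviewed before a fix script is written.
# Run from an elevated prompt on the affected machine; every step is read-only.

function Resolve-ImagePath([string]$name, [string]$imagePath) {
    # Driver ImagePath values come in several shapes; an absent value means the default
    # location, system32\drivers\<name>.sys, which is how orphans like catchme hide.
    if (-not $imagePath) { return "$env:SystemRoot\System32\drivers\$name.sys" }
    $p = $imagePath.Trim('"') -replace '^\\\?\?\\', ''            # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }      # system32\... -> C:\Windows\system32\...
    return $p
}

# DRV lines: driver services (Type 1 = kernel, 2 = file system) whose image file is gone
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($p.Type -eq 1 -or $p.Type -eq 2) {
        $img = Resolve-ImagePath $_.PSChildName $p.ImagePath
        if (-not (Test-Path -LiteralPath $img)) {
            "DRV - File not found [Type $($p.Type) | Start $($p.Start)] -- $img -- ($($_.PSChildName))"
        }
    }
}

# O2 lines: Browser Helper Objects whose CLSID has no InprocServer32 registration
# (64-bit systems keep a second list under Wow6432Node; only the native view is checked here)
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32"
        if (-not (Test-Path $srv)) { "O2  - BHO: $($_.PSChildName) - No CLSID value found." }
    }
}

# O6 line: an Internet Explorer Restrictions policy key, which a home machine rarely needs
if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions') {
    'O6  - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present'
}

# O28 lines: ShellExecuteHooks whose CLSID has no class key at all
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    (Get-Item $hooks).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
        if (-not (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$_")) { "O28 - ShellExecuteHook: $_ - Key error." }
    }
}
```

A DRV hit is not proof of malware: drivers that are installed on demand and later removed leave the same kind of orphaned service entry, so each line still needs the judgement a helper applies before putting it in a fix.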
 