Rootkit.Agent rooting around my system


profwagstaff

Hey guys,
I managed to get ahold of some malware recently and, after going elsewhere and getting absolutely no help, decided to look around and find the place that actually helped me last time. Congratulations!
As the subject says, I have Rootkit.Agent in my drivers folder. I've run Malwarebytes' Anti-Malware a few times and it seems to always find it even after it tells me that it needs to reboot the system to delete it.
Any help here? Is there anything else I should look for? I ran AdAware, too, and it just found a couple of new things that, unfortunately, I just clicked through to get rid of. But I think they were pretty generic and are gone now.
Thanks for the help!
--Mark
 
Ok, please do the following.

Download the Panda Antirootkit programme.

Unzip it and run the PAVARK.exe file.

Tick the box that says In depth scan and follow the on screen instructions.

DO NOT remove any UNKNOWN ROOTKITS at this stage. Instead, let me know your results in your reply.

Make sure you have the LATEST version of HJT (currently 2.0.0.2) from HERE.

Double-click on the file you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.

Very Important.

You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.

Run Hijackthis

Next click on the "Do a system scan and save a log file" button.
Hijackthis will scan and then a log will open in notepad.
Attach the HJT log into your post.

Under no circumstances, should you add anything to the HJT ignore list.
 
Hijack This file

Panda came up snake eyes on the rootkits. I'm a little surprised by that, but whatever.
Here's the logfile.
Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:51 PM, on 12/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Moderator Edit:
Pasted logs removed
All logs must be attached
 
Please post all log files as attachments and not copy and pasted.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\Program Files\MediaMan\CoMProt.dll

O20 - Winlogon Notify: bwkpsd - bwkpsd.dll (file missing)

Click on the fix checked button.

Close HJT.

Please download Malwarebytes' Anti-Malware to your desktop use any of these links.
Malwarebytes
MajorGeeks

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please attach that log into your next reply, along with a fresh HJT log.
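As an added illustration (not code from this thread, from HijackThis or from the helper), here is a small Python filter that picks out of an HJT log the two kinds of entries asked to be fixed above: O20 Winlogon Notify hooks whose DLL is missing, and O18 custom protocol handlers. The sample log is constructed around the thread's own O18 and O20 lines; the other entries in it are made up.

```python
import re

# Constructed sample in HijackThis log format. The O18 and O20 "file missing"
# lines are the two entries the helper asked to have fixed in the thread; the
# remaining lines are constructed, benign-looking entries the filter should skip.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\\Program Files\\MediaMan\\CoMProt.dll
O20 - Winlogon Notify: bwkpsd - bwkpsd.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Example Updater (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

# Each HJT entry reads "O<n> - <kind>: <detail>". The first colon after the
# section tag splits kind from detail; drive-letter colons (C:\) come later.
HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def parse_hjt_line(line):
    """Split one HJT log line into section, kind and detail; None if not an entry."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    detail = detail.strip()
    return {
        "section": section,
        "kind": kind.strip(),
        "detail": detail,
        # HJT appends this marker when the registered file no longer exists on disk.
        "file_missing": detail.endswith("(file missing)"),
    }


def triage(log_text):
    """Return (section, reason, detail) tuples for entries matching the two fix criteria."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        if entry["section"] == "O20" and entry["file_missing"]:
            # A Winlogon Notify hook loads its DLL into winlogon.exe at logon; a hook
            # whose DLL is gone is a dangling registration, often left behind by malware.
            findings.append((entry["section"], "Winlogon Notify hook with missing DLL", entry["detail"]))
        elif entry["section"] == "O18" and entry["kind"] == "Protocol":
            # O18 registers a custom URL protocol handler DLL; any non-default one is worth review.
            findings.append((entry["section"], "custom protocol handler", entry["detail"]))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_HJT_LOG):
        print(f"{section}: {reason} -> {detail}")
```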
 
Your logs are clean.

Can you give me details of the Rootkit you think you have as well as telling me how you found out about it?
 
Honestly, it was a while ago when all of my anti-virus programs started setting off fireworks. I ran them a few times and they pretty much always said that something was wrong, but they couldn't take care of it. It happened after I downloaded a program via torrents. Something was apparently embedded...of course.
I ran AdAware, Anti-Malware, Spyware Blaster and AVG and at least two of them said that they were finding things, but didn't seem to want to kill them.
That's when I sent the info to that other website, got busy with work and ended up forgetting what happened with my computer. I finally got some time to deal with it and messaged you guys.
This is my message to the other website:

I have apparently become a host to some viruses. I have run AVG and Anti-Malware a few times. AVG told me that there were no threats, but then popped up an alert saying that Trojan horse SHeur2.FKN was detected.
AMW tells me that four Rootkit.Agents are on my system and it can't seem to remove them. They are all called ati0ntxx. One is in the system32/drivers folder and the others are in the reg key.

Any of this help?
 
Malwarebytes
Database version: 1474 <= old
Scan type: Quick Scan <= should be full scan

I'd suggest un-install all of this:
Ad-Aware
AVG8 (yes this too)
Spyware Doctor
Spybot - Search & Destroy


Then run another full scan of Malwarebytes (updated first)
Then also download and run SuperAntiSpyware (update and scan)
Also your version of Java jre1.6.0_07 (is now old)

ie as per the guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

And install Avira Antivirus (update and scan)
 
but they couldn't take care of it. It happened after I downloaded a program via torrents.
By the way, make sure to uninstall any torrent downloader program first, before scanning.
Otherwise you may be re-infected whilst in the process of removing any found issues.
 
Well, that will make me rest a bit easier.
I'm running a couple more scans and I'll send another HJ log just to be absolutely sure.
Thanks a lot!
 
So, I ran a couple of scans and came up with the same rootkit popping up. All the while, Avira was telling me that TR/Rootkit.Gen was trying to access my system.
I have attached the scans. See what you think.
 
Well done so far ;)

I noticed you have SUPERAntiSpyware installed
So when you are able to run a full scan, please attach the log

gillianbrown, we must have all logs, otherwise the thread may get too long!
 
If this is indeed a rootkit infection, no amount of normal applications will get rid of it.

SAS certainly won't get rid of it.
 
I did run a full scan with SAS and it didn't create a log. Would it have done that automatically and saved it somewhere that I can't find it? It certainly didn't ask me if I wanted to.
If SAS can't get rid of it, what are the alternatives? Is there another tool? Or is this going to cause me to, once again, start from scratch? (I just got a brand new hard drive because my last one crashed after about 6 months, so starting over is not on my short list of things to do again. It's not even on my super-long list.)
 
...

DO NOT SKIP ANY OF THE INSTRUCTIONS
...
Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Attach the notepad file here on your reply.
 
Hooray, all attachments submitted.

Also this:
Java\jre1.6.0_07
As per the guide it needs updating
I could not see any further issues in the HJT log (way up there)

How's it going now?
 
Well, I scanned all three areas that Sophos scans and it found nothing.
I guess I'm clean? I haven't gotten any pop-ups from Avira or SAS in a while. It's very strange, though.
Thanks for all your help. If you have any more advice, I'll keep watch here. And I'll let you know if anything else strange happens.
 
In that case, there are only two possibilities.

1: The rootkit was a false positive in both AVG and Avira (quite possible).
2: There really is a rootkit, but the rootkit removal programmes can't find it or remove it (unlikely).

I'd guess at this being a false positive. ;)
 