pedrobicalho

Everything posted by pedrobicalho

  1. Ran other tests and nothing was detected. System is responding ok! I think you can close this topic now. Thanks again Kevin. Pedro
  2. Kevin, logs are attached. TDSSKiller found Rootkit.Boot.DarkGalaxy.a. I selected "cure" as instructed and got the message "Can't cure MBR. Write standard boot code?". Selected "Yes" and then rebooted... during Windows load I got an error message on the cmd screen... but then everything loaded fine (and I got the impression that load time was a little faster). Just ran my AV on the boot sector, and everything was clean. I'll post back after I run some other tests, but I think it worked!! Thank you so much for your assistance Kevin! TDSSKiller.3.1.0.28_17.09.2019_17.59.08_log.txt TDSSKiller.3.1.0.28_17.09.2019_17.49.47_log.txt
  3. Kevin, Logs attached. It's strange because during the scan, my AV software detects the Rootkit with a message saying that Malwarebytes Anti-Rootkit is trying to access the file, then I get a message that the file was deleted. But the next time I boot the system, the Rootkit is still there. Malwarebytes Anti-Rootkit didn't detect anything. mbar-log-2019-09-17 (14-02-21).txt system-log.txt
  4. My AV software still detects the Rootkit Agent on the startup scan (MBR sector)... 😕
  5. Kevin, Please find attached:

     1 - Fixlog.txt (FRST log)

     2 - Malwarebytes log:

        Malwarebytes
        www.malwarebytes.com

        -Log Details-
        Scan Date: 9/16/19
        Scan Time: 7:19 PM
        Log File: 098b8786-d8d0-11e9-a5aa-d0bf9c01a728.json

        -Software Information-
        Version: 3.8.3.2965
        Components Version: 1.0.625
        Update Package Version: 1.0.12399
        License: Free

        -System Information-
        OS: Windows Server 2012
        CPU: x64
        File System: NTFS
        User: SERVIDOR\Administrador

        -Scan Summary-
        Scan Type: Threat Scan
        Scan Initiated By: Manual
        Result: Completed
        Objects Scanned: 217899
        Threats Detected: 0
        Threats Quarantined: 0
        Time Elapsed: 5 min, 53 sec

        -Scan Options-
        Memory: Enabled
        Startup: Enabled
        Filesystem: Enabled
        Archives: Enabled
        Rootkits: Enabled
        Heuristics: Enabled
        PUP: Detect
        PUM: Detect

        -Scan Details-
        Process: 0 (No malicious items detected)
        Module: 0 (No malicious items detected)
        Registry Key: 0 (No malicious items detected)
        Registry Value: 0 (No malicious items detected)
        Registry Data: 0 (No malicious items detected)
        Data Stream: 0 (No malicious items detected)
        Folder: 0 (No malicious items detected)
        File: 0 (No malicious items detected)
        Physical Sector: 0 (No malicious items detected)
        WMI: 0 (No malicious items detected)

        (end)

     3 - AdwCleaner log:

        # -------------------------------
        # Malwarebytes AdwCleaner 7.4.1.0
        # -------------------------------
        # Build:    09-04-2019
        # Database: 2019-08-27.1 (Local)
        # Support:  https://www.malwarebytes.com/support
        #
        # -------------------------------
        # Mode: Clean
        # -------------------------------
        # Start:    09-16-2019
        # Duration: 00:00:01
        # OS:       Windows Server 2012 Standard
        # Cleaned:  1
        # Failed:   0

        ***** [ Services ] *****
        No malicious services cleaned.

        ***** [ Folders ] *****
        Deleted C:\Program Files\WinZip\WinZip Smart Monitor

        ***** [ Files ] *****
        No malicious files cleaned.

        ***** [ DLL ] *****
        No malicious DLLs cleaned.

        ***** [ WMI ] *****
        No malicious WMI cleaned.

        ***** [ Shortcuts ] *****
        No malicious shortcuts cleaned.

        ***** [ Tasks ] *****
        No malicious tasks cleaned.

        ***** [ Registry ] *****
        No malicious registry entries cleaned.

        ***** [ Chromium (and derivatives) ] *****
        No malicious Chromium entries cleaned.

        ***** [ Chromium URLs ] *****
        No malicious Chromium URLs cleaned.

        ***** [ Firefox (and derivatives) ] *****
        No malicious Firefox entries cleaned.

        ***** [ Firefox URLs ] *****
        No malicious Firefox URLs cleaned.

        ***** [ Preinstalled Software ] *****
        No Preinstalled Software cleaned.

        *************************
        [+] Delete Tracing Keys
        [+] Reset Winsock
        *************************

        AdwCleaner_Debug.log - [5385 octets] - [16/09/2019 16:57:16]
        AdwCleaner[S00].txt - [1450 octets] - [16/09/2019 16:58:23]

        ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

     4 - Microsoft Malicious Software Removal Tool:

        Microsoft Windows Malicious Software Removal Tool v5.75, August 2019 (build 5.75.16236.1)
        Started On Mon Sep 16 19:32:56 2019

        Engine: 1.1.16200.1
        Signatures: 1.299.474.0
        MpGear: 1.1.15747.1
        Run Mode: Interactive Graphical Mode

        Results Summary:
        ----------------
        No infection found.
        Successfully Submitted Heartbeat Report
        Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 16 19:37:12 2019

        Return code: 0 (0x0)

     Fixlog.txt
  6. Hi Kevin, So, I did what you instructed me and here is the result: https://www.virustotal.com/gui/file/8d49a4e7f2ca1239311f6b1d69ebf3e95735da9e0cdfbe8235a28e256cbaf6c9/detection Thanks,
  7. Hi kevinf80! I've been away on a business trip and will be back at my office tomorrow. I'll try your solution the moment I get there and will get back to you as soon as I can. Thanks in advance for your reply!
  8. Hello! My antivirus software has detected an infection (Win32/Rootkit.Agent.OCL) on my company server. Could you please give me any tips on how to remove it? I ran Farbar Recovery Scan Tool as instructed; files are attached. I couldn't configure Farbar to generate the files in English (my OS is in Brazilian Portuguese), so if that is a problem let me know so I can try again. Thanks! FRST.txt Addition.txt