Persistent Rootkit.Agent and Malware.Trace


eon

The following 2 items always show up when running MBAM:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

They are removed, and then after reboot will be detected again on subsequent runs. Logs are attached.

Not shown in the logs:

Looking in regedit at the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore key, I find:

\Enum\ImagePath

With value data:

\??\C:\WINXP\system32\drivers\restore.sys

The above file is not being detected on full scans.

mbam_log.txt

I just thought I'd update this thread with my outcome in case others encountered this problem.

It probably doesn't show up on the logs here, but I wound up being able to remove everything mentioned in my original post. However, later on, I discovered that I had been hit with a root kit. (Not the Win32.TDSS.rtk mentioned, which is actually fairly easy to remove).

Nothing which detected the root kit gave me a specific name for it, but I can describe its characteristics:

It has some hidden/encrypted files which I was never able to detect with any programs (even tried with Kaspersky). At boot, these hidden files create two other files: restore.sys and driver.sys (I believe one was in the Windows directory and the other in the system32 folder). Also created is a temp file with the format: C:\Windows\temp\BN#.tmp (for example: BN5.tmp).

On reboot, the files disappear, causing any utilities which delete on reboot not to find them. It was causing one or both of the following two entries to persistently appear in MBAM:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Nothing was able to remove it, I even got in with GMER and UnhackMe (which is actually a pretty neat utility).

Ultimately, I had no choice but to do a complete format and reinstall, as is often recommended with rootkits anyway. I just thought I would share this information for anyone else unfortunate enough to acquire this pest; I wasted many hours attempting to remove it and reached the conclusion that it's more or less impossible, at least with current detection/removal options that are available.

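A read-only check for the indicators the two posts above describe (the `restore` service key, the `AGprotect` key, `restore.sys`/`driver.sys`, and `BN#.tmp` files), as an added example written for this page and not code from the thread or from Malwarebytes. It assumes Windows PowerShell 5.1 or later run as Administrator, substitutes `$env:SystemRoot` for the poster's `C:\WINXP`, and generalises the poster's observation into a check of every kernel-driver service whose ImagePath points at a file that is not visible on disk.

```powershell
# Added example (not from the thread). Key and file names come from the posts;
# the driver.sys locations are assumptions, since the poster was unsure of them.
$indicators = @(
    @{ Kind = 'RegKey'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\restore' },
    @{ Kind = 'RegKey'; Path = 'HKLM:\SOFTWARE\AGprotect' },
    @{ Kind = 'File';   Path = "$env:SystemRoot\system32\drivers\restore.sys" },
    @{ Kind = 'File';   Path = "$env:SystemRoot\driver.sys" },
    @{ Kind = 'File';   Path = "$env:SystemRoot\system32\driver.sys" }
)

function Test-RootkitIndicators {
    $hits = @()
    foreach ($i in $indicators) {
        if (Test-Path -LiteralPath $i.Path) {
            $hits += [pscustomobject]@{ Kind = $i.Kind; Path = $i.Path; Note = 'present' }
        }
    }

    # BN#.tmp files in the Windows temp folder (e.g. BN5.tmp), as described in the thread.
    Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter 'BN*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += [pscustomobject]@{ Kind = 'File'; Path = $_.FullName; Note = 'temp artifact' } }

    # Generalised check: a kernel-driver service whose ImagePath has no visible file behind it.
    # A rootkit that hides its files makes Test-Path return $false, so the service key that
    # still loads a "missing" driver is itself the signal the poster observed.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and $p.Type -eq 1) {                     # Type 1 = SERVICE_KERNEL_DRIVER
            $img = $p.ImagePath -replace '^\\\?\?\\', ''            # strip the \??\ NT prefix
            $img = $img -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... form
            if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }  # relative form
            if (-not (Test-Path -LiteralPath $img)) {
                $hits += [pscustomobject]@{ Kind = 'Service'; Path = $_.PSChildName; Note = "ImagePath not on disk: $img" }
            }
        }
    }
    return $hits
}

Test-RootkitIndicators | Format-Table -AutoSize
```

Hits from the generic driver check are leads rather than verdicts, since stale entries for uninstalled drivers also point at missing files; compare any hit against a known-clean system and an offline scan before acting on it.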

Root Admin

Thank you for the follow-up. Sorry no one was available at the time to assist you with this removal.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
