
Very persistent Rootkit.Agent


Pablo


Thanks for the log Pablo, yes this is proving to be a real nuisance. Let's do a search in the registry to make sure we've got the correct navigational address...

Open FRST one more time:

Type or copy/paste the following in the edit box after "Search:".

aswbdisk

Click the Search Registry button and post the log (Search.txt) it creates in your reply.

Thank you,

Kevin...


Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Ahmed (12-01-2018 12:12:48)
Running from C:\Users\Ahmed\Desktop
Boot Mode: Normal

================== Search Registry: "aswbdisk" ===========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aswbdisk]

====== End of Search ======


Thanks for that log. Let's see if we can shift the problem with the following:

Download BlitzBlank from here: http://www.bleepingcomputer.com/download/blitzblank/dl/108/ and save it to your desktop.

Right click on Blitzblank.exe and select "Run as Administrator"


Click OK at the warning (and take note of it, this is a VERY powerful tool!).


Click the Script tab and copy/paste the following text there:

DeleteRegKey:
hkey_local_machine\system\CurrentControlSet\services\aswbdisk



Click Execute Now. An alert will ask "You are about to delete files, are you sure to proceed". Select OK to proceed.


A system reboot warning will open, it will say "Please close all running applications to avoid data loss". Select OK to proceed.


Your computer will need to reboot in order to do the fixes

When done, post the report created by BlitzBlank. You can find it at the root of the drive, normally C:\
 
Thanks,
 
Kevin
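As an added example (not part of Kevin's instructions and not output from FRST or BlitzBlank), the PowerShell below does from an elevated prompt what the FRST registry search and the BlitzBlank DeleteRegKey step above are aimed at, and adds the check a practitioner wants before deleting a service key: it finds service keys whose name matches a pattern, and for each one reports the start type, the binary the ImagePath points to, whether that file exists and who signed it, whether the service or driver is currently loaded, and any Deny entries in the key's ACL (one common reason a key refuses to delete from a running system). Only the key name aswbdisk comes from the thread; the function names are my own. The script reads only; the deletion line at the end is left commented out.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Only the key name "aswbdisk" comes from the thread; helper names are my own.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Find-ServiceKey {
    # Counterpart of the FRST "Search Registry" step, restricted to the Services
    # hive: returns the names of service keys whose name contains $Pattern.
    param([Parameter(Mandatory)][string]$Pattern)
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$Pattern*" } |
        ForEach-Object { $_.PSChildName }
}

function Resolve-ImagePath {
    # Driver ImagePath values use kernel-style prefixes that Test-Path cannot open;
    # normalise them to a Win32 path so the file can be inspected.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    # A Win32 service ImagePath may carry arguments; keep only the executable.
    if ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    return $p
}

function Get-ServiceKeyReport {
    # One record per service key: enough to decide whether the key is an orphan
    # (binary gone), a live driver, or a leftover from a security product.
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path -LiteralPath $key)) { return $null }

    $props      = Get-ItemProperty -LiteralPath $key
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }

    $start = $null
    if ($null -ne $props.Start) {
        $start = if ($startNames.ContainsKey([int]$props.Start)) { $startNames[[int]$props.Start] } else { $props.Start }
    }
    $type = $null
    if ($null -ne $props.Type) {
        $type = if ($typeNames.ContainsKey([int]$props.Type)) { $typeNames[[int]$props.Type] } else { $props.Type }
    }

    $file   = Resolve-ImagePath $props.ImagePath
    $exists = [bool]($file -and (Test-Path -LiteralPath $file))
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }

    # Win32_BaseService is the parent of both Win32_Service and Win32_SystemDriver,
    # so this answers "is it loaded right now" for services and kernel drivers alike.
    $live = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$Name'" -ErrorAction SilentlyContinue

    # A key that cannot be removed from the running system often carries Deny ACEs.
    $acl  = Get-Acl -LiteralPath $key
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Key          = $key
        DisplayName  = $props.DisplayName
        Start        = $start
        Type         = $type
        ImagePath    = $props.ImagePath
        ResolvedFile = $file
        FileExists   = $exists
        Signature    = if ($sig) { $sig.Status } else { 'n/a' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        State        = if ($live) { $live.State } else { 'not registered with SCM' }
        KeyOwner     = $acl.Owner
        DenyACEs     = $deny.Count
        DenyDetails  = ($deny | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
    }
}

# Usage: same search term the thread used, one report per matching key.
Find-ServiceKey -Pattern 'aswbdisk' |
    ForEach-Object { Get-ServiceKeyReport -Name $_ } |
    Format-List

# Only after reading the report. -WhatIf shows what would be removed without doing it;
# an "access is not allowed" error here is what pushes people to an offline tool.
# Remove-Item -LiteralPath (Join-Path $ServicesRoot 'aswbdisk') -Recurse -WhatIf
```

Reading the report: a key whose ResolvedFile does not exist and whose State is "not registered with SCM" is a dead entry and safe to remove; a key whose binary exists, carries a valid signature from a known vendor and shows State "Running" is a loaded driver, and deleting its key from the running system is neither likely to succeed nor the right first move.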

Usually that service is moved with FRST in the recovery environment; it's got me stumped. I'm going to seek advice for a solution and will get back to you later... In general, how is your PC responding? Is there any odd or erratic behavior? Same for your browsers: any odd or erratic behavior, any redirects etc...

Thanks,

Kevin..


PC is running like it used to. Boots up pretty fast and I'm playing League of Legends without any lag like the good old times. I'm assuming it's safe to use without any risks? My CPU usage also shot up crazily during the peak of the virus before we removed the majority of it, and now it's back to how it used to be at low numbers, so that's probably a good thing I hope. Thanks for your help so far!


Hello Pablo,

That nuisance service is safe and can be ignored; for now all we need to do is clean up.

Uninstall Sophos AV and Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
