csun_mizzou, posted June 20, 2018

My IT informed me of the following infection on my laptop:

> ISAM has detected an infected system on the network. Information about the system can be found above. The threat signature detected is MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0 (1:18388:11), and is detected based on traffic coming from the system in question with a known malicious user-agent string.

My IT is unable to assist me directly as the computer is not a work desktop. I tried several sw (Defender, Malwarebytes, Cisco AMP, Cleanwin, Spybot), but the specific threat was not detected. Please see attached logs. Your advice is greatly appreciated.

Carlos Sun

Attachments: Malwarebytes_scan_log.txt, Addition.txt, FRST.txt
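The alert quoted above is a network signature: it fires on the User-Agent header of HTTP requests leaving the host, not on a file, which is why host scanners may find nothing. The following added example (not from the thread or from Snort) shows the same kind of match run over a constructed capture of HTTP requests; an exact, case-sensitive comparison of the header value is assumed.

```python
from typing import NamedTuple

# Signature the thread is about (Snort SID 1:18388): the User-Agent
# request header value "RookIE/1.0". Exact, case-sensitive match assumed.
KNOWN_BAD_USER_AGENTS = {"RookIE/1.0"}

class Hit(NamedTuple):
    src: str           # source address the request was captured from
    host: str          # Host header, i.e. the server the client contacted
    user_agent: str
    request_line: str  # e.g. "POST /gate.php HTTP/1.1"

def parse_headers(raw_request: bytes) -> tuple[str, dict[str, str]]:
    """Split one HTTP/1.x request into (request line, headers).

    Headers end at the first blank line; header names are case-insensitive,
    so the dict is keyed by the lower-cased name. Malformed input yields
    an empty header dict rather than an exception.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def scan_capture(capture: list[tuple[str, bytes]]) -> list[Hit]:
    """Flag every request whose User-Agent is on the known-bad list."""
    hits = []
    for src, raw in capture:
        request_line, headers = parse_headers(raw)
        ua = headers.get("user-agent")
        if ua in KNOWN_BAD_USER_AGENTS:
            hits.append(Hit(src, headers.get("host", "?"), ua, request_line))
    return hits

# Constructed sample capture (not real traffic): two benign requests and one
# carrying the flagged string, with a lower-cased header name to show that
# header-name case does not affect the match.
SAMPLE_CAPTURE = [
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                 b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/60.0\r\n\r\n"),
    ("10.0.0.7", b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                 b"user-agent: RookIE/1.0\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.9", b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_CAPTURE):
        print(f"{hit.src} -> {hit.host}: {hit.request_line!r} UA={hit.user_agent!r}")
```

Because the rule matches what the host sends on the wire, the useful follow-up is to capture the host's own outbound HTTP and correlate any hit with the process that opened the connection, which is what the file-based scanners in this thread cannot show.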
AdvancedSetup (Root Admin), posted June 23, 2018

Hello @csun_mizzou. Do you have local Admin rights to the computer? Do you personally own this computer, or does it belong to some other business? Assuming you have Admin rights and you own the computer, please run the following. If you don't have admin rights or you don't own the computer, please let me know.

Please run the following anti-rootkit scan. Once that is done, please run the following.

Please download the following scanner from Kaspersky and save it to your computer: TDSSKiller. Then watch the following video on how to use the tool, and make sure to temporarily disable your security applications before running TDSSKiller: PC Winvids - How to run Kaspersky TDSSKiller. If any infection is found, please make sure to choose SKIP and post back the log in case of a False Positive detection. Once the tool has completed scanning, make sure to re-enable your other security applications.

Thank you,
Ron
csun_mizzou (Author), posted June 23, 2018

Ron, I followed your instructions. I ran the mbar rootkit and no malware was found. I ran TDSSKiller twice after disabling all security apps. The first scan, with loaded modules enabled, produced two log files. The second scan was run with "verify and TDLFS" checked. Please see attached. Nothing was found by these scans. I will try to install Snort and see if I could replicate what my IT folks are finding at work with the RookIE/1.0 agent. Thank you again.

Carlos

Attachments: TDSSKiller.3.1.0.17_23.06.2018_15.14.18_log.txt, TDSSKiller.3.1.0.17_23.06.2018_15.13.10_log.txt
AdvancedSetup (Root Admin), posted June 23, 2018

Okay, let me have you run the following again and we'll take another look. Please run the following steps and post back the logs as an attachment when ready.

STEP 01
If you're already running Malwarebytes 3, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button. If you don't have Malwarebytes 3 installed yet, please download it from here and install it. Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button. Once the scan is completed, click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply. If Malwarebytes won't run, then please skip to the next step and let me know on your next reply.

STEP 02
Please download AdwCleaner by Malwarebytes and save the file to your Desktop. Right-click on the program and select Run as Administrator to start the tool. Accept the Terms of use. Wait until the database is updated. Click Scan. When finished, please click Clean. Your PC should reboot now if any items were found. After reboot, a log file will be opened. Copy its content into your next reply.

RESTART THE COMPUTER before running Step 3.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit. Double-click to run it. When the tool opens, click Yes to the disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.

Please attach the Additions.txt log to your reply as well.

Thanks,
Ron
csun_mizzou (Author), posted June 24, 2018

I followed your steps 1-3. By the way, I found that AdwCleaner doesn't respond if Mbar is running. I exited Mbar and AdwCleaner then ran fine. Please see attached logs. I don't think the RookIE/1.0 infection was found. Here is the info on the Snort rule detection: https://snort.org/rule_docs/1-18388. I will try to install Snort even though the process seems very complicated. I will also try ClamAV and Immunet. Thank you.

Carlos

Attachments: AdwCleaner[C00].txt, Addition.txt, mbar-log-2018-06-23_exported.txt, FRST.txt
csun_mizzou (Author), posted June 24, 2018

Immunet/ClamAV found a few items. There was no log or export function in Immunet, but here are the entries:

- Clam.Win.Trojan.Agent-1380996 (Anvsoft\Syncios\qrcode.exe) - I think this was a false positive
- Clam.Html.Trojan.Blackhole-65 (2 instances, Firefox cache files)

I am not sure if the Blackhole trojans were RookIE/1.0. My understanding of RookIE is that it is a generic password stealing trojan. I am still trying to get Snort up and running.
AdvancedSetup (Root Admin), posted June 25, 2018

Let's try another scanner. Download PowerTool and save to your Desktop; ensure you get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh
PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

1. Right click on PowerTool and select "Run as Administrator". Windows 8/8.1/10 users may see the following; if so, select "More Info", then in the next window select "Run Anyway".
2. Initially click on the square image to enlarge the window to full screen (as shown in the image below).
3. Now click on the Kernel tab (No. 1 on the image below).
4. Then click on Kernel Notify Routine (No. 2 on the image below).
5. Also click on Path so you sort the list by name (No. 3 on the image below).
6. Right click anywhere on the listed items under Path (No. 4 on the image above) and select Export.
7. Save the exported file to your Desktop, zip up that file and attach it to your reply.

Thank you,
Ron
csun_mizzou (Author), posted June 26, 2018

Please see attached PowerTool export file. Thank you.

Carlos

Attachment: notify.zip
AdvancedSetup (Root Admin), posted June 27, 2018

Well, none of the scanners are finding any signs of a rootkit or other real threat. Let's go ahead and run a Kaspersky AV scan. Please download and run the following Kaspersky antivirus scanner to remove any found threats: Kaspersky Virus Removal Tool. Let me know if it finds anything.

Ron
csun_mizzou (Author), posted June 28, 2018

I ran the Kaspersky tool and nothing was found.
AdvancedSetup (Root Admin), posted June 29, 2018

I would contact your ISP and let them know that your system has been checked and it is not infected or sending out any threats either. Provide them a link to this forum post if you like: https://forums.malwarebytes.com/topic/231857-rookie10-infection/

Thank you,
Ron