
RookIE/1.0 Infection



My IT informed me of the following infection on my laptop: 

> ISAM has detected an infected system on the network. Information about
> the system can be found above. The threat signature detected is
> MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0
> (1:18388:11), and is detected based on traffic coming from the system
> in question with a known malicious user-agent string.

My IT is unable to assist me directly as the computer is not a work desktop. I tried several pieces of software (Defender, Malwarebytes, Cisco AMP, Cleanwin, Spybot), but the specific threat was not detected. Please see the attached logs. Your advice is greatly appreciated.

Carlos Sun

Malwarebytes_scan_log.txt

Addition.txt

FRST.txt


  • Root Admin

Hello @csun_mizzou and welcome.

Do you have local Admin rights to the computer?
Do you personally own this computer or does it belong to some other business?

 

Assuming you have Admin rights and you own the computer please run the following. If you don't have admin rights or you don't own the computer please let me know.

 

Please run the following anti-rootkit scan.

Once that is done, please run the following.

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you

Ron

Ron,
 
I followed your instructions. I ran the mbar rootkit and no malware was found. 
I ran the TDSSkiller twice after disabling all security apps. 
The first scan with loaded modules enabled produced two log files. 
The second scan with "verify and TDLFS" checked. Please see attached. 
Nothing was found by these scans. 
 
I will try to install Snort and see if I could replicate what my IT folks are finding at work with the RookIE/1.0 agent. 
 
Thank you again. 
 
Carlos

TDSSKiller.3.1.0.17_23.06.2018_15.14.18_log.txt

TDSSKiller.3.1.0.17_23.06.2018_15.13.10_log.txt


  • Root Admin

Okay, let me have you run the following again and we'll take another look.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron


I followed your steps 1-3. By the way, I found that AdwCleaner doesn't respond if Mbar is running. I exited Mbar and AdwCleaner then ran fine. Please see attached logs. I don't think the RookIE/1.0 infection was found. 

Here is the info on the Snort rule detection:

https://snort.org/rule_docs/1-18388

I will try to install Snort even though the process seems very complicated. I will also try ClamAV and Immunet.  

Thank you. 

Carlos

AdwCleaner[C00].txt

Addition.txt

mbar-log-2018-06-23_exported.txt

FRST.txt

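The alert quoted at the top of the thread comes from a network sensor matching an outbound HTTP header, which is why file- and process-oriented scanners on the laptop keep coming up clean. The script below is an added example, written for this page and not part of the original thread or of Snort, that reproduces the core of that check offline: it pulls the User-Agent out of captured client requests (raw HTTP/1.x request text or Apache/nginx combined-format access log lines) and flags any that contain the `RookIE/1.0` string named in the alert. It assumes only that string from the alert text; the real rule's other options (flow, http_header and so on) are not reproduced, and the sample records are constructed, not taken from the poster's logs.

```python
"""Offline check for the RookIE/1.0 User-Agent string in HTTP client traffic.

Host-side scanners look at files, processes and registry keys; the alert in
the thread comes from a network sensor that inspects outbound HTTP headers.
This stand-alone script applies the same kind of test to captured requests
(raw HTTP/1.x request text or combined-format access log lines) so the match
can be reproduced without installing Snort.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Substring the alert keys on, taken from the alert text quoted in the thread.
# The actual Snort rule options (flow, http_header, etc.) are not reproduced.
MALICIOUS_UA = "RookIE/1.0"

# Combined log format: the quoted User-Agent is the last field.
_COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def user_agent_from_request(raw: str) -> Optional[str]:
    """Return the User-Agent header value of a raw HTTP/1.x request, or None.

    Only client requests are considered: the first line must look like
    'METHOD target HTTP/1.x', mirroring an IDS rule's flow:to_server test.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def user_agent_from_log_line(line: str) -> Optional[str]:
    """Return the User-Agent field of a combined-format access log line."""
    m = _COMBINED_LOG.match(line)
    return m.group("ua") if m else None


def is_malicious_ua(ua: Optional[str]) -> bool:
    """Case-sensitive substring test, as a Snort 'content' match is by default."""
    return ua is not None and MALICIOUS_UA in ua


def scan(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (label, user_agent) for every record whose User-Agent matches.

    Each record is (label, text); text is either a raw request or a log line,
    tried as a request first and as a log line second.
    """
    hits = []
    for label, text in records:
        ua = user_agent_from_request(text)
        if ua is None:
            ua = user_agent_from_log_line(text)
        if is_malicious_ua(ua):
            hits.append((label, ua))
    return hits


# Constructed sample input (not captured from the poster's laptop).
SAMPLE_RECORDS = [
    ("req-1", "GET /gate.php?id=1 HTTP/1.1\r\nHost: 203.0.113.10\r\n"
              "User-Agent: RookIE/1.0\r\nAccept: */*\r\n\r\n"),
    ("req-2", "GET / HTTP/1.1\r\nHost: example.com\r\n"
              "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) "
              "Gecko/20100101 Firefox/60.0\r\n\r\n"),
    # Response traffic never carries a client User-Agent; it must not match.
    ("resp-1", "HTTP/1.1 200 OK\r\nServer: RookIE/1.0\r\n\r\n"),
    # Case differs from the signature string, so a case-sensitive match skips it.
    ("req-3", "POST /c HTTP/1.0\r\nUser-Agent: rookie/1.0\r\n\r\n"),
    ("log-1", '192.0.2.7 - - [23/Jun/2018:15:14:18 -0500] "GET /cfg HTTP/1.1" '
              '200 512 "-" "RookIE/1.0"'),
    ("log-2", '192.0.2.7 - - [23/Jun/2018:15:14:20 -0500] "GET /index.html HTTP/1.1" '
              '200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"'),
]

if __name__ == "__main__":
    for label, ua in scan(SAMPLE_RECORDS):
        print(f"{label}: matched User-Agent {ua!r}")
```

To run this against real traffic from the laptop, route the machine's HTTP through a logging proxy or dump the traffic with a packet capture tool, extract the client request headers, and feed them in as records; a hit pins down the source process far faster than another file scan, while a clean run over several hours of normal use supports the conclusion later in this thread that the sensor may be attributing someone else's traffic to this host.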

Immunet/ClamAV found a few items. There was no log or export function in immunet, but here are the entries:

Clam.Win.Trojan.Agent-1380996 (Anvsoft\Syncios\qrcode.exe) - I think this was a false positive

Clam.Html.Trojan.Blackhole-65 (2 instances, Firefox cache files)

I am not sure if the Blackhole trojans were RookIE/1.0. My understanding of RookIE is that it is a generic password stealing trojan. 

I am still trying to get Snort up and running.


  • Root Admin

Let's try another scanner

 

Download PowerTool and save to your Desktop, ensure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right-click on PowerTool and select "Run as Administrator".

Windows 8/8.1/10 users may see a warning; if so, select "More Info".

In the next window select "Run Anyway".

Initially click on the maximize button to enlarge the window to full screen (as shown in the image below).
Now click on the Kernel tab (No. 1 on the image below).
Then click on Kernel Notify Routine (No. 2 on the image below).
Also click on Path so you sort the list by name (No. 3 on the image below).

Right-click anywhere on the listed items under Path (No. 4 on the image above) and select Export.

Save the exported file to your Desktop, zip up that file and attach it to your reply.

Thank you,

Ron

  • Root Admin

Well, none of the scanners are finding any signs of a rootkit or other real threat. Let's go ahead and run a Kaspersky AV scan.

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything.

Ron


  • Root Admin

I would contact your ISP and let them know that your system has been checked and it is not infected or sending out any threats either.

Provide them a link to this forum post if you like

https://forums.malwarebytes.com/topic/231857-rookie10-infection/

Thank you

Ron
