pedrobicalho

Need Help removing Rootkit Agent!


Hello!

My antivirus software has detected an infection (Win32/Rootkit.Agent.OCL) on my company server. Could you please give me any tips on how to remove it?

I ran Farbar Recovery Scan Tool as instructed; files are attached. I couldn't configure Farbar to generate the files in English (my OS is in Brazilian Portuguese), so if that is a problem let me know so I can try again.

Thanks!

FRST.txt Addition.txt

Hello pedrobicalho and welcome to Malwarebytes,

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\ProgramData\KMSAuto\bin\KMSSS.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.


Thank you,

Kevin....

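As an added illustration of the VirusTotal step above (example code written for this page, not part of Kevin's instructions or of any Malwarebytes tool): the script hashes a file in chunks and builds the VirusTotal report URL in the same shape as the link posted later in this thread. Looking the hash up first shows whether the sample is already known before a binary from a company server gets uploaded anywhere. The sample bytes, the temporary file and the helper names are constructed for the example; the 64-character hash constant is the one from the thread's own VirusTotal link.

```python
import hashlib
import os
import tempfile

# Constructed sample content standing in for a suspicious binary (not a real executable).
SAMPLE_BYTES = b"MZ constructed sample bytes, not real code\n" * 64

# SHA-256 taken from the VirusTotal link posted later in this thread, kept as a reference value.
THREAD_SHA256 = "8d49a4e7f2ca1239311f6b1d69ebf3e95735da9e0cdfbe8235a28e256cbaf6c9"


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are never fully loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def virustotal_report_url(sha256_hex):
    """Build the VirusTotal report URL for a known SHA-256 (same shape as the link in this thread).

    Looking up the hash first shows whether the file is already known; only an unknown
    hash needs the upload, which matters when the binary may carry company data.
    """
    digest = sha256_hex.strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-character hexadecimal SHA-256")
    return f"https://www.virustotal.com/gui/file/{digest}/detection"


def hash_and_lookup(path):
    """Hash a file on disk and return (sha256, virustotal_url)."""
    digest = sha256_of_file(path)
    return digest, virustotal_report_url(digest)


def demo():
    """Write the constructed sample to a temporary file, hash it, clean up, return the result."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(SAMPLE_BYTES)
        return hash_and_lookup(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    digest, url = demo()
    print(digest)
    print(url)
    print(virustotal_report_url(THREAD_SHA256))
```

Replace the temporary file with the real path (here C:\ProgramData\KMSAuto\bin\KMSSS.exe) to get the URL for an existing file; if VirusTotal has no report for that hash, the upload step in the instructions above is still needed.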

Hi kevinf80!

I've been away on a business trip and will be back at my office tomorrow. I'll try your solution the moment I get there and will get back to you as soon as I can.

Thanks in advance for your reply!


Hi Kevin,

So, I did what you instructed me and here is the result: https://www.virustotal.com/gui/file/8d49a4e7f2ca1239311f6b1d69ebf3e95735da9e0cdfbe8235a28e256cbaf6c9/detection

Thanks,


Thanks for the update pedrobicalho, continue as follows:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running the FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

fix.jpg

Next,

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes, or if Malwarebytes is already installed, do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options"; ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log includes details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply..

Thank you,

Kevin..

 

fixlist.txt


Kevin,

Please find attached:

1 - Fixlog.txt (FRST log)

2 - Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/16/19
Scan Time: 7:19 PM
Log File: 098b8786-d8d0-11e9-a5aa-d0bf9c01a728.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.625
Update Package Version: 1.0.12399
License: Free

-System Information-
OS: Windows Server 2012
CPU: x64
File System: NTFS
User: SERVIDOR\Administrador

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 217899
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 5 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

3 - AdwCleaner log:

# -------------------------------
# Malwarebytes AdwCleaner 7.4.1.0
# -------------------------------
# Build:    09-04-2019
# Database: 2019-08-27.1 (Local)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    09-16-2019
# Duration: 00:00:01
# OS:       Windows Server 2012 Standard
# Cleaned:  1
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Program Files\WinZip\WinZip Smart Monitor

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner_Debug.log - [5385 octets] - [16/09/2019 16:57:16]
AdwCleaner[S00].txt - [1450 octets] - [16/09/2019 16:58:23]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########


4 - Microsoft Malicious Software Removal Tool:

Microsoft Windows Malicious Software Removal Tool v5.75, August 2019 (build 5.75.16236.1)
Started On Mon Sep 16 19:32:56 2019

Engine: 1.1.16200.1
Signatures: 1.299.474.0
MpGear: 1.1.15747.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 16 19:37:12 2019


Return code: 0 (0x0)

Fixlog.txt

7 hours ago, kevinf80 said:

What is the status of your PC now, any remaining issues or concerns...?

My AV software still detects the Rootkit Agent on the startup scan (MBR sector)....😕

11.jpg


Thanks for the update, continue:

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Thanks,

Kevin..


Kevin,

Logs attached.

It's strange because during the scan, my AV software detects the Rootkit with a message saying that Malwarebytes Anti-Rootkit is trying to access the file, then I get a message that the file was deleted. But the next time I boot the system, the Rootkit is still there. Malwarebytes Anti-Rootkit didn't detect anything.

mbar-log-2019-09-17 (14-02-21).txt system-log.txt


Thanks for those logs, this is frustrating for sure. Continue please:

Please read carefully and follow these steps.
  • Download TDSSKiller from here http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
  • Double-click on the downloaded tdsskiller.exe to run the application.
  • The "Ready to scan" window will open. Click on "Change parameters".
  • Ensure all entries are checkmarked under Additional Options, and ensure all entries are checkmarked under Objects to scan. When Loaded Modules is checkmarked a reboot will be offered; allow that to happen...
  • Continue after reboot: select "Change Parameters", make sure entries are checkmarked and then select "Start Scan".
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Kevin, logs are attached.

TDSSKiller found Rootkit.Boot.DarkGalaxy.a. I selected "cure" as instructed and got the message "Can't cure MBR. Write standard boot code?". Selected "Yes" and then rebooted....during Windows load I got an error message on the cmd screen.....but then everything loaded fine (and I got the impression that load time was a little faster).

Just ran my AV on the boot sector, and everything was clean. I'll post back after I run some other tests, but I think it worked!!

Thank you so much for your assistance Kevin!

 

TDSSKiller.3.1.0.28_17.09.2019_17.59.08_log.txt TDSSKiller.3.1.0.28_17.09.2019_17.49.47_log.txt

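The outcome above is instructive: the machine booted and ran normally for days while the MBR boot code was not the standard one, the file-oriented scanners found nothing, and the fix was simply rewriting the 440 bytes of boot code. A hash baseline of those bytes catches that kind of change without depending on any signature. The script below is an added example written for this page (not from Kevin, Pedro, TDSSKiller or Malwarebytes): it parses a 512-byte MBR, hashes the boot-code region, walks the four partition entries and reports deviations from a known-good baseline. The two 512-byte images, the disk signature and the baseline are constructed for the example; `\\.\PhysicalDrive0` is the Windows raw-disk path a practitioner would read (Administrator required), and that function is not exercised here.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: boot code, the region "write standard boot code" replaces
DISK_SIG_OFFSET = 440          # 4-byte disk signature, then 2 bytes usually zero
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count; little-endian, no padding
PartitionEntry = struct.Struct("<B3sB3sII")


def build_mbr(boot_code, partitions, disk_signature=b"\x11\x22\x33\x44"):
    """Assemble a 512-byte MBR image from its parts (used here only to construct sample images)."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    table = b"".join(PartitionEntry.pack(*p) for p in partitions)
    table = table.ljust(4 * PartitionEntry.size, b"\x00")
    return boot_code + disk_signature + b"\x00\x00" + table + BOOT_SIGNATURE


def parse_mbr(blob):
    """Split an MBR into boot-code hash, disk signature, partition entries and signature check."""
    if len(blob) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = PartitionEntry.unpack_from(
            blob, PARTITION_TABLE_OFFSET + i * PartitionEntry.size)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(blob[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": blob[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": entries,
        "signature_ok": blob[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(blob, baseline_boot_code_sha256):
    """Compare a freshly read MBR against a known-good baseline; return a list of findings."""
    info = parse_mbr(blob)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1 and any(p["type"] for p in info["partitions"]):
        findings.append(f"{len(active)} partitions marked active, expected 1")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk on Windows (needs Administrator); not run in the demo."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed images: a "clean" boot sector and one whose boot code was overwritten while the
# partition table stayed intact, which is why such a system still boots normally.
CLEAN_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 400 + b"\xcd\x19").ljust(BOOT_CODE_LEN, b"\x00")
PARTITIONS = [(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xeb\x10" + b"\x41" * 438, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this right after a known-clean state


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Take the baseline from a state you trust (for instance immediately after TDSSKiller wrote standard boot code and the AV boot-sector scan came back clean), store it off the machine, and re-check at boot or on a schedule. On UEFI/GPT systems the first sector holds only a protective MBR, so the same comparison applies there but the interesting code lives in the EFI system partition instead.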

Hello pedrobicalho,

Thanks for the logs and information update; it's good to hear we've finally put this infection to the sword. I'm very surprised that MBAR (which we tried earlier) did not see it. Yes, please let me know how your system is responding after you've completed further checks. When you are happy all is ok we can clean up..

Regards,

Kevin..


Ran other tests and nothing was detected. System is responding ok!

I think you can close this topic now. Thanks again Kevin.

Pedro


Thanks for the update Pedro, good to hear your system is ok now. Continue to clean up...

The following are Portable and can be deleted from where they were saved:

Malwarebytes Anti-Rootkit
TDSSKiller


Also open the C:\ drive; any log files created by TDSSKiller can be deleted..

Next,

Right click on FRST here: C:\Users\Administrador\Desktop\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden; in that case just rename FRST64 to uninstall.

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.