TVDinner Posted January 9, 2010 ID:181743 Share Posted January 9, 2010 Hello all. I hope you are well and are able to assist me.My computer was infected. Not sure how, but obviously that is not important. I have been working closely with the Time Warner Cable security techs following the programs and instructions on this page - http://www.twccarolinas-security.com/For the past 4 days we have run 5-10 scans a day with every single program.Here is what I have found over and over - 1) Run paid version of AVG - updated multiple times a day and run multiple times a day - finds nothing- also do AVG Rootkit scan - finds nothing2) Run a-squared program multiple times a day - deep scan - finds nothing3) Run SuperAntiSpyware program multiple times a day - deep scan - finds nothing4) Run aswar root kit tool - finds nothing5) Run Malwarebytes multiple times a day and it finds one problem - C:\WINDOWS\system32\drivers\hbmkfoja.sys (Rootkit.Agent) -> No action taken.Try to delete - wont do itTry to Quarantine -wont do itTry to delete on reboot - says it does it - but comes back.Any help would be greatly appreciated. Below and attached is my mbam-log---------------------Malwarebytes' Anti-Malware 1.44Database version: 3519Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/8/2010 1:48:26 PMJA1.8.10_mbam-log-2010-01-08 (13-46-32)Scan type: Full Scan (C:\|)Objects scanned: 251439Time elapsed: 1 hour(s), 26 minute(s), 29 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\drivers\hbmkfoja.sys (Rootkit.Agent) -> No action taken.-------------THANK YOU ALL for any help you can provide.JamesJA1.8.10_mbam_log_2010_01_08__13_46_32_.txt Link to post Share on other sites More sharing options...
TVDinner Posted January 9, 2010 Author ID:181746 Share Posted January 9, 2010 I forgot to add that ONLY Malwarebytes is showing this rootkit.agent. I am currently running a-squared in safe mode and will post that info once it is done also.Thanks again. Link to post Share on other sites More sharing options...
TVDinner Posted January 9, 2010 Author ID:181769 Share Posted January 9, 2010 I forgot to add that ONLY Malwarebytes is showing this rootkit.agent. I am currently running a-squared in safe mode and will post that info once it is done also.Thanks again.I also ran File Assassin and tried to remove that file also. So far no luck. Link to post Share on other sites More sharing options...
chamber Posted January 12, 2010 ID:183203 Share Posted January 12, 2010 Hi, Download OTL to your desktop.Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check.Under the Custom Scan box paste this innetsvcsmsconfigsafebootminimalsafebootnetworkactivexdrivers32%SYSTEMDRIVE%\*.exe%systemroot%\*. /mp /sc:\$recycle.bin\*.* /sHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs/md5starteventlog.dllscecli.dllnetlogon.dllcngaudit.dllsceclt.dllntelogon.dlllogevent.dlliaStor.sysnvstor.sysnvstor32.sysatapi.sysIdeChnDr.sysviasraid.sysAGP440.sysvaxscsi.sysnvatabus.sysviamraid.sysnvata.sysnvgts.sysiastorv.sysViPrt.syseNetHook.dllexplorer.exesvchost.exeuserinit.exeqmgr.dllws2_32.dllproquota.exeimm32.dllkernel32.dllndis.sysautochk.exespoolsv.exexmlprov.dllntmssvc.dllmswsock.dllBeep.SYSntfs.systermsrv.dllsfcfiles.dllst3shark.sysahcix86.syssrsvc.dllnvrd32.sys /md5stop %systemroot%\system32\*.dll /lockedfiles%systemroot%\Tasks\*.job /lockedfiles%SYSTEMDRIVE%\*.*%userprofile%\Desktop\*.*%userprofile%\Desktop\*.Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.Please download GMER from one of the following locations and save it to your desktop:Main MirrorThis version will download a randomly named file (Recommended)Zipped MirrorThis version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.Disconnect from the Internet and close all running programs.Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.Now click the Scan button. If you see a rootkit warning window, click OK.When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.Click the Copy button and paste the results into your next reply.Exit GMER and re-enable all active protection when done.-- If you encounter any problems, try running GMER in Safe Mode. Link to post Share on other sites More sharing options...
TVDinner Posted January 12, 2010 Author ID:183252 Share Posted January 12, 2010 Hi Chamber. Thanks for the response.Since no one was able to reply until now I had to take alternative action to try to save my computer. I was quickly losing control and the virus was taking over.As a last resort I had a representative from Dell dial into my computer and clean off the rootkit.agent. It took him over an hour using a combination of DOS commands and a wide variety of programs (Prevx CSI, Trojan Remover, etc), but he was able to clean everything up and I have been virus free for the past 3 days. Malwarebytes, a-squared, AVG, and those other programs I just mentioned are all coming up completely clean now - finally.It cost me $100 BUT WAS COMPLETELY WORTH IT and saved my HOURS AND HOURS AND HOURS of work trying or reformating. The Geek Squad at Best Buy also can dial into your computer and do this as well. TOTALLY WORTH IT, at least so far. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 13, 2010 Root Admin ID:183554 Share Posted January 13, 2010 Thank you for the follow-up and sorry for the delay - just too many users to assist in a short period of time.I'll close your post now.Take care. Link to post Share on other sites More sharing options...
Recommended Posts