
Rootkit Agent


gris


Hello.

I recently downloaded Malwarebytes and performed a quick scan on my computer. It got rid of most of my viruses except for rootkit.agent and a couple of other trojans.

I read the "I'm infected- What do I do now?" topic and followed most of the instructions. However, I have had some trouble with the GMER program. Every time I run GMER and perform a scan, my computer freezes, so I do not have a GMER log attached to this post.

Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

2/16/2010 10:25:47 AM

mbam-log-2010-02-16 (10-25-40).txt

Scan type: Quick Scan

Objects scanned: 105404

Time elapsed: 17 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\Drivers\qhjflfk.sys (Rootkit.Agent) -> No action taken.

C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.

Here is my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Richard at 19:45:20.85 on Mon 02/15/2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_06

Microsoft


Hello,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Step 4

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

DDS::

uRun: [rozupazer] Rundll32.exe "c:\progra~2\zasezara\zasezara.dll",a

uRun: [TOY5KNQ8OC] c:\users\richard\appdata\local\temp\Pnc.exe

uRun: [chkncoms] rundll32 "c:\users\richard\appdata\local\temp\cbsrlace.dll",DllEntryPoint

Driver::

qhjflfk.sys

rozupazer

TOY5KNQ8OC

chkncoms

File::

C:\Windows\system32\Drivers\qhjflfk.sys

C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

Folder::

c:\programdata\mazimiru

c:\programdata\zasezara

c:\programdata\rewuvafu

c:\programdata\rosozevi

c:\programdata\rigebevu

c:\programdata\jegugose

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 5

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 6

Reply with the latest C:\Combofix.txt

and the latest MBAM scan log

and tell me, How is your system now ?

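As an added example (not code from this thread, from Malwarebytes or from ComboFix), the following Python script parses the two artifacts that appear above: the MBAM 1.x scan log format in the first post (`<item> (<family>) -> <action>.` lines under `... Infected:` headings) and the CFScript directive format in the reply (`Name::` headers followed by one entry per line). It then cross-checks which of the detections MBAM reported as "No action taken" are covered by the script's `File::`, `Folder::` or `Driver::` blocks, which is the review a helper does by hand before posting a script. The sample log and script are constructed excerpts of what is posted in the thread; the reading of the CFScript layout (blank lines ignored, a line ending in `::` opens a block) is an assumption based only on the script as shown here.

```python
"""Parse an MBAM 1.x scan log and a ComboFix CFScript, then report which
detections that MBAM left in place ("No action taken") the script addresses.
Sample inputs below are constructed from the thread, not from a live scan."""
import re
from collections import defaultdict

# Constructed excerpt of the Malwarebytes log posted in the first post.
MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\XML (Trojan.FakeAlert) -> No action taken.

Files Infected:
C:\\Windows\\system32\\Drivers\\qhjflfk.sys (Rootkit.Agent) -> No action taken.
C:\\Windows\\Tasks\\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
"""

# Constructed excerpt of the CFScript from the helper's reply.
CFSCRIPT = """\
KILLALL::
DDS::
uRun: [rozupazer] Rundll32.exe "c:\\progra~2\\zasezara\\zasezara.dll",a
Driver::
qhjflfk.sys
rozupazer
File::
C:\\Windows\\system32\\Drivers\\qhjflfk.sys
C:\\Windows\\Tasks\\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Folder::
c:\\programdata\\mazimiru
c:\\programdata\\zasezara
"""

# One MBAM 1.x detection line: "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict {'section', 'item', 'family', 'action'} per detection line.
    The summary lines ("Files Infected: 2") end in a count, so only the
    detail headings ("Files Infected:") switch the current section."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return detections


def parse_cfscript(text):
    """Split a CFScript into its '::' directive blocks -> {directive: [entries]}.
    Assumption: a line ending in '::' opens a block; blank lines are ignored."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            blocks.setdefault(current, [])  # keep empty blocks such as KILLALL::
            continue
        if current is not None:
            blocks[current].append(line)
    return dict(blocks)


def unactioned(detections):
    """Detections MBAM reported but did not quarantine or delete."""
    return [d for d in detections if d["action"].lower().startswith("no action")]


def coverage_report(detections, script):
    """Map each unactioned item to the CFScript block that covers it (None if none).
    Paths are compared case-insensitively, as NTFS does; a Driver:: entry is
    matched against the file name of a detected .sys path."""
    targets = {}
    for directive in ("File", "Folder"):
        for entry in script.get(directive, []):
            targets[entry.lower()] = directive
    drivers = {e.lower() for e in script.get("Driver", [])}
    report = {}
    for d in unactioned(detections):
        key = d["item"].lower()
        covered = targets.get(key)
        if covered is None and key.rsplit("\\", 1)[-1] in drivers:
            covered = "Driver"
        report[d["item"]] = covered
    return report


if __name__ == "__main__":
    dets = parse_mbam_log(MBAM_LOG)
    script = parse_cfscript(CFSCRIPT)
    for item, block in coverage_report(dets, script).items():
        print(f"{block or 'NOT COVERED':>12}  {item}")
```

Run against the constructed inputs, the two file paths resolve to the `File::` block while the `HKEY_CURRENT_USER\SOFTWARE\XML` key is reported as not covered, which matches the reply: the script has no registry block, and the key is left for the MBAM rescan in Step 5 to remove.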

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

