I_Hx

Rootkit agent .sys file


Windows Vista Home Premium 32bit

Malwarebytes Log

==================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4056

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18904

5/1/2010 6:13:01 PM

mbam-log-2010-05-01 (18-13-01).txt

Scan type: Quick scan

Objects scanned: 111816

Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\drivers\djqsdrk.sys (Rootkit.Agent) -> No action taken.

DDS Log

====================

DDS (Ver_10-03-17.01) - NTFSx86

Run by AMO at 17:21:12.16 on Sat 05/01/2010

Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20

Microsoft

Attached_Logs.zip


Hi I_Hx, and welcome to Malwarebytes!

I see you are being redirected to other sites with Google, yes? Let's see what we can do.

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


It did not ask for a reboot after pressing Enter to NOT do anything to the file. Here is the log.

================

18:28:53:351 3892 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

18:28:53:351 3892 ================================================================================

18:28:53:351 3892 SystemInfo:

18:28:53:351 3892 OS Version: 6.0.6002 ServicePack: 2.0

18:28:53:351 3892 Product type: Workstation

18:28:53:351 3892 ComputerName: AMO-PC

18:28:53:351 3892 UserName: AMO

18:28:53:351 3892 Windows directory: C:\Windows

18:28:53:351 3892 Processor architecture: Intel x86

18:28:53:351 3892 Number of processors: 2

18:28:53:351 3892 Page size: 0x1000

18:28:53:367 3892 Boot type: Normal boot

18:28:53:367 3892 ================================================================================

18:28:53:367 3892 UnloadDriverW: NtUnloadDriver error 2

18:28:53:367 3892 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

18:28:53:460 3892 wfopen_ex: Trying to open file C:\Windows\system32\config\system

18:28:53:460 3892 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:28:53:460 3892 wfopen_ex: Trying to KLMD file open

18:28:53:460 3892 wfopen_ex: File opened ok (Flags 2)

18:28:53:491 3892 wfopen_ex: Trying to open file C:\Windows\system32\config\software

18:28:53:491 3892 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:28:53:491 3892 wfopen_ex: Trying to KLMD file open

18:28:53:491 3892 wfopen_ex: File opened ok (Flags 2)

18:28:53:491 3892 Initialize success

18:28:53:491 3892

18:28:53:491 3892 Scanning Services ...

18:28:54:022 3892 Raw services enum returned 427 services

18:28:54:037 3892 Suspicious serv djqsdrk (h: 0, b: 1)

18:28:54:037 3892

18:28:54:037 3892 Hidden service detected!

18:28:54:037 3892 Service name: djqsdrk

18:28:54:037 3892 Image path:

18:28:54:037 3892 Type "delete" (without quotes) to delete it:

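The "Hidden service detected!" line in the log above is a cross-view discrepancy: TDSSKiller read 427 service definitions straight out of the raw SYSTEM hive (opened through its own klmd21 driver, as the wfopen_ex lines show) and found one, djqsdrk, that the Service Control Manager does not report. The PowerShell below is an added example, not part of this thread and not TDSSKiller's code, that performs the same comparison from inside Windows: the registry's list of service definitions against the SCM's own enumeration, then the driver file behind each mismatch and its Authenticode status. The function names are this example's own; the registry key, WMI classes and cmdlets are standard Windows ones. Run it from an elevated prompt.

```powershell
# Added example (not from the thread, not TDSSKiller's code): compare the service
# definitions in the registry against what the Service Control Manager reports.
# A definition that the SCM will not enumerate is what TDSSKiller calls a hidden
# service; for each one the driver file is located and its Authenticode status shown.
# Run from an elevated PowerShell prompt. Function names are this example's own.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegistryServiceView {
    # Every direct subkey of Services that carries a Type value is a service or
    # driver definition the SCM is supposed to know about.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Type) {
            New-Object PSObject -Property @{
                Name      = $_.PSChildName
                Type      = $props.Type
                ImagePath = $props.ImagePath
            }
        }
    }
}

function Get-ScmServiceNames {
    # Win32_Service lists user-mode services, Win32_SystemDriver lists kernel and
    # file-system drivers (running or stopped); together they are the SCM's view.
    $names = @()
    $names += Get-WmiObject -Class Win32_Service      | ForEach-Object { $_.Name }
    $names += Get-WmiObject -Class Win32_SystemDriver | ForEach-Object { $_.Name }
    return $names
}

function Resolve-ImagePath {
    param([string]$ImagePath)
    # ImagePath appears in several forms: "system32\drivers\x.sys" (relative to the
    # Windows directory), "\SystemRoot\system32\...", "\??\C:\...", "%SystemRoot%\..."
    # and quoted paths followed by arguments. Reduce all of them to a plain file path.
    if ([string]::IsNullOrEmpty($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path -Path $env:SystemRoot -ChildPath $p }
    return $p
}

function Find-HiddenServices {
    $scm = Get-ScmServiceNames
    # -notcontains compares case-insensitively, which matches how the SCM treats names.
    Get-RegistryServiceView | Where-Object { $scm -notcontains $_.Name } | ForEach-Object {
        $file = Resolve-ImagePath -ImagePath $_.ImagePath
        $status = 'NoImagePath'
        if ($file) {
            if (Test-Path -LiteralPath $file) {
                $status = (Get-AuthenticodeSignature -FilePath $file).Status.ToString()
            } else {
                $status = 'FileMissing'
            }
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            Type      = $_.Type
            Signature = $status
            File      = $file
        }
    }
}

Find-HiddenServices | Format-Table -Property Name, Type, Signature, File -AutoSize
```

Two caveats a practitioner should keep in mind. A rootkit that hooks the registry or service APIs hides its key from this script as well, which is exactly why TDSSKiller opens the hive file through its own driver instead of asking Windows; run the check from a clean boot environment or against an offline hive for the stronger version. And on older Windows releases Get-AuthenticodeSignature does not consult the system catalogs, so a catalog-signed Microsoft driver can report NotSigned; the signal to act on is a definition the SCM cannot see whose file has a random-looking name, not the signature status alone.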

This is not the whole log; it was cut off at the bottom. Please post it again. It's on your C: drive, called "TDSSKiller.txt".


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not, reboot your PC

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


I ran DeFogger prior to posting, as per the READ HERE FIRST instructions.

I ran it again.

It does not ask to reboot. I rebooted manually when I ran DeFogger earlier; should I do this again as I follow the above instructions?


After following the instructions and attempting to run ComboFix, it disconnected me from my LAN. I then reconnected the LAN and ran ComboFix again. This time I allowed it to disconnect the network. It finished and then prompted a reboot, which I allowed. On reboot, my machine told me it was not able to start Windows, that a critical driver had been damaged or corrupted, and also gave repair instructions, which were to boot from the OS disc and do a system repair. I am now on my laptop reporting this.

Awaiting instructions


Your PC has a rootkit that has replaced your driver file with malware.

Can you rename ComboFix.exe to Firefox.com?

Then try again.


At this point I cannot even get Windows to load. I am currently at the beginning of the OS disc boot, where it asks for a language. Should I continue with this process?

And thank you for your help. I do appreciate it and will donate for your trouble.


Try to restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now use your arrow keys to move to "Last Known Good Configuration" and press your Enter key. This will enable the system to go back to a date before you had this problem.


Last Known Good Configuration doesn't work either. I get this message:

========

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. Insert your windows install disc and restart

2. Choose your language settings and then click Next

3. Click Repair your computer

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

file: \windows\system32\drivers\volmgrx.sys

status: 0x0000098

Info: Windows failed to load because a critical system driver is missing or corrupt

=============


We're going to need to replace this driver (volmgrx.sys) and work outside your OS. But I'm going out and will not be back until Sunday or Monday.


Well, thanks for your help. I'm going to try to get the OS repaired.


Got Windows to load after doing a system repair from disc. The only thing that came on screen, though, is the rest of the ComboFix scan... waiting for that to complete.


Got Windows to load and ComboFix finished. Here is the log.

=====================

ComboFix 10-05-01.02 - AMO 05/01/2010 20:21:44.1.2 - x86

Microsoft


OK... Nice job! You saved us a lot of work.

ComboFix replaced volmgrx.sys; that is good.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here, then click the button to launch the scanner.
  • Select the option YES, I accept the Terms of Use, then click the button to start.
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click the button to start the scan.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click the button to finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


A test of Google redirects by going to malwarebytes.com yielded normal behavior. Also, I was unable to turn on Security Center, and now that is fixed as well, it seems. Both positive developments. Logs follow.

=========================================

eset log

====================================================

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=ee418116f7e3c643a8933de897e344fe

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-02 04:30:24

# local_time=2010-05-02 12:30:24 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1797 16775165 100 94 0 30916896 0 0

# compatibility_mode=5892 16776638 100 100 0 109374531 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=166364

# found=2

# cleaned=0

# scan_time=7621

C:\Users\AMO\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\301cb0e5-7cb022aa multiple threats 00000000000000000000000000000000 I

C:\Users\AMO\Desktop\older files\Bdub\Desktop\Adobe After Effects CS3. By Toppel. New.rar probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I

=====================================

Security check log

Results of screen317's Security Check version 0.99.4

Windows Vista Service Pack 2 (UAC is disabled!)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 20

Adobe Flash Player 10.0.45.2

Mozilla Firefox (3.6.3)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````


Your logs look good. You did well with this malware removal, and I see you keep everything up to date. I'm going to give you some applications.

Other than these:

C:\Users\AMO\AppData\LocalLow\Sun\Java\Deployment

C:\Users\AMO\Desktop\older files\Bdub\Desktop\Adobe

Please remove them. :)

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall ComboFix.
  • You will then receive a message saying ComboFix was uninstalled successfully once it's done uninstalling itself.

This will uninstall ComboFix and anything associated with it.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, Firefox and Opera, which are both free to use and are more secure than IE.

If you are using Firefox, you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you I_Hx.

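The six Internet Explorer settings in the list above are stored as DWORD values under the Internet zone key in the registry, so they can be audited and applied without clicking through the Custom Level dialog. The PowerShell below is an added example, not part of this thread: it reports each setting's current state beside the value the list asks for and can write the hardened values in one step. The registry path and the URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's documented ones; the function names and the $Hardened table are this example's own.

```powershell
# Added example (not from the thread): the six Internet-zone settings from the list
# above, expressed as the registry values the dialog writes. Zone 3 is the Internet
# zone; each setting is a DWORD where 0 = Enable, 1 = Prompt, 3 = Disable. The
# URL-action IDs are Microsoft's documented values; the function names and the
# $Hardened table are this example's own.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID => (description, hardened value)
$Hardened = @{
    '1001' = @('Download signed ActiveX controls',                          1)  # Prompt
    '1004' = @('Download unsigned ActiveX controls',                        3)  # Disable
    '1201' = @('Initialize and script ActiveX controls not marked as safe', 3)  # Disable
    '1800' = @('Installation of desktop items',                             1)  # Prompt
    '1804' = @('Launching programs and files in an IFRAME',                 1)  # Prompt
    '1607' = @('Navigate sub-frames across different domains',              1)  # Prompt
}

$Names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionValue {
    param([string]$ActionId)
    # Returns the current DWORD, or $null when the value is absent and the zone default applies.
    $item = Get-ItemProperty -Path $ZoneKey -Name $ActionId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ActionId
}

function Test-IeInternetZone {
    # Audit: one row per setting. Higher values are stricter (Enable < Prompt < Disable),
    # so a setting already at Disable where Prompt was asked for still counts as compliant.
    foreach ($id in ($Hardened.Keys | Sort-Object)) {
        $current  = Get-ZoneActionValue -ActionId $id
        $expected = $Hardened[$id][1]
        $currentName = 'default'
        if ($null -ne $current) { $currentName = $Names[$current] }
        New-Object PSObject -Property @{
            Action    = $Hardened[$id][0]
            Current   = $currentName
            Expected  = $Names[$expected]
            Compliant = (($null -ne $current) -and ($current -ge $expected))
        }
    }
}

function Set-IeInternetZone {
    # Apply the hardened values for the current user. A machine-wide policy under HKLM
    # (the Security_HKLM_only setting) overrides HKCU; check there if the dialog ignores these.
    foreach ($id in $Hardened.Keys) {
        Set-ItemProperty -Path $ZoneKey -Name $id -Value $Hardened[$id][1] -Type DWord
    }
}

Test-IeInternetZone | Format-Table -Property Action, Current, Expected, Compliant -AutoSize
# Set-IeInternetZone   # uncomment to apply, then run the audit again
```

Running the audit first and the set second mirrors the manual procedure: the dialog shows you the current values, you change the six, then confirm. A value that is absent means the zone's default for that action applies, which for the Internet zone is looser than Prompt for several of these, so "default" rows are reported as non-compliant rather than silently assumed safe.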


Thanks a bunch Kenny. Very much appreciated. I made a small donation for your trouble. Thanks so much for what you guys do here.
