Help me remove Rootkit.Agent

Earz · May 25, 2010

My ISP suspended my account due to bandwidth usage. They said the most common cause is malware. I was able to use my iPhone to tether and install updates for malwarebytes. I ran MBAM and it found 5 things (see log). I restarted my PC to complete the removal process per MBAM and scanned it again once restarted. This time I found:

Rootkit.Agent C:\windows\system32\drivers\ttash.sys

I then ran HJT and the log is below. I apologize about the full log files, but the only way I have to get them to you is to copy and paste.

Earz · May 25, 2010

sorry

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/24/2010 11:36:21 PM
mbam-log-2010-05-24 (23-36-21).txt
Scan type: Quick scan
Objects scanned: 138994
Time elapsed: 9 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickyPlaeyr (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\system32\Drivers\ttash.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickyPlaeyr\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\OFFICE\AppData\Local\Temp\sdfsejf98jfsiodkfd.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\OFFICE\AppData\Local\Temp\hsf78w3uhduf8w.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/24/2010 11:52:42 PM
2nd log
Scan type: Quick scan
Objects scanned: 138291
Time elapsed: 10 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\system32\Drivers\ttash.sys (Rootkit.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:18 PM, on 5/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [diyonegamu] Rundll32.exe "kogiviwi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.youtube.com
O15 - Trusted Zone: http://*.youtube.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: rejiyuwa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5353 bytes

Earz · May 25, 2010

a little update. I was able to get my ISP to resume service, but this needs to get fixed ASAP. If they detect excessive bandwidth consumption again they will terminate my account, but as of right now, I have internet access.

Maniac · May 25, 2010

Hello Earz! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.

Step 1

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=29028

Step 2

Your database version is 4052 , but the current is 4141 , so please:

Launch Malwarebytes' Anti-Malware
Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s) in this sequence:

MalwareBytes' Anti-Malware log
a new fresh HiJackThis log

Earz · May 25, 2010

Thanks Maniac,

I updated MBAM and it was database 4142. Here's the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4142
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/25/2010 10:02:59 AM
mbam-log-2010-05-25 (10-02-59).txt
Scan type: Quick scan
Objects scanned: 143414
Time elapsed: 9 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\system32\Drivers\ttash.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:30 AM, on 5/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [diyonegamu] Rundll32.exe "kogiviwi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.youtube.com
O15 - Trusted Zone: http://*.youtube.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: rejiyuwa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5267 bytes

Maniac · May 25, 2010

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Open Tools -> Options -> Main tab
- Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Earz · May 25, 2010

I ran into a problem, combofix saved to desktop with indicated name change. Was starting to run combo-fix.exe and got this warning message

I do not have CA Anti-spyware installed on my machine anymore. How should I proceed?

Maniac · May 25, 2010

Download DDS and save it to your desktop from here or here or here.

Double click dds.scr to run the tool.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
[*]Save both reports to your desktop. Post them back to your topic.

Earz · May 25, 2010

DDS.txt

Attach.zip

Maniac · May 25, 2010

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

SecCenter::
{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
{6B98D35F-BB76-41C0-876B-A50645ED099A}
{222A897C-5018-402e-943F-7E7AC8560DA7}

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Earz · May 25, 2010

I did as instructed, but combofix is still giving the same warning about CA anti-spyware. Should I just 'OK' through it?

Maniac · May 25, 2010

Yes, click on OK button.

Earz · May 25, 2010

combo_log.txt

Maniac · May 25, 2010

Bad....

Please go to www.virustotal.com and upload this one:

C:\blackra1n.exe

Please post the resaults in your next reply.

Earz · May 25, 2010

File has already been analysed:

MD5: 7ad0a6a31f0dc6360d7080b0c7ba1717

First received: 2009.11.03 17:04:26 UTC

Date: 2010.05.23 22:20:36 UTC [+1D]

Results: 2/41

Permalink: analisis/21aea2862672861950f5f8917a0c0a52a63650e9cdc95a9993bf3747f0809578-1274653236

Earz · May 25, 2010

And here's the info from the permalink (BTW - I have to go to work now. I'll be home in 8+ hours)

File blackra1n.exe received on 2010.05.23 22:20:36 (UTC)

Current status: finished

Result: 2/41 (4.88%)

Compact Print results Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.05.10 -

AhnLab-V3 2010.05.23.00 2010.05.22 -

AntiVir 8.2.1.242 2010.05.23 -

Antiy-AVL 2.0.3.7 2010.05.21 -

Authentium 5.2.0.5 2010.05.23 W32/Oficla.F.gen!Eldorado

Avast 4.8.1351.0 2010.05.23 -

Avast5 5.0.332.0 2010.05.23 -

AVG 9.0.0.787 2010.05.23 -

BitDefender 7.2 2010.05.23 -

CAT-QuickHeal 10.00 2010.05.21 -

ClamAV 0.96.0.3-git 2010.05.22 -

Comodo 4920 2010.05.23 -

DrWeb 5.0.2.03300 2010.05.23 -

eSafe 7.0.17.0 2010.05.23 -

eTrust-Vet None 2010.05.21 -

F-Prot 4.6.0.103 2010.05.23 W32/Oficla.F.gen!Eldorado

F-Secure 9.0.15370.0 2010.05.23 -

Fortinet 4.1.133.0 2010.05.23 -

GData 21 2010.05.23 -

Ikarus T3.1.1.84.0 2010.05.23 -

Jiangmin 13.0.900 2010.05.22 -

Kaspersky 7.0.0.125 2010.05.23 -

McAfee 5.400.0.1158 2010.05.23 -

McAfee-GW-Edition 2010.1 2010.05.23 -

Microsoft 1.5802 2010.05.24 -

NOD32 5139 2010.05.23 -

Norman 6.04.12 2010.05.23 -

nProtect 2010-05-23.01 2010.05.23 -

Panda 10.0.2.7 2010.05.23 -

PCTools 7.0.3.5 2010.05.23 -

Prevx 3.0 2010.05.24 -

Rising 22.48.06.04 2010.05.23 -

Sophos 4.53.0 2010.05.24 -

Sunbelt 6343 2010.05.23 -

Symantec 20101.1.0.89 2010.05.23 -

TheHacker 6.5.2.0.285 2010.05.23 -

TrendMicro 9.120.0.1004 2010.05.23 -

TrendMicro-HouseCall 9.120.0.1004 2010.05.24 -

VBA32 3.12.12.5 2010.05.22 -

ViRobot 2010.5.20.2326 2010.05.23 -

VirusBuster 5.0.27.0 2010.05.23 -

Additional information

File size: 608256 bytes

MD5 : 7ad0a6a31f0dc6360d7080b0c7ba1717

SHA1 : f7f86ae4a900653fcf8b7cf6ff91c330e1707438

SHA256: 21aea2862672861950f5f8917a0c0a52a63650e9cdc95a9993bf3747f0809578

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0xEAED0

timedatestamp.....: 0x4AF01257 (Tue Nov 3 12:21:59 2009)

machinetype.......: 0x14C (Intel I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x57000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x58000 0x94000 0x93200 7.84 f3dfb0547e1b6c117a98ac260125167f

.rsrc 0xEC000 0x2000 0x1400 3.99 fc32fda836a69bed252f7dbdd26d434b

( 4 imports )

> advapi32.dll: RegOpenKeyExA

> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> msvcrt.dll: _iob

> user32.dll: LoadIconA

( 0 exports )

TrID : File type identification

UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

ssdeep: 12288:ZILdFhuoYofV5ue/CsDhv10Q4jLeGuTsSJReY8PlFfCiNzDj+E72fk4N:idzuoLfV5ue/CsNd7zfkbPZN7+E72

sigcheck: publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

Prevx Info: http://info.prevx.com/aboutprogramtext.asp...A73F400E04A94BA

PEiD : -

packers (Kaspersky): PE_Patch.UPX, UPX

packers (F-Prot): UPX

packers (Authentium): UPX

RDS : NSRL Reference Data Set

-

Maniac · May 25, 2010

Here is 10:00 PM, so going to bed soon, because sooner got to go to school.

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=51550

KillAll::

Collect::[8]
c:\windows\system32\drivers\ttash.sys
c:\users\OFFICE\AppData\Local\igozuduq.dll
c:\users\OFFICE\AppData\Local\upeyirogo.dll
c:\users\OFFICE\AppData\Local\oruhepay.dll
c:\users\OFFICE\AppData\Local\iqaqububukuk.dll
c:\users\OFFICE\AppData\Local\ezuwuqewidu.dll
c:\users\OFFICE\AppData\Local\uhaqowuka.dll
c:\users\OFFICE\AppData\Local\ibogadag.dll
c:\users\OFFICE\AppData\Local\elutelag.dll
c:\windows\System32\kefuzego.exe
c:\windows\System32\miwajiho.exe
C:\blackra1n.exe

DDS::
uInternet Settings,ProxyOverride = <local>;*.local

RegLocK::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Earz · May 26, 2010

combo_log2.txt

Maniac · May 26, 2010

How are things?

Earz · May 26, 2010

As far as what? I didn't really have any symptoms. Eve tithing had been working normally except that my Internet provider suspended my account because of malware. The rootkit.agent was the only thing that I can see causing that.

Earz · May 26, 2010

I just want to male sure my account doesn't get suspended again

Maniac · May 26, 2010

Here's how: Please send me a private message to the website of your ISP and your names. I will contact him and tell him everything to correct the problems.

Last check please:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

Please go here then click on:
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Now click on Advanced Settings and select the following:

- Remove found threats
- Scan archives
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology

[*]Now click on:

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on:

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Earz · May 27, 2010

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=c9688eda0ce59e448a8365f040c8cbe0

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-26 10:50:02

# local_time=2010-05-26 05:50:02 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 29358989 29358989 0 0

# compatibility_mode=1024 16777215 100 0 6551321 6551321 0 0

# compatibility_mode=5892 16776573 100 100 0 111501036 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=221071

# found=2

# cleaned=2

# scan_time=20694

C:\Qoobox\Quarantine\C\Windows\System32\drivers\_ttash_.sys.zip Win32/Bubnix.AF trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\OFFICE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\5b3d5486-56778c7b a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C

Maniac · May 27, 2010

Good! :welcome:

I'll contact your ISP about this. For further information, I'll send you PM.

Maniac · June 1, 2010

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2

Please manually delete DDS.

Step 3

Please uninstall ESET Online Scanner and HiJackThis.

Step 4

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing!

Help me remove Rootkit.Agent

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information