Jump to content

rootkit.agent...help required


Recommended Posts

Hi

Few days back i was hit by antimalware doctor and i got rid of it but same same day i got hit by rootkit.agent also but every time i do a scan MBAM deletes it but it doesn't go. And if i do the scan again it is still there . I might have scanned 20 times and deleted it but still it is there.Also every night it brings 10 to 12 more virus which MBAM deletes but the rootkit agent is not going.

I beg for help.

here is the last log of MBAM

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4170

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

05/06/2010 9:36:18 AM

mbam-log-2010-06-05 (09-36-18).txt

Scan type: Quick scan

Objects scanned: 133333

Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\Drivers\buygpu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hello Amar

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Link to post
Share on other sites

Hello Amar

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Iam not able to run OTL. windows gives me error saying "OTL has stopped working"

post-43527-1275830299_thumb.jpg

Link to post
Share on other sites

Try to right click on it and choose Run as Administrator.

If that will not work then do the following:

Download DDS and save it to your desktop.

  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open as well as attach.txt.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

attach.txt

Link to post
Share on other sites

The logs say that you have Norton 360 installed and AVG via the internet security suite provided by your isp.

If you have both then please remove one or the other before proceeding.

Also make sure to disable all protection before running Combofix.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Link to post
Share on other sites

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=52907&st=0entry263464

Collect::
c:\windows\system32\hxjnbnogvfdmmucm.exe

Driver::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Folder::
c:\program files\$NtUninstallWTF1012$

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95A0AC8A-A663-4C1B-BF4B40853F5566FB}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{E542D6F0-B48B-4373-945C73CD733B37AA}]

NetSvc::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Save this as CFScript.txt

Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

4. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Link to post
Share on other sites

Hi

The combofix starts but stops after a windows error " windows command processor has stopped working".

the path you gave me C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

I couldn't find the file "[4]-submit_date_Time.zip". In the "Quarantine " folder there 2 other folders "c" and "Registry backups" And there is one file "catchme.txt"

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=52907&st=0entry263464

Collect::
c:\windows\system32\hxjnbnogvfdmmucm.exe

Driver::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Folder::
c:\program files\$NtUninstallWTF1012$

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95A0AC8A-A663-4C1B-BF4B40853F5566FB}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{E542D6F0-B48B-4373-945C73CD733B37AA}]

NetSvc::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Save this as CFScript.txt

Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

4. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Link to post
Share on other sites

Please delete your current version of Combofix and re-download it once more then repeat the steps to create the text document (cfscript) then drag it onto Combofix once more and follow the prompts.

Post the log that opens when complete.

Link to post
Share on other sites

Hi

i am ttaching the log file for the combofix and also i have uploaded "C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip" to the link which you asked for...

Please delete your current version of Combofix and re-download it once more then repeat the steps to create the text document (cfscript) then drag it onto Combofix once more and follow the prompts.

Post the log that opens when complete.

combofix.txt

Link to post
Share on other sites

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Hi

here is the MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4183

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

09/06/2010 9:56:37 AM

mbam-log-2010-06-09 (09-56-37).txt

Scan type: Quick scan

Objects scanned: 134280

Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Hi

here is the ESET log

Hi

here is the MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4183

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

09/06/2010 9:56:37 AM

mbam-log-2010-06-09 (09-56-37).txt

Scan type: Quick scan

Objects scanned: 134280

Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

log.txt

Link to post
Share on other sites

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

Link to post
Share on other sites

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

TDSSKiller.2.3.2.0_09.06.2010_14.28.07_log.txt

Link to post
Share on other sites

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

Link to post
Share on other sites

SCAN RESULT FOR C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys

2010-06-10 Found nothing 2010-06-10 Rootkit.Patched.TDSS.Gen

2010-06-10 Win32:Alureon-FZ 2010-06-10 Rootkit.Win32.TDSS

2010-06-10 Win32/Patched.DX 2010-06-10 Rootkit.Win32.TDSS.ap

2010-06-10 TR/Patched.Gen 2010-06-10 Win32/Olmarik.ZC Patched

2010-06-10 Rootkit.Patched.TDSS.Gen 2010-06-09 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Mal/TDSSRt-A

2010-06-10 BackDoor.Tdss.2459 2010-06-10 Rootkit.Win32.TDSL.b

2010-06-09 W32/SYStroj.AB.gen!Eldorado 2010-06-10 Rootkit.TDSS.Gen.3

2010-06-10 Rootkit.Win32.TDSS.ap

SCAN RESULT FOR C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-09 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-09 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

Link to post
Share on other sites

Ok I am going to replace both files I still think Both are infected.

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

FCopy::
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Link to post
Share on other sites

here is the combofix log

Ok I am going to replace both files I still think Both are infected.

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

FCopy::
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

combofix.txt

Link to post
Share on other sites

Well your system is clean so yes I would say you are safe but no one is ever completely safe on the web.

This is because there is no 100% perfect catch all protection suite\anything out there.

There will always be a certain risk if you are online.

But as far as your system it is clean.

=======================

Please uninstall the following:

J2SE Runtime Environment 5.0 Update 6

Java 6 Update 4

LimeWire 5.4.6

Especially Limewire.

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.