rootkit.agent...help required

Amar · June 5, 2010

Hi

Few days back i was hit by antimalware doctor and i got rid of it but same same day i got hit by rootkit.agent also but every time i do a scan MBAM deletes it but it doesn't go. And if i do the scan again it is still there . I might have scanned 20 times and deleted it but still it is there.Also every night it brings 10 to 12 more virus which MBAM deletes but the rootkit agent is not going.

I beg for help.

here is the last log of MBAM

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4170

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

05/06/2010 9:36:18 AM

mbam-log-2010-06-05 (09-36-18).txt

Scan type: Quick scan

Objects scanned: 133333

Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\Drivers\buygpu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

kahdah · June 5, 2010

Hello Amar

Welcome to Malwarebytes.

=====================

Download OTL to your desktop.
Double click on OTL to run it.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Under Custom scan's and fixes section paste in the below in bold

netsvcs

%SYSTEMDRIVE%\*.*

%systemroot%\*. /mp /s

CREATERESTOREPOINT

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\System32\config\*.sav

%systemroot%\system32\drivers\*.sys /90
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
It may take a minute to load and become available.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
IAT/EAT
Drives/Partition other than Systemdrive (typically only C:\ should be checked)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Click OK and quit the GMER program.
Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
Post that log in your next reply.

Amar · June 6, 2010

Hello Amar
Welcome to Malwarebytes.
=====================
Download OTL to your desktop.
Double click on OTL to run it.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Under Custom scan's and fixes section paste in the below in bold

netsvcs

%SYSTEMDRIVE%\*.*

%systemroot%\*. /mp /s

CREATERESTOREPOINT

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\System32\config\*.sav

%systemroot%\system32\drivers\*.sys /90

Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
It may take a minute to load and become available.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED

IAT/EAT

Drives/Partition other than Systemdrive (typically only C:\ should be checked)

Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Click OK and quit the GMER program.
Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
Post that log in your next reply.

Iam not able to run OTL. windows gives me error saying "OTL has stopped working"

kahdah · June 6, 2010

Try to right click on it and choose Run as Administrator.

If that will not work then do the following:

Download DDS and save it to your desktop.

Double click dds.scr to run the tool.
When done, DDS.txt will open as well as attach.txt.
Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

attach.txt

Amar · June 7, 2010

Here is the GMER and DDL log attached

ark.txt

DDS.txt

Attach.txt

kahdah · June 7, 2010

The logs say that you have Norton 360 installed and AVG via the internet security suite provided by your isp.

If you have both then please remove one or the other before proceeding.

Also make sure to disable all protection before running Combofix.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Amar · June 7, 2010

here is t he combofix log

ComboFix.txt

kahdah · June 7, 2010

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=52907&st=0entry263464

Collect::
c:\windows\system32\hxjnbnogvfdmmucm.exe

Driver::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Folder::
c:\program files\$NtUninstallWTF1012$

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95A0AC8A-A663-4C1B-BF4B40853F5566FB}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{E542D6F0-B48B-4373-945C73CD733B37AA}]

NetSvc::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Save this as CFScript.txt

Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

4. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Amar · June 8, 2010

Hi

The combofix starts but stops after a windows error " windows command processor has stopped working".

the path you gave me C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

I couldn't find the file "[4]-submit_date_Time.zip". In the "Quarantine " folder there 2 other folders "c" and "Registry backups" And there is one file "catchme.txt"

1. Open notepad and copy/paste the text in the codebox below into it:
http://forums.malwarebytes.org/index.php?showtopic=52907&st=0entry263464

Collect::
c:\windows\system32\hxjnbnogvfdmmucm.exe

Driver::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}

Folder::
c:\program files\$NtUninstallWTF1012$

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95A0AC8A-A663-4C1B-BF4B40853F5566FB}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{E542D6F0-B48B-4373-945C73CD733B37AA}]

NetSvc::
{95A0AC8A-A663-4C1B-BF4B40853F5566FB}
{E542D6F0-B48B-4373-945C73CD733B37AA}
Save this as CFScript.txt
Drag CFScript.txt into ComboFix.exe
2. Save the above as CFScript.txt
3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
4. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.
5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
Combofix.txt
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip
Click Here to upload the submit.zip please.

kahdah · June 8, 2010

Please delete your current version of Combofix and re-download it once more then repeat the steps to create the text document (cfscript) then drag it onto Combofix once more and follow the prompts.

Post the log that opens when complete.

Amar · June 9, 2010

Hi

i am ttaching the log file for the combofix and also i have uploaded "C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip" to the link which you asked for...

Please delete your current version of Combofix and re-download it once more then repeat the steps to create the text document (cfscript) then drag it onto Combofix once more and follow the prompts.
Post the log that opens when complete.

combofix.txt

kahdah · June 9, 2010

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

Click on the update tab then click on Check for updates.
If an update is found, it will download and install the latest version.
Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Check next options: Remove found threats and Scan unwanted applications.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Amar · June 9, 2010

Hi

here is the MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4183

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

09/06/2010 9:56:37 AM

mbam-log-2010-06-09 (09-56-37).txt

Scan type: Quick scan

Objects scanned: 134280

Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Update Run Malwarebytes
Please update\run Malwarebytes' Anti-Malware.
Double Click the Malwarebytes Anti-Malware icon to run the application.
Click on the update tab then click on Check for updates.
If an update is found, it will download and install the latest version.
Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====
* Go here to run an online scannner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Check next options: Remove found threats and Scan unwanted applications.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
Copy and paste that log as a reply to this topic

kahdah · June 9, 2010

Ok post the Eset log when completed.

Amar · June 9, 2010

Hi

here is the ESET log

Hi
here is the MBAM log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4183
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
09/06/2010 9:56:37 AM
mbam-log-2010-06-09 (09-56-37).txt
Scan type: Quick scan
Objects scanned: 134280
Time elapsed: 6 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

log.txt

kahdah · June 9, 2010

Download TDSSKiller and save it to your Desktop.

Right click on the file and choose extract all extract the file to your desktop then run it.
If prompted to restart the computer type in Y then it will restart.
Or if you are prompted with a hidden service warning do go ahead and delete it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log

Amar · June 9, 2010

Download TDSSKiller and save it to your Desktop.
Right click on the file and choose extract all extract the file to your desktop then run it.
If prompted to restart the computer type in Y then it will restart.
Or if you are prompted with a hidden service warning do go ahead and delete it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log

TDSSKiller.2.3.2.0_09.06.2010_14.28.07_log.txt

kahdah · June 10, 2010

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

Amar · June 10, 2010

SCAN RESULT FOR C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys

2010-06-10 Found nothing 2010-06-10 Rootkit.Patched.TDSS.Gen

2010-06-10 Win32:Alureon-FZ 2010-06-10 Rootkit.Win32.TDSS

2010-06-10 Win32/Patched.DX 2010-06-10 Rootkit.Win32.TDSS.ap

2010-06-10 TR/Patched.Gen 2010-06-10 Win32/Olmarik.ZC Patched

2010-06-10 Rootkit.Patched.TDSS.Gen 2010-06-09 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-10 Mal/TDSSRt-A

2010-06-10 BackDoor.Tdss.2459 2010-06-10 Rootkit.Win32.TDSL.b

2010-06-09 W32/SYStroj.AB.gen!Eldorado 2010-06-10 Rootkit.TDSS.Gen.3

2010-06-10 Rootkit.Win32.TDSS.ap

SCAN RESULT FOR C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing 2010-06-09 Found nothing

2010-06-10 Found nothing 2010-06-10 Found nothing

2010-06-09 Found nothing 2010-06-10 Found nothing

2010-06-10 Found nothing

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys
Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete, please copy and paste those results in your next post.

kahdah · June 10, 2010

Ok I am going to replace both files I still think Both are infected.

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

FCopy::
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

Combofix.txt

=============

Amar · June 11, 2010

here is the combofix log

Ok I am going to replace both files I still think Both are infected.
1. Please open Notepad
Click Start , then Run
type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KILLALL::

FCopy::
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
C:\Windows\system32\DRIVERS\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
Combofix.txt
=============

combofix.txt

kahdah · June 11, 2010

Looks great now please run dds once more and post that log and let me know if everything is back to normal.

Amar · June 11, 2010

So Am I completely safe now...????

Looks great now please run dds once more and post that log and let me know if everything is back to normal.

Amar · June 11, 2010

So Am I completely safe now...????

Looks great now please run dds once more and post that log and let me know if everything is back to normal.

DDS.txt

Attach.txt

kahdah · June 11, 2010

Well your system is clean so yes I would say you are safe but no one is ever completely safe on the web.

This is because there is no 100% perfect catch all protection suite\anything out there.

There will always be a certain risk if you are online.

But as far as your system it is clean.

=======================

Please uninstall the following:

J2SE Runtime Environment 5.0 Update 6

Java 6 Update 4

LimeWire 5.4.6

Especially Limewire.

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

=======Cleanup=======

Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

rootkit.agent...help required

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information