
Having difficulty removing Rootkit.Agent



Malwarebytes found the following and attempted to remove it, but on reboot the items reappear. AVG antivirus and Spybot didn't pick these up. Booted in safe mode with system restore disabled and attempted to remove via Malwarebytes, but I'm still getting the same result after performing Delete on reboot.

Any help/comments/suggestions will be greatly appreciated

---------------------------------------------------------------

Malwarebytes' Anti-Malware 1.30

Database version: 1440

Windows 5.1.2600 Service Pack 2

2008/12/1 11:12:39AM

mbam-log-2008-12-01 (11-12-39).txt

Scan type: Quick Scan

Objects scanned: 44232

Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati0saxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati0saxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati0saxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

D:\WINDOWS\Temp\BN2.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Temp\BNC.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

---------------------------------------------------------------

EOF

HijackThis log

---------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 上午 11:15:42, on 2008/12/1

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\rundll32.exe

D:\WINDOWS\system32\hkcmd.exe

D:\WINDOWS\system32\igfxpers.exe

D:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

D:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

D:\Program Files\Pure Networks\Network Magic\nmapp.exe

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\Java\jre6\bin\jusched.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Java\jre6\bin\jqs.exe

D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

D:\WINDOWS\system32\wscntfy.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Skype\Plugin Manager\skypePM.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

D:\Program Files\Windows Live\Messenger\usnsvc.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [nmctxth] "D:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [nmapp] "D:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2009] D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227676994031

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - D:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - D:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

-----------------------------------------------------------------

End of file - 5683 bytes
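As an added example (not part of the original post, and not Malwarebytes' own tooling): a small Python parser for the Malwarebytes log format quoted above. It separates items that were actually quarantined from those left at "Delete on reboot", and groups the per-ControlSet service keys by service name, which makes it obvious that the three ati0saxx entries are one driver service seen through three registry paths. The sample text is the relevant lines from the log above, and the line pattern is an assumption based on those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the detection lines from the Malwarebytes log quoted above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati0saxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati0saxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati0saxx (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
Files Infected:
D:\WINDOWS\Temp\BN2.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\BNC.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Assumed line shape: "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Matches a service key under any ControlSet00N or the CurrentControlSet link.
SERVICE_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.IGNORECASE)

def parse_mbam_log(text):
    """Return (item, family, action) for every detection line in the log."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m["item"], m["family"], m["action"]))
    return items

def pending_items(items):
    """Detections the scanner could not remove while Windows was running."""
    return [i for i in items if i[2] != "Quarantined and deleted successfully"]

def services_by_name(items):
    """Collapse per-ControlSet service keys onto the service name.
    CurrentControlSet is a link to one of the ControlSet00N keys, so a single
    driver service appears under several paths in the log; if any copy survives
    the reboot, the service (and its driver) is loaded again."""
    svc = defaultdict(set)
    for item, _, _ in items:
        m = SERVICE_RE.search(item)
        if m:
            svc[m.group(2).lower()].add(m.group(1))
    return {name: sorted(paths) for name, paths in svc.items()}

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for item, family, action in pending_items(found):
        print(f"still present after scan: {item} [{family}] -> {action}")
    for name, paths in services_by_name(found).items():
        print(f"service {name}: {', '.join(paths)}")
```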


No reason to sugarcoat this, you have a very powerful and hard to remove infection in your system. It combines multiple rootkits, a MBR rooter and API cloaked patched MS files.

Even with the best tools, an alternate drive to boot to and seven years of experience I have problems getting this out of my test box (but it can be done).

Unless it is critical to save this system as is you are far better off backing up your data and starting from scratch. If you take this route make sure to get instructions on how to clear the MBR malware from your system as well because even a format will not clean your system.

Let us know what you want to do from here.


Thanks for the reply. I've been trying to find all the available tools to attempt to get this out, but like you said it's tough to get rid of. A few more tries with other tools and if no luck then I will zero the drive and start from scratch.

Thanks


This is how I kill it.

I get a clean copy of svchost.exe and then boot to an alt OS or alt bootable drive.

From that install kill the rooters in drivers and then replace both the dllcache and system32 copies of svchost.exe with the clean copy.

Boot to recovery console and use FIXMBR.

At this point your system should be clean.

As far as killing this goes without a second drive or OS, I have not had much luck. I'm sure that it can be done but it likely involves way more work and I don't have the time to figure all of it out.


  • Root Admin

There are FREE bootable Windows CDs and Linux CDs that can assist you in performing this task as Bruce explained.

There are some links in our PC Help forum as well for some of them.

You need a CD or DVD burner, and a PC that can download from the Internet, and that's it for some. For others you'd also need the Windows install CD.

If you do decide to start all over then I'd recommend removing the partition as well and re-creating that from scratch too.
