Hi, I recently ran an MBAM scan and it says I've got Rootkit.Agent on my computer, and MBAM couldn't remove it.

I followed the instructions given on this forum and did all the scans (the DeFogger didn't prompt for a reboot, so I posted the log here).

Not sure if it's related, but my laptop just recovered from the Windows recovery malware last month, and here it is under attack again. I seriously need help here because I believe this rootkit is related to my PayPal money being transferred last week without me knowing, and my email password was changed too.

I'm a newbie in terms of this technical stuff, so please do inform me if there's anything else I have to do.

Thanks so much, I really appreciate any help given!

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 00:53 on 26/05/2011 (dennis)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

Unable to read jzbhn.sys

-=E.O.F=-

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048

Run by dennis at 0:55:24 on 2011-05-26

Microsoft

Attach.zip

mbam-log-2011-05-26 (00-27-17).txt


  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them. Also, please don't put quote tags around your logs.

With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt in your reply.


Hi, here are the logs.

--------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6690

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

5/27/2011 6:57:13 PM

mbam-log-2011-05-27 (18-57-13).txt

Scan type: Quick scan

Objects scanned: 151008

Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.19048

Run by dennis at 19:27:57 on 2011-05-27

Microsoft


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan, then wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Thanks!

Both programs ran smoothly.

-----------------------

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=738569775ccad54fae01e841eda219b8

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-01 12:47:38

# local_time=2011-06-01 10:47:38 (+1000, AUS Eastern Standard Time)

# country="United States"

# lang=9

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=5892 16776573 100 100 217644 144457560 0 0

# compatibility_mode=8192 67108863 100 0 4061 4061 0 0

# scanned=138479

# found=1

# cleaned=1

# scan_time=4026

C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan (deleted - quarantined) 00000000000000000000000000000000 C

------------------------

Results of screen317's Security Check version 0.99.12

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Symantec AntiVirus

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java SE Runtime Environment 6

Java 6 Update 7

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 9.0.115.0

Adobe Reader 8.1.3

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Windows Defender MSASCui.exe

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

Symantec AntiVirus VPTray.exe

Windows Defender MSASCui.exe

``````````End of Log````````````

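Added example (not from the thread, and not ESET's or Malwarebytes' code): a small Python parser for the ESET Online Scanner log format posted above. It reads the `# key=value` header lines and the per-detection lines, then reports what a helper would look at before replying: whether the scan finished, which scan options were off, whether every detection was cleaned, and whether a detection sits inside a quarantine folder such as ComboFix's C:\Qoobox (a copy of an already-removed file, as with volsnap.sys.vir here) rather than in a live location. The detection-line layout assumed here (path, threat name, action in parentheses, 32-hex hash, flag) is inferred from the single detection line in this log, and the sample input is a constructed copy of that log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the ESET Online Scanner log posted in this thread, reduced
# to the "# key=value" header lines and the single detection line the parser needs.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-01 12:47:38
# scanned=138479
# found=1
# cleaned=1
# scan_time=4026
C:\Qoobox\Quarantine\C\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan (deleted - quarantined) 00000000000000000000000000000000 C
"""

# Assumed detection-line layout: <path> <threat name> (<action taken>) <32-hex hash> <flag>.
# The path runs up to the first space; threat names contain spaces ("Win32/Olmasco.E trojan"),
# so the threat field is matched lazily up to the parenthesised action.
DETECTION_RE = re.compile(
    r"^(?P<path>\S+) (?P<threat>.+?) \((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)
HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")

# Quarantine folder seen in this thread: C:\Qoobox is where ComboFix stores removed files.
# A detection under it is a stored copy of an already-removed file, not a live infection.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    file_hash: str

    def in_quarantine(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


@dataclass
class EsetLog:
    settings: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_eset_log(text: str) -> EsetLog:
    """Split the log into header settings and detection records; other lines are ignored."""
    log = EsetLog()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            log.settings[m["key"]] = m["value"]
            continue
        m = DETECTION_RE.match(line)
        if m:
            log.detections.append(Detection(m["path"], m["threat"], m["action"], m["hash"]))
    return log


def _flag(settings: dict, key: str) -> bool:
    return settings.get(key, "").lower() == "true"


def review(log: EsetLog) -> dict:
    """Turn the parsed log into the facts a helper would check before replying."""
    found = int(log.settings.get("found", 0))
    cleaned = int(log.settings.get("cleaned", 0))
    notes = []
    if log.settings.get("end") != "finished":
        notes.append("scan did not finish")
    if not _flag(log.settings, "archives_checked"):
        notes.append("archives were not scanned")
    if not _flag(log.settings, "antistealth_checked"):
        notes.append("anti-stealth (rootkit) scanning was off")
    if found != cleaned:
        notes.append(f"{found - cleaned} detection(s) not cleaned")
    live = [d.path for d in log.detections if not d.in_quarantine()]
    quarantined = [d.path for d in log.detections if d.in_quarantine()]
    return {
        "found": found,
        "cleaned": cleaned,
        "live_detections": live,
        "quarantined_copies": quarantined,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in review(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On this log the parser reports one detection, already cleaned, whose path is inside ComboFix's quarantine rather than a live system location, which matches the staff reply that follows: the remaining step is to uninstall ComboFix (removing C:\Qoobox) rather than to treat the machine as still infected.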

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Java


  • Staff

Yes, things look good from here!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
