Computer Support Forum

Rootkit.bagle and Rootkit.Agent - No Internet, No Safe Mode, No Antivirus

Question: Rootkit.bagle and Rootkit.Agent - No Internet, No Safe Mode, No Antivirus

Hi guys.
I am having serious trouble removing what seems like two viruses from my laptop. When they first attacked they shut down wireless networking, and then proceeded to start blocking all my antivirus.

I went through the READ & RUN ME FIRST Malware Removal Guide and the Windows XP Cleaning Procedure, and here are the results. I'm afraid to use a flash drive to get the log off my laptop because it's already infected one of my other computers by transfer via flash memory. Fortunately, before the flash was corrupted I was able to save most of the recommended antivirus software to it and got a lot of it onto the laptop, including MGTools.

- The wireless connection to my laptop is disabled, not by my doing.
- When I attempt to boot to Safe mode (or any non-standard mode) I get a blue screen and failure.
- When I attempt to run HijackThis, Spybot, Combofix.exe, etc. I get an error telling me it is not a valid Win32 application.
- When I attempt to run the MGTools analyse.exe from the MGTools folder using a command prompt, it gets halfway through and then is shut down.
- When I run SuperAntiSpyware it crashes Windows with a blue screen reporting problems with srosa.sys.
- When I run Malwarebytes it detected and cleaned about 7 bad files, but two remain even after the recommended reboot:
Rootkit.Bagle C:\WINDOWS\system32\drivers\srosa.sys
Rootkit.Agent C:\WINDOWS\system32\drivers\hldrr.exe
Both detected during the final heuristic portion of the Malwarebytes scan.

Any help would be appreciated, I am a desperate man at this point.
Thanks,
Chris


Answer: Rootkit.bagle and Rootkit.Agent - No Internet, No Safe Mode, No Antivirus

Welcome to Major Geeks!

Please try doing the below.

Run SuperAntiSpyware

In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options uncheck the below two options:
Use Kernel Direct File Access (recommended)
Use Kernel Direct Registry Access (recommended)

Then try doing a new full scan and tell me if it still crashes.

14 more replies

I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

Answer: Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

3 more replies

The links in my search results from google and yahoo get redirected to random search engines, I get registry defender pop-ups (along with several other types of pop ups). System restore and safe mode don't work, my computer won't hibernate, netstat -a closes immediately after opening, AVG and MBAM rarely find anything, and now MBAM.exe can't be found. Process Explorer shows several mutant type handles in most of the processes running during normal operation. That's the gist, here is a link to the original post I made where you can find a lot of much more specific information: http://www.bleepingcomputer.com/forums/t/280283/safe-mode-registry-keys-missing-and-unfamiliar-registry-keys-appear/

DDS (Ver_09-12-01.01) - NTFSx86
Run by Sephiroth at 15:12:51.82 on Thu 12/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.73 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Commo... Read more

Answer: IS2010, Backdoor.Bots, winsts.sys (Rootkit.Agent) "Not a Valid Win32 Application" W32.Bagle?

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,
I am thcbytes and I am here to help you!
I reviewed your thread in "Am I Infected" and the logs you posted. You are seriously infected!!
I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received and do not proceed if you need clarification.
Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
After 5 days if your topic is not replied to, we assume it has been abandoned and I will close it.
I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for ... Read more

23 more replies

Hi,
Since Friday my computer started to run slow and kept crashing. I also noticed it would redirect Google searches to various webpages and not the actual link it was meant to...
I have McAfee Security Centre (updated daily), so ran a scan. It revealed some trojans, namely "Spy-Agent.bw!mem, DNSChanger!ba and Generic FakeAlert!cd". Some of it was removed/quarantined while 1 or 2 files couldn't be fixed by McAfee.
I then ran MBAM which managed to clear everything. Here is the log from then (28th Aug):
-----------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2709
Windows 5.1.2600 Service Pack 3
28/08/2009 18:07:25
mbam-log-2009-08-28 (18-07-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165024
Time elapsed: 36 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\C... Read more

Answer: Infected with Google redirect & Rootkit TDSS and Rootkit.Agent/Gen-Rustock[KBI]

UPDATE:
Did an online scan with Eset, it reported the following: C:\Documents and Settings\Amit Sinha\Application Data\Sun\Java\Deployment\cache\6.0\56\3c28cc78-2a20046a probably a variant of Win32/Agent trojan deleted - quarantined
So looks like there are still some remnants...
Anyone?
===========
Hello
While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.
Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are... Read more

4 more replies

Well, once again my co-workers have managed to get something that I cannot remove. Last time I had an issue you guys fixed it perfectly and I am here again asking for help. Somehow this computer got a virus on it that has been spamming e-mails; because of this our IP has been blacklisted and e-mails we need to go out are not going out etc. etc... I would just reformat this machine but it has very specific software on it and I cannot.

As far as I know the viruses are called
rootkit-agent, rootkit.protector, and agprotector. Here is my DDS.txt and again I hope I have done everything correctly and I hope you can help, thank you again


DDS (Ver_09-12-01.01) - NTFSx86
Run by Big Fox at 15:18:51.93 on Thu 12/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.389 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe... Read more

More replies

64 bit, Windows 7
I was having issues with youtube. Streaming was very slow and would oftentimes stop altogether. At first, I thought I had an issue with flash player and so I uninstalled it, installed it again, and checked on updates. I still had the same issues.
I ran Spyware Doctor and Malwarebytes to see if the issue was malware. Previously, when I ran either program, it would show a lot of infections, but now there were none. I then thought that it could be a browser issue so I downloaded Google Chrome. Though it downloaded, Google Chrome would not open any sites. I got an error code. This is what it says:
"This webpage is not available. The webpage at http://google.com/ might be temporarily down or it may have been moved permanently to a new web address. Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error."
It said a couple of times that I wasn't connected to the server, but to me that didn't make sense because I was online and surfing the web with Firefox.
I downloaded other types of anti virus and malware programs to see if it would help. This is a list: spybots, ad aware, bitdefender, avg, kaspersky.
None downloaded. I received messages saying that the files were corrupted. There would be a bunch of programs opening while doing this. They were moving so fast so I couldn't catch any of them.
I tried to do online scans. Those didn't work either. Same message.
I tried to download these programs in safe mode with networks. They did not download. I trie... Read more

More replies

Earlier tonight, I was apparently infected with the above rootkit. I started to get Symantec AntiVirus notifications that downloaders were being deleted, and Windows Firewall kept popping up asking me if I wanted to block access to different nefarious items, the first being Rootkit.Win32.Agent.PP. I did a google search for this and found this site, in particular, this page. I started to follow the instructions on this page, so I ran MalwareBytes, which found a rootkit, among other things. I also ran the TFC program mentioned next. I rebooted after each of these. However, before doing anything else, I stopped and read the preparation guide for this forum. I next ran DDS and RootRepeal and am attaching the log files to this post.
Before running MalwareBytes, I was getting frequent Symantec AntiVirus notifications, and frequent Windows Firewall notifications as mentioned above ("frequent" being 1 every minute or so). After running it and TFC, I have not gotten any more notifications. Upon reboot, though, Symantec AntiVirus reported that there were items it could not remediate after rebooting. So, I'm not entirely sure if I've gotten everything or not. I'm pasting my MalwareBytes log below, and then the DDS log.
Thanks in advance for any help you can provide. Just to be safe, I am disconnecting my computer from the network tonight and will check any replies from another computer.
-----
MalwareBytes log:
Malwarebytes' Anti-Malware 1.43
Database version: 3485
Windows 5.1.2600 Service Pack... Read more

Answer:Rootkit infection (possibly Rootkit.Win32.Agent.PP)

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
Please download OTL from following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand corner ... Read more

11 more replies

First of all, hello to everyone.
I got infected just like him: http://forums.majorgeeks.com/showthread.php?t=157182
Any anti-malware program finds exactly the same files. Should I proceed the same way? In my case, the rootkit disabled my soundboard.
cheers,
Filipe
 

Answer:Rootkit.Agent and Rootkit.Bugle, yeah I know...

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.
READ & RUN ME FIRST. Malware Removal Guide

If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.
Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

 

12 more replies

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:21 AM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ht... Read more

Answer: rootkit.pakes rootkit.agent..., too many to list!!!

Hi all... saw the 5 day thread and judging by the number of posts today, I would probably still be in line tomorrow, so at the risk of offending I will pass on my request for help if nobody gets to me in the next 12 hrs or so

I have to get my system back up, so if fdisk is my only option I will need to start down that path... again, not meaning to be indignant, I am just in need of moving forward with repairs so if someone does have time, thank you... if not, thank you as well

6 more replies

Hello,
Boopme directed me to this forum section, and instructed me to post the following logs. The first two are MBAM logs, and the last is a RootRepeal log. His parting statement goes as follows:
You have a rootkit.
As there are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team member.
Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible. Please follow this guide. Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log. Let me know if it went OK.
The following are the logs that I was instructed to pass onto you (the HJT Team):
Here is the first:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3 (Safe Mode)
9/1/2009 3:30:18 PM
mbam-log-2009-09-01 (15-30-18).txt

Scan type: Full Scan (C:\|E:\|H:\|)
Objects scanned: 71585
Time elapsed: 23 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Compo... Read more

Answer:Rootkit "Win32/Rootkit.Agent.ODG trojan"

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
*If you have since resolved the original problem you were having, we would appreciate you letting us know.
*If not please perform the following steps below so we can have a look at the current condition of your machine.
*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
----------------------------*-------------------------------
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is ne... Read more

15 more replies

Hello,
 
OS : Windows XP SP3
 
My computer (actually on loan from my mother in law!) is taking ages to start and when it does, it is very slow to respond and even freezes. Eventually an Avast alert pops up and tells me it detected a rootkit called "Catchme". I didn't try to delete it, I don't know if I should have or even if Avast was right.
The PC was already slow when I first got it. I ran Malwarebytes before and it found a trojan.agent that was apparently deleted. I also ran JRT that found bad things too (tell me if you need the log).
When I run in Safe mode, the PC seems OK, more responsive.
 
Anyone to help me?
 
Thank you.

Answer:PC slow in normal mode, OK in safe mode, Catchme rootkit detected by Avast?

Hi,
 
I turned PC on this morning, it was still very slow to start, but the Avast message about the rootkit didn't come up this time! PC was still slow to respond though.
I decided to run AdwCleaner (saved on to USB key from my laptop and copied then on to the PC) just to see and it found 9 "bad" registry keys. I cleaned them and restarted the PC as prompted. PC seems a bit faster to respond now. I also ran Malwarebytes (quick scan) which didn't find anything.
Still think something is not right, can somebody help me check for rootkit or anything else please? Thank you

32 more replies

Yesterday I noticed my computer was acting weird, but nothing relevant. Today, it started by redirecting Firefox to other sites, then disabled the security tools (MSE) and after that, forced reboots. Since then, Windows is a mess. Sometimes explorer doesn't start, other times it says my Windows copy is not legit, some other times it doesn't let me open folders/explorer, etc...

I am kinda desperate because I have my MSc thesis presentation to prepare and I have no other computer to do it. Luckily for me, the thesis was delivered today, right before this all started.

DDS and GMER logs will follow, thank you in advance.

DDS (Ver_10-10-21.02) - NTFSx86
Run by Pedro at 0:33:04,15 on 26-10-2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============
============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 201... Read more

Answer:Infected with Rootkit.Agent: Firefox redirects + forced reboots + Antivirus Disable + others

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The ... Read more

3 more replies

Hello, I was sent here from the Am I Infected Forum by garmanma. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/260361/requesting-virus-help-malware-greenav-and-rootkit-etc/ ~ OB
Prior to posting in that forum, I tried to run MBAM, Spybot, SpyHunter. The programs would not run at all, I would get an error stating I didn't have appropriate permissions. I downloaded the DDS.scr file and tried to execute a scan. The scan screen popped open for about one second and closed....every program that I try to run will either not run at all, or if it does run, it will close a few seconds into the scan then shut down. If I try to run it again, I'll get an error saying I don't have permission to run that file.
I have tried online scans from Bitdefender, Microsoft's OneCare, and one more (forgot the name)...but every online scan shuts down the entire browser. Also, on occasion I get a fake page saying that the webpage I requested has been blocked due to my infections, and links me to a page regarding GreenAV. I could not run most of the tools in the preparation guide, even after renaming them. However, in the other forum I was able to run a couple of scans before the programs shut down. I was requested to start a new topic here and post the logs that I have. Thanks in advance:
I was instructed to download "peek.bat" and run that program and also RootRepeal. The results from both are listed below:
Peek.bat Log:
Volume in drive C is SQ004214P01
Volume Serial Number i... Read more

Answer:Rootkit and Spyware Problems: Antispyware/Antivirus/Rootkit Scanner programs all shut down when executed...

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

3 more replies

My dad asked me for help since his computer refuses to work with the usb keyboard/mouse.. I tried safe mode and noticed that it didnt work there either. Hes using Windows XP SP3 and hasn't any PS2 on his computer...

Any help would be appreciated. I suspect a variant of the TDL rootkit, which he had some half a year before, so I don't know WTF he's doing when he's browsing the web.

Thanks anyway

Answer:TDL Rootkit again.. cant use keyboard in safe mode or anything

When did this issue start? How did he remove the TDL rootkit? Do an external keyboard or mouse work? If yes:

Download TDSSKiller. Launch it. Click on change parameters and select TDLFS file system. Click on "Scan". Please post the log report (the log file should be in your C drive).

Download aswMBR. Launch it, allow it to download the latest Avast! virus definitions. Click the "Scan" button to start the scan. After the scan finishes, click on Save log. Post the log results here.

Download ESET online scanner. Install it. Click on START; it should download the virus definitions. When the scan gets completed, click on LIST of found threats. Export the list to the desktop and copy the contents of the text file into your reply.

5 more replies
Relevance 88.56%

Ran MBAM; it deletes until restart. I have limited internet access but have the use of a clean laptop if need be. I've included the last scan I have done. Any help would be much appreciated. Thank you.

22/06/2010 12:18:15
mbam-log-2010-06-22 (12-18-15).txt

Scan type: Quick scan
Objects scanned: 121492
Time elapsed: 13 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\zlawt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
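The MBAM log above has a fixed shape (a summary block of per-section counts, then the same sections repeated with the item lines), which makes it easy to parse and sanity-check. This is an added example, not code from the thread or from Malwarebytes: it parses that format, uses the log posted above (abridged) as its constructed sample input, and flags the two things a helper would look at first, a missing version/database header and a driver under system32\drivers that may come back after the reboot.

```python
"""Parser and sanity checks for Malwarebytes' Anti-Malware (MBAM) text logs.

Added example: SAMPLE_LOG is the log pasted in the post above (abridged);
the dataclasses, parse_mbam_log() and audit() are this example's own code,
not part of MBAM or of the forum's tools.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Summary sections in the order MBAM prints them: first "<section>: <count>",
# later "<section>:" followed by item lines or "(No malicious items detected)".
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (?P<ver>[\d.]+)$")
DB_RE = re.compile(r"^Database version: (?P<db>\d+)$")

# Constructed sample input: the log from the post above, with the empty
# "(No malicious items detected)" sections shortened to one.
SAMPLE_LOG = r"""22/06/2010 12:18:15
mbam-log-2010-06-22 (12-18-15).txt

Scan type: Quick scan
Objects scanned: 121492
Time elapsed: 13 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\zlawt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str
    item: str    # file path or registry key
    family: str  # detection name, e.g. Rootkit.Agent
    action: str  # what MBAM did, e.g. "Quarantined and deleted successfully."


@dataclass
class MbamReport:
    version: str | None = None
    database: str | None = None
    scan_type: str | None = None
    counts: dict[str, int] = field(default_factory=dict)
    detections: list[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log line by line; item lines belong to the most recent section header."""
    report = MbamReport()
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VERSION_RE.match(line):
            report.version = m["ver"]
        elif m := DB_RE.match(line):
            report.database = m["db"]
        elif line.startswith("Scan type: "):
            report.scan_type = line[len("Scan type: "):]
        elif (m := SUMMARY_RE.match(line)) and m["section"] in SECTIONS:
            report.counts[m["section"]] = int(m["count"])
        elif line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
        elif current and line != "(No malicious items detected)":
            if m := ITEM_RE.match(line):
                report.detections.append(Detection(current, m["item"], m["family"], m["action"]))
    return report


def audit(report: MbamReport) -> list[str]:
    """Findings a helper would check before trusting the log or declaring the box clean."""
    findings: list[str] = []
    if report.version is None or report.database is None:
        findings.append("missing MBAM version/database header: cannot tell whether definitions were current")
    for section, expected in report.counts.items():
        seen = sum(1 for d in report.detections if d.section == section)
        if seen != expected:
            findings.append(f"{section}: summary says {expected}, but {seen} item line(s) listed")
    for d in report.detections:
        low = d.item.lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            findings.append(
                f"kernel driver {d.item} ({d.family}): if it is detected again after the reboot, "
                "whatever re-creates it is still active and a rootkit scanner is needed")
    return findings


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.counts, [(d.item, d.family) for d in rep.detections])
    for finding in audit(rep):
        print("-", finding)
```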

Answer:rootkit.agent limited internet please help!!!

Hello, odd that that MBAM log didn't contain your operating system and the version of MBAM run.

We need to check for rootkits with RootRepeal.
Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror / Secondary Mirror / Secondary Mirror / Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror / Secondary Mirror / Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror / Secondary Mirror / Secondary Mirror
Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok.
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

3 more replies
Relevance 88.15%

I was recently infected with ZeroAccess, although not very seriously. The initial infection seems to have come from a dummy Adobe update window that I clicked yes to. It was very convincing; this was the first time I have ever been taken in by a virus. The reason no huge warning bells went off in my head was that the 'update window' only appeared after I had finished browsing and had opened a PDF.

Anyway, the main symptoms were that McAfee security center would not turn on real time scanning, occasionally the firewall would also go down. I tried scanning with McAfee, but obviously that did not work. At this point system restore was not working. I downloaded and scanned using malwarebytes and that quarantined and deleted a trojan (trojan.phex.THAGen6 according to the log). I then ran malwarebytes in safe mode and deleted a whole more viruses, for some reason I have no log of that so I can not say which ones. After this system restore was an option, so I restored back to a point over a month before the assumed date of infection and after a reinstall of McAfee I was symptom free.

I thought I might have a rootkit hanging around in there somewhere, so I found some antirootkit tools (kaspersky, McAfee, Sophos, Avast, unhackme) and ran them. Although everything comes up clean in regular mode, when I ran avast antirootkit in safe mode it showed 7 rootkits but gave errors when trying to delete them. Sophos in regular mode found 2 of these (identified as parts of ze... Read more

Answer:rootkit notification from avast in safe mode

Good evening. Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder.
To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish
Please close all open programs as this may result in a reboot being necessary.
Double click TDSSKiller.exe to begin. Click Start scan and allow the tool to do just that. Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate. Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens. If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
Please check that you get the one with the right date and time.

30 more replies
Relevance 88.15%

Had a few problems with Google redirects for a while now; I just ignored the problem as it didn't seem too much of a hassle. Last night my computer went down.

The font in the top bar of Firefox and IE went black for some reason, and my computer would freeze 5 minutes after login. The computer would also freeze if I closed and reopened IE or Firefox, but not Chrome.

I did a quick look around and found my wpa.dll file had been changed, along with the appearance of msa.exe.

I didn't delete any files. I also found that a few random files had been added to system32 and one to the Drivers folder; gymahdhssa etc. were the file names.

Any help would be really appreciated. If I'm beyond repair, I guess it's a case of a system wipe after moving my files to an external :(

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:40:42, on 15/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,S... Read more

Answer:Virus Possible MSA / Rootkit [Can only boot up in Safe Mode]

Hello and welcome to TSF.

HijackThis is no longer the preferred initial analysis tool in this forum.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote: Having problems with spyware and pop-ups? First Steps
link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Relevance 88.15%

Greetings kind souls,

As you can probably glean from the title of this post, this computer has been infected with Rootkit TDSS. This is the last in a series of infections that have been coming up since a week back when a Fake Trojan Alert appeared. I have AVG, Spyware Doctor, Mbam, and SuperAntiSpyware. After these viruses are located and removed, it is only a matter of days until a new one is found. Since my understanding of these things is limited, I can only imagine that somewhere in the hard drive, one of these applications has a 'foothold' beyond the reach of the scanners. So if anyone can tell me how I can get rid of this for good, I would be very grateful.

Other symptoms:

1) When computer boots, error message:

RUN DLL
Error loading C:\WINDOWS\aqobuzix.dll
The module could not be found

2) Not possible to start computer in safe mode

3) Computer will not shut down

Answer:First Trojan, now Rootkit. Won't reboot in Safe Mode...

Anyone able to help?

4 more replies
Relevance 87.74%

Hello, my laptop is running Windows 7 64-bit. I have been facing a browser redirect malware issue for the last 15 days. I have temporarily fixed the issue by changing the HOSTS file as well as using the NoScript Mozilla addon, but I am not able to resolve the issue permanently. One more thing: I am not able to update Windows Defender. But NIS 2010 is not showing any virus/spyware and is updating at regular intervals. I ran MBAM by renaming the file. MBAM detected two infected files with Rootkit.Agent.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3967
Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385
08-Apr-10 5:05:14 PM
mbam-log-2010-04-08 (17-05-14).txt

Scan type: Quick scan
Objects scanned: 106990
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jtnfbjj (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\qkoi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I am ... Read more

Answer:Rootkit.Agent .. Redirect rootkit?

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems. I will be working on your malware issues; this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen. Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one. You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you let... Read more

3 more replies
Relevance 87.74%

Hello, and thank you in advance for your assistance. I have a Dell E1505 running XP Media Center with automatic updates. I have experienced trojans & rootkit activity before including browser hijacking/redirecting, but have always been successful at solving the issue myself using a combination of the programs recommended here (MBAM, SS&D, HJT, & ComboFix for browser hijacking). In the past week I somehow became infected again & none of the programs I am familiar with will resolve the problem. The symptom of the infection is a very slow internet speed, and a "failure to connect to server" browser error on nearly every attempt at visiting a webpage. Only after multiple reloads will the website connect and even then it is often half-loaded with missing background images, and alignment formatting. The problem somehow extends to my network as well. Enabling the wireless radio on my laptop and allowing it to access my linksys wireless router causes near immediate disruption in the internet performance and server connection on the two PS3 systems using the same router. That's all I really know I'm afraid except that it seems to involve oevipvyr.sys which I couldn't find anywhere online so I assume is random. Thanks again for the help guys.

LoNDoN
DDS (Ver_09-12-01.01) - NTFSx86
Run by LoNDoN at 10:02:06.34 on Mon 12/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.667 ... Read more

Answer:RootKit.Agent Infection Slowing Internet

NOTE: Also, I just noticed that my Synaptics TouchPad mouse is no longer showing up in the msconfig window. Upon investigation at Control Panel - Mouse, I immediately receive the message "Unable to connect to Synaptics Device Driver. The driver still appears under Add/Remove programs and the TouchPad is still functioning (though settings seem to have been reverted to default as the Tap-To-Click function is active while I have always had it turned off). Thanks again for your assistance, and I hope to hear from someone soon.

6 more replies
Relevance 87.74%

I'm really ticked right now. I tried to post twice already, but due to my own stupidity I've either closed or overwritten the tabs that I was working on the post with. I'm going to try to keep this as short as possible in case it happens again.

So around 2 weeks ago, I decided to remove this malware that was on my computer for the longest time, redirecting my search results. Malwarebytes didn't turn up anything, so I decided to get NOD32, and when I ran a scan with it, it detected a bunch of items and deleted them. However, a bit later than that tons of pop-up ads started to appear and some of them I couldn't even exit. Task manager was also disabled by the admin, no doubt the work of malware. I restart the computer, and whoop de ****ing doo, there's a BSOD at the XP loading screen so I can't even use Windows. Safe mode doesn't work either; I get a BSOD when that tries to load as well.

For about a week, I go about wankin around with my computer before it starts working again. I install a second copy of XP by accident when trying to repair XP, and I use that second copy to gain access to my files and to access a certain .sys file in system32/drivers which I thought was denying me from accessing safe mode. I delete that file, and for some reason it let me access my broken version of XP, but not safe mode. I load up my broken version of XP, and not surprisingly, it's completely infested with malware. There are tons of pop-ups. Task manager and Regedit are disabled by the admin, an... Read more

Answer:Possible Rootkit.Agent, Not sure, Internet, speakers disabled

Oh, and I missed a quick detail: the malware also messed with my Winsock. Whenever I try to start uTorrent it gives this message: "WSA Startup() failed, or you have the incorrect version of Winsock installed." Windows Messenger also cannot start. I also have a hunch that there are a bunch of hidden processes, since in task manager it says there are 1,470 megs free when there should actually be 1,850 free.

===========

Hello. While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the... Read more

21 more replies
Relevance 87.74%

Hi, hope someone can help.

My system is Win XP Professional, Media Center Edition 2005

IE is not working; it just closes when I try to open it, so I cannot update Windows, Malwarebytes etc. or surf the Net. However, I can access Second Life OK through its shortcut icon.

Ran Malwarebytes; it found Rootkit.Agent and removed it, but my PC would not reboot. I could only restart by selecting "Last Known Good Configuration". I cannot even access Safe Mode. If I run MBAM again, it detects Rootkit.Agent and goes through the same process. AVG does not fix it either.

Would appreciate any advice. Thank you.

Answer:Internet Explorer Not Working/Rootkit Agent

It looks like MBAM wants to delete the file on a restart, but as my PC will not restart properly, it can't. All I can use is "Last Known Good", which brings me back to where I started.

1 more replies
Relevance 87.33%

My ISP had been blocking my internet connection because they claimed I had a "bot" on one of my systems. After much dealing with them they instructed me to try running tools to remove zeroaccess. I ran the tool that can be found here 
 
http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx
 
It found TDSS something and told me to reboot my system.
 
After rebooting my system flashes the blue screen with white writing and then reboots again asking me if I want to start in safe mode. 
The system starts normally in safe mode. 
System restore does not seem to run in safe mode.
A pop-up instructs me to run safe mode manually with a command, but it still does not work. 

Answer:System only restarts in Safe Mode after rootkit removal

Hello, let's first see if we can find a BSOD code here. We need to diagnose your BlueScreen.
When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode.
Select "Disable Automatic Restart on System Failure", as shown here:
When your system BSODs, write down the STOP error code, as well as any written out error message, back here. The STOP error will always appear, but the message may not. You are looking for this:
Please post me the error(s).

16 more replies
Relevance 87.33%

Hey. So I have this semi-old computer that's been running Windows XP. Recently, the computer started to get worked up and files wouldn't work. .exe's would not even load or start up. When I tried moving files over on a flash drive to my other computer, the files would be blank on my other computer. In addition, no programs were visible in the startup menu in either safe mode or normal mode. My Computer and other similar processes were unavailable in normal mode too. In order to install Malwarebytes and SuperAntiSpyware, I downloaded a registry fix that fixed the .exe files. After running both, a few trojans were said to be quarantined. I have my Windows 7 installation CD. The logs are attached. Thank you for helping me.

SimplyBMW

Answer:Only able to boot computer in safe mode. Possibly rootkit

Hello simplybmw, my name is ratman and I will be helping you with your computer problems. Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
Please do not do anything or perform other steps unless I have asked you to do so.
Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
====================================================================================
Please take note:
If you have since resolved the original problem you were having, I would appreciate you letting me know.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and I will guide you.
Please tell me if you have your original Windows CD/DVD available.
If you are unable to perform the steps I have recommended, please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing th... Read more

3 more replies
Relevance 87.33%

Computer continuously crashes with BSOD error as early as user log in screen, unless operating in Safe Mode.
(Note: Safe mode occasionally crashes with the same error/same filename)

Blue Screen Of Death with the following technical information:

driver_irql_not_less_or_equal
*** Stop: ojwmmc.sys - address F754ECCB base at F754a000, datestamp 4c906e35
_____________

I initially did a search for ojwmmc and found it in the driver directory and also in various registry entries:

ojwmmc.sys 0xf754a000 (File Type Unknown) C:\windows\system32\drivers

Example Registry Paths:
my computer\hkey_local_machine\system\controlset001\Services\ojwmmc (Cannot open ojwmmc: error while opening key)
my computer\hkey_local_machine\system\controlset001\enum\root\legacy_ojwmmc\00 00 (Service, REG_SZ, ojwmmc)

No virus/malware/rootkit remover has been able to resolve this problem yet, but I was redirected here from another section of the forum for expert analysis.

Following the instructions on the preparation page and scanning, GMER came up with a rootkit infection alert - so here are my DDS and GMER logs as requested.

Thank you very much for the help!
_______________________________________
DDS (Ver_10-10-10.03) - NTFSx86 NETWORK
Run by DarkLight at 17:20:56.73 on Mon 10/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.580... Read more

Answer:ojwmmc Rootkit Infection = Safe Mode or BSOD

Hi, welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

2 more replies
Relevance 87.33%

I have Bitdefender on my PC. I did a scan and it said I had a rootkit and needed to be restarted to remove it, so I restarted, and now a normal boot goes to a blue screen every time (stop 0x0000007E), while safe mode works. I tried a scan with updated Malwarebytes in safe mode, and it comes back clean. I have run Defogger and attached the DDS log:

DDS (Ver_2012-10-14.05) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by Matt at 22:31:43 on 2012-10-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2900 [GMT -4:00]
.
AV: Bitdefender Antivirus *Disabled/Outdated* {98CD50CE-5097-4098-9669-6C401FB3969C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antispyware *Disabled/Outdated* {23ACB12A-76AD-4F16-ACD9-57326434DC21}
FW: Bitdefender Firewall *Disabled* {A0F6D1EB-1AF8-41C0-BD36-C575E160D1E7}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe... Read more

Answer:Rootkit Removed Now Only Safe Mode Boot Vista

Hello, welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Let's see if we can restore your computer to a date prior to running Bitdefender and restarting your computer. Follow the directives listed here.
http://windows.microsoft.com/en-US/windows-vista/Start-System-Restore-from-a-command-prompt
Select a restore point prior to running Bitdefender. This should possibly restore the infection but will take care of it.
If successful please run the DDS tool and post a fresh log for my review.
Wait for further instructions.

16 more replies
Relevance 87.33%

Need some help badly... computer has been down for 2 weeks! Had a bad infection, think I cleaned it - not totally sure (see HijackThis file), but the computer will only reboot in Safe Mode only - not the F8 initial 'safe mode' with black screen during start up; once the computer has completely restarted and gone to the desktop page, everything 'looks' normal, but it has the 'gray' taskbar and limited functionality (no internet, etc). I tried several system restores and they don't work, I get "System Cannot be Restored to this Point" or something to that effect. I could REALLY use some help on this. Thanks!

Best Regards,
Dana
Dana Shute
LtCdr USN (Ret)

Here's the hijackthis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:12 AM, on 1/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dana Shute\Desktop\HijackThis.exe

O2 - BHO: &Yahoo! T... Read more

Answer:Computer Reboots Safe Mode Only after Rootkit cleaned??

Hi jetjockchicago, welcome to the Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I need some feedback from you. Tell me if you have an internet connection when going to Safe Mode with Networking by using the F8 key, and if the log you have posted is made from there. If it is not the case, tell me how you manage to download the tools and post the logs. I need to know our options in diagnosing and running the tools so that I know what tools I can use (some tools need an internet connection), and also so it will be minimum effort for you to perform the fixes.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. Open Windows Defender. Click on Tools, Options. Scroll down the list of options to select "Real-time Protection Options." Uncheck "Use Real-Time Protection (Recommended)". After you uncheck this, click on the Save button and close Windows Defender.
Note: After all of the fixes are complete and I give you the clean sign, you enable Real-time Protection again.

Make sure ThreatFire is not running as long as we are not done with all the fixes and the system is not cleaned. We prefer to uninstall it; you can install it after... Read more

34 more replies
Relevance 86.92%
Question: Rootkit.Bagle

Hi,

I ran Malwarebytes' Anti-Malware and it detected the infected file "C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle)".

I have tried to remove the file repeatedly; with each attempted scan and reboot, Malwarebytes is still picking it up.

My Avast Antivirus software was also unable to start and reinstall, and received the following error when trying to run it manually "C:\Program Files\Alwil Software\Avast4\ashAvast.exe is not a valid Win32 application".

Please help.

Thank you.

Answer:Rootkit.Bagle

Please update MBAM and run another scan. Post the log here.

1 more replies
Relevance 86.92%
Question: rootkit.bagle.gen

Please help me.

Answer:rootkit.bagle.gen

Hello Arun T.T, welcome to BleepingComputer.
========================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3
--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

2 more replies
Relevance 86.92%
Question: Rootkit.bagle

Hi, I got infected with the rootkit.bagle about two days ago.

Antivirus gets terminated. Win32 error when I try to manually restart it.
Wireless connection disabled. Ethernet connection works though.
Blue screen warning when booting safe mode.
Random-number .exe files occasionally appear in task manager. Process manager shows that they originate in Username\Application data\drivers but they are not visible.
autochk.exe missing message during restart. This started yesterday, so it may be caused by my (amateurish) attempts to fix things.

I managed to manually delete a couple of the folders with the infected files (although they just reappear) but I can't empty them from the recycle bin now. I get a "directory is not empty" message.

CCleaner, which was already installed on my comp, won't run. SAS and ComboFix both give Win32 errors, even when renamed.

When I tried to run GMER, I get the error msg "cannot create a stable subkey under a volatile parent key", but it seems to work.
 

Answer:Rootkit.bagle

Welcome to Major Geeks!

Please run the below procedure and attach the requested logs:

Removing Bagle Infections
 

13 more replies
Relevance 86.92%

Hello Guys,

I have a problem, with the name: RootKit.agent
Also known as: Rootkit.Agent.CL [Bitdefender] Rootkit.Win32.Agent.iy Rootkit.

Type: Hijacker, Rootkit, TT_Troj

Threat level by Spyware Doctor: High

and I also have Trojan-Dropper.Agent which maybe caused the Rootkit.agent

It infected my computer with the file:
C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk
I cannot delete this file.

Spyware Doctor says it's deleted and asks me to restart the PC. After that it's back again. Rootkit.agent changed the start page of my web browser and the security settings of my web browser, and I can't change them anymore because my PC tells me I am not the administrator anymore. I have two accounts on my PC and they both have the status of PC owner.

The symptoms are various: sometimes it gives pop-ups, sometimes it blocks my Symantec virus scanner and disables my Real-time Protection.

I did all the steps before posting, so I think I'm ready for your reaction.
I really need my laptop because I am in Yemen on an internship to help disabled children and it's my only contact with the rest of the world.
Excuse my English (I'm from Holland).

This is what HijackThis says:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:49, on 3-2-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system... Read more

Answer:Rootkit.agent is changing my security on internet and networks

I'm sure we can fix it for you...

Please download SDFix from here and save it to your desktop


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post that log in your next reply.


=========================================


Download Combofix from any of the links below, and save it to your desktop. For further information... Read more

9 more replies

Hi there, I've spent most of my weekend trying to get rid of some malware that I believe is Rootkit.Bagle. It disabled NOD and keeps most of my anti-spyware tools from running properly.
I've been through your Vista cleaning procedure to the best of my abilities.
- SuperAntiSpyware doesn't run
- Malwarebytes ran only in Safe Mode (log attached)
- ComboFix, after detecting a rootkit and restarting, says when it runs again that it is not running on a compatible OS (XP and 2000)
- MGTools - managed to run (logs attached)

I've also included a log from HijackThis.

Any help is very much appreciated.

Cheers
Nuno
 

Answer:I think I have rootkit.bagle and I cant remove it

Please rerun malwarebytes and have it fix everything it finds!

Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from MWB's.
 

3 more replies

I was infected by Rootkit.Bagle and I managed to remove it with FindyKill. Malwarebytes doesn't find any traces of it now (with a complete scan). I installed AntiVir and it doesn't find anything either.

When I try to find it again with Findykill, here is the log:
############################## [ FindyKill V4.720 ]

# User : Jonathan (Administrators) # HP-JONATHAN
# Update on 12/03/09 by Chiquitine29
# Start at: 17:48:43 | 14/03/2009

# AMD Turion(tm) 64 X2
# Microsoft Windows XP Home Edition (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.0.5730.11
# Windows Firewall Status : Enabled
# AV : Avira AntiVir PersonalEdition 8.0.1.30 [ Enabled | Updated ]
# FW : Norton Internet Worm Protection[ (!) Disabled ]2006

# C:\ # Local fixed disk # 84.95 GB (7.19 GB free) # NTFS
# D:\ # Local fixed disk # 7.19 GB (1.4 GB free) [HP_RECOVERY] # FAT32
# E:\ # CD-ROM drive
# F:\ # CD-ROM drive
# G:\ # Removable disk # 1.89 GB (920.94 MB free) # FAT

############################## [ Active Processes ]

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Cl... Read more

Answer:Rootkit Bagle, almost removed

Up ...
 

34 more replies

Hi,

Been having this problem since this afternoon. Identical to some others I have been searching on these forums: my antivirus and firewall disabled, can't run HijackThis so I ran MGTools - here is the log, I think, because it doesn't show some things like in other ones I've found on these forums.
I have run ComboFix and it said it deleted those files in the system32 folder but I still have the same problem.

Please help me.

Oh, and my internet doesn't work after 5-8 minutes so I have to reboot often.
 

Answer:Bagle rootkit problem, new here?

You will find the MGTools log here:
C:\MGLogs.zip

Please attach that after running the SAS and MWB scans and attaching those logs.
 

3 more replies

Hi!

I got this nasty Bagle / rootkit combination. Avast! warned me, but couldn't kill them. I tried several things, but the one that saved me was the F-Secure Rescue CD. You can find it here: http://www.f-secure.com/linux-weblog/

SpyBot and CCleaner took care of the rest (register).

Take care,
Harri
 

Answer:Bagle / rootkit killed

Thanks for posting us this message. I had actually saved this ISO file a while back and just have not had time to create the CD and play with it. I have used other Linux-based CD tools myself and also UBCD4Win to fix this infection manually. We also use the Recovery Console to fix this. The problem with manual steps is that they are difficult for many people to follow.

I will have to finish looking at this and then try it with a user or two. Some people even have problems burning ISO files to CD.
 

3 more replies

Hi,

I was infected with a virus or malware or something that blocked my Panda antivirus and also damaged the wireless connection (I finally found the solution in a forum by changing a number in the configuration) among other problems. I have tried to install many antiviruses but without success. Many of the online scans didn't work but finally with BitDefender I could. It found some problems: DeepScan.Generic.Bagle, win32.bagle.suq, Generic.Malware.Bdld, Trojan.Downloader.Bagge and win32.bagle.2678.

I finally could install Malwarebytes and it found Rootkit.Bagle and Trojan.Agent:

Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 6.0.6001 Service Pack 1

4/18/2009 6:08:03 PM
mbam-log-2009-04-18 (18-08-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 407115
Time elapsed: 2 hour(s), 20 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Rootkit.Bagle) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sk9ou0s (Rootkit.Bagle) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Rootkit.Bagle) -> Delete on reboot.... Read more

Answer:How to remove rootkit.bagle

Welcome to Major Geeks!


Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if you are having problems getting scans in the Read & Run Me First.

TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide


Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
To avoid additional delay in gettin... Read more

1 more replies
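The Malwarebytes log quoted in the post above reports the same driver service, sk9ou0s, under ControlSet001, ControlSet004 and CurrentControlSet, next to the srosa.sys and hldrrr.exe driver files that other posts in this thread name. As an added example (not code from the thread or from any of the tools it mentions), the Python script below parses lines in that Malwarebytes format on a clean machine, collapses the ControlSet aliases so one service is counted once, flags short random-looking service names and the known driver file names, and lists everything the scanner could only schedule as "Delete on reboot", which is the set worth re-checking after the restart given how often these posts report the files reappearing. The log-format regex, the random-name heuristic and the two constructed file-path lines are my assumptions; the three registry lines are copied from the post.

```python
"""Triage helper for Malwarebytes-style detection lines.

Added example, not from the forum thread. Assumed line format (my assumption):
    <registry or file path> (<DetectionName>) -> <action>.
Paths containing " (" (e.g. "Program Files (x86)") would need a stricter regex.
"""
import re
from collections import defaultdict

# Three registry lines copied from the post above; the two file lines are
# constructed here, using the driver names the thread reports (srosa.sys, hldrrr.exe).
SAMPLE_LOG = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\sk9ou0s (Rootkit.Bagle) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet004\\Services\\sk9ou0s (Rootkit.Bagle) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\sk9ou0s (Rootkit.Bagle) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\srosa.sys (Rootkit.Bagle) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\hldrrr.exe (Rootkit.Agent) -> Delete on reboot.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)$",
    re.IGNORECASE,
)
# Driver file names named repeatedly in this thread (not a complete Bagle list).
KNOWN_BAGLE_FILES = {"srosa.sys", "hldrrr.exe"}


def parse_detections(log_text):
    """Return one dict per parsable line: path, name (engine label), action."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(m.groupdict())
    return out


def services_by_name(detections):
    """Map service name -> set of control sets it was flagged under.

    CurrentControlSet is a symbolic link to one of the numbered sets, so the
    three registry lines in the sample describe one service, not three.
    """
    seen = defaultdict(set)
    for d in detections:
        m = SERVICE_RE.match(d["path"])
        if m:
            seen[m.group("svc").lower()].add(m.group("cs"))
    return dict(seen)


def looks_random(name):
    """Heuristic (mine, not the forum's): 5-10 chars of lowercase letters and
    digits, with at least one of each. Legitimate drivers (tcpip, ntfs) fail it."""
    return (
        5 <= len(name) <= 10
        and re.fullmatch(r"[a-z0-9]+", name) is not None
        and any(c.isdigit() for c in name)
        and any(c.isalpha() for c in name)
    )


def known_driver_files(detections):
    """Basenames under a \\drivers\\ directory that match the names the posts report."""
    hits = set()
    for d in detections:
        base = d["path"].rsplit("\\", 1)[-1].lower()
        if "\\drivers\\" in d["path"].lower() and base in KNOWN_BAGLE_FILES:
            hits.add(base)
    return hits


def recheck_list(detections):
    """Paths the scanner could only schedule for deletion; verify these after the
    reboot, since posts in this thread report them coming back."""
    return sorted(
        {d["path"] for d in detections if d["action"].lower().startswith("delete on reboot")}
    )


def triage(log_text):
    dets = parse_detections(log_text)
    svcs = services_by_name(dets)
    return {
        "detections": len(dets),
        "services": {s: sorted(cs) for s, cs in svcs.items()},
        "random_named_services": sorted(s for s in svcs if looks_random(s)),
        "known_driver_files": sorted(known_driver_files(dets)),
        "recheck_after_reboot": recheck_list(dets),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it as `python triage.py` to print the summary for the embedded sample, or pass a full mbam-log-*.txt to `triage(open(path).read())`. A service that is still present under CurrentControlSet after the reboot means the scheduled deletion did not take, and the entry should be reported back with the new log rather than assumed gone.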

hi,

I have a Rootkit.Bagle infection and a Trojan.Agent infection. I have tried to run numerous anti-spyware, anti-virus, etc. stuff I've found online, but nothing has worked, and any programs do not run, with an "xx is not a valid win32 application" message. This evil thing has also killed my mobile broadband internet connection, and I can't connect to the internet (so I'm in a cafe at the moment).

I've seen people have kindly helped with this virus before on this forum and am hoping someone else will kindly do so... I would just follow another post's guidance but the post specifically says not to use ComboFix if you don't know what you're doing, and the rules say not to post a ComboFix log until asked.

I found these 2 infections using a malware remover, Malwarebytes, and removed them but they just reappear again.

Please can someone help?

Also, if I'm asked to upload any logs etc., is it safe to transfer a log to an external hard drive and then onto another PC (as my internet connection is virus KO'ed) to upload, or will I be transferring the virus around? Also is it safe to use my mobile broadband stick on another PC, or is it virused too (it has software on it for auto installation)?

Answer:please help - rootkit.bagle infection

The tools needed to remove this are only available thru the HiJackThis team. Please follow these instructions.
Preparation Guide for use before posting a HijackThis Log
Post the complete log here: HijackThis Logs and Malware Removal, and not in this thread. Click on New topic, give the post a relevant title and copy/paste the log. If you have further questions on this, ask them here.
Please see post #2 here to run Flash_Disinfector to clean the flash drive.
http://www.bleepingcomputer.com/forums/ind...ash+disinfector

1 more replies

My laptop is pretty hosed up it seems. I DL'd a bunk file from eMule... usually I'm pretty careful what I get but obviously I made a mistake this time... I've read a lot of the threads concerning the Bagle virus and tried to get my laptop fixed up but I'm coming up empty so hopefully I can get some help here.... I have the srosa.sys file and hldrrr.exe file so I know it's Bagle. When I had the internet on the computer before, I ran a Kaspersky scan and it found the files with the viruses and told me what files, but I couldn't get everything taken care of. Right now the laptop has no internet connection, I can't open any spyware/virus related programs due to the Win32 error msg, I get random BSODs and starting in safe mode is hit or miss... Here's some log files, hopefully I can get some help from you guys. TIA>

Answer:Bagle Rootkit Virus....

ttt....help a brother out!

3 more replies

Hi,

About a month ago I got a nasty virus when my wife clicked on an AntiMalware Doctor screen. I was able to finally get everything clean (apparently so). Today I was on the internet and I noticed that when attempting to navigate to another page in IE, Adobe Reader started launching which was followed immediately with my antivirus AVAST popping up a message saying that it had blocked a file before it had a chance to execute. It mentioned something about Rootkit. Right after this my screen turned blue (I don't recall what the message was) and I must have restarted.

My computer now will not boot into windows XP, and it won't boot into safe mode using F8 as it turns into a black screen with a cursor at the upper left. I can get to the Setup screen though. Also, I have a Dell Dimension E10 which did not come with a boot CD so I don't know what to do. I have hijack this and malwarebytes installed but I can't get to any of it obviously. I've disconnected from the Internet along with any other peripherals etc.

Thanks for the help.

Answer:Rootkit Virus, Blue Screen, Can't boot Windows or Safe Mode, No OS CD

Hello there,
Please download ARCDC from Artellos.com.
Double click ARCDC.exe
Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
You will be prompted with a Terms of Use by Microsoft, please accept.
You will see a few DOS screens flash by, this is normal.
Next you will be able to choose to add extra files. Select the Default Files.
The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop. Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

If your PC is not booting from the CD, you need to change the boot order:
Restart your PC As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key. Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change. Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order The tab should now show your current boot order.
If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily. Once the CD-drive is on top of the boot order, navigate to Exit a... Read more

15 more replies

Hi Everyone,
This is my first time posting, so I apologize if I'm leaving out important info/not posting in the correct area of the forum. I have a virus on my computer. My Symantec catches it as 'hacktool.rootkit,' but will not clean it. MalwareBytes caught a myriad of trojans (like 'avsoft') and did clean that. The virus will not let me boot my computer in safe mode, so I had to run the scans in real time (I turned off the internet - not sure if that's helpful or not, but it stopped all of the avsoft popups). Anyhow, Malwarebytes cleaned some viruses, but I still cannot boot into safe mode. It acts like it will let me get there, then it says 'monitor going to sleep' and boots in regular mode. I want to get into safe mode because I think I know where the virus is (in my c:/hp admin/local host/temporary internet files), but the folder is hidden. Any help or guidance would be greatly appreciated. I'm at my wits end with this virus!
Here is a copy of my Hijack This Log (I also attached it):
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:44:04 AM, on 6/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\S... Read more

Answer:Viruses (hacktool.rootkit, avsoft) stopping me from booting in safe mode

Hi marce_a_tron
Welcome to Bleeping Computer. I'm maranatha and I will be handling your log to help you get cleaned up. Please do this.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop and post the contents of the DDS logs here.
Thanks
maranatha

18 more replies

Hi,

About a month ago I got a nasty virus when my wife clicked on an AntiMalware Doctor screen. I was able to finally get everything clean (apparently so). Today I was on the internet and I noticed that Adobe was launching, which was followed immediately with my antivirus AVAST popping up a message saying that it had blocked a file before it had a chance to execute. It mentioned something about Rootkit. Right after this my screen turned blue (I don't recall what the message was) and I must have restarted.

My computer now will not boot into windows, and it won't boot into safe mode using F8 as it turns into a black screen with a cursor at the upper left. I can get to the Setup screen though. Also, I have a Dell Dimension E10 which did not come with a boot CD so I don't know what to do. I have hijack this and malwarebytes installed but I can't get to any of it obviously. I've disconnected from the Internet along with any other peripherals etc.

Thanks for the help.
 

More replies

thank you for your help.

I've downloaded a "crack" for my dad's program. As I ran the EXE cracker it asked me "select file to crack".
Since then my Avast is disabled, I can't see hidden icons (the malware also removed the tick option from Tools-->Folder Options)
and it has infected my iPod (!!!). Safe boot won't work, also HJT and other malware removers appear to not work/disappear (just Bagle's nasty spit).
Jesus, will anyone help me?

What I've tried so far (as I'm a spyware/malware expert myself, this one's got me pretty bad):
SuperAntiSpyware - to recover my safe boot (succeeded)
Ad-Aware - (FAILED)
Spybot - (FAILED)
ComboFix - (FAILED)
SmitFraudFix - (FAILED)
manual deletion of the following files/folders:
%windir%\system32\drivers\srosa.sys
%windir%\system32\drivers\hldrrr.exe
%windir%\system32\drivers\down\*
%windir%\system32\drivers\downld\*
various registry keys regarding FirstRRun or something like that... FAILED (they got deleted but Bagle kept coming back).

Absolutely NOTHING worked. It keeps coming back (though it seems like Windows is functioning normally because I'm having no problems writing this down or playing any other game.)

Time is of the essence as well, as I'm being recruited on the 29th of July and then I'll be home once every 2 weeks, so HELP IS VERY APPRECIATED.

Thanks a bunch.
Your friendly neighborhood - Muli.

edit - also black... Read more

Answer:Bagle, And Possibly Another Rootkit Malware.

Crack programs are usually quite infested with malware. Hello and welcome, the tools needed to remove this are available under supervision here.
Please follow the instructions in this tutorial for posting a HijackThis Log: Preparation Guide for use before posting a HijackThis Log
After you have created it, post the log here: HijackThis Logs and Malware Removal, and NOT in this topic, thanks. Click on New Topic and copy/paste the entire log into the reply. Give it a relevant title.
Once you have posted the log DO NOT reply to it or change it until contacted or advised to do so by the HJT Team tech.
Should you have any other questions about this, ask those here.

7 more replies

Hi guys, as continued from this thread i started before..

http://forums.techguy.org/windows-nt-2000-xp/768546-antivirus-installed-but-can-t.html

The virus is back again! I thought I got rid of them through ComboFix but apparently NOT! I scanned my com with AntiVir and Kaspersky; it looks like it has duplicated into MORE!! Arghh!! Help pls before it's uncontrollable pls!

This is my current HijackThis log while still scanning with AntiVir. OMG! AntiVir scanned like 200+ Bagle-infected files and it's beeping like crazy! But somehow my com still runs ok though

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:51 AM, on 15/11/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.e... Read more

More replies

Virus writers have begun adding rootkit functionality as a component of commonplace malware such as MyDoom and Bagle. Rootkit technology is designed to hide the presence of malware on infected systems. Originally the technology featured only as a component of more sophisticated and exotic forms of malware. Now the technology has moved into the mainstream, anti-virus firm F-secure reports.

For example, Bagle-GE incorporates rootkit features designed to hide the processes and registry keys of another Trojan of the same family, Bagle-GF. The development has raised particular concerns because of strong links between Bagle and the operations of numerous botnets, networks of compromised Windows PCs that are often used to either distribute spam or attack other systems.

"There appear to be bugs in these new Bagles. But if the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on," F-Secure's techies comment in a posting on the firm's weblog here.

Gurong-A, a new worm based on MyDoom code - possibly created by a copycat author with access to leaked copies of MyDoom's source code - also features rootkit (stealth) technology designed to help malware avoid detection by conventional anti-virus scanners.

"Rootkit development has had such a lull in recent months that we were beginning to wonder if the technique had sudd... Read more

Answer:VXers add rootkit tech to MyDoom and Bagle

Wtf, I hate **** malware and viruses. Can't they shut the virus writers down? Cos is it companies who just write malware and sell it to other companies?
BTW I only partially understand what you're talking about. But it doesn't sound good. Malware writers may change the program so it is highly undetectable, is that what you're saying?

1 more replies

I have Win XP Media Edition....Today my computer started shutting down by itself. So, I remembered a friend advising me that MSSE was not really up to date on its protections. Not sure...so I downloaded Malwarebytes and ran a full scan.

I found SpamTool.Agent, Trojan.Agent, and 2 Rootkit.Agent infections.

My research led me to this site to get rkill.exe, rkill.com, etc.

How do I find this and then the TDSS killer?

Other sites mention this and want you to sign on with them. But I heard this was a free download from Bleeping Computer? Where can I find it?
Bill

Answer:Rootkit.Agent, Trojan.Agent, SpamTool.Agent Removal???????

Please follow the instructions in ==>This Guide<==. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Once you have created the new topic, please reply back here with a link to the new topic.

1 more replies

Hi,

Like so many, I am new to this forum, and turn to strangers for help. I apologise very much for this imposition, and would like to immediately thank folks for the information which has allowed me to get this far.


BACKGROUND

I have a Dell Inspiron 1735, running Vista Home Premium. I had been using Norton 360 antivirus, but when this came due for renewal I decided to change to Kaspersky. However, Kaspersky does not have a password facility built in, so I downloaded a copy of Robo Fill to provide this function. This took place at around 14.00 GMT on 27 March 09!

I thought that the website was bona fide, and (stupidly) did not scan the executable before installing. Immediately I did, I lost internet connectivity, and Norton was disabled, along with the standard Microsoft software (Defender etc). The PC then crashed.

I restarted it in safe mode, but could not get Norton to run. My first action (before discovering this website) was to remove Norton completely, in the hope that I could install my newly purchased copy of Kaspersky. Removing Norton was quite a battle, and I have not been able to install Kaspersky anyway.


MAJOR GEEKS ADVICE

I have attempted to read and follow the various stickies.


1. I managed to do all the steps in "Read me first".


2. I was unable to run SuperAntiSpyware.

In normal mode, it would not install due to the Win32 error.

In safe mode, it would not install due to the windows installer not operating.

Ch... Read more

Answer:Malware - Rootkit.Bagle? Most AV software inactivated/cannot be installed.

Welcome to Major Geeks!

Please run the below procedure and attach the two logs that are requested. The first log must be attached after you do the search and the second will be attached after the cleaning is complete.

Removing Bagle Infections
 

8 more replies

I have stupidly executed a DL from eMule, assuming my AntiVir protection would ward off any bad stuff. When I executed, the hourglass kept hovering for a while, and then BSOD! On reboot, I noticed the absence of AntiVir. Tried reinstall, also Norton and Kaspersky: all installs failed because one or several crucial files were never copied (or instantly deleted). Googled for help, found hints to the Bagle worm - also found srosa.sys on my system. Ran BlackLight, below is the log. I have followed your instructions, see below.
Can anyone help me?
Cheers,
Hans

main.txt
---------
Deckard's System Scanner v20071014.68
Run by mosbergh on 2008-05-24 23:47:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
27: 2008-05-25 03:47:36 UTC - RP404 - Deckard's System Scanner Restore Point
26: 2008-05-24 23:09:56 UTC - RP403 - System Checkpoint
25: 2008-05-23 23:01:36 UTC - RP402 - Installed Kaspersky Anti-Virus 7.0.
24: 2008-05-23 20:58:16 UTC - RP401 - Installed Kaspersky Anti-Virus 7.0.
23: 2008-05-23 19:27:18 UTC - RP400 - Avira AntiVir Personal - 5/23/2008 15:25

-- First Restore Point --
1: 2008-05-10 00:00:28 UTC - RP378 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.62 GiB (less than 15%) free.

-- HijackThis Clone -------------------... Read more

Answer:Rootkit Infection? Bagle/beagle? (srosa.sys Found)

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

2 more replies

Hi. Full description of how this problem started is posted here: http://www.bleepingcomputer.com/forums/t/138001/persistent-bagle-infection-please-help/
HijackThis would not run in normal mode (says not a valid system32 app, like all the other virus protection programs). Here's the log from running it in safe mode:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26, on 2008-03-25
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Safe mode
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.... Read more

Answer:Rootkit (bagle Variant) Difficult To Remove Virus

Hi debbieb13,
I apologize for the delay in response to your thread. We get overwhelmed at times but we are trying our best to keep up. If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine. Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site
DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for me to analyze.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad:
main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) ... Read more

36 more replies

Hello to any and all helpers,
I am new to this forum, so please help me follow the rules. I downloaded/ran the scans on the "new instructions" thing and will connect them to this post. 2 wks ago Friday I checked "the official" website of St. Exupery to see if one book was written before the other and up pops McAfee saying it identified 2 instances of the trojan named in the title of this thread. I was already late to class so I closed the window (IE7) and shut down the computer, hoping it would be better later (bad move!). When I got home... I'm trying to remember, I believe the computer started up ok to run the scan; somewhere in that day I had to restart several times because it stalled (Windows was open but wouldn't do anything). I did run the McAfee scan and delete the trojans, but my computer wouldn't restart fully until the next day, when I discovered that my internet connection would no longer work (it may not have been working right away, I'm sorry I don't remember). It said it was connected but no pages would load. Since then it has not worked, even though I tried to reconfigure the connection (and my IP address). I would say that this is a problem with the modem/router, but my bf's computer is connected to the same and it works fine (this is the computer I'm writing from btw, and he has no antivirus and is resolutely against it and so I can do nothing about it). I wanted to try to reestablish my internet connection before starting a thread so that I do... Read more

Answer:NTOSKRNL-HOOK, Generic Rootkit.d!rootkit & NO INTERNET CONNECTION

Hello, Exams+this :)
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it'... Read more


I am trying to battle a rootkit on my Windows 7 32-bit machine. svchost.exe is sending many outbound connections, and I believe it is infected. Other .exe files have also tried to access the keyboard directly, access protected registry keys, and other things it shouldn't be doing. My antivirus is Comodo Internet Security. I can't run combofix, the rootkit tricks it into saying it's corrupted, when it works just fine in safe mode. What do I do next?
ComboFix.txt
EDIT: Posts merged ~BP
Gmer's catchme.exe log.
catchme.log
Also, a single security update fails every time I try to install it:
Error code: "WindowsUpdate_800B0100" "WindowsUpdate_dt000"
Update: KB977165
EDIT: Posts merged ~BP

Answer:Rootkit: Rootkit.Agent.NLS, Max++, or ???

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for postin... Read more


Hello-

My Malwarebytes Antimalware scan shows these infections:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent)
C:\Documents and Settings\MH\Local Settings\Temp\dgankqeo.dat (Rootkit.Agent)

My Avira scan shows: Trash.gen

Both programs say that these infections are locked and will be removed when I restart the computer, but they are still there when I recheck. I've tried turning off system restore, but this doesn't seem to make a difference. I've run SuperAntispyware, Adaware, SpywareBlaster, and CCcleaner, but nothing gets rid of them.
Please help!

Here's the DDS.txt:
DDS (Ver_09-03-16.01) - NTFSx86
Run by MH at 11:11:16.46 on Sun 04/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.542 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C: ... Read more

Answer:Infected with Trojan.Agent, Trash.gen and Rootkit.Agent

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul... Read more


I am working on my fiance's laptop. She gave it to me after seeing AVG Resident Shield warnings last night. AVG scan (free) identified Trojan PSW.Agent.AGLY and AVG Resident Shield identified Rootkit-Agent.EG, Virus BAT/Deleter & Exploit. AVG could not clean or heal the infections saying object is inaccessible. The Resident Shield found the Trojan horse Rootkit-Agent.EG under C:\Windows\system32\drivers\asyncmac.sys and said "Object is white-listed (critical/system file that should not be removed).

I do not get a dialog/Open box to attach the attach.txt and ark.txt files. Please let me know if these can be pasted or why I possibly cannot get the box to open. It appears the Browse button is depressing, but I do not get a dialog box to select the files.

Please help!

DDS.txt:
DDS (Ver_10-03-17.01) - FAT32x86
Run by Suzanne at 13:03:07.71 on Fri 05/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.632 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Fi... Read more

Answer:Infected with Trojan PSW.Agent.AGLY & Rootkit-Agent.EG

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hello. I have been directed to post an SSD log on this forum board for diagnosis. From this topic: http://www.bleepingcomputer.com/forums/t/203036/systemexe-problems/ ~ OB

About midway through January, my computer caught a very strange virus, causing my desktop background to be changed to some "Warning: Your computer is infected with PassCaptures, many viruses blah blah..." I remember seeing the exact same background that I had on my desktop on the Home section. But after running MBAM, my computer seemed to work normally. Now every time I scan my computer with MBAM, the same Malwares show up. I am stuck on what to do next. At the moment, my computer is only exhibiting minor symptoms, such as when I open my Firefox Browser Shortcut on my Desktop, a box titled "Malformed File" pops up and reads "Firefox could not install this item because "install.rdf" (provided by the item) is not well-formed or does not exist. Please contact the author about this problem." But as soon as I press "OK", Firefox opens up. Some sites appear different though. I also have several "iexplore.exe" that are in the "Processes" tab of the Task Manager. Finally, my computer will beat periodically and randomly every 2-3 minutes.

All right here is the SDD scan, and its attachment:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Akaash Prasad at 21:59:42.85 on 2009-02-27
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.664 [GMT -8:00]
AV: AVG An... Read more

Answer:Backdoor.bot, Trojan.agent, Rootkit.agent, and others on my Comp

Hello aNimosity1 and welcome to Bleeping Computer,

I'm afraid I have bad news for you. I see you're dealing with Virut on top of the other nasty malware on your system. In that case, it's unfortunately a lost cause - Game over situation and a format and reinstall is the fastest and especially the safest solution.
You may want to read this why: Virut and other File infectors - Throwing in the Towel?

So, I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files... This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

Greetings,
Thunder


Please be patient. I'm a computer dummy. I have trend micro virus protection. For some reason (probably a virus) when my antivirus updates and asks me to reboot, after restarting it just does the same process again and again- like it never downloaded.

Today, I ran a free panda activescan and it found Bagle Hx. I didn't finish the scan. I disabled system restore and was going to try and reboot in safe mode. It does not let me. It gives me the option and just keeps going back to the option. When I click on msconfig and go into boot ini to check all boot paths, it says it's not connected with an operating system.

I started realizing that I may have a virus because my machine keeps cutting off on its own. Can anyone help a computer illiterate gal get things going again?

thanks
 


Hi, I hope you can assist me. I got this trojan or whatever this malicious virus is caused last week, while trying to make a cd cover from a program someone sent me. Now, it attacked my Avast antivirus immediately and then the expression, all ____ broke loose.

Now, I got rid of some of it once, using Antimalwarebytes and then deleting the appropriate reg entries with some help. However, today, I ran a mbam scan again and it was back in its old stomping grounds. So, can you help me get this removed and my computer back to normal? I can't use some programs too, because it keeps saying, this is not a valid win32 application. Well, will await your assistance, thanks for listening, delray

Here is my DDS log

svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Easy Photo Print: {9421... Read more

Answer:Bagle Worm keeps coming back and can't use Safe Mode etc!

Hello and welcome to TSF.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please post a fresh DDS log and a new GMER log as described in this topic. In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don't hear from you in three-five days this thread will be closed.

With Regards,
Extremeboy


HI, have been trying to see if everything works now on my computer, after one of the fine assts. in here helped me get rid of the bagle worm and its attachments. Everything seems to be all right, except since I couldn't get into safe mode while trying to do a lot of the maneuvers that others recommended, thought I would see if that was possible.

No dice, that is one move it won't let me do. Can you please help me get this needed reentry in case of emergency repaired or restored. I am sure you know how to arrange or rearrange this, delray

Answer:Can't boot into safe mode, finally rid of bagle worm, I think?

Since the 2 rootkit scanners were incomplete I suspect that you are still infected
Just my opinion


Hi,

Got a nasty little one here, tried to get rid of it myself, but to no avail, I've had this disable my task manager (now back working), change my desktop picture to a picture that was advertising a spyware programme, Eset keeps popping up with the following:

HTTP filter file <hxxp://212.117.174.14/lmn_setup.exe> a variant of Win32/Rootkit.Agent.NIZ trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access
31/05/2009 22:17:13 Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean
31/05/2009 22:17:18 Startup scanner file \\?\globalroot\systemroot\system32\gxvxcnsieobnevxepfbdvbfdxnpaskpxvhosb.dll a variant of Win32/Kryptik.PF trojan cleaned by deleting (after the next restart) - quarantined

No idea why it keeps selecting the date as 31/05/2009, my clock is set right.
Any help is much appreciated.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Phil at 23:48:14.98 on 19/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.479.75 [GMT 1:00]
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NO... Read more

Answer:Win32/Kryptik.PF, Win32/Rootkit.Agent.ODG, Win32/Rootkit.Agent.NIZ

Hello and welcome to the BleepingComputer.com! I will be helping you today.

If you still need help, please let me know by replying to this thread. In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

regards
_temp_


My husband's friend brought his computer over. He thought he had a simple hijack situation. Whenever he opened IE, Firefox, Nortons, etc it would immediately close. My husband has tried numerous things. He cannot even get these programs to run in safe mode. Even in safe mode, these programs immediately close. We don't even know what we're trying to kill. Any suggestions???

Answer:Cannot run antivirus, antimalware, or internet even in safe mode

Sorry, he is on a Dell laptop, running XP.


I am having an issue with my computer since I updated my iTunes and QuickTime and now anytime I try to open or run a program, it pulls up "view downloads" page and asks if I want to run or save the file. Neither option works as it simply re-opens another "view downloads" page and won't allow anything to run. I am operating in Safe Mode but same issue arises. See attached picture as anything I try to open goes to this page and keeps adding the same item over and over if you try to click run or save.
Can you steer me in the right direction?

Answer:Virus won't allow any downloads or internet in safe mode. Won't run antivirus

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.


I believe I was infected last night when a website somehow redirected me to liteautogreatest{dot}cn.
I'm running XP Home SP3 and the ZoneAlarm Internet Security Suite (just updated earlier today).
ZoneAlarm continually finds a couple of problems and hibernates them but they do not go completely away after a reboot.
The ZoneAlarm active monitor scan shows the following...

Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNB.tmp on 4/20/2009 13:29:22
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BNA.tmp on 4/20/2009 13:23:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN9.tmp on 4/20/2009 13:17:40
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN8.tmp on 4/20/2009 13:14:30
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN7.tmp on 4/20/2009 13:07:26
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\Temp\BN6.tmp on 4/20/2009 13:02:40
Rootkit.Win32.Agent.ikz was found in C:\WINDOWS\system32\drivers\systemntmi.sys on 4/20/2009 12:57:48
Trojan-Dropper.Win32.Agent.amzh was found in C:\Documents and Settings\Don\Local Settings\T... Read more

Answer:Infected with Rootkit.Win32.Agent.ikz, Trojan-Dropper.Win32.Agent.amzh, Trojans? Malware?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
alternate download link

Then download and install SUPERAntiSpyware Free
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
- In the Main Menu, click the Preferences... button.
- Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
- Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  - Close browsers before scanning.
  - Scan for tracking cookies.
  - Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen and exit the program.
- Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, re... Read more


From: Eric

I received a computer running XP Media Center Edition from a friend. Its desktop was being hidden automatically unless I told it to "show desktop". I ran SuperAntiSpyware and MBAM on it. They seemed to have removed the viruses. In preparation of this topic I ran GMER, which would not run so I ran TDSSkiller. TDSSkiller got rid of a rookit virus. What I need now is to make sure that the computer is completely clean. Here are the DDS and GMER reports.

Thank you

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by sherri cordry at 20:08:08 on 2011-11-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1770 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device S... Read more

Answer:Comp was infected with Trojan.Agent/Gen-Fake AV, Trojan.Agent/Gen-Hullo[short], Rootkit virus

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426646 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Hi there, thanks for the help in advance.

I have the following problems: I reinstalled vista and several programs a few days ago, probably my computer got infected in some way. I started having a black screen after windows logon (I needed to run taskmgr and then run explorer for windows vista to finish the startup). Just today I noticed my date was changed to 2088, an error of svchost trying to run TDSScrrx.dll, my Windows Security Center could not be turned on. Then I removed Norton, after it did not work at all, I installed Malwarebytes and it detected and quarantined several files. The TDSScrrx.dll error at startup stopped happening. I also got into regedit Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and altered "Shell" from "Explorer.exe "C:\Windows\mchost.exe"" to "Explorer.exe", this seemed to correct the Black screen at startup problem but unfortunately every time I restart the Shell is changed back to "Explorer.exe "C:\Windows\mchost.exe"". What can I do to correct this forever? Also I have run services.msc and tried to enable automatically the Security Center service (only successfully after changing "shell" at registry as previously commented) but once again, after booting my windows Security Center appears disabled every time. I just reinstalled NAV 08 but it seems I still have the problem with my registry changin... Read more

Answer:Trojan.Agent and Rootkit.Agent

Hi

If you still have above mentioned problem post a fresh dds log, please.


Greetings,

I seem to have gotten infected with the Rootkit.Agent.H and Trojan.Agent malwares.

I have:
- run disk cleaners CCleaner
- manually emptied the IE (which I don't use) and Firefox caches and cookies
- cleaned all my temp files
- emptied my recycle bin
- run Trend Officescan, which didn't find anything
- run SUPERAntiSpyware, which didn't find anything.
- run MalwareByte's Anti-Malware, which found the two dealies above and said it was going to fix them on reboot, but didn't (log below).
- run Combofix, which said that it found and deleted the two dealies above, but didn't (log below).
- have a HijackThis log.

I don't know what to do from this point. The only two things that actually find these infections are mbam and combofix, but neither of them seem to be able to clean them from my system.

HELP!!!

Pax Dominus

-------------------------------------------
MalwareByte's Anti-Malware Log

Malwarebytes' Anti-Malware 1.34
Database version: 1801
Windows 5.1.2600 Service Pack 3

2/25/2009 8:23:51 AM
mbam-log-2009-02-25 (08-23-32).txt

Scan type: Quick Scan
Objects scanned: 82083
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)
... Read more

Answer:Rootkit.Agent.H and Trojan.Agent

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
- Reply to this thread; do not start another!
- Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
- Do not run any other tool until instruc... Read more

Question: rootkit.agent.fq

I am having trouble trying to get rid of this thing. Every time I boot up syssrv.sys is found in the \system32 folder. When I run AVG Anti-Spyware it tells me it is infected with the Rootkit.Agent.fq which I then have quarantined but it comes back when I reboot. This is the only thing that the scanner finds infected
 

Answer:rootkit.agent.fq

Hello kharasanjay,

Welcome to TSG.

Please download RootRepeal.zip and unzip it to your Desktop.
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services

Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program
Post the contents of RootRepeal.txt in your next reply.

Next

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra ... Read more

2 more replies
Question: Rootkit.agent

I have been running a Malwarebytes scan and it keeps coming up with this rootkit.agent c/windows/systems/driveres/bkyhfzh.sys no matter how many times I quarantine and run the program. I purchased Spyware Doctor and it is not detecting this rootkit. I have done a system restore, but it hasn't helped. I did the Preparation Guide that the Admin of BleepingComputer instructed me to do. I hope this is helpful to anyone that tries to help me. I truly appreciate any help with this matter. THANK YOU!

DDS (Ver_10-10-10.03) - NTFSx86 NETWORK
Run by Joseph at 19:50:27.47 on Sun 10/17/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.2343 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32 ... Read more

Answer: Rootkit.agent

Hello Momof8, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem. Please take note of some guidelines for this fix: Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. If you do not understand any step(s) provided, please do not hesitate to ask before continuing. Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post. I will be analyzing your log. I will get back to you with instructions.

28 more replies
Question: Rootkit Agent DI

Hello, I have a rootkit Agent DI on my computer. I have tried everything I can to remove it but no luck. I have been on this forum and was told to mention the previous thread, which is http://www.bleepingcomputer.com/forums/t/232393/rootkit-agent-di-how-can-i-clean-this-from-my-pc/ I have followed the guide as requested and downloaded the DDS tool; below is the log report.

DDS (Ver_09-05-14.01) - NTFSx86
Run by David at 14:34:05.26 on 10/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.151 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Common Files\LightScri... Read more

Answer: Rootkit Agent DI

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

2 more replies

I say "possible" because I came to this forum, initially, hoping to get rid of a RootKit.Agent that Malwarebytes detected (it's the only one that it can't get rid of). Got a load of infections a few days ago from trying to download a program... forgot what exactly. But I fixed most of it (I think) using Super AntiSpyware and Malwarebytes Antimalware.

Anyways. Did a DDS scan, proceeded to do a gmer scan, gmer warned me about rootkit activity, unchecked the boxes as instructed. But I was stupid and clicked on "start" while gmer was scanning, and was stupid enough to do this twice too (lol). Gmer froze both times. Went ahead to try to do a third gmer scan. Waited for the warning about rootkit activity to pop up, but it never did. Is this the "Initial scan" that you guys are talking about? (attached as Gmer). Did a scan with Malwarebytes, DID NOT detect anything this time. No rootkit.agent either.

So my question now is, if you guys still need a full Gmer scan from me, should I just click "Scan" after the "Initial Scan" without unchecking the boxes, or should I uncheck the boxes as instructed? Not even sure if I still have the rootkit agent.

The listed DDS scan is my second DDS scan, after Malwarebytes could not detect Rootkit.Agent. Sorry for the long story.


DDS (Ver_10-03-17.01) - NTFSx86
Run by sam at 13:30:24.07 on Thu 04/29/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition ... Read more

Answer: Need help with possible rootkit.agent?

Hello and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

14 more replies

Hi!
I scanned my laptop at Trend Micro online and was notified of these two viruses: troj rootkit.cg and troj agent.aju. The following is the hijack log. I would appreciate some help in getting rid of these viruses. Also, Norton and Ewido do not show any viruses present. Thanks so much!
Logfile of HijackThis v1.99.1
Scan saved at 10:36:47 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC... Read more

Answer: Rootkit and agent aju

16 more replies
Question: Rootkit.agent

I administer my nephew's PC and irregularly come by and scan it for infections using Malwarebytes, Spybot S&D and Ad-Aware. I normally find a few trojans and misc. malware and greyware. I can fix these and remove them in most cases using available software like Killbox, Malwarebytes, Spybot S&D, Panda ActiveScan, and a few others like Housecall. He seems to have contracted Rootkit.agent which is a royal pain to get rid of. I have used Malwarebytes which says it finds and removes it but upon further scans after reboots it appears again. I tried to disable the system restore to make sure it wasn't hiding in memory or the recovery log. That didn't work. So off to Google I went looking for an answer and after a lot of reading it seems I need some real professional help. I came upon this site as it was in the top 10 searched sites and a few of the other sites all referred people to this one. He is running Windows Vista on a refurbished Compaq Presario business system which has worked really well and continues to do so. The only hitch is that it has a rootkit installed. He would have never known if I hadn't come by to do maintenance on his rig. I read through the help given to others and I have compiled a list of all acceptable logs and will post here. I have removed a few different Trojans and many misc. malware. Threads I have read suggest to use Combofix under the supervision of someone who is familiar with its applications which I am not, so here I am. Malewarebyt... Read more

Answer: Rootkit.agent

Hi, JDW73. Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator): rkill.exe, rkill.com, rkill.scr, rkill.pif. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.** Please, never rename Combofix unless instructed. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your... Read more

10 more replies
Question: Rootkit/Agent.LNB

Hi I did a panda scan and got this:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-07-02 00:00:24
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AntiVir Desktop 9.0.1.30 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\WINDOWS\SYSTEM32\DRIVERS\SBXIJZ.SYS... Read more

Answer: Rootkit/Agent.LNB

Hello and welcome to TSF

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Question: Rootkit.Agent

I'm using a Toshiba laptop, Windows 7 64-bit with 4GB of RAM and an ATI Radeon Mobility Series 4000 card. Starting last night my laptop has been randomly crashing, sometimes with a BSOD or it just freezes without warning. I am only able to use it in safe mode. Before we begin, here are my logs:

DDS (Ver_10-12-12.02) - NTFS_AMD64 NETWORK
Run by Matt at 16:47:08.60 on Sun 01/16/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.3019 [GMT -5:00]

AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Prog... Read more

Answer: Rootkit.Agent

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <- Important!!! Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator. If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension. Click the Start Scan button. Do not use the computer during the scan. If the scan completes with nothing found, click Close to exit. If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:). Copy and paste the contents of that file in your next reply. Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop. During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after. **NOTE:... Read more

1 more replies

Hi there, I have a rootkit.agent problem on my laptop and I'm having problems trying to remove it. The laptop is running Windows 7 Home Premium 32bit. I've run AVG Free and Malwarebytes Anti-Malware on the system. The following file is infected: system32/drivers/ozuxjeg.sys. Malwarebytes detects this and disinfects and deletes the file. Upon reboot the file reappears and is detected as a threat. I've looked in the registry and found these keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ozuxjeg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\ozuxjeg
When I try to click on these keys an error box opens saying: "ozuxjeg cannot be opened. An Error is preventing the key from being opened. Details: A device attached to the system is not functioning". Likewise when I try to delete these keys it says: "cannot delete ozuxjeg. Error while deleting key." I've read previous threads on Bleeping Computer before posting this, and I've tried running ComboFix. When ComboFix was running it noticed 'The presence of Root Kit activity' and performed a reboot successfully. However after the ComboFix scan the file ozuxjeg.sys and the registry keys were still present on the next boot up. I'm new to posting on this site and I understand you require some logs, so what follows is a DDS log (with the attachment log attached to this post), a ComboFix log and an ark log (from GMER). Hope you can help.
Many thanks
len

DDS ... Read more

Answer: Help with Rootkit.Agent

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

2 more replies
Question: Rootkit.Agent

I have Vista (service pack 1) and I use Malwarebytes' Anti-Malware, as well as Spybot. Each time either runs a scan, Rootkit.Agent (C:\Windows\systems32\Drivers\igmaayf.sys) appears. Neither can remove it, and I've unsuccessfully tried FileAssassin as well. I've even given in to simply using a restore point, but apparently this Rootkit has been around longer than I thought, because even going back a month's time proved unsuccessful.

I've never had this kind of issue before so I'm not sure how to proceed.

Answer: Rootkit.Agent

Download ComboFix here :

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

Click me
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

3 more replies

Hello,
Thank you for taking time out of your day to read through and assist with this matter. I get popups all the time. My system has a rootkit.agent trojan and it appears to be in C:\windows\system32/drivers/core.cashe.dsk

I can't delete the file; it says it is in use. Please can you assist with my problem.
many thanks
Soto

see attached logs:

Deckard's System Scanner v20071014.68
Run by user on 2008-01-22 15:02:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-22 15:04:24
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C... Read more

Answer: rootkit.agent .... can't get rid of it .. PLS help

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Caution...Never run and remove files using ComboFix without being supervised by a security analyst.

11 more replies
Question: Rootkit Agent CW

Hello,

AVG keeps telling me I have Trojan Horse Rootkit-Agent CW, but it won't remove it.

I've tried Malwarebytes but this didn't remove it either.

Please help as it's driving me mad.

Here's my log...
DDS (Ver_09-03-16.01) - NTFSx86
Run by Tom Armstrong at 10:13:20.03 on 31/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.129 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Pr... Read more

Answer: Rootkit Agent CW

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience. Please see the Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so. While we are working on your HijackThis log, please: Reply to this thread; do not start another! Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so. Do not run any other tool until ... Read more

2 more replies

Hi there: Win32/Rootkit.Agent - Help me, please! It is booting my laptop over and over!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:19 PM, on 4/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\SpeedProject\SpeedCommander 12\SpeedCommander.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar -... Read more

Answer: Rootkit.Agent- Help me, please!

Hello

Apologies for the delay in response; we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh HijackThis log back here

2 more replies

So around 2 weeks ago, I decided to remove this malware that was on my computer for the longest time, redirecting my search results. Malwarebytes didn't turn up anything, so I decided to get NOD32, and when I ran a scan with it, it detected a bunch of items and deleted them. However, a bit later than that tons of pop-up ads started to appear and some of them I couldn't even exit. Task manager was also disabled by the admin, no doubt the work of malware. I restart the computer, and whoop de ****ing doo, there's a BSOD at the xp loading screen so I can't even use windows. Safe mode doesn't work either, I get a BSOD when that tries to load as well.

For about a week, I go about wankin around with my computer before it starts working again. I install a second copy of xp by accident when trying to repair xp, and I use that second copy to gain access to my files and to access a certain .sys file in system32/drivers which I thought was denying me from accessing safe mode. I delete that file, and for some reason it let me access my broken version of xp, but not safe mode.

I load up my broken version of xp, and not surprisingly, it's completely infested with malware. There are tons of pop-ups. Task manager and Regedit are disabled by the admin, and display a fake warning message telling me my computer is infected whenever I tried to use them. I also had a fake antivirus goading me to download the full version of it.
I re-enable task manager through user options, but the warni... Read more

More replies

I can't get rid of these annoying ads, trailers and other sounds on my computer. I've found a rootkit.agent and removed it but it came back again. Help me.

Answer: can't get rid of rootkit.agent

Hi, first, please run Rkill from the following link: http://download.bleepingcomputer.co... Once run, do NOT reboot, as this will cause the malware to reboot. After running Rkill, please download Gmer from the following link: http://majorgeeks.com/downloadget.p... and follow these instructions very carefully. Before scanning with Gmer, please do the following in this order...
1) Disconnect from the internet and close ALL running programs.
2) Disable any Anti-Virus/Anti-Spyware software currently running to avoid conflicts.
3) Double click on "Gmer.exe", and allow its .sys driver to load.
4) Gmer will then open and run a quick scan. Please DO NOT USE THE COMPUTER WHILE THE SCAN IS IN PROGRESS.
5) If you receive a warning about Rootkit Activity on your system and are asked to do a full scan click No.
6) Click the Scan button, and if you see a Rootkit Warning window click Ok (it should be the only option in the dialog box).
7) When the scan is finished, please click Save, and save the log to your desktop as Gmer.log
8) Click the Copy button and paste the log into your next reply.
9) Re-enable any Anti-Virus/Anti-Spyware software and any other security software you've disabled (Firewall).
Notes: If Gmer results in a BSOD or crashes please uncheck "Devices" on the right side of the program before scanning. Also, if you encounter problems while scanning in normal mode, please try scanning in Safe Mode.
Helpful tips before getting started: http://www.computing.net/howtos/sho...

Question: Rootkit Agent CW

I am running AVG on Windows XP and got a message that it was infected with this Rootkit Agent CW. I try to remove it but it says it can't find the file specified, or it heals it but it keeps popping back up. Here are the reports:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Administrator at 11:36:14.98 on Fri 04/03/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.198 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Micro...

Answer:Rootkit Agent CW

Hello, I apologize for the delay in response; we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having, we would appreciate you letting us know. As it's been a while since you posted your log, I will need an updated one. Please take a look at the Preparation Guide for a download link to DDS and instructions on how you should ask for help.

Thanks and again sorry for the delay.

Question: Rootkit.Agent

I have tried everything: Combofix, MBAM, Spyware S&D, but nothing seems to get rid of a Rootkit.Agent infection. I posted the other day, when I was locked out of running any anti-malware, but got rid of most of the problems; now there is just this one, but even when MBAM says it will delete on reboot, it comes right back. I received no responses to my request for help on Friday, so am hoping someone will take pity on me...

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:58 P, on 12/21/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\s...

Answer:Rootkit.Agent

Question: RootKit.Agent

Hi all, not trying to "bump" anyone, but I just read that if a post has a reply to it, Admins may assume you are being helped, therefore moving on to help someone else. I haven't been helped (and not trying to rush things as I know admins are spread very thin in this forum), but I added a reply to my own post (below url) because my post was not laid out as it should have been, due to laptop crashing and freezing problems. Like I said: "Not trying to bump", just hoping not to be bumped because of the one reply. Hoping an admin might check to see if I have been pushed to the back of the line because of my reply to my post. Thanks!!!
http://www.bleepingcomputer.com/forums/t/308275/rootkitagent-trojan/

Answer:RootKit.Agent

I merged your posts for you.

Question: rootkit.agent

Hi, I believe that my computer has a rootkit on it. MBAM keeps finding a file called awdimliu.sys in my C:\windows\system32\drivers folder. I have tried getting rid of it and nothing seems to work. I am getting ready to just give up and format and reinstall Windows but I was wondering if there might be any way to avoid this.

Here is the DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Sean at 15:00:56.01 on Sat 08/07/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3582.2046 [GMT -7:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\...

Answer:rootkit.agent

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Do not attach logs unless I ask you to.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread, upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Gmer is the best but can be hard to get a log; let's try this and see what we get.

Scan With RKUnHooker
Please download Rootkit Unhooker and save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Sa...

Question: Rootkit-Agent DL

Hi
I am having problems with one, if not several, viruses on my computer.
I had Symantec antivirus on the computer which I think may have expired (oops). Anyway, something has got past any protection I had. I removed the Symantec product and installed AVG9 (free) and did a scan; it pulled up several threats: Trojan generic 14.CXX, SHeur 2, trojan backdoor generic 11, trojan generic 15, Packed revolt, and the one which is giving me the most problems, Rootkit-Agent DL.
I have also run Spybot S&D.
At present all the viruses are just in the vault of AVG; I don't know if I should delete them just in case the files are important!?!
But the rootkit warning keeps popping up on AVG.
Below is the HijackThis file. New to this forum stuff so hope I got it right!!! Any help much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:59 p.m., on 28/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrs...

Question: Rootkit Agent DI

Hello

My AVG has detected that I have got a Rootkit AGENT DI. I have run Malwarebytes to clean it up but it didn't work; it removed some rootkits but not the one in question. Could anybody help me please?

Thanks

Dave
 

Answer:Rootkit Agent DI

Welcome to Major Geeks!

Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.

TDSSserv Non-Plug & Play Driver Disable

READ & RUN ME FIRST. Malware Removal Guide
If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to s...

Question: Rootkit.agent

Hello all, thanks in advance for any help with this. My computer was infected two days ago from the website mininova.org. I have read the stickies in this forum about the perils of p2p file sharing and have learned my lesson! I however do not understand how malware like this can get on my computer when I did not download anything; I was simply searching. I ran Malwarebytes and it removed (I think) five of the six infections. The one left is a rootkit.agent, C:\WINDOWS\system32\drivers\str.sys. I cannot boot normally; I can only boot in safe mode. I ran Malwarebytes in safe mode numerous times but it keeps finding the above mentioned malware. Here is the info you need.

P.S. Should I delete everything in the Malwarebytes quarantine?

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Jeremy Schneider at 18:04:51.82 on Sat 06/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.563 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeremy Sc...

Answer:Rootkit.agent

Hello and welcome to TSF.

Your Ark.zip file is empty. Let's try this special version of gmer.

Download GMER Rootkit Scanner from here to your desktop. Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Question: Rootkit.Agent

Hi there - I'm new here (as are so many I notice). I have been infected with one of the Antivir style viruses. I have managed to get rid of all I can find using SAS, Malwarebytes and AVG, also using previous posts on here. I just can't shake this Rootkit.Agent/Gen TDSS or similar. Can someone please help before I nuke my PC.

Here is my latest SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2010 at 09:36 PM

Application Version : 4.41.1000

Core Rules Database Version : 5242
Trace Rules Database Version: 3054

Scan type : Quick Scan
Total Scan Time : 00:05:33

Memory items scanned : 412
Memory threats detected : 0
Registry items scanned : 2203
Registry threats detected : 0
File items scanned : 4429
File threats detected : 1

Rootkit.Agent/Gen-TDSS
C:\WINDOWS\SYSTEM32\DRIVERS\OVTKMUC.SYS

Answer:Rootkit.Agent

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you let...

Question: Rootkit.Agent help

Well, a week ago I decided to get a new virus remover that is more in depth, Malwarebytes. I scanned it last night a few hours before I went to bed and the scan finished. I looked at the results and saw one file infected: it was called Rootkit.Agent. It said it would remove on reboot, so I rebooted. I rescanned again and it still came up. Malwarebytes will not remove this. I am trying to remove this without completely wiping my hard drive. I want to do this as quickly as possible. I ran HijackThis and got the log which I will post, and I will post the Malwarebytes log. I run Windows XP and if there is anything else that my post is missing that is required I will gladly post it. Please help!

Here's the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:29 PM, on 2/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WI...

Answer:Rootkit.Agent help

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll...

Question: Rootkit.Agent

Hi, I'm having a problem removing Rootkit.Agent from my PC. I've tried using AVG 7 Anti-spyware, Spyware Doctor, Search and Destroy, and many other programs. But none have removed it successfully.

Can you guys please help me out? Thanks in advance for your consideration!

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:47 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program File...

Answer:Rootkit.Agent

Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 

Question: agent ea rootkit

This is my first post; I hope I did it right.

I have XoftSpySE that I use. I have scanned my computer multiple times and I get an agent ea rootkit that is found. I remove it and scan again and it is still there. What do I do?

Deckard's System Scanner v20070905.67
Run by Carl on 2007-10-06 00:12:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Carl Eschler.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:47 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Common Files\InstallShield\...

Answer:agent ea rootkit

Hello and welcome to TSF.

Sorry for the late response. If you haven't received help elsewhere yet and still need help, please post a fresh HijackThis log and I'll be happy to help you.


I read the instructions for ridding my PC of the virus/malware and was following the steps. I ran the DSS and got the txt files, then I was running the Panda VirusScan when my PC crashed/blue-screened during the scan. The last progress I saw was 70 viruses found/cleaned, 37 of something found and below that 52 Rootkit (I think) found. That's when it crashed. What should I do? I rebooted to get back on and my AVG virus software found the Rootkit.Agent.ey and Backdoor.Generic7.USL when it came back up, so it's still infected (I had disabled it during the Panda scan). I am running XP Media, SP2. Please tell me how to proceed.
Thanks, Tina

Answer:Help with Rootkit.Agent.ey

Here is the HT log file in case it helps tell me what I should do next. -Tina

Deckard's System Scanner v20070826.66
Run by Tina & Frank on 2007-09-02 15:34:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Tina & Frank.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:56 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect...


Hi, I'm Sebastian. I just got infected with this trojan yesterday. I've been reading through a lot of forums without success, so finally I decided to ask for help.
Where should I start? I downloaded OTS, Malwarebytes and ComboFix; it took me a lot to run them, I had to change their names in order to get them to start (in the end ComboFix didn't start). Finally, I ran them and deleted everything they had found. But NOD32 still finds it.
I think I have the OTS logs and the Malwarebytes logs.
I'll post them anyway.
So what should I do?
I know a lot, but this time I think it's out of my knowledge.

Thank you very much,
hope to get answers soon.
 

Answer:Win 32 RootKit.Agent.ODG

Here are the OTS logs. I had to split it in two because it was 350 kilobytes instead of the 250 allowed.
 
