

Rootkit.agent, unusable PC :(


10 replies to this topic

#1 Suzywong

  • Members
  • 7 posts

Posted 19 October 2008 - 11:25 AM

Hi,

I'm hoping someone knowledgeable can help, pls?

My friend's PC had been getting slowly odder over time; when he typed, it typed something different, etc., and it got slower and slower :(

Today it's barely usable. He downloaded the Kaspersky free trial and it found 309 viruses, including Rootkit.agent and hotkey ones... :(

After Kaspersky fixed them, his running processes dropped from 45 to 32!!

But it's coming back... he cannot scroll on the net or type correctly; when he hits a key, a different one is typed.

He has run Reg Mech, Spybot and Kaspersky, and they fix lots, but it's not completely removed, I think?? What else can we do? I trust Kaspersky, but it's not keeping it clean.
For 10 mins his PC ran great, but now I am typing this as his PC can't.

It deleted Internet Explorer, WinZip, etc. ^^

pls advise

Thx, Suz


#2 Guest_superbird_*

  • Guests

Posted 20 October 2008 - 04:50 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 Suzywong

  • Topic Starter
  • Members
  • 7 posts

Posted 20 October 2008 - 07:15 AM

Malwarebytes' Anti-Malware 1.29
Database version: 1295
Windows 6.0.6001 Service Pack 1

10/20/2008 6:20:29 AM
mbam-log-2008-10-20 (06-20-29).txt

Scan type: Quick Scan
Objects scanned: 41353
Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Guest_superbird_*

  • Guests

Posted 20 October 2008 - 07:17 AM

First, update Kaspersky.
After that, please scan again with Kaspersky, and post that logfile in your next reply. :thumbsup:

#5 Suzywong

  • Topic Starter
  • Members
  • 7 posts

Posted 21 October 2008 - 10:57 AM

Hi

Thanks, sorry for the delay; he had to reinstall Vista as the PC wouldn't boot :thumbsup:


I couldn't work out how to add a zip of the file???? Hope this is ok?


Results of system analysis

Kaspersky Anti-Virus 2009 8.0.0.454 (database released 21/10/2008; 09:35)
List of processes
File name PID Description Copyright MD5 Information
c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe
Script: Quarantine, Delete, BC delete, Terminate 972 Kaspersky Anti-Virus Copyright Kaspersky Lab 1996-2008. ?? 201.26 kb, rsAh,
created: 7/29/2008 10:20:28 PM,
modified: 7/29/2008 10:20:28 PM
Command line:
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r
Detected:36, recognized as trusted 36
Module name Handle Description Copyright MD5 Used by processes
C:\ProgramData\Kaspersky Lab\AVP8\Bases\klark.kdl
Script: Quarantine, Delete, BC delete 942669824 Anti-Rootkit Engine Copyright Kaspersky Lab 1996-2008. -- 972
Modules detected:461, recognized as trusted 460
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete 8729F000 008000 (32768)
C:\Windows\System32\Drivers\dump_dumpata.sys
Script: Quarantine, Delete, BC delete 89709000 00B000 (45056)
Modules detected - 134, recognized as trusted - 132
Services
Service Description Status File Group Dependencies
Detected - 125, recognized as trusted - 125
Drivers
Service Description Status File Group Dependencies
blbdrive
Driver: Unload, Delete, Disable blbdrive Not started C:\Windows\system32\drivers\blbdrive.sys
Script: Quarantine, Delete, BC delete
catchme
Driver: Unload, Delete, Disable catchme Not started C:\ComboFix\catchme.sys
Script: Quarantine, Delete, BC delete Base
IpInIp
Driver: Unload, Delete, Disable IP in IP Tunnel Driver Not started C:\Windows\system32\DRIVERS\ipinip.sys
Script: Quarantine, Delete, BC delete Tcpip
NwlnkFlt
Driver: Unload, Delete, Disable IPX Traffic Filter Driver Not started C:\Windows\system32\DRIVERS\nwlnkflt.sys
Script: Quarantine, Delete, BC delete NwlnkFwd
NwlnkFwd
Driver: Unload, Delete, Disable IPX Traffic Forwarder Driver Not started C:\Windows\system32\DRIVERS\nwlnkfwd.sys
Script: Quarantine, Delete, BC delete
Detected - 220, recognized as trusted - 215
Autoruns
File name Status Startup method Description
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Autoruns items detected - 28, recognized as trusted - 27
Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Elements detected - 2, recognized as trusted - 2
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
%CommonProgramFiles%\System\Ole DB\oledb32.dll
Script: Quarantine, Delete, BC delete Microsoft Data Link {2206CDB2-19C1-11D1-89E0-00C04FD7A829}
lnkfile {00020d75-0000-0000-c000-000000000046}
Color Control Panel Applet {b2c761c6-29bc-4f19-9251-e6195265baf1}
Add New Hardware {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Get Programs Online {3e7efb4c-faf1-453d-89eb-56026875ef90}
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
ActiveDirectory Folder {1b24a030-9b20-49bc-97ac-1be4426f9e59}
ActiveDirectory Folder {34449847-FD14-4fc8-A75A-7432F5181EFB}
Sam Account Folder {C8494E42-ACDD-4739-B0FB-217361E4894F}
Sam Account Folder {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Control Panel command object for Start menu {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Default Programs command object for Start menu {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Folder Options {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Explorer Query Band {2C2577C2-63A7-40e3-9B7F-586602617ECB}
View Available Networks {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete Windows Contact Preview Handler {13D3C4B8-B179-4ebb-BF62-F704173E7448}
Contacts folder {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete .group shell extension handler {4F58F63F-244B-4c07-B29F-210BE59BE9B4}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete .contact shell extension handler {8082C5E6-4C27-48ec-A809-B8E1122E8F97}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete group_wab_auto_file {16C2C29D-0E5F-45f3-A445-03E03F587B7D}
%CommonProgramFiles%\System\wab32.dll
Script: Quarantine, Delete, BC delete contact_wab_auto_file {CF67796C-F57F-45F8-92FB-AD698826C602}
Windows Firewall {4026492f-2f69-46b8-b9bf-5654fc07e423}
Problem Reports and Solutions {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
iSCSI Initiator {a304259d-52b8-4526-8b1a-a1d6cecc8243}
.cab or .zip files {911051fa-c21c-4246-b470-070cd8df6dc4}
Windows Search Shell Service {da67b8ad-e81b-4c70-9b91b417b5e33527}
Microsoft.ScannersAndCameras {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
"C:\Windows\System32\rundll32.exe" "C:\Program Files\\Windows Photo Gallery\PhotoViewer.dll",ImageView_COMServer {9D687A4C-1404-41ef-A089-883B6FBECDE6}
Script: Quarantine, Delete, BC delete Windows Photo Gallery Viewer Autoplay Handler {9D687A4C-1404-41ef-A089-883B6FBECDE6}
Windows Sidebar Properties {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Windows Features {67718415-c450-4f3c-bf8a-b487642dc39b}
Windows Defender {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Mobility Center Control Panel {5ea4f148-308c-46d7-98a9-49041b1dd468}
%CommonProgramFiles%\microsoft shared\ink\TipBand.dll
Script: Quarantine, Delete, BC delete Tablet PC Input Panel {15D633E2-AD00-465b-9EC7-F56B7CDF8E27}
"C:\Program Files\\Windows Media Player\wmprph.exe"
Script: Quarantine, Delete, BC delete Windows Media Player Rich Preview Handler {031EE060-67BC-460d-8847-E4A7C5E45A27}
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
Elements detected - 282, recognized as trusted - 247
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 6, recognized as trusted - 6
Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 0, recognized as trusted - 0
SPI/LSP settings
Namespace providers (NSP)
Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP)
Provider EXE file Description
Detected - 18, recognized as trusted - 18
Results of automatic SPI settings check

LSP settings checked. No errors detected

TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [0]
139 LISTENING 0.0.0.0 0 [0]
1110 LISTENING 0.0.0.0 0 [0]
19780 LISTENING 0.0.0.0 0 [0]
49152 LISTENING 0.0.0.0 0 [0]
49153 LISTENING 0.0.0.0 0 [0]
49154 LISTENING 0.0.0.0 0 [0]
49155 LISTENING 0.0.0.0 0 [0]
49156 LISTENING 0.0.0.0 0 [0]
49157 LISTENING 0.0.0.0 0 [0]
UDP ports
123 LISTENING -- -- [0]
137 LISTENING -- -- [0]
138 LISTENING -- -- [0]
500 LISTENING -- -- [0]
1900 LISTENING -- -- [0]
1900 LISTENING -- -- [0]
4500 LISTENING -- -- [0]
56580 LISTENING -- -- [0]
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0
Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 20, recognized as trusted - 20
Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9
HOSTS file
Hosts file record


127.0.0.1 localhost

::1 localhost

Protocols and handlers
File name Type Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16
Suspicious objects
File Description Type
C:\ProgramData\Kaspersky Lab\AVP8\Bases\klark.kdl
Script: Quarantine, Delete, BC delete Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

Main script of analysis
Windows version: Windows Vista ™ Home Premium, Build=6000, SP=""
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateProcessA (150) intercepted, method ProcAddressHijack.GetProcAddress ->76611D5C->6DA41370
Function kernel32.dll:CreateProcessW (153) intercepted, method ProcAddressHijack.GetProcAddress ->76611D27->6DA413D0
Function kernel32.dll:FreeLibrary (334) intercepted, method ProcAddressHijack.GetProcAddress ->766545A7->6DA41530
Function kernel32.dll:GetModuleFileNameA (502) intercepted, method ProcAddressHijack.GetProcAddress ->7665B578->6DA41470
Function kernel32.dll:GetModuleFileNameW (503) intercepted, method ProcAddressHijack.GetProcAddress ->766599ED->6DA414B0
Function kernel32.dll:GetProcAddress (546) intercepted, method ProcAddressHijack.GetProcAddress ->76654120->6DA41570
Function kernel32.dll:LoadLibraryA (754) intercepted, method ProcAddressHijack.GetProcAddress ->76639A9E->6DA410B0
Function kernel32.dll:LoadLibraryExA (755) intercepted, method ProcAddressHijack.GetProcAddress ->76639A76->6DA41230
Function kernel32.dll:LoadLibraryExW (756) intercepted, method ProcAddressHijack.GetProcAddress ->766395AF->6DA412F0
Function kernel32.dll:LoadLibraryW (757) intercepted, method ProcAddressHijack.GetProcAddress ->76639727->6DA41170
IAT modification detected: LoadLibraryW - 01220010<>76639727
IAT modification detected: GetModuleFileNameW - 0122003A<>766599ED
IAT modification detected: GetModuleFileNameA - 01220064<>7665B578
IAT modification detected: CreateProcessA - 012200B8<>76611D5C
IAT modification detected: LoadLibraryA - 0122010C<>76639A9E
IAT modification detected: GetProcAddress - 01220136<>76654120
IAT modification detected: FreeLibrary - 01220160<>766545A7
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=1278C0)
Kernel ntoskrnl.exe found in memory at address 81C00000
SDT = 81D278C0
KiST = 81C55E7C (398)
Functions checked: 398, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
C:\ProgramData\Kaspersky Lab\AVP8\Bases\klark.kdl --> Suspicion for Keylogger or Trojan DLL
C:\ProgramData\Kaspersky Lab\AVP8\Bases\klark.kdl>>> Behavioral analysis
Behavior typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Service termination timeout is out of admissible values
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
System Analysis in progress


Script commands
Add commands to script:

* Blocking hooks using Anti-Rootkit
* Enable AVZGuard
* BootCleaner - import list of deleted files
* Registry cleanup after deleting files
* BootCleaner - activate
* Reboot
* Insert template for QuarantineFile() - quarantining file
* Insert template for BC_QrFile() - quarantining file via BootCleaner
* Insert template for DeleteFile() - deleting file
* Insert template for DelCLSID() - deleting CLSID item from registry

Additional operations:

* Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
* Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
* Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
* Security tweaking: disable CD autorun
* Security tweaking: disable administrative shares
* Security tweaking: disable anonymous user access
* Security: disable sending Remote Assistant queries

File list
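As an added illustration (not part of this thread, and not Kaspersky's or AVZ's own tooling), here is a small Python parser for the "Searching for user-mode API hooks" section of the report above. It reads the `Function ...:... intercepted ... ->orig->hook` and `IAT modification detected:` lines and applies two triage checks a responder would want before deciding whether the hooks are benign: whether every hook handler lands in a single address region (assumed here to be a 64 KiB-aligned block, which is a heuristic of mine and not an AVZ rule), which points to one hooking module such as an AV product's own DLL, and whether the "original" addresses recorded in the IAT lines agree with those in the export-table lines. The sample lines are constructed in the same format as the report above; the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample in the format of AVZ's "1.1 Searching for user-mode
# API hooks" section (a few lines, not the full report from the thread).
SAMPLE_REPORT = """\
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CreateProcessA (150) intercepted, method ProcAddressHijack.GetProcAddress ->76611D5C->6DA41370
Function kernel32.dll:LoadLibraryW (757) intercepted, method ProcAddressHijack.GetProcAddress ->76639727->6DA41170
Function kernel32.dll:GetProcAddress (546) intercepted, method ProcAddressHijack.GetProcAddress ->76654120->6DA41570
IAT modification detected: LoadLibraryW - 01220010<>76639727
IAT modification detected: GetProcAddress - 01220136<>76654120
IAT modification detected: CreateProcessA - 012200B8<>76611D5C
Analysis: ntdll.dll, export table found in section .text
"""

# "Function <module>:<func> (<ordinal>) intercepted, method <method> -><orig>-><hook>"
HOOK_RE = re.compile(
    r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method (?P<method>\S+) ->(?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)$"
)
# "IAT modification detected: <func> - <iat entry><>original"
IAT_RE = re.compile(
    r"^IAT modification detected: (?P<func>\w+) - (?P<entry>[0-9A-Fa-f]+)<>(?P<orig>[0-9A-Fa-f]+)$"
)


def parse_hooks(report):
    """Return (export_hooks, iat_mods) parsed from the hook section text."""
    hooks, iat_mods = [], []
    for raw in report.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["ordinal"] = int(d["ordinal"])
            d["orig"] = int(d["orig"], 16)
            d["hook"] = int(d["hook"], 16)
            hooks.append(d)
            continue
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["entry"] = int(d["entry"], 16)
            d["orig"] = int(d["orig"], 16)
            iat_mods.append(d)
    return hooks, iat_mods


def region(addr, granularity=0x10000):
    """Round an address down to a 64 KiB boundary (heuristic module-region key)."""
    return addr & ~(granularity - 1)


def summarize(hooks, iat_mods):
    """Triage summary: do all handlers share one region, and do the IAT
    'original' addresses agree with the export-table 'original' addresses?"""
    regions = Counter(region(h["hook"]) for h in hooks)
    orig_by_func = {h["func"]: h["orig"] for h in hooks}
    # IAT entries whose function was not also seen as an export-table hook
    iat_without_export_hook = [i["func"] for i in iat_mods if i["func"] not in orig_by_func]
    # IAT lines whose recorded original disagrees with the export-table original
    iat_orig_consistent = all(
        orig_by_func.get(i["func"], i["orig"]) == i["orig"] for i in iat_mods
    )
    return {
        "hook_count": len(hooks),
        "iat_count": len(iat_mods),
        "hooked_functions": sorted(orig_by_func),
        "handler_regions": sorted(hex(r) for r in regions),
        "single_handler_region": len(regions) == 1,
        "iat_without_export_hook": iat_without_export_hook,
        "iat_orig_consistent": iat_orig_consistent,
    }


if __name__ == "__main__":
    hooks, iat_mods = parse_hooks(SAMPLE_REPORT)
    for key, value in summarize(hooks, iat_mods).items():
        print(f"{key}: {value}")
```

If every handler lands in one region, the next step is to match that region against the loaded-module list earlier in the same report (the "Modules detected" section) rather than deleting anything, which is what the report's own "Do NOT delete suspicious files" note advises; hooks scattered across several regions, or IAT lines whose original address disagrees with the export table, are the cases that deserve a closer look.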

#6 Guest_superbird_*

  • Guests

Posted 22 October 2008 - 06:45 AM

What zip-file are you talking about? :thumbsup:
I don't think this is the whole report, is it? :flowers:

#7 Suzywong

  • Topic Starter
  • Members
  • 7 posts

Posted 22 October 2008 - 08:32 AM

Hi ,

Nvm :thumbsup: I copied and pasted it all, and the file list box was empty?

It arrived to me as a zip file.

#8 Guest_superbird_*

  • Guests

Posted 22 October 2008 - 08:35 AM

Okay, please e-mail everything to ***. I'll take a look then. :thumbsup:

Edit: E-mail address removed because of spam prevention. :flowers:

Edited by superbird, 22 October 2008 - 09:06 AM.


#9 Guest_superbird_*

  • Guests

Posted 22 October 2008 - 09:07 AM

Hi,

I really don't see any problems in your logfiles... Which problems are there still to be solved? :thumbsup:

#10 Suzywong

  • Topic Starter
  • Members
  • 7 posts

Posted 22 October 2008 - 11:00 AM

Thanks, it may just have left a strange keyboard issue.

That Kaspersky did its job?

He's getting strange keyboard effects, but as the virus deleted things and did weird stuff, it could have affected that also.

I asked him to try another keyboard and it stayed the same... I have asked him to delete the old one, drivers and all, and see if the other keyboard with the correct drivers does the same?

But he wanted to know from you that he was now virus-free before trying that :thumbsup:

Thanks

#11 Guest_superbird_*

  • Guests

Posted 22 October 2008 - 11:16 AM

Yes, he is malware-free.

Let me know if the problem is solved. (Otherwise, I can look if I know any solutions.)



