
Has Trojan horse Rootkit-Agent.CW infected my computer?


16 replies to this topic

#1 Rieper

  • Members
  • 7 posts

Posted 03 April 2009 - 10:16 PM

Hello everyone. Today, AVG (7.5?) started complaining about a virus or bit of malware infecting my computer. I decided to upgrade AVG to the most recent version (8.5), and then went ahead and ran Windows Update, downloading the updates there, and also updated and ran Malwarebytes' Anti-Malware. It found and removed 14 threats, so I hoped I was in the clear! But, of course, it doesn't appear so... AVG continues to randomly pop up with messages like:

Threat detected! File name C:\Windows\system32\drivers\port135sik.sys
Threat name: Trojan horse Rootkit-Agent.CW
Process name: C:\DOCUME~1\RYANST~1\LOCALS~1\Temp\BN22.tmp
Process ID: 4016

And a couple others along similar lines, including ati64si.sys and systemntmi.sys and netsik.sys, though all seem to be caused by Rootkit-Agent.CW. Selecting "Remove all unhealed infections" doesn't seem to stop them for long. I am running Windows XP. My latest Anti-Malware log is:


Malwarebytes' Anti-Malware 1.35
Database version: 1939
Windows 5.1.2600 Service Pack 2

4/3/2009 10:33:44 PM
mbam-log-2009-04-03 (22-33-44).txt

Scan type: Quick Scan
Objects scanned: 74605
Time elapsed: 18 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\acpi32.sys (Trojan.Agent) -> Quarantined and deleted successfully.


#2 Guest_Jay-P VIP_*

  • Guests

Posted 04 April 2009 - 01:08 AM

:thumbsup: to Bleeping Computer. Thank you for joining!

Please update MBAM, do one more quick scan, and post the log in your next reply!

#3 Rieper
  • Topic Starter

  • Members
  • 7 posts

Posted 04 April 2009 - 02:28 AM

Thank you kindly, Jay-P VIP. :thumbsup:

Trying to update MBAM again informed me I had the latest version, so I ran the quick scan. The chilling results can be found here...


Malwarebytes' Anti-Malware 1.35
Database version: 1939
Windows 5.1.2600 Service Pack 2

4/4/2009 3:26:34 AM
mbam-log-2009-04-04 (03-26-34).txt

Scan type: Quick Scan
Objects scanned: 75312
Time elapsed: 18 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i386si (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i386si (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\securentm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\securentm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\securentm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ws2_32sik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ws2_32sik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ws2_32sik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\i386si.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\netsik.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\securentm.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ws2_32sik.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN19.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN1B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN24.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN25.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN26.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN27.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN2A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN2B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN34.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN35.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN8D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN8E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BNC6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BND1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#4 Guest_Jay-P VIP_*

  • Guests

Posted 04 April 2009 - 02:54 AM

It looks like quite an infection. I will have someone on Bleeping Computer who is qualified to help with malware removal at your service quickly.

#5 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 04 April 2009 - 06:10 AM

I would run yet another scan with MBAM; some of these infections take multiple passes with several programs.


One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#6 Rieper
  • Topic Starter

  • Members
  • 7 posts

Posted 04 April 2009 - 05:03 PM

Sigh... :thumbsup:

Well, I'm hoping to get a new computer in the near future, when finances permit. Until then though, I have to try and stick with this one. I don't use this PC for banking or finances, thank goodness. I hope, if at all possible, I can get rid of this rootkit thing with your help...

I ran SuperAntiSpyware, Spybot Search & Destroy, and MBAM one after the other. I also ran MBAM twice. Here is the first log:

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 2

4/4/2009 5:21:54 PM
mbam-log-2009-04-04 (17-21-54).txt

Scan type: Quick Scan
Objects scanned: 75406
Time elapsed: 17 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ws2_32sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN19.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN1B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN20.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN2A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


And the second, after the reset:


Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 2

4/4/2009 5:53:10 PM
mbam-log-2009-04-04 (17-53-10).txt

Scan type: Quick Scan
Objects scanned: 74854
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\netsik.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Styles\Local Settings\Temp\BN32.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


I'm wondering if there could be a virus or something in my system restore information, which keeps coming back after every sweep? I've also noticed that when I reset the computer I briefly get an error message that says something like "The application failed to initialize because the window station is shutting down".

#7 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 04 April 2009 - 05:20 PM

C:\WINDOWS\system32\drivers\netsik.sys


I don't think it's coming back from system restore. MBAM can't kill it, as it's being replaced as quickly as it's killed; it's hiding some other files whose function is to reinstall it as soon as it's killed.

Let's try to trick it

http://rootrepeal.googlepages.com/

Download and run a FILE scan
Chewy

No. Try not. Do... or do not. There is no try.

#8 Rieper
  • Topic Starter

  • Members
  • 7 posts

Posted 04 April 2009 - 05:59 PM

When I run it, I get this error message:

RootRepeal Error

Could not find kernel file on disk (C:\WINDOWS\system32\ntkrnlpa.exe)!

#9 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 04 April 2009 - 06:13 PM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy

No. Try not. Do... or do not. There is no try.

#10 Rieper
  • Topic Starter

  • Members
  • 7 posts

Posted 05 April 2009 - 09:57 AM

I followed your instruction and ran gmer.exe, which scanned for a long while (through the whole night, actually). In the morning it seemed to have finished, but when I tried to save the log an error message popped up, saying I didn't have enough memory in "Documents and Settings" or something along those lines. I tried to save the file anyway, but it seems the gmer.log file it saved is blank. Then my mouse stopped working... and when I reset the computer, I got the blue screen of death, forcing me to turn it off and on manually.

Rather scary stuff...

#11 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 05 April 2009 - 10:08 AM

I would suggest a clean install of Windows as the best option; your computer may be so corrupt that removing the infection might not even work in our HJT forum, which has a week's backlog right now.
Chewy

No. Try not. Do... or do not. There is no try.

#12 Rieper
  • Topic Starter

  • Members
  • 7 posts

Posted 06 April 2009 - 04:12 PM

You might be right... It's depressing, but what can you do. I've been backing up my files on CD as best I can, and have discovered a charming new bonus: now I get the blue screen of death every time I eject a CD...

Is reinstalling Windows the same thing as reformatting? How would I go about doing that exactly? (Shoot, I don't think Dell provided a Windows XP CD...)

#13 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 06 April 2009 - 04:32 PM

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Post in our XP forum, with your Dell model; chances are someone with a similar model may be able to help.

I've been to dellhell before

:thumbsup:
Chewy

No. Try not. Do... or do not. There is no try.

#14 dummie5

  • Members
  • 1 post

Posted 08 April 2009 - 11:29 AM

Running XP sp3 Home. I had a similar problem. I discovered a new file running in system processes called xxxx.exe where xxxx = my system login name. I couldn't do anything with it. Ran a search for the file but it did not appear. Finally found it in the Documents and Settings/(my login name) folder and deleted it along with a file with a super long gibberish name that was created the same time as the xxxx.exe file. No more AVG alerts came up after that, and I've been running MB and SuperAnti full scans several times a day since then and they've turned up nothing. It appears that the xxxx.exe file was the parent of the rootkits that kept appearing. But why couldn't MB and SAS kill the parent??

Edited by dummie5, 08 April 2009 - 11:35 AM.


#15 Rieper
  • Topic Starter

  • Members
  • 7 posts

Posted 10 April 2009 - 03:16 PM

Well I'll be darned... I didn't do what you did dummie5, but I distinctly remember that there was a file process just like that for me, too. Now that file seems to be gone, AVG has stopped freaking out every couple of minutes, and MBAM reports no infections. Could the threat really be... over?