rootkit.agent/gen help to remove please


  • This topic is locked
10 replies to this topic

#1 liddlec7

liddlec7

  • Members
  • 7 posts
  • OFFLINE

Posted 23 June 2009 - 12:43 PM

Hi guys. Have been reading through this site and used some of the methods but I still can't remove this malware. I have successfully managed to get Malwarebytes and SUPERAntiSpyware installed after renaming them. If I run either in safe mode the virus does not show up. If I run them in normal mode with an internet connection I receive the following reports. This is a Vista laptop with wired connection to router.
From Malwarebytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

23/06/2009 18:36:59
mbam-log-2009-06-23 (18-36-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 218891
Time elapsed: 46 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

the log from Superantispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2009 at 05:02 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1893

Scan type : Quick Scan
Total Scan Time : 00:21:07

Memory items scanned : 655
Memory threats detected : 0
Registry items scanned : 476
Registry threats detected : 5
File items scanned : 18315
File threats detected : 0

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#group

I have navigated to this registry key and tried to delete and change the permissions both in normal and safe mode and am unable to.

Can someone please assist.

many thanks
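A defender-side triage script for the situation in this post, added here as an example; it is not part of the thread and not code from SUPERAntiSpyware, Malwarebytes or BleepingComputer. It assumes an elevated Windows PowerShell 5.1 session, the registry provider and the Win32_SystemDriver WMI class; the only value taken from the page is the shape of the reported key (a Services subkey with Start, Type, ImagePath and Group), and it reports rather than deletes.

```powershell
# Added example, not from the thread: read-only triage of driver-service
# registry entries for the case above, where a scanner keeps reporting
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (start/type/imagepath/group)
# and the key cannot be deleted or re-permissioned. Elevated session assumed.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    # Drivers store paths in several NT forms; normalise to a Win32 path.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverServiceFindings {
    # Drivers the Service Control Manager itself reports (running or not).
    $scmDrivers = @{}
    Get-CimInstance Win32_SystemDriver | ForEach-Object { $scmDrivers[$_.Name.ToLower()] = $true }

    foreach ($key in Get-ChildItem $ServicesRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; skip everything else.
        if ($props.Type -notin 1, 2) { continue }
        $reasons = @()
        $path = Resolve-DriverImagePath $props.ImagePath
        if (-not $path) {
            $reasons += 'no ImagePath'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            # Key visible in the registry, file not visible on disk: a lead worth
            # checking from a clean boot, since a rootkit may hide its own file.
            $reasons += "ImagePath not on disk: $path"
        } else {
            # Catalog-signed inbox drivers can show NotSigned on older systems,
            # so treat this as a lead, not a verdict.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        if (-not $scmDrivers.ContainsKey($key.PSChildName.ToLower())) {
            $reasons += 'in registry but not listed by the SCM'
        }
        # Deny ACEs on the key are one reason a key refuses deletion from the GUI.
        try {
            $deny = (Get-Acl -Path $key.PSPath).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) { $reasons += "Deny ACE for $($deny.IdentityReference -join ', ')" }
        } catch { $reasons += 'ACL not readable' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Start     = $props.Start
                Type      = $props.Type
                Group     = $props.Group
                ImagePath = $props.ImagePath
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-DriverServiceFindings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Run it once in normal mode and once from safe mode and compare the two tables: an entry that appears in only one of them is exactly the kind of discrepancy the scanner logs in this thread are showing.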


#2 liddlec7

liddlec7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 24 June 2009 - 04:15 AM

Hi guys. Have been reading through this site and used some of the methods but I still can't remove this malware. I have successfully managed to get Malwarebytes and SUPERAntiSpyware installed after renaming them. If I run either in safe mode the virus does not show up. If I run them in normal mode with an internet connection I receive a virus. This is a Vista laptop with wired connection to router.
SUPERAntiSpyware says that it will delete the virus "rootkit" after reboot but this doesn't seem to work.
I have tried running it in safe mode as well to no avail.

could anyone help me please?

Edited by Orange Blossom, 27 June 2009 - 10:55 AM.
Merged topics. ~ OB


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 24 June 2009 - 11:03 AM

Disconnect from the Internet and reset your router with a strong logon/password (if using one) so the malware cannot gain control before connecting again. Many users seldom change the default username/password on the router and are prone to this type of infection. If you're not sure how to do this, refer to the owner's manual for your particular router model. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference. Also check the Default Password List. Then redo your scans while remaining disconnected.

These are generic instructions for how to reset a router:
  • Unplug or turn off your DSL/cable modem.
  • Locate the router's reset button.
  • Press, and hold, the Reset button down for 30 seconds.
  • Wait for the Power, WLAN and Internet light to turn on (On the router).
  • Plug in or turn on your modem (if it is separate from the router).
  • Open your web browser to see if you have an Internet connection.
  • If you don't have an Internet connection you may need to restart your computer.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 liddlec7

liddlec7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 25 June 2009 - 05:00 AM

thanks for the reply.
I have changed the router password and am still getting the virus pop up. I am scanning with SUPERAntiSpyware and it keeps finding the rootkit virus in the registry. I have tried scanning and removing in safe mode and in normal mode. I have tried normal mode without any router connection as well. I have tried downloading RootRepeal but am receiving an error "could not read the system registry".
I feel as if I am almost there with all the advice on here! Just need to get this last bit cleaned up!!
can anyone else help? Many thanks

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 25 June 2009 - 08:26 AM

Using RootRepeal would have been my next suggestion but I see that's not going to work.

Please download the Kaspersky Virus Removal Tool and save to your desktop.
alternate download link

If you cannot run this tool in normal mode, then reboot your computer in "Safe Mode" using the F8 method to perform a scan.
  • Double-click the setup file (i.e. setup_7.0.0.290_24.06.2009_12-58.exe) to install the utility.
  • Click Next to continue.
  • It will install by default to your desktop folder. Click Next.
  • Click Ok at the prompt for scanning in Safe Mode if you booted into safe mode.
  • A box will open with a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
      • System Memory
      • Startup Objects
      • Disk Boot Sectors
      • My Computer
      • Any other drives (except CD-ROM drives)
  • Then click on the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • This tool should uninstall when you close it so please save the report log before closing.
  • When done, close the Kaspersky Virus Removal Tool.
  • You will be prompted if you want to uninstall the program. Click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste only the first part of the report (Detected) in your next reply. Do not include the longer list marked Events.
If the above utility does not work, download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
If these don't resolve the problem, then disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation. I will give you instructions on how to do that.

#6 liddlec7

liddlec7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 26 June 2009 - 07:51 AM

Many thanks for all your help quietman7

Here is the report from Kaspersky. It found nothing in both safe mode and normal mode.

Scan
----
Scanned: 907443
Detected: 0
Untreated: 0
Start time: 25/06/2009 21:49:31
Duration: 14:31:41
Finish time: 26/06/2009 12:21:12


Detected
--------
Status Object
------ ------


Events
------
Time Name Status Reason
---- ---- ------ ------
25/06/2009 21:50:15 Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----



Here is the report from Norman Malware Cleaner:

Norman Malware Cleaner
Copyright 1990 - 2009, Norman ASA. Built 2009/06/25 02:27:15

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/06/25 02:27:15, Variants: 3336426

Scan started: 26/06/2009 12:38:25

Running pre-scan cleanup routine:
Operating System: Microsoft Windows Vista 6.0.6001(Safe mode) Service Pack 1
Logged on user: Stephen-PC\Stephen



Scanning running processes and process memory...

Number of processes/threads found: 764
Number of processes/threads scanned: 764
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 18s


Scanning file system...

Scanning: C:\*.*

C:\SmitfraudFix\Agent.OMZ.Fix.exe (Infected with W32/Agent.MIAF)
Deleted file

C:\System Volume Information\{1f7c845f-61c9-11de-8bef-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{625d3e69-616e-11de-b5ab-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{70da26be-609a-11de-bf9f-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\Users\Stephen\Desktop\SmitfraudFix\Agent.OMZ.Fix.exe (Infected with W32/Agent.MIAF)
Deleted file

C:\Windows\System32\Agent.OMZ.Fix.exe (Infected with W32/Agent.MIAF)
Deleted file

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl (Error opening file: Access denied)

Scanning: D:\*.*

D:\System Volume Information\{1f7c8460-61c9-11de-8bef-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{55cda139-5574-11de-854d-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{5bbb69fd-5f73-11de-948c-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{625d3e6a-616e-11de-b5ab-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{6c1a60fc-600b-11de-a0a4-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{70da2639-609a-11de-bf9f-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{70da2647-609a-11de-bf9f-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{70da2680-609a-11de-bf9f-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{70da26bf-609a-11de-bf9f-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

D:\System Volume Information\{bfdf7fcb-55f1-11de-ba11-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

Scanning: c:\System Volume Information\*.*

c:\System Volume Information\{1f7c845f-61c9-11de-8bef-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

c:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

c:\System Volume Information\{625d3e69-616e-11de-b5ab-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

c:\System Volume Information\{70da26be-609a-11de-bf9f-001eec4938e7}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)


Running post-scan cleanup routine:
Failed to set TCP/IP autotuning to "normal" (1) in 0 seconds

Number of files found: 257680
Number of archives unpacked: 1079
Number of files scanned: 257624
Number of files not scanned: 56
Number of files skipped due to exclude list: 0
Number of infected files found: 3
Number of infected files repaired/deleted: 3
Number of infections removed: 3
Total scanning time: 45m 6s

I can now connect to the internet in normal mode, which it wasn't doing before; however, it is extremely slow connecting to anything. I have another clean PC that I am using through the same router. It downloaded the Norman Malware Cleaner at 800KB a sec. The infected laptop, when it finally navigated to the page, had a download speed of 10-15KB a second.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 26 June 2009 - 09:17 AM

See if you can run Malwarebytes Anti-Malware in normal mode now. If so and it does not find anything, then either there is a hidden piece of malware which has not been detected (and will require more comprehensive investigating) or there is an actual problem with your connection/settings which is not malware related.

Have you contacted your ISP and asked them to test the connection? If not, that would be an easy step to do next. If they say everything is ok and the problem is at your end, then double check all your settings. If everything is in order then you probably will need to create and post a DDS/HijackThis log in the HijackThis Logs and Malware Removal forum for further investigation.

#8 liddlec7

liddlec7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 26 June 2009 - 10:07 AM

Hi thanks for prompt reply...

The machine that I suspect has malware is a laptop of a friend's. I know they haven't kept it up to date, both Windows updates and virus defs.
I use a Netgear router to connect my broadband. My personal machine is constantly updated and firewalled, and also runs AVG. I can run a speed test fine on my machine and get up to 13MB/sec. If I plug the laptop in I can't even navigate to the speedtest page, such is the slow speeds. I have checked the network connection settings on the laptop and they seem fine (i.e. same as my personal PC, which works fine).

As for Malwarebytes: if I try and run it in normal mode and try to complete an update it times out. The definitions date is 6/17/09. The error code is 732,(0,0).

Malwarebytes reports no malware/viruses.

SUPERAntiSpyware does complete an update fine (at least it appears to; it takes ages to download). This was run in normal mode:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/26/2009 at 03:59 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1893

Scan type : Quick Scan
Total Scan Time : 00:16:00

Memory items scanned : 669
Memory threats detected : 0
Registry items scanned : 477
Registry threats detected : 5
File items scanned : 18318
File threats detected : 0

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#group

It says that it needs to reboot to delete. Once it reboots, if I scan again the same report above is generated.

If I run SUPERAntiSpyware in safe mode it does not find any viruses/malware.

thanks

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 26 June 2009 - 03:55 PM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#10 liddlec7

liddlec7
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 27 June 2009 - 08:44 AM

Thread created as advised:

http://www.bleepingcomputer.com/forums/t/237020/rootkitagentgen-msivxserv/

thanks

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,719 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 27 June 2009 - 10:54 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/237020/rootkitagentgen-msivxserv/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript