
Infection problem Rootkit.Agent.AJBY


5 replies to this topic

#1 stormec

stormec

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 23 November 2009 - 05:05 AM

Hello people. I'm new to this, so please forgive my clumsiness.
Anyways, recently I realized that my internet connection became very slow, so I've decided to scan with some of the antivirus and anti-spyware tools I'm using (Spybot, Bitdefender, Malwarebytes) and I was really surprised by what I've discovered. There were many infections, and some of them were removed instantly and some after rebooting. But somehow, my internet connection wasn't improving, so I've done a rescan. It discovered that this file (path: File c:\WINDOWS\system32\drivers\tcpsr.sys) was infected with Rootkit.Agent.AJBY. So Bitdefender removes it, but whenever I reboot my computer the infection returns.
Please help me with my issue, I will be forever grateful! :flowers:

Thank you! :thumbsup:



#2 stormec

stormec
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 23 November 2009 - 07:04 AM

Please could someone post regarding this issue. I need my comp working soon... Thanks

#3 stormec

stormec
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 23 November 2009 - 12:00 PM

Sorry for being boring but, does anyone know what the issue is here???

#4 stormec

stormec
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 30 November 2009 - 05:39 AM

I've solved this problem, and if anyone needs help with the same thing, please post here.
No need to format anything.

Edited by stormec, 30 November 2009 - 05:40 AM.


#5 EvilJamie

EvilJamie

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 01 December 2009 - 05:06 PM

I am curious how you resolved it. Please post.

EJ. :thumbsup:

#6 stormec

stormec
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 03 December 2009 - 06:16 PM

Well I've tried everything:
Malwarebytes, Spyware Doctor, Bitdefender (with online support), Combofix, gmer tools, Spybot Search & Destroy, and many more.
Combofix says that a system file is infected (ndis.sys "...The file is a Windows core system file. The program is not visible. It is a Microsoft signed file. The service has no detailed description. NDIS.sys seems to be a compressed file. Therefore the technical security rating is 1% dangerous, however also read the users reviews." - copy from one website). After a normal scan it reboots the computer and does a full scan before services are started. After that everything looks normal, at least for a while. After a couple of minutes the system again starts bugging, everything is slowed down, the connection is almost invisible, and it stops and starts at extremely big rates. Should I mention how frustrating this all is?! Rhetorical question.
Well that's for Combofix anyways.
Bitdefender has also successfully deleted and/or disinfected the file (several times), but after some time, or after rebooting, everything is the same again. Same thing with the other antivirus, anti-spyware, rootkit and other malicious software removal tools I've used. Bitdefender says that my system is infected with Rootkit.Agent.AJBY, referring to the path c:\WINDOWS\system32\drivers\tcpsr.sys. I was very surprised to find out that I couldn't find much information about this infection. The "tcpsr.sys" infection was the reason for my low internet activity, but the root of my problem was ndis.sys. Although those massive scans didn't resolve my problem, they did help me a lot to find out what exactly was the cause of the problems. NDIS.sys is a system file, and a Windows root file; it cannot be removed or changed that "easily".
It was human versus machine and human was losing. Then it came to me: "Why shouldn't I try manually replacing the file?" It was a desperate try (yes, I could always do a format, but stubborn as I am I simply didn't want to give up). Anyways, it's a small file but I couldn't find it anywhere on the internet to download. Then I tried my luck on MSN. I told one of my friends about the problem I'd been having and he sent me that file (he is also using Windows XP2 like me). Since you can't save that file with the "sys" extension on the hdd, I saved it simply as "NDIS", then copied it to USB and renamed it to "ndis.sys". After that I used a program called Killbox (http://killbox.net/) and with it successfully replaced it. After reboot everything was back to normal and then Spyware Doctor easily removed the leftovers.
Later I remembered the SFC (System File Checker) command. Somehow I completely forgot about it. Damn (forgive me please)
I should mention that I am not a computer specialist, programmer, or maintenance "wizard". I was simply using my logic.
The brain is the strongest "computer", and no machine made of "pipes", chips and wires can replace it.
Oh yes, human versus machine 1:0. :flowers:
I hope this thread will help someone to solve this issue.
Regards :thumbsup:

Edited by stormec, 03 December 2009 - 06:23 PM.




