AGprotect rootkit


3 replies to this topic

#1 Runestrike


Posted 07 December 2009 - 08:03 PM

Hey,

I've scanned my system using mbam and encountered a few nasty problems on my system.
Memory Processes Infected:
H:\WINDOWS\temp\BN1.tmp (Trojan.Agent)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace)

Files Infected:
H:\Qoobox\Quarantine\H\WINDOWS\system32\drivers\ndis.sys.vir (Rootkit.Protector)
H:\WINDOWS\temp\BN1.tmp (Trojan.Agent)

Operating system: Windows XP professional SP3

I have used combofix a couple of times (probably wasn't a good idea) and these problems still reside. Also, each time I reboot I get an error message that reads: RUNDLL Error loading H:\windows\uhicajuh.dll the specified module could not be found. Lastly, I've noticed BN2.tmp has been running in the windows task manager. I'm pretty clueless when it comes to this stuff so any help would be greatly appreciated.


-Rune
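As an added illustration that is not part of the thread, here is a small Python parser for the log layout quoted in the post above; it tags each finding the way someone triaging the log would, including that an entry under Qoobox is a ComboFix quarantine copy rather than a live file. The sample log is constructed to mirror the excerpt above; the section and entry layout are assumptions based on that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the MBAM log excerpt quoted in the post.
SAMPLE_LOG = r"""
Memory Processes Infected:
H:\WINDOWS\temp\BN1.tmp (Trojan.Agent)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace)

Files Infected:
H:\Qoobox\Quarantine\H\WINDOWS\system32\drivers\ndis.sys.vir (Rootkit.Protector)
H:\WINDOWS\temp\BN1.tmp (Trojan.Agent)
"""

SECTION_RE = re.compile(r"^(.+) Infected:$")    # e.g. "Files Infected:"
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\)$")  # "<path> (<detection name>)"

def parse_mbam_log(text):
    """Return {section: [(path, detection), ...]} from an MBAM-style log."""
    findings, section = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SECTION_RE.match(line):
            section = m.group(1)            # "Memory Processes", "Registry Keys", "Files"
        elif (m := ENTRY_RE.match(line)) and section:
            findings[section].append((m.group(1), m.group(2)))
    return dict(findings)

def triage(findings):
    """Attach a defender's note to each finding as (section, path, detection, note)."""
    notes = []
    for section, entries in findings.items():
        for path, detection in entries:
            p = path.lower()
            if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
                # Qoobox is ComboFix's quarantine folder; .vir files are inert copies.
                note = "already quarantined by ComboFix: check the live file instead"
            elif detection.lower().startswith("rootkit"):
                note = "rootkit-class detection: confirm the driver on disk and in memory"
            elif "\\temp\\" in p:
                note = "executable in a temp dir: stop the process before deleting it"
            elif detection == "Malware.Trace":
                note = "registry trace: clean after the active components are removed"
            else:
                note = "review manually"
            notes.append((section, path, detection, note))
    return notes
```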

#2 azfreetech


Posted 07 December 2009 - 09:19 PM

Use Rkill to stop the rootkit processes that start when the computer comes on. Then I run the Malwarebytes and SUPERAntiSpyware. Here are some DL links for the Rkill....

LINK 1
LINK 2
LINK 3
LINK 4

Save it to your desktop and then double click to launch it (With Vista you need to right click and select run as administrator). You should see a little black window open and then close. If you see that box then it worked. If you don't see the black box then delete the file and use another download link and repeat the steps.

Next you will want to update and run MBAM. After removing what it finds then you will want to install, update and run SUPERAntiSpyware and then remove what it finds.
DJ Digital Gem

I gave up on computers and now I just DJ!

#3 Runestrike


Posted 07 December 2009 - 10:50 PM

Ran Rkill then mbam. When trying to scan with SuperAntiSpyware I get the blue screen of death about halfway through then my computer reboots. Any ideas?

#4 Computer Pro


Posted 08 December 2009 - 07:53 AM

Can you please post your Malwarebytes log? It can be found under the "Logs" tab of the program.
Computer Pro



