
Infected with Rootkit.Win32.Agent.abmh


21 replies to this topic

#1 fatback

  • Members
  • 10 posts

Posted 21 January 2010 - 02:03 AM

Kaspersky keep alerting me about my computer being infected.

The alarm states:

Kaspersky Anti-Virus has detected malicious software.

A special disinfection procedure is required which demands system reboot. You are advised to close all other applications.

Perform disinfection?

Object:
C:\Windows\system32\drivers\agzprwp.sys

Virus:
Rootkit.Win32.Agent.abmh

---------------------


If I perform the disinfection the computer reboots but it doesn't take long until the message pops up again. I've been trying this a few times now.
Btw, I'm running WinXP SP3.

Soo, if anyone has any idea about how I can get rid of this I would be most grateful.

//Fatback



Log from HJT
---------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by David at 7:40:36,04 on 2010-01-21
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.2047.1060 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\Trust\Trust R-Series Mouse\StartAutorun.exe
C:\Program\Winamp\winampa.exe
C:\Program\Trust\Trust R-Series Mouse\KMConfig.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\ASUS\AASP\1.00.59\aaCenter.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Trust\Trust R-Series Mouse\KMProcess.exe
C:\Program\DAEMON Tools Lite\daemon.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\NETGEAR\WG311T\wlancfg5.exe
C:\Program\Personal\bin\Personal.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Trust\Trust R-Series Mouse\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\David\Mina dokument\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\david\lokala inställningar\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Ai Nap] "c:\program\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program\asus\ai suite\CpuLevelUpHelp.exe
mRun: [ASUS Energy Saving] "c:\program\asus\ai suite\energysaving\PwSave.exe"
mRun: [Acrobat Assistant 8.0] "c:\program\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HP Software Update] c:\program\hp\hp software update\HPWuSchd2.exe
mRun: [KMCONFIG] c:\program\trust\trust r-series mouse\StartAutorun.exe KMConfig.exe
mRun: [WinampAgent] c:\program\winamp\winampa.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVP] "c:\program\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\daemon~1.lnk - c:\program\daemon tools lite\daemon.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\netgea~1.lnk - c:\program\netgear\wg311t\wlancfg5.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe
IE: Append to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xportera till Microsoft Excel - c:\program\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Trusted Zone: cdon.com
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218571482645
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254637565531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\program\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\o34qzcaj.default\
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\o34qzcaj.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\o34qzcaj.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\o34qzcaj.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\david\lokala instã¤llningar\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program\personal\bin\np_prsnl.dll
FF - plugin: c:\program\veetle\player\npvlc.dll
FF - plugin: c:\program\veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-20 315408]
R2 AVP;Kaspersky Anti-Virus;c:\program\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program\trust\trust r-series mouse\KMWDSrv.exe [2007-6-9 208896]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 gupdate1ca3e04ae97506;Tjänsten Google Update (gupdate1ca3e04ae97506);c:\program\google\update\GoogleUpdate.exe [2009-9-25 133104]
S3 TdsNordecr;Nordea NCR1 SmartCard Reader;c:\windows\system32\drivers\nordecr.sys [2008-8-28 23040]

=============== Created Last 30 ================

2010-01-21 06:32:57 0 d-----w- c:\program\Trend Micro
2010-01-20 10:02:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-20 10:02:09 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-20 10:01:14 0 d-----w- c:\program\Kaspersky Lab
2010-01-20 10:01:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-01-20 09:28:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-01-12 18:59:02 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-06 08:18:20 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-01-06 07:49:24 0 d-----w- c:\program\WinPcap
2010-01-05 22:35:29 0 d-----w- c:\windows\pss
2010-01-05 22:19:13 763904 ----a-w- c:\windows\system32\drivers\agzprwp.sys
2010-01-05 16:23:22 0 d-----w- C:\fusion
2010-01-02 09:30:05 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-01-02 09:28:43 1769 ----a-w- c:\windows\Language_trs.ini
2010-01-02 09:28:32 0 d-----w- C:\tempasus
2010-01-02 09:19:06 0 d-----w- c:\program\Intel Corporation
2010-01-01 20:50:09 0 d-----w- C:\Team17
2009-12-31 07:58:01 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-12-31 07:58:00 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-12-23 08:52:58 0 ----a-w- c:\windows\system32\drivers\wxtvrd.sys
2009-12-23 08:52:33 4 ----a-w- c:\docume~1\david\applic~1\avdrn.dat

==================== Find3M ====================

2009-12-09 17:04:21 78942 ----a-w- c:\windows\system32\perfc01D.dat
2009-12-09 17:04:21 434860 ----a-w- c:\windows\system32\perfh01D.dat
2009-11-30 17:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-16 05:06:22 60292 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-06 09:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 09:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-10-31 10:19:53 138056 ----a-w- c:\docume~1\david\applic~1\PnkBstrK.sys
2009-10-31 10:19:38 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-31 10:19:29 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-31 10:19:29 2395944 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-29 07:44:35 916480 ----a-w- c:\windows\system32\wininet.dll
2006-06-23 13:48:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe
2005-09-20 09:05:04 456768 ----a-w- c:\windows\inf\wg311t\WG311T13.sys
2004-10-19 17:58:28 35232 ----a-w- c:\windows\inf\wg311t\ME_INST.EXE
2004-10-19 17:58:28 26112 ----a-w- c:\windows\inf\wg311t\install.exe

============= FINISH: 7:41:16,71 ===============
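As an added example (not code from this thread or from the DDS tool), here is a small Python triage script that does mechanically what the helper did by eye with the log above: it parses the SERVICES / DRIVERS and Created Last 30 sections and flags recently created .sys files that either have no driver service entry or are zero bytes long, which is exactly the pair (agzprwp.sys and wxtvrd.sys) the later CFScript collects. The sample input is constructed from excerpts of this log, and the line formats are assumed from it rather than taken from any DDS specification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: excerpts of the DDS log posted in this thread
# (three registered drivers, and four entries from "Created Last 30").
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-20 315408]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

=============== Created Last 30 ================

2010-01-20 10:02:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-05 22:19:13 763904 ----a-w- c:\windows\system32\drivers\agzprwp.sys
2010-01-02 09:30:05 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-12-23 08:52:58 0 ----a-w- c:\windows\system32\drivers\wxtvrd.sys

==================== Find3M ====================
"""

# Line formats below are assumptions inferred from the log in this thread,
# not a published DDS specification.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
DRIVER_RE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]$"
)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$"
)


@dataclass
class DdsLog:
    drivers: dict = field(default_factory=dict)  # lowercase path -> service name
    created: list = field(default_factory=list)  # (date, size, attrs, path)


def parse_dds(text):
    """Pull the service/driver table and the Created-Last-30 list out of a DDS log."""
    log = DdsLog()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()
            continue
        if not line:
            continue
        if section.startswith("SERVICES"):
            m = DRIVER_RE.match(line)
            if m:
                log.drivers[m.group("path").lower()] = m.group("name")
        elif section.startswith("CREATED"):
            m = CREATED_RE.match(line)
            if m:
                log.created.append(
                    (m.group("date"), int(m.group("size")), m.group("attr"), m.group("path"))
                )
    return log


def triage(log):
    """Return (path, created_date, reasons) for recently created kernel drivers that look wrong.

    Two cheap checks: a .sys dropped into the drivers directory that has no
    R*/S* service entry (DDS lists non-Microsoft drivers there, so a legitimate
    third-party driver normally shows up), and a .sys file of zero bytes,
    which cannot be a loadable driver image at all.
    """
    findings = []
    for date, size, attrs, path in log.created:
        low = path.lower()
        if not low.endswith(".sys"):
            continue
        reasons = []
        if "\\drivers\\" in low and low not in log.drivers:
            reasons.append("no service/driver entry")
        if size == 0:
            reasons.append("zero-byte file")
        if reasons:
            findings.append((path, date, reasons))
    return findings


if __name__ == "__main__":
    for path, date, reasons in triage(parse_dds(SAMPLE_DDS)):
        print(f"{date}  {path}: {', '.join(reasons)}")
```

Run against a full DDS.txt, the same two checks would also surface the wxtvrd.sys entry long before the CFScript stage; the heuristic is a triage aid, not a verdict.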



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 January 2010 - 05:25 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in response.

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 January 2010 - 01:51 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 01 February 2010 - 12:38 PM

--edit--

I see you replying to the topic.

Edited by extremeboy, 01 February 2010 - 12:39 PM.


#5 fatback

  • Topic Starter
  • Members
  • 10 posts

Posted 01 February 2010 - 12:54 PM

Yes, I still have the same problem as before and would appreciate your help.

I have attached the reports.


Attached Files



#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 01 February 2010 - 01:17 PM

Hello.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#7 fatback

  • Topic Starter
  • Members
  • 10 posts

Posted 02 February 2010 - 03:22 AM

So, I've attached the Combofix log.

Attached Files



#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 02 February 2010 - 04:18 PM

Hello.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/288937/infected-with-rootkitwin32agentabmh/
    Collect::[68]
    c:\windows\system32\drivers\agzprwp.sys
    File::
    c:\documents and settings\LocalService\Application Data\fvgqad.dat
    c:\windows\system32\drivers\wxtvrd.sys
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EE6F7F74-172B-2FB0-AEA279A1BF4D862C}\{E8F7F584-6580-7444-5DDA05E0F08E204D}\{B782894F-9CE8-F53C-F71000A030EC5F4C}*]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.

--
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Thanks.

#9 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 February 2010 - 02:56 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#10 fatback

  • Topic Starter
  • Members
  • 10 posts

Posted 07 February 2010 - 02:30 AM

Hi, I've been away but I'm starting ComboFix in 5 minutes.

#11 fatback

  • Topic Starter
  • Members
  • 10 posts

Posted 07 February 2010 - 03:12 AM

I ran ComboFix and I am attaching the Combofix.txt log to this post.
I am not sure if the quarantined malware was uploaded automatically so I uploaded it manually to be sure.

I am running Malwarebytes' Anti-Malware right now and I'll post the results as soon as it's finished.

Attached Files



#12 fatback

  • Topic Starter
  • Members
  • 10 posts

Posted 07 February 2010 - 03:16 AM

Malwarebytes says that there is no malware and no infected files at all, so I guess that's a good thing?

#13 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 08 February 2010 - 08:04 PM

Yup, now let's get an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#14 fatback

  • Topic Starter
  • Members
  • 10 posts

Posted 09 February 2010 - 01:34 AM

Since I have Kaspersky Anti-Virus 9 installed I am not allowed to run the Kaspersky Web Scan.

EDIT: I did try to start it with my software disabled, but it still didn't start.

Edited by fatback, 09 February 2010 - 01:35 AM.


#15 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 09 February 2010 - 04:47 PM

Try ESET instead:

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.




