
Another Trojan Horse Rootkit-Agent.EF ?


  • This topic is locked
4 replies to this topic

#1 yodah03

yodah03

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:46 PM

Posted 19 February 2010 - 11:34 AM

It seems that I have the exact same issue as MarketMachine posted on Feb 17, 2010 and some other folks who have posted similar rootkit problems on other sites. I started with a Google search and found this site. I tried posting to MarketMachine's question to share the following information, but it was a violation of the rules (for that I apologize, I was not trying to solve his problem, just add the following from research I have done). First of all, only AVG Free seems to be picking up this Trojan Horse Rootkit-Agent.EF. Malwarebytes and SUPERAntiSpyware are not? Could this be a false positive, as atapi.sys is a system file and it still seems to have the 2004 date on it? From my research it seems that Malwarebytes started creating a false positive about this same rootkit back in Sept 2009, as shown in their forum. Some people initially directed Malwarebytes to disinfect the trojan in the atapi file and then their computer would no longer boot. I tried telling AVG Free to take action, but it only allowed me to ignore, saying the file was white-listed (whatever they mean by that) and that it was a system file that shouldn't be touched. However, I am concerned and have not turned the computer off for a week and have lost my wireless connection. Malwarebytes apologized for the problem and updated their database. I am unable to connect to AVG on the "infected" computer to update my virus database (it may have been fixed), and so I don't know if this is a false positive or the real thing. AVG provides no support on AVG Free, and so I don't believe they will help me. How do I find out if this is a false positive or a backdoor that can allow access to my computer?

EDIT: I just tried running gmer.exe from the desktop (renamed as check.exe) and it starts and then says this program must be closed, sorry for the inconvenience. (If I can't run this program, how do I check for a rootkit?)

Here is MarketMachine's post (this is exactly what has popped up on one of my main laptops running Win XP - BTW all of the reports I have seen are on XP???):

Hi all. I believe my computer is infected with Trojan Horse Rootkit-Agent.EF.

It first appeared in an AVG scan and looked like this :

(File)C:\system32\drivers\atapi.sys
(Infection) Trojan horse Rootkit-Agent.EF
(Result) Object is white-listed (critical/system file that should not be removed)

It continues to reappear on subsequent AVG scans and Resident Shield alerts.

Scans using Malwarebytes, SUPERAntiSpyware and ThreatFire (I didn't try this one!) are all negative for any infections.

Edited by yodah03, 19 February 2010 - 08:45 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:46 PM

Posted 21 February 2010 - 05:09 PM

Hello, let's do a Rootkit scan.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
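The question in post #1 is whether the flagged atapi.sys is a false positive or a modified driver. Alongside the GMER scan above, a read-only check of the driver on disk is what a responder would run first; the following is an added example, not something from this thread or from GMER, and it assumes a default Windows XP layout (the dllcache and ServicePackFiles reference copies may be absent) and PowerShell 2.0 or later.

```powershell
# Added example: report version, timestamp, Authenticode status and SHA-256 of the
# live atapi.sys, and compare its hash with Windows' own cached copy of the driver.
# Read-only; it changes nothing on the system.
function Get-DriverIntegrityReport {
    param([string]$DriverName = 'atapi.sys')

    $live = Join-Path $env:SystemRoot "system32\drivers\$DriverName"
    # Reference copies Windows keeps for file protection (paths assumed, may not exist)
    $references = @(
        (Join-Path $env:SystemRoot "system32\dllcache\$DriverName"),
        (Join-Path $env:SystemRoot "ServicePackFiles\i386\$DriverName")
    )

    function Get-Sha256Hex ([string]$Path) {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
    }

    $item = Get-Item $live
    $report = New-Object PSObject -Property @{
        Path       = $live
        Version    = $item.VersionInfo.FileVersion
        Modified   = $item.LastWriteTime
        # Caveat: XP system drivers are usually catalog-signed, and older PowerShell
        # reports those as NotSigned, so treat the hash comparison as the stronger check.
        Signature  = (Get-AuthenticodeSignature $live).Status
        Sha256     = Get-Sha256Hex $live
        CacheMatch = 'no reference copy found'
    }

    foreach ($ref in $references) {
        if (Test-Path $ref) {
            $report.CacheMatch = ((Get-Sha256Hex $ref) -eq $report.Sha256)
            break
        }
    }
    return $report
}

Get-DriverIntegrityReport | Format-List
```

A CacheMatch of False, or a hash that differs from the same-version atapi.sys on a known-clean XP machine, supports GMER's "modified" verdict rather than a false positive. A running kernel rootkit can hide or alter what the live system shows, which is why the moderator's GMER scan, and ideally a check from an offline boot, carries more weight than this live view alone.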

#3 yodah03

yodah03
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:46 PM

Posted 24 February 2010 - 09:24 PM

Thanks boopme,

I had the feeling you would suggest this, and so while I was waiting for a reply, I kept up with some of the other threads and already downloaded GMER. I have been working from a different computer ever since the rootkit first appeared on Feb 10th. Since then I have been trying to create a clone of the infected computer, because I saw where someone had gotten a false positive back in Sept 2009 from Malwarebytes for a rootkit in atapi.sys and went ahead and quarantined it. The result was an unbootable computer. I can not afford to do that, so when AVG Free flagged my problem I have not turned the computer off since (that is two weeks ago) and have lost the wireless connection. When AVG first warned of the problem, I tried to heal it, but I believe it said not to because it was a critical system file (that is an understatement!!). I am hoping that I did not kill my atapi.sys and have been afraid to reboot. After copying the GMER exe from this computer to my infected one, I renamed it and gave it a go. It ran briefly and then reported an error that it could not continue, and I just clicked OK. Then, I read another mod's suggestion to disable the real-time virus protection (as you also suggest), which I did, but that didn't work. I have a virtual drive running on the infected laptop; do I need to run that Defogger as well? At the bottom of your reply, it says if having problems try running GMER in safe mode. Do you think it is safe for me to reboot? I am concerned that if it does not reboot I'm screwed. Is it also safe to allow the wireless to reconnect? The whole idea of this trojan (if I have it) is to steal passwords and bank account information. Is there a way to prevent this while we're trying to diagnose the problem?

#4 yodah03

yodah03
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:46 PM

Posted 28 February 2010 - 04:45 PM

I backed up my hard drive with DriveImage XML and ran defogger. Now, I can run gmer. It says there is a suspicious modification of atapi.sys and something with an entry point and so I ran the dds.dcr and posted the dds and gmer logs to the actual forum for requesting removal help - thank you!

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:46 PM

Posted 28 February 2010 - 04:59 PM

Well done, log looks good.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.