Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.Agent infection menace


  • This topic is locked This topic is locked
2 replies to this topic

#1 aspirex2010

aspirex2010

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 24 May 2010 - 03:25 AM

Scanning with Malwarebytes shows the presence of Rootkit.Agent as follows:

C:\Windows\system32\Drivers\opkbmaqg.sys (Rootkit.Agent)

Malwarebytes is unable to remove it; neither could other spyware removers I had tried ~ Spybot, Norman, SuperAntiSpyware, etc.


Previous scans also showed these spyware infections but I think they have been successfully removed; as they do not show up on new scans anymore.

FYI, they were:

C:\Users\Edwin\AppData\Roaming\avdrn.dat (Malware.Trace)
C:\Windows\Temp\94bbb73e.tmp (Trojan.Downloader)
C:\Windows\Temp\b602e109.tmp (Trojan.Downloader)
C:\Windows\Temp\8b22d848.tmp (Trojan.Downloader)
C:\Windows\System32\Memman.vxd (Rogue.sysCleaner)


Now only Rootkit.Agent remains stubbornly.

Any help or advice would be appreciated.


Here is my DDS.txt; (Attch.txt & ark.txt attached as requested)

DDS (Ver_10-03-17.01) - NTFSx86
Run by Edwin at 14:04:16.38 on Mon 24/05/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.60.1033.18.2045.1277 [GMT 8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Windows\system32\dldncoms.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\java.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
"C:\Windows\System32\svchost.exe"
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Edwin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/trends/hottrends
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www1.ap.dell.com/content/default.aspx?c=my&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: SBCONVERT Class: {a1056498-d09a-41e4-864b-505edd640d9e} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [Google Update] "c:\users\edwin\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-25 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-25 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-25 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-25 56816]
R2 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe -service --> c:\windows\system32\dldncoms.exe -service [?]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~2\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~2\VideoAcceleratorService.exe -start -scm [?]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-18 38224]
S2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldnserv.exe [2008-8-12 99568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

=============== Created Last 30 ================

2010-05-24 05:56:33 0 ----a-w- c:\users\edwin\defogger_reenable
2010-05-24 04:28:22 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-23 10:02:47 0 d-----w- c:\users\edwin\appdata\roaming\TweakNow PowerPack 2010
2010-05-23 10:02:47 0 d-----w- c:\program files\TweakNow PowerPack 2010
2010-05-19 14:46:16 12 ----a-w- c:\users\edwin\appdata\roaming\qvjsge.dat
2010-05-18 07:56:01 0 d-----w- c:\users\edwin\appdata\roaming\Malwarebytes
2010-05-18 07:54:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 07:54:52 0 d-----w- c:\programdata\Malwarebytes
2010-05-18 07:54:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 07:54:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 04:10:51 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 06:33:48 741376 ----a-w- c:\windows\system32\drivers\opkbmaqg.sys
2010-05-11 06:20:05 12 ----a-w- c:\users\edwin\appdata\roaming\asgqmd.dat

==================== Find3M ====================

2010-05-12 03:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-21 08:04:29 12 ----a-w- c:\users\edwin\appdata\roaming\kcmdte.dat
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-01-11 10:37:53 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-11 10:37:52 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-11 10:37:52 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-08-13 08:34:49 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-22 02:42:53 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-13 13:10:27 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-02-18 06:11:34 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009021820090219\index.dat
2009-09-26 07:20:41 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009092620090927\index.dat
2009-12-29 13:38:40 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009122920091230\index.dat
2010-01-07 06:26:34 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010010720100108\index.dat
2009-08-22 12:55:50 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-08-12 05:12:09 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:05:12.99 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 aspirex2010

aspirex2010
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:50 AM

Posted 25 May 2010 - 08:59 PM

Pls close thread.

I have decided to format the hd to get rid of the buggers. crazy.gif

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:50 PM

Posted 26 May 2010 - 11:46 AM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users