Rootkit.Agent found, but can't be removed

I’ve read a few other posts where people had a similar problem. I’ve run avast and malwarebytes. Both find the infected file (C:\Windows\System32\drivers\yuangs.sys) but neither can remove it, even after reboot. The other posts were for XP, but I’m on Windows 7. Was wondering if I need different versions of the same tools. It seems that the solution is unique each time.

Thanks for any help you can give.

Follow this guide from Essexboy and post the log`s here
http://forum.avast.com/index.php?topic=53253.0

if the log`s are big, see down left corner: Additional Options > attach

Ran MBAM again (3rd time) and got the same result. It showed 1 file infected. I selected the file and said to remove it. It said the file was removed but a reboot was necessary. Rebooted and the file was still there. Attached are the MBAM logs and the OTL txt files.

Thanks for your help!

if avast is detect it you could try a boot scan and see if avast can solve it that way.

http://www.techiecorner.com/166/avast-how-to-schedule-boot-time-scan-before-window-start/ for v 4.8

http://www.schmahl.net/avastbootscan.php for v 5

you could also try superantispyware.

http://filehippo.com/download_superantispyware/

good luck

Have sendt a PM to Essexboy, so he will look at this when he enters the forum

@pondus, thanks. I’ll wait for his reply.

@mikaelrask I did run a boot scan with avast. It flagged the infected file but couldn’t remove it.

Hi I do not know if OTL will shift this as it is well rooted - so I will try to kill it first and immediately follow up with the big boy

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
[2010/05/24 22:08:49 | 000,741,376 | ---- | M] () -- C:\windows\System32\drivers\yuangs.sys
[2010/05/22 16:19:34 | 000,000,120 | ---- | M] () -- C:\Users\Ed\AppData\Local\Hmuxeyeyogo.dat
[2010/05/22 09:04:38 | 000,000,000 | ---- | M] () -- C:\Users\Ed\AppData\Local\Wxaro.bin
[2010/05/19 22:43:05 | 000,000,020 | ---- | M] () -- C:\Users\Ed\AppData\Roaming\qvjsge.dat
[2010/05/24 22:20:51 | 000,741,376 | ---- | M] () Unable to obtain MD5 -- C:\windows\System32\drivers\yuangs.sys

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

ON REBOOT

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

After OTL ran and rebooted the machine, it reran automatically on startup. I’ve included that log, 05252010_142729.log. Then I ran OTL and ran Quick Scan so I’ve attached the OTL.txt file from that. Also attached is the ComboFix log file.

Thanks for all of your help.

forgot to mention, though you probably can see it, C:\Windows\system32\drivers\yuangs.sys is still there

Intriguing that Combofix did not see it

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
yuangs

Files to delete:
C:\windows\System32\drivers\yuangs.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  1. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  2. Please copy/paste the content of c:\avenger.txt into your reply

Here are the contents of avenger.txt:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver “yuangs” deleted successfully.
File “C:\windows\System32\drivers\yuangs.sys” deleted successfully.

Completed script processing.


Finished! Terminate.

It looks like yuangs.sys is finally gone.

Looks like it. However, could you now update and run MBAM again please

Updated and reran MBAM.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/25/2010 3:51:04 PM
mbam-log-2010-05-25 (15-51-04).txt

Scan type: Quick scan
Objects scanned: 140569
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Shall we call it gone then ? ;D

Let it run for 24 hours and if there are no further problems I will remove my tools. Be aware the malware is in several quarantine folders so Avast may detect it and delete it - if it is a backup or quarantine folder with the same name as my tools or in system restore that is not a problem

Let’s hope we can call it gone. Thank you SO much for all of your help. I saw on another post or website somewhere that you had paypal button to accept donations. Would love to send you something. Could you steer me to a website, link, etc.?

Thanks again.

My main work site is Geeks to Go http://www.geekstogo.com/forum/Removal-Help-Virus-Malware-Rootkit-Fake-Alert-Search-Redirect-f37.html but I really do this for the fun of it ;D

You could become a member of Malwarebytes forum and keep up on the latest Malwarebytes has to offer:
http://forums.malwarebytes.org

Please review
Terms of Use
http://forums.malwarebytes.org/index.php?act=boardrules

General Chat A place to introduce yourself and talk about general things apart from malware, politics and religion. Please keep anything clean.
http://forums.malwarebytes.org/index.php?showforum=35

OK lets now remove my tools

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove .

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

Thanks for all of your help, essexboy. Much appreciated.