Rootkit.Agent help!!!!

Hello all you nice and cool experts out there.
Mbam detected a rootkit.agent on my computer…can’t remove it obviously.

The file is at E:\WINDOWS\system32\drivers\crjfad.sys

(N.B. somehow after reformatting once the computer decided to use E:\ for its C:)

Here are the logs:


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/13/2010 10:51:37 PM
mbam-log-2010-01-13 (22-51-32).txt

Scan type: Quick Scan
Objects scanned: 106798
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\drivers\crjfad.sys (Rootkit.Agent) -> No action taken.


I have an old version of ComboFix, avenger, atf cleaner and autoruns if that’s of ANY help at all :stuck_out_tongue:
Please help me!! Rootkits are totally new for me…and reading about it from some other unfortunate people around here, it surely doesn’t seem like something easy to fix :frowning:

Thanks a lot in advance!!!
xxx

Hijackthis log up next…

Logfile of HijackThis v1.99.1
Scan saved at 22:52, on 1/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
E:\Program Files\Google\Google Talk\googletalk.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\Program Files\Screen Calendar\scrcal.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Windows Live\Contacts\wlcomm.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Han\Desktop\REMOVE\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - E:\Program Files\Nuance\PDF Professional 5\Bin\PlusIEContextMenu.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Nuance PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll
O4 - HKLM..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [googletalk] E:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [Adobe ARM] "E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM..\Run: [Bdusetoh] rundll32.exe "E:\WINDOWS\ohahopira.dll",Startup
O4 - HKCU..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU..\Run: [Screen Calendar] "E:\Program Files\Screen Calendar\scrcal.exe" -m
O4 - HKCU..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append the content of the link to existing PDF file - res://E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - res://E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
O8 - Extra context menu item: Append to existing PDF file - res://E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
O8 - Extra context menu item: Create PDF file - res://E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF file from the content of the link - res://E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
O8 - Extra context menu item: Create PDF files from the selected links - res://E:\Program Files\Nuance\PDF Professional 5\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with PDF Professional 5.2 - res://E:\Program Files\Nuance\PDF Professional 5\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ZH-HK/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219243680812
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30299.www3.hp.com/ediags/hpna/web/14/install/gtdownhp.cab?1,0,0,94
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - E:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - E:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - E:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - E:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - E:\WINDOWS\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - E:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - E:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - E:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - E:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - E:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - E:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - E:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - E:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - E:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - E:\WINDOWS\system32\wiascr.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - E:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - E:\Program Files\Java\jre6\bin\jqs.exe" -service -config "E:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe


(apologize for the length...)

Would you mind posting hijack this log as a notepad file attached?

Why would he need to do that? All the information is available in the three posts.

@ mysysteme
HiJackThis is pretty much dead in the water anyway as it isn’t going to find any rootkit info as too many malware files now know how to hide from it.

Run MBAM again and this time, when the scan is complete, all detections should have a check mark in the box to the left of the entry; leave them selected (or select them if not selected). At the bottom of the window there is a button, Remove Selected; click that and the items will be removed.

Your version of HJT is also ancient; I think 2.02 or the 2.03 beta is the latest - FileHippo Download - HiJackThis - and post the contents of the HJT log file here.

Further to that from your HJT data, I don’t understand why you have all the O18 - Protocol: entries, I haven’t got a single one.

XP SP3 has been out for over 18 months now, so I wonder what else might be out of date - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

Thx guys that was quick!!!

hello123> Alrighty if that can help you help me :wink:

DavidR> Thanks for the site! I’ll be looking at it tmr. The thing with the old HJT is cuz I prefer the one I’m using which is just an exe file and I don’t have to install anything :stuck_out_tongue:
and I’m not tech savvy so I have no idea what those O18 etc are…

is it really that important to keep programmes up to date? I’m more like the type who doesn’t want to add extra stuff when things work the way I want them to already…(except of course updating the malware detection programmes)

Mbam can’t remove the thing…I have restarted 2 times after clicking “remove item” and it said it will delete after restart. Still there in the scans *sigh

The point of the newer version is that it makes up for inadequacies of the long out of date version. Security based tools that are out of date are worse than useless and make the report much less useful, to the point that it is almost not worth analysing. I have the latest 2.0.2 version and that isn’t installed, but is the zip download, which is the stand alone version.

HiJackThis should also be in its own folder, as backup copies of any changes that you make would be retained in that folder, allowing for reversal of the change if it is found to be incorrect; in other locations there is a possibility that these may be lost.

Yours isn’t in its own folder, E:\Documents and Settings\Han\Desktop\REMOVE\HijackThis.exe.

Have you re-run MBAM and removed the item as suggested?

Hey I’ve scanned with the site you gave me,
it says my Adobe Reader 9.x, Adobe Flash Player 10.x and Sun Java JRE 1.6x/6.x are insecure…
didn’t even pick up the rootkit thing…

Yeah I re-ran MBAM. same thing it says delete on restart but scanning after restart the thing is still there :-\

MBAM is designed to be run in normal mode, but sometimes safe mode will work
so update MBAM and try a scan in safe mode, maybe with some luck…

The secunia site isn’t looking for malware, just old program versions which have vulnerabilities which may be exploited. Once you find the vulnerable ones there are normally links to get the latest versions.

Thanks again…

Ok I will try running in safe mode next time I log in :slight_smile:

And here’s my updated version of HJT’s log attached. x

Hello mysysteme, as you are aware, this is a rootkit infection. HJT cannot detect this type of infection, which seems impossible to remove with conventional AV programs.
I would follow the instructions in this post and run OTS.

http://forum.avast.com/index.php?topic=53050.msg450158#msg450158

Hopefully the person who analyses these logs will see yours and direct you. If not, I would delete your old version of Combofix, download and run the latest version, following all the instructions very carefully.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Hello…I’m back. Well safe mode didn’t work either :frowning: still there in the scan :cry:

Micky77> I’ve looked through the thread you posted; it looks scarily complicated #_#… I have used combofix before but it was with an expert telling me what to do step by step… I’m not too sure if I should just follow the instructions on that thread cuz it’s not specific to my problem?? (scared~~) But thank you so much for looking at my case :slight_smile:

Honestly I don’t actually know what a rootkit is but it just seems to be something totally 1. undesirable 2. scary 3. hard to tackle…faints

Just read the new sticky…so HJT is no longer needed…
I will download OTL and put up a log later…(just too many windows open at the moment for my essay research…sigh) hopefully that might help? :frowning:

Ok looks like there’s good news…I updated and ran MBAM again, restarted for it to remove infections that didn’t get deleted right away, ran a new scan and it’s clean - see log.

Anyway I did an OTS scan as well (not that I know what it is), if an expert doesn’t mind sparing a few seconds to glance through them, then please be kind enough to give me the peace of mind that I’m rid of malicious things on my computer now… (fingers crossed)

Thank you so much!
xxx

ahhh I scanned again and the rootkit.agent at E:\WINDOWS\system32\drivers\crjfad.sys is back :frowning:

so…HELP~~~~ again =.=

OK, let’s start the process: first I will kill the respawners and then tackle the rootkit. This appears to have come from an infected flash drive.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Modules - Safe List]
YY -> ohahopira.dll -> E:\WINDOWS\ohahopira.dll
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Bdusetoh" -> E:\WINDOWS\ohahopira.DLL [rundll32.exe "E:\WINDOWS\ohahopira.dll",Startup]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command -> 
YY -> \F\Shell\AutoRun\command\\"" -> F:\autorun.bat [F:\autorun.bat]
YN -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\AutoRun\command -> 
YY -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\AutoRun\command\\"" -> C:\1q8p0y.com [C:\1q8p0y.com]
YN -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\explore\Command -> 
YY -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\explore\Command\\"" -> C:\1q8p0y.com [C:\1q8p0y.com]
YN -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\open\Command -> 
YY -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\open\Command\\"" -> C:\1q8p0y.com [C:\1q8p0y.com]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c5b3204-9221-11dd-a00e-00c09faf9f9b}\Shell\AutoRun\command -> 
YN -> \{9c5b3204-9221-11dd-a00e-00c09faf9f9b}\Shell\AutoRun\command\\"" -> [RECYCLER\autoplay.exe]
YN -> \{9c5b3204-9221-11dd-a00e-00c09faf9f9b} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c5b3204-9221-11dd-a00e-00c09faf9f9b}\Shell\open\command -> 
YN -> \{9c5b3204-9221-11dd-a00e-00c09faf9f9b}\Shell\open\command\\"" -> [RECYCLER\autoplay.exe]
YN -> \{dc1340e0-2387-11de-a0c4-0010c6929f0f} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc1340e0-2387-11de-a0c4-0010c6929f0f}\Shell\AutoRun\command -> 
YY -> \{dc1340e0-2387-11de-a0c4-0010c6929f0f}\Shell\AutoRun\command\\"" -> C:\AutoTransfer.exe [C:\AutoTransfer.exe]
[Files/Folders - Modified Within 14 Days]
NY ->  crjfad.sys -> E:\WINDOWS\System32\drivers\crjfad.sys
NY ->  Xfukoxir.dat -> E:\WINDOWS\Xfukoxir.dat
NY ->  Awipogovitog.bin -> E:\WINDOWS\Awipogovitog.bin
NY ->  $.lnk -> E:\Documents and Settings\Han\Desktop\$.lnk
NY ->  fjhdyfhsn.bat -> E:\WINDOWS\System32\fjhdyfhsn.bat
[Files - No Company Name]
NY ->  Awipogovitog.bin -> E:\WINDOWS\Awipogovitog.bin
NY ->  Xfukoxir.dat -> E:\WINDOWS\Xfukoxir.dat
NY ->  crjfad.sys -> E:\WINDOWS\System32\drivers\crjfad.sys
NY ->  fjhdyfhsn.bat -> E:\WINDOWS\System32\fjhdyfhsn.bat
[Custom Scans]
YY ->  crjfad.sys : Unable to obtain MD5  -> E:\WINDOWS\system32\drivers\crjfad.sys
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
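As an added example (not code from this thread, from HijackThis or from OTS), here is a small Python triage that parses the kind of O4 Run entries and MountPoints2 autorun commands quoted above and flags the persistence points the fix targets; the sample lines are constructed from the thread's own entries, and the heuristics (rundll32-loaded DLLs, files dropped straight into the Windows directory, cached per-device autorun commands) are assumptions of this example.

```python
"""Triage autorun entries from a HijackThis log and an OTS MountPoints2 listing.

Added example for this thread; it is not code from the forum, HijackThis or
OTS. The sample lines are constructed from entries quoted in the thread
(straight quotes in place of the smart quotes the forum rendered).
"""
import ntpath
import re

# Constructed sample: HijackThis O4 (Run key) lines.
HJT_LINES = [
    r'O4 - HKLM..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM..\Run: [Bdusetoh] rundll32.exe "E:\WINDOWS\ohahopira.dll",Startup',
    r'O4 - HKCU..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe',
]

# Constructed sample: OTS "Registry - Safe List" lines for MountPoints2, the
# per-device cache of autorun commands Explorer keeps for removable drives.
OTS_LINES = [
    r'YY -> \F\Shell\AutoRun\command\\"" -> F:\autorun.bat [F:\autorun.bat]',
    r'YY -> \{0e09e5ce-ada7-11dd-a037-00c09faf9f9b}\Shell\AutoRun\command\\"" -> C:\1q8p0y.com [C:\1q8p0y.com]',
    r'YN -> \{9c5b3204-9221-11dd-a00e-00c09faf9f9b}\Shell\open\command\\"" -> [RECYCLER\autoplay.exe]',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
MP_RE = re.compile(
    r'^(?P<flags>[YN]{2}) -> \\(?P<key>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command\\\\"" -> '
    r'(?P<cmd>.*?)\s*\[(?P<file>[^\]]*)\]$'
)


def image_path(cmd):
    """Return the file a Run command really loads: the DLL for rundll32,
    otherwise the (possibly quoted) executable before any arguments."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll")
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_run_entries(lines):
    """Flag Run entries shaped like the Bdusetoh one in the thread: a DLL
    pulled in through rundll32 and/or a file sitting directly in the Windows
    directory instead of a program folder (assumed heuristics)."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        path = image_path(m.group("cmd"))
        reasons = []
        if RUNDLL_RE.match(m.group("cmd")):
            reasons.append("loaded via rundll32")
        if ntpath.dirname(path).lower().endswith("\\windows"):
            reasons.append("file sits directly in the Windows directory")
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": path, "reasons": reasons})
    return findings


def triage_mountpoints(lines):
    """List every cached AutoRun/open/explore command for a removable device.
    Explorer consults these when the device is next opened, which is how a
    cleaned machine can pick the same infection up again from the flash drive."""
    findings = []
    for line in lines:
        m = MP_RE.match(line)
        if not m:
            continue
        findings.append({"device": m.group("key"), "verb": m.group("verb"),
                         "target": m.group("cmd") or m.group("file")})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(HJT_LINES):
        print(f"{f['hive']} Run [{f['name']}] -> {f['path']}: {', '.join(f['reasons'])}")
    for f in triage_mountpoints(OTS_LINES):
        print(f"MountPoints2 {f['device']} {f['verb']} -> {f['target']}")
```

Run against a full HJT log and OTS listing, the two functions give the same shortlist the helper built by hand: the rundll32 Run entry and the per-device autorun commands that the fix above deletes.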

Thank you so very very much!!! <3

So here goes the logs…

OTS log after the fix: 01212010_222637.txt
OTS scan log after the computer restarted: OTS.txt

nothing weird in particular happened during the OTS operations, it just restarted to remove some files.

Here comes the funny part…with Combofix

I downloaded the exe from the 2nd link given…ran it…AND THE PROGRAMME TURNED INTO CHINESE!? (might be something to do with me setting the region or to deal with the input methods that made it do that i guess #_#).

Got a Chinese person to look at it - it was saying the same as mentioned i.e. prompting to download the recovery console…got through that and started scanning, then the computer restarted itself.

To note: windows explorer was shut down twice automatically by windows during the combofix scan. And then it restarted.

The log is attached…the original one: “log.txt”

…and “log (with translation).txt” translates the chinese words in the file in =[ ]= brackets…
be prepared for a good laugh if you look at that =_=“”" (don’t know CHINESE tech language, alien even to my chinese friend)

if not, let me know how to download an English version of combofix (didn’t ask me what language I use as far as I remember…) and I will be very happy to run it again