Rootkit Ozihysx.sys

Hello,

I have a rootkit in my system and Avast is unable to delete it.
I tried it in safe mode as well, but I just can’t get the file deleted…

Does anyone know a solution?

Greetings,

Rutger

Have a look here at the first post. If you post those logs, Essexboy will look at them for you. http://forum.avast.com/index.php?topic=53253.0
Or you could try booting from a Linux CD, navigate to the file location and delete/rename the file, then run MBAM. http://puppylinux.org/main/index.php?file=Overview%20and%20Getting%20Started.htm

When is this reported?

Is this what is reported?

  • “A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.”

Deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate. Though given the file name, it looks like a randomly generated file name; zero hits on Google other than your post. So it looks like it is a good detection.

Is it in the drivers folder?

Hi Rutger:

On the GeeksToGo Advanced Malware Removal Forums where “Essexboy” is a Moderator, they also recommend using the GMER Rootkit Scanner and submitting a “report” according to their “Step 4”, which can be viewed at http://www.geekstogo.com/forum/Malware-Spyware-Cleaning-Guide-t2852.html.

Hi, this will probably not kill it the first time, so I will follow up with a stronger tool straight after.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2010-02-21 11:14:38 | 000,000,000 | ---- | C] () -- C:\Windows\System32\H
[2010-02-20 19:21:16 | 000,791,552 | ---- | C] () -- C:\Windows\System32\drivers\ozihysx.sys
[2008-12-13 17:23:35 | 000,000,000 | -HSD | M] -- C:\Users\Rutger\AppData\Roaming\.#
[2010-02-21 20:48:11 | 000,791,552 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\ozihysx.sys

:Commands
[purity]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

  1. Please download The Avenger by Swandog46 to your Desktop.
    • Right-click on the Avenger.zip folder and select “Extract All…”
    • Follow the prompts and extract the avenger folder to your desktop.
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
ozihysx
ozihysx.sys

Files to delete:
C:\Windows\System32\drivers\ozihysx.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right-click on the window under “Input script here:” and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute.
    • Answer “Yes” twice when prompted.
  4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply.
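The OTL entries in the fix above share one field layout: [timestamp | size | attributes | C or M] () optional note -- path. As an added example, not part of this thread and not OTL's own code, here is a small Python parser for that layout that flags the entries a helper looks at before deleting anything: files whose MD5 OTL could not obtain, hidden+system entries, drivers created within the last few days, and timestamps later than the scan. The sample input is the four lines from the fix plus one constructed future-dated line; the scan time and the 7-day window are assumptions.

```python
import re
from datetime import datetime

# Constructed input: the four OTL lines from the fix above plus one made-up future-dated line.
SAMPLE_OTL = """\
[2010-02-21 11:14:38 | 000,000,000 | ---- | C] () -- C:\\Windows\\System32\\H
[2010-02-20 19:21:16 | 000,791,552 | ---- | C] () -- C:\\Windows\\System32\\drivers\\ozihysx.sys
[2008-12-13 17:23:35 | 000,000,000 | -HSD | M] -- C:\\Users\\Rutger\\AppData\\Roaming\\.#
[2010-02-21 20:48:11 | 000,791,552 | ---- | M] () Unable to obtain MD5 -- C:\\Windows\\System32\\drivers\\ozihysx.sys
[2011-01-01 00:00:00 | 000,001,024 | ---- | M] () -- C:\\Windows\\System32\\drivers\\EXAMPLE-futuredated.sys
"""
SCAN_TIME = datetime(2010, 2, 21, 22, 0)   # assumed time the OTL scan was taken

# Field layout: [timestamp | size | attributes | C(reated)/M(odified)] () <optional note> -- <path>
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] (?:\(\) )?(?P<note>.*?)-- (?P<path>.+)$"
)

def parse_otl(text):
    """Parse OTL file-listing lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            e["size"] = int(e["size"].replace(",", ""))
            e["note"] = e["note"].strip()
            entries.append(e)
    return entries

def flag_entries(entries, scan_time):
    """Return (path, reason) pairs worth a second look before anything is deleted."""
    flagged = []
    for e in entries:
        in_drivers = e["path"].lower().startswith("c:\\windows\\system32\\drivers\\")
        if "Unable to obtain MD5" in e["note"]:    # OTL could not read the file: hidden by a driver?
            flagged.append((e["path"], "md5-unreadable"))
        if e["ts"] > scan_time:                    # timestamp later than the scan itself
            flagged.append((e["path"], "future-timestamp"))
        if "H" in e["attrs"] and "S" in e["attrs"]:  # hidden + system attributes set
            flagged.append((e["path"], "hidden-system"))
        if in_drivers and e["kind"] == "C" and 0 <= (scan_time - e["ts"]).days <= 7:
            flagged.append((e["path"], "driver-created-last-7-days"))  # new kernel driver
    return flagged

if __name__ == "__main__":
    for path, reason in flag_entries(parse_otl(SAMPLE_OTL), SCAN_TIME):
        print(f"{reason:28} {path}")
```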

Hello,

Used the OTL with this code and Avenger (twice) and the file is gone from the places in the code.

But I still get the virus alerts, and when I run Regedit it still finds Ozihysx crap… (which I can’t remove)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OZIHYSX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OZIHYSX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OZIHYSX

Malwarebytes (you know the program, I think) doesn’t find any rootkits anymore and Avast says everything is clean as well.

So, what’s next?

Could you post the Avenger log please, as I need to see that data.

Here is the file after the second attempt.

Let’s use Avenger to kill the keys, although it did state that it could not find them.

  1. Please download The Avenger by Swandog46 to your Desktop.
    • Right-click on the Avenger.zip folder and select “Extract All…”
    • Follow the prompts and extract the avenger folder to your desktop.
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OZIHYSX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OZIHYSX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OZIHYSX


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right-click on the window under “Input script here:” and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute.
    • Answer “Yes” twice when prompted.
  4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply.

Whoehoe and JEAH! It’s gone!!! Out of the registry and everything!

But…

I still get the virus warning from Avast (see attached file). It’s always the svchost.exe in a different .tmp file in the windows\temp directory (see attached screendump).

I also noted the bottom file, which has a future date. In the system32\drivers directory there still is an agp440.sys.bak file. I hope this is not a problem, but I would like some advice on deleting it or not…

Thanks for all the great help so far!

And the other file…

I do not like the bit where it states that agp440.sys is infected.

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C: drive.
  • Please post the contents of that log.

I do not like it when you do not like stuff…

Here it is…

Please note, there is no agp440.sys file in the directory anymore, just an agp440.sys.bak file.

Thx

OK, that turned out clean; that is an indication of the latest TDL3 rootkit, but you do not have it.

Let’s clear your temps, as they may be a residue.

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop.

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Done, but no result.

Does it help if I say it only happens when I’m connected to the internet…? Or to be more exact, when I’m connected to the wireless network which has an internet connection…

scvhost.exe in C:\windows\temp\xxxx.tmp (xxxx being any letter combo)

P.S. I noticed the “Please help!” item on this forum; “noobje” had the same problem, I think, but I don’t have any scvhosts active in my Task Manager (probably because I keep blocking it with Avast).

Sorry, meant this item: http://forum.avast.com/index.php?topic=54147.msg458590#msg458590

It does, as it is coming from one of the sites you visit.

You will see no log with TFC, as it just removes everything in all your temp folders.

Let’s see if you have something in your internet temp files that is not getting deleted.

I only use this programme when I can see nothing else.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Looks like everything is gone!

Here’s the log…

Thanks for all the help!

That is the first time that TDSSKiller has failed me; I wonder why.

Besmet exemplaar van c:\windows\system32\drivers\atapi.sys werd aangetroffen en gedesinfecteerd Hersteld exemplaar van - Kitty ate it :p

  1. Please open Notepad:
    • Click Start, then Run.
    • Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
c:\users\Rutger\AppData\Local\Temp\QMQSAXAIJWW.exe
c:\users\Rutger\AppData\Local\Temp\VFDKFL.exe
c:\users\Rutger\AppData\Local\Temp\WWKZOKJ.exe
c:\users\Rutger\AppData\Local\Temp\YUDACWOI.exe

Driver::
QMQSAXAIJWW
VFDKFL
WWKZOKJ
YUDACWOI


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt