Jump to content


Photo
- - - - -

Unable to remove virus


  • This topic is locked This topic is locked
6 replies to this topic

#1 jamie60509

jamie60509

    New Member

  • Members
  • Pip
  • 4 posts

Posted 19 October 2008 - 10:41 AM

Hi

I ran Malwarebytes' Anti-Malware and it reported that it had found "Rootkit.Agent.H" in c:\Windows\System32\drivers\mrxdavv.sys. It said that the file would be removed after restarting Vista but I tried this and it was still there. I tried scanning again and it was found, tried cleaning it and it said I needed to reboot but it still hasn't worked!

Can somebody please help me?

Thanks
Jamie

MBAM Scan Log

Malwarebytes' Anti-Malware 1.29
Database version: 1286
Windows 6.0.6001 Service Pack 1

19/10/2008 17:43:51
mbam-log-2008-10-19 (17-43-51).txt

Scan type: Quick Scan
Objects scanned: 42572
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) ->

Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe

"%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

#2 JeanInMontana

JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.

Posted 19 October 2008 - 01:03 PM

Hi jamie60509 and welcome to Malwarebytes. I must tell you with a rootkit there is never any guarantee it can be fully removed and you should immediately contact all bankc, credit cards etc that you may have any information stored on the machine have them stop the cards, change passwords etc. Keep the machine offline as much as possible until you either reformat or we feel it is clean

If you decide to proceed with cleaning. Please read and follow the instructions here http://www.malwareby...?showtopic=2936 Be sure that you update the programs. Your MBAM is behind in definitions.


#3 jamie60509

jamie60509

    New Member

  • Members
  • Pip
  • 4 posts

Posted 19 October 2008 - 01:31 PM

Thanks for your response

I have updated MBAM, here's the new log

Malwarebytes' Anti-Malware 1.29
Database version: 1290
Windows 6.0.6001 Service Pack 1

19/10/2008 19:17:34
mbam-log-2008-10-19 (19-17-34).txt

Scan type: Quick Scan
Objects scanned: 42687
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

#4 jamie60509

jamie60509

    New Member

  • Members
  • Pip
  • 4 posts

Posted 19 October 2008 - 01:42 PM

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:36, on 19/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox3\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8487A670-EBCE-40D8-958C-3D37D87639AC}: NameServer = 192.168.0.1
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4977 bytes


AdAware, Panda Activescan and SpyBot found no problems

#5 JeanInMontana

JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.

Posted 20 October 2008 - 02:37 PM

Are you rebooting? Have your considered reformat because of the rootkit? Update MBAM your several definition versions behind. If it says delete on reboot then reboot and then scan again. Post both logs please and a new HJT.

#6 jamie60509

jamie60509

    New Member

  • Members
  • Pip
  • 4 posts

Posted 21 October 2008 - 07:56 PM

Hi

Thanks for the reply but I decided to reformat my laptop and have only just got back online.

Thanks again

Jamie

#7 JeanInMontana

JeanInMontana

    Delete this account!!

  • Honorary Members
  • PipPipPipPipPipPip
  • 3,867 posts
  • Interests:would love to see some honesty around this site.

Posted 22 October 2008 - 03:12 PM

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users