jamie60509

Unable to remove virus

7 posts in this topic

Hi

I ran Malwarebytes' Anti-Malware and it reported that it had found "Rootkit.Agent.H" in c:\Windows\System32\drivers\mrxdavv.sys. It said that the file would be removed after restarting Vista but I tried this and it was still there. I tried scanning again and it was found, tried cleaning it and it said I needed to reboot but it still hasn't worked!

Can somebody please help me?

Thanks

Jamie

MBAM Scan Log

Malwarebytes' Anti-Malware 1.29

Database version: 1286

Windows 6.0.6001 Service Pack 1

19/10/2008 17:43:51

mbam-log-2008-10-19 (17-43-51).txt

Scan type: Quick Scan

Objects scanned: 42572

Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) ->

Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe

"%1") -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

Share this post


Link to post
Share on other sites

Hi jamie60509 and welcome to Malwarebytes. I must tell you with a rootkit there is never any guarantee it can be fully removed and you should immediately contact all bankc, credit cards etc that you may have any information stored on the machine have them stop the cards, change passwords etc. Keep the machine offline as much as possible until you either reformat or we feel it is clean

If you decide to proceed with cleaning. Please read and follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 Be sure that you update the programs. Your MBAM is behind in definitions.

Share this post


Link to post
Share on other sites

Thanks for your response

I have updated MBAM, here's the new log

Malwarebytes' Anti-Malware 1.29

Database version: 1290

Windows 6.0.6001 Service Pack 1

19/10/2008 19:17:34

mbam-log-2008-10-19 (19-17-34).txt

Scan type: Quick Scan

Objects scanned: 42687

Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

Share this post


Link to post
Share on other sites

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:49:36, on 19/10/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\SYSTEM32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Mozilla Firefox3\firefox.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"

O4 - HKLM\..\Run: [sBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing

O13 - Gopher Prefix:

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{8487A670-EBCE-40D8-958C-3D37D87639AC}: NameServer = 192.168.0.1

O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)

O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 4977 bytes

AdAware, Panda Activescan and SpyBot found no problems

Share this post


Link to post
Share on other sites

Are you rebooting? Have your considered reformat because of the rootkit? Update MBAM your several definition versions behind. If it says delete on reboot then reboot and then scan again. Post both logs please and a new HJT.

Share this post


Link to post
Share on other sites

Hi

Thanks for the reply but I decided to reformat my laptop and have only just got back online.

Thanks again

Jamie

Share this post


Link to post
Share on other sites

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.