Rootkit-Agent.DI also named Win32/CutwailF removal??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mattknobs, Jul 15, 2009.

  1. mattknobs

    mattknobs Private E-2

    Hi, I've been having a lot of problems with this virus; it's making my internet super slow and my computer hang sometimes, and my ISP is not happy with the spam emails my computer is sending out over the internet. AVG says it found Rootkit-Agent.DI in ndis.sys (using the process svchost.exe; normally something like 8 of those processes are running on my computer?). But I just ran the Windows Malicious Software Removal Tool and it says it found Win32/CutwailF in ndis.sys, so I'm not sure which it is. I've attached the requested logs... RootRepeal won't run on my XP for some reason, so I attached a different rootkit scanner program's log. Thanks for the help.

    Also, I used to have issues with iexplore.exe running all the time even when I'm not using Internet Explorer... I always use Firefox. Also, it changes icons in my Start menu display from Firefox to IE, not sure why... not too worried about that though, just not sure about the iexplore.exe process.

    Thanks again.
     

  2. mattknobs

    mattknobs Private E-2

    All the requested logs are uploaded now... this is a nasty, nasty virus that's taken me over a week to try and remove, with no luck so far. Hopefully you can figure out the problem and save my PC. Thanks a lot again.

    Also, the title should read Win32/Cutwail.F - sorry... the main 3 files associated with this virus / these 2 viruses are: NDIS.SYS, SVCHOST.EXE, IEXPLORE.EXE

    matt
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running your PC with no protection installed?

    First run MSconfig and put your PC into Normal Startup mode as requested in step 1 of the READ & RUN ME and remain in this mode. Don't reboot if it tells you it needs to. Your reboot will occur down below while running the fix.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. mattknobs

    mattknobs Private E-2

    Here are the requested logs... the comp still seems to be running about the same - somewhat slow, especially the internet and Firefox, and still lots of svchost.exe processes... hopefully the logs look better. I think this thing might almost be gone.
     

  5. mattknobs

    mattknobs Private E-2

    I ran the Windows Malicious Software Removal Tool again last night and it found "3" infected files with win32/cutwail / the rootkit virus. This is the log file, just in case it helps you find a couple of extra malicious files... thanks again


    ---------------------------------------------------------------------------------------

    Microsoft Windows Malicious Software Removal Tool v2.12, July 2009
    Started On Thu Jul 23 00:34:30 2009

    Extended Scan Results
    ----------------
    ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
    ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
    ->Scan ERROR: resource file://C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll (code 0x00000020 (32))
    Found malware: Virus:Win32/Cutwail.F in file://C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\ndis.sys.vir
    Found malware: Virus:Win32/Cutwail.F in file://C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP7\A0004473.sys
    Found malware: Virus:Win32/Cutwail.F in file://C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP7\A0004474.sys

    Extended Scan Removal Results
    ----------------
    Start 'clean' for file://\\?\C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP7\A0004474.sys
    Operation failed (code=0x8017), please use a full antivirus product ! !

    Start 'clean' for file://\\?\C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP7\A0004473.sys
    Operation failed (code=0x8017), please use a full antivirus product ! !

    Start 'clean' for file://\\?\C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\ndis.sys.vir
    Operation failed (code=0x8017), please use a full antivirus product ! !


    Results Summary:
    ----------------
    Found Virus:Win32/Cutwail.F, partially removed.

    Return code: 7
    Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 23 04:10:11 2009
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have your system in Selective Startup mode and we cannot continue until you correct this. Step 1 of the READ & RUN ME requested that you not use MSconfig and it explains why this is a bad idea. You need to run MSconfig and put your system into Normal Startup mode. Then you need to reboot. After reboot, you need to run MGtools again and then attach a new log so that we can properly continue.

    Don't worry about what Microsoft Windows Malicious Software Removal is reporting. The C:\System Volume Information folder is just System Restore and the C:\Qoobox folder is just the quarantines from ComboFix. These are not problems and will be resolved when we get to final steps.
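    Chaslang's point above, that hits inside C:\Qoobox (ComboFix quarantine) and C:\System Volume Information (System Restore) are inert copies, is worth applying automatically when reading MSRT output. The following is an added example, not code from the thread or from Microsoft: a small Python parser over a constructed MSRT-style log that separates quarantine and restore-point detections from live ones and joins each with its removal outcome. The restore-point GUID is a placeholder and the third detection (a live drivers\ndis.sys) is constructed to show the "active" class.

```python
import re
from collections import Counter

# Constructed sample in the MSRT log format quoted in the thread. The restore
# point GUID is a placeholder; the live drivers\ndis.sys line is constructed to
# show the "active" class and is not from the poster's log.
SAMPLE_LOG = r"""
Extended Scan Results
----------------
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
Found malware: Virus:Win32/Cutwail.F in file://C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\ndis.sys.vir
Found malware: Virus:Win32/Cutwail.F in file://C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP7\A0004473.sys
Found malware: Virus:Win32/Cutwail.F in file://C:\WINDOWS\system32\drivers\ndis.sys

Extended Scan Removal Results
----------------
Start 'clean' for file://\\?\C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\ndis.sys.vir
Operation failed (code=0x8017), please use a full antivirus product ! !
"""

FOUND_RE = re.compile(r"^Found malware: (?P<name>\S+) in file://(?P<path>.+)$")
CLEAN_RE = re.compile(r"^Start 'clean' for file://(?P<path>.+)$")
FAIL_RE = re.compile(r"^Operation failed \(code=(?P<code>0x[0-9A-Fa-f]+)\)")
LONG_PREFIX = "\\\\?\\"  # the \\?\ prefix MSRT prints in the removal section

def normalize(path):
    """Drop the long-path prefix and case-fold so both log sections compare equal."""
    return path.strip().removeprefix(LONG_PREFIX).lower()

def classify(path):
    """Quarantine and restore-point copies are inert; anything else is live."""
    p = normalize(path)
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    return "active"

def parse_msrt_log(text):
    """Return one dict per detection, joined with the removal outcome for its path."""
    found, outcome, pending = [], {}, None
    for line in text.splitlines():
        if m := FOUND_RE.match(line):
            found.append({"name": m["name"], "path": m["path"], "location": classify(m["path"])})
        elif m := CLEAN_RE.match(line):
            pending = normalize(m["path"])
            outcome[pending] = "cleaned"  # assume success unless a failure line follows
        elif pending and (m := FAIL_RE.match(line)):
            outcome[pending] = "failed " + m["code"]
            pending = None
    for d in found:
        d["removal"] = outcome.get(normalize(d["path"]), "not attempted")
    return found

def triage(text):
    """Summarise what needs attention: live detections, not quarantine or restore-point noise."""
    hits = parse_msrt_log(text)
    return {"by_location": dict(Counter(h["location"] for h in hits)),
            "needs_attention": [h["path"] for h in hits if h["location"] == "active"]}
```

Run `triage(SAMPLE_LOG)` to see that only the live ndis.sys is flagged, while the quarantine and restore-point copies (including the one MSRT failed to clean) are reported but not treated as an active infection.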
     
  7. mattknobs

    mattknobs Private E-2

    Hrm, not sure what happened last time, I did everything step by step - I had a lot of services disabled, so that may have been causing the problem - hopefully this one is better - sorry about that.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you had them disabled using MSconfig which is what step 1 of the READ & RUN ME stated you must not be doing.

    Is your Symantec software still running properly? I can see it loading but it does not show up in your uninstall list.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. mattknobs

    mattknobs Private E-2

    Yea, Norton 2005 has given me problems in the past - I no longer use it, haven't in about a year. It's old and expired, and apparently there is a bug with Symantec products on XP that modifies Add/Remove Programs and makes it so you cannot uninstall Norton and a few other programs (there is just no Remove/Uninstall button in the Control Panel?). I tried running the Norton Removal Tool but that didn't work. I've just been using Malwarebytes and SAS as my anti-viral tools.

    Everything still seems to be running about the same as before... I did re-enable the services - they were disabled through Services in Administrative Tools on the Control Panel, not MSconfig, but it should be fixed now...

    Here are the requested logs, thanks again - hopefully we're making progress.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The uninstall and removal tool probably did not work properly because you were using MSconfig to control some of the startups. Your new logs look better since MSconfig is not in use. So it may be gone now. If I see anything else from Symantec, we will remove it. ;)

    These are not antivirus programs, and the free versions you have installed provide no protection from malware. They are just after-the-fact scanners.

    Okay your logs are now clean, you just need to get Sun Java Updated as requested in the READ & RUN ME in step 1.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 13

    After a reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Any slowness problems you are having are most likely due to PC specs which show below average speed and only half the minimum amount of recommended memory for properly running Windows XP. Your spec show
     
    Last edited: Jul 29, 2009
