Possible Rootkit infection/win32.agent.mpq

Discussion in 'Malware Help (A Specialist Will Reply)' started by 1rise, Mar 4, 2012.

  1. 1rise

    1rise Private E-2

    Ok...it all started last Tues (28th Feb) - I initially noticed Windows Firewall messages popping up which I'd never had before. Then I discovered I had the Google redirect issue (aboutnow). I managed to resolve that and was able to browse again. (I had no other symptoms that anything was wrong.)
    I installed Ad Aware (before viewing MajorGeeks) and updated MBAM and SAS - I ran all three and Ad Aware picked up that I had win32.agent.mpq (v); MBAM and I think SAS picked up that I had rootkit.0access, backdoor.0access, rootkit.zeroaccess (those were the main ones in a long list). I also ran TDSSKiller - which detected and removed some other nasty!

    I thought the issue had been resolved until I started up the next day and AdAware said it's blocking several processes (rootkit activity or something) and proceeded to scan my pc - only to find the same win32.agent.mpq thing again.

    I basically then followed all your 'READ & RUN ME' steps; at some point I lost access to the internet (it wouldn't resolve an IP) so I couldn't update the database on MBAM. I tried to run the MBAM manual update exe and it caused a database error that prevented MBAM from running. I basically had to reinstall it (with the database being 50 days old). Eventually I completed all the scans successfully. I regained access to the internet, but AdAware is still detecting the same issues and blocking processes upon startup.
    Really sorry if this is all a bit garbled - just trying my best to explain the sequence of events. I wasn't sure whether to run all the scans again as I've now been able to download the database updates (but it states in the READ ME not to, so I haven't).

    Logs are attached.
    Thank you.

    Last edited: Mar 4, 2012
  2. 1rise

    1rise Private E-2

    MGlogs log

  3. 1rise

    1rise Private E-2

    Just noticed I have another ComboFix log file. See attached.

    Attached Files: log.txt (22.1 KB)
  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, 1rise!

    Do you have a log from AdAware that shows the file path of the infection it is finding? Your logs look pretty clean but we will run a few more scans to be sure.

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\WINDOWS\1340578319
    FileLook::
    C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    C:\WINDOWS\system32\DRIVERS\netbt.sys
    Folder::
    C:\WINDOWS\$NtUninstallKB5930$
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"=-
    "QuickTime Task"=-
    "iTunesHelper"=-
    "Adobe Acrobat Speed Launcher"=-
    "Acrobat Assistant 8.0"=-

    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please note that TDSSKiller has updated and I want you to run it the way described here: TDSSKiller - How to run

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
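    Before dragging a script like the one above onto ComboFix, it is worth listing exactly which files, folders and registry entries it will remove, so the script can be checked against the HijackThis findings: the two [-...] keys match the orphaned O2 BHO CLSIDs, and "AntiVirusOverride"=dword:00000000 sets the Security Center override value back to 0. The parser below is an added example written for this thread, not ComboFix's own code or anything posted by thisisu; it assumes File:: and Folder:: entries are deleted, FileLook:: entries are only reported, and the Registry:: section follows .reg-file syntax ([-key] deletes a key, "name"=- deletes a value). The sample input is a copy of the script in the post above.

```python
"""Review a ComboFix CFScript before running it.

Added example, not ComboFix's own code. The meaning given to each
directive (File::/Folder:: delete, FileLook:: only reports, Registry::
uses .reg-file conventions) is this example's assumption about ComboFix.
"""
import re

# Constructed sample input: the CFScript from the post above, without the
# forum colour markup. Raw string so the backslashes stay literal.
SAMPLE_SCRIPT = r"""
KillAll::
ClearJavaCache::
File::
C:\WINDOWS\1340578319
FileLook::
C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
C:\WINDOWS\system32\DRIVERS\netbt.sys
Folder::
C:\WINDOWS\$NtUninstallKB5930$
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"=-
"QuickTime Task"=-
"iTunesHelper"=-
"Adobe Acrobat Speed Launcher"=-
"Acrobat Assistant 8.0"=-
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")       # [-key] deletes, [key] selects/creates
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')   # "name"=- deletes, anything else sets


def parse_cfscript(text):
    """Map each directive to its entries.

    File::, FileLook:: and Folder:: entries are path strings. Registry::
    entries are (action, key, value_name, data) tuples. Flag directives
    such as KillAll:: and ClearJavaCache:: map to an empty list.
    """
    sections, current, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current, current_key = m.group(1), None
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        if current != "Registry":
            sections[current].append(line)
            continue
        km = REG_KEY_RE.match(line)
        if km:
            current_key = km.group(2)
            action = "delete_key" if km.group(1) == "-" else "select_key"
            sections[current].append((action, current_key, None, None))
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and current_key is not None:
            name, data = vm.groups()
            if data == "-":
                sections[current].append(("delete_value", current_key, name, None))
            else:
                sections[current].append(("set_value", current_key, name, data))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return sections


def destructive_actions(sections):
    """List every action that removes something, for a pre-run review."""
    out = [("delete_file", p) for p in sections.get("File", [])]
    out += [("delete_folder", p) for p in sections.get("Folder", [])]
    for action, key, name, _data in sections.get("Registry", []):
        if action == "delete_key":
            out.append(("delete_key", key))
        elif action == "delete_value":
            out.append(("delete_value", f"{key}\\{name}"))
    return out


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for kind, target in destructive_actions(parsed):
        print(f"{kind:13} {target}")
    for path in parsed.get("FileLook", []):
        print(f"{'inspect only':13} {path}")
```

    Run as-is it prints the nine removals the script asks for (one file, one folder, two BHO keys, five Run values) and the two driver files that are only inspected; feeding it a different CFScript shows at a glance whether a "fix" script touches anything beyond what the logs justify.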
  5. 1rise

    1rise Private E-2

    Hello Thisisu

    Thank you for your help so far.

    I've attached the AdAware logs (one from a full system scan that I ran and the other from a smart scan that ran after I rebooted). This time, after the first reboot, it detected only one offending process and I think it may have been repaired because after restarting again, it wasn't detected.

    I'm afraid I only got up to the ComboFix step this time; after I dragged the CFScript file onto it, it told me that this version had expired and asked whether I would like to run it in reduced functionality mode or quit. As I wasn't sure, I just quit.
    I then connected to the internet (as I wasn't connected previously) and dragged the file across again, and this time I received the following error:

    Error opening file for writing: C:\32788R22FWJFW\License\iexplore.exe
    Abort to stop, Retry or Ignore.

    I selected retry but got the same error so just ended up aborting.

    Can you please advise what I can try next to get it to run...or if I should just skip and continue with your other suggested steps.


    Thanks
     

    Attached Files:

    Last edited: Mar 7, 2012
  6. thisisu

    thisisu Malware Consultant

    Code:
    Description: c:\program files\pc connectivity solution\transports\nclusbsrv.exe
    Ad-aware is detecting a malicious file that is part of the Nokia PC Suite software you have installed.

    See here: http://www.file.net/process/nclusbsrv.exe.html

    This is a false positive. It's not actually a bad file.
    ___

    ComboFix gave you that Reduced functionality error because the version of ComboFix you are trying to run is expired. Delete your copy of ComboFix.exe from your desktop.

    Please download a new one from here: Download ComboFix.exe

    Then try the instructions provided again using the CFScript.txt and the new ComboFix.exe.
     
  7. 1rise

    1rise Private E-2

    Hello thisisu

    Please see attached logs after completing all of your advised steps.

    Thanks for your patience and help.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Hi,

    I see that you were able to update MBAM and run some additional scans. Can you attach the results of these scans? Thanks.

    How is your system running at this point? aswMBR shows an unknown MBR code but that may just be due to it not recognizing the Dell MBR.

    So far I am not convinced that this is a malware problem.
     
  9. 1rise

    1rise Private E-2

    Hi Thisisu

    My system seems to be running normally now, but I haven't started using the net again (apart from quickly updating the databases as necessary).
    All of my more recent scans are clean, which is very reassuring; however, I think I'm feeling cautious as prior to posting here, after running scans and being told the threats had been removed, they would reappear again on another scan after rebooting.

    Are you able to confirm from the logs if everything is as it should be on my PC? I understand that these rootkits can be quite sophisticated, so I would just like to be sure it's safe for me to use the internet again without risk of any further issues - and obviously, what measures I can take to prevent anything like this from occurring again.

    I've attached a more recent log, and some of the original ones that detected the zeroaccess etc.

    Also, I have a question....When I discovered I had been infected, I copied my important files to an external drive. As yet, I still don't know how my PC initially became infected and wanted to know if there is any chance that something could have attached itself to any of my files (docs, pdfs, jpegs etc.). I ran a scan on my external drive a few days back and it was clean. So I'm hoping that means it's all ok.

    Again, thank you for your help.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Yes, according to your latest logs the rootkit is gone now.

    This type of infection does not spread to external devices.

    ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in Access Denied messages whenever you run a security application. For more specific information about this infection, please refer to:


    You're welcome.
    Below are the cleanup procedures which also give you recommendations on how to protect yourself from malware in the future.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
