SmitFraud-C Rootkit.Win32.Agent.EQ

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Hattenator, Jan 19, 2008.

Hattenator (Private E-2)

    I am not sure I am posting this in the correct spot, but I wanted to post this just to try and help someone having this problem, and to let the mods know if they don't already, since MajorGeeks has been such a big help to me many times before.

    I recently had a problem with SmitFraud-C, at least that is what Spybot was saying it was. The only problem was none of the known fixes were getting rid of it, and just when you thought it was gone, there it was again.

    On to the online scanners... First I tried HouseCall, then Panda ActiveScan; nothing was found. Finally I tried Kaspersky Online Scanner and it found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.


    The core.sys file had registered itself as a service and was starting automatically each time Windows booted. Because of such a generic name, it didn't appear suspicious when I was examining the running services early on.

    I recently had a second round with this, only the file names were different. This time it was rio8drvv.sys and core.cache.dsk, again located in the C:\windows\system32\drivers directory.

    DON'T mistake this for rio8drv.sys, which is a valid sys file and located in a different area of system32.


    The following is what I did to get rid of this nasty problem both times, on two separate computers.

    1) Boot into Safe Mode
    2) Click on Start, Search, and choose All Files and Folders
    3) In the all or part of file name box, type the following

    rio8drvv.sys or core.sys, or they may have used a different system file name, as I have seen two different ones so far with this.

    4) In the Look In box, choose local hard drives and click Search
    5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
    6) Repeat steps 2-5 for the file core.cache.dsk
    7) Close the Search box
    8) Click on Start, Run and type REGEDIT and press Enter
    9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
    10) Click the plus next to SYSTEM
    11) Click the plus next to CurrentControlSet
    12) Click the plus next to Services
    13) Find the folder called rio8drvv and right-click on it and choose Delete

    *** WARNING *** If the folder rio8drvv or core does not exist, don't do anything.

    14) Close the Registry Editor by clicking on the X in the right-hand corner of the window

    15) Reboot your computer in Normal mode
    16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.

    http://www.kaspersky.com/virusscanner

    17) Scan your computer and delete any other files flagged as problems.


    AGAIN, this is only to try to help. If I posted this in the wrong place or if you see a mistake here, let me know.
     
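The manual steps above (search the drivers directory, delete the named files, delete the matching service key, do nothing if the key is absent) can be scripted so that each check is recorded before anything is removed. The following is an added example, not part of Hattenator's post or of any MajorGeeks tool. It assumes PowerShell run as Administrator (ideally in Safe Mode, as the post advises); the file and service names are the ones the post reports, and the `-WhatIf` switch lets you see what would be touched without deleting anything. The final loop goes beyond the post's specific names and lists every kernel-driver service whose image file is missing or not validly signed, which is one way to spot a renamed variant such as the second one the poster encountered.

```powershell
# Added example, not from the original post. Removes the driver files and
# service keys the post names, and flags other suspicious kernel drivers.
# Assumes: PowerShell as Administrator; names below are from the post.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$FileNames    = @('core.sys', 'rio8drvv.sys', 'core.cache.dsk'),
    [string[]]$ServiceNames = @('rio8drvv', 'core')
)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn the registry ImagePath forms seen for drivers into a filesystem path:
#   "system32\DRIVERS\x.sys", "\SystemRoot\system32\drivers\x.sys", "\??\C:\...\x.sys"
function Resolve-DriverPath([string]$ImagePath) {
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Driver files: exact-name match inside the drivers directory only, so the
#    legitimate rio8drv.sys (single 'v') is never matched. Hash before deleting
#    so the sample can be looked up or submitted later.
foreach ($name in $FileNames) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Host "FOUND   $path  SHA256=$hash"
        if ($PSCmdlet.ShouldProcess($path, 'Delete file')) {
            Remove-Item -LiteralPath $path -Force
        }
    } else {
        Write-Host "absent  $path"
    }
}

# 2. Service keys: show ImagePath and Start (0=boot, 1=system, 2=auto) so you can
#    confirm the key points at one of the files above, then delete it.
#    Per the post's warning, a key that does not exist is left alone.
foreach ($svc in $ServiceNames) {
    $key = Join-Path $svcRoot $svc
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        Write-Host "FOUND   $key  ImagePath=$($props.ImagePath)  Start=$($props.Start)"
        if ($PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    } else {
        Write-Host "absent  $key (nothing to do)"
    }
}

# 3. Broader check: every kernel-driver service (Type 1) whose image file is
#    missing or fails Authenticode validation. A renamed copy of this rootkit
#    would show up here even though its name is not in the lists above.
Get-ChildItem -LiteralPath $svcRoot | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    if ($p.Type -eq 1 -and $p.ImagePath) {
        $file = Resolve-DriverPath $p.ImagePath
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Host "ORPHAN   $($_.PSChildName): $file is missing"
        } elseif ((Get-AuthenticodeSignature -LiteralPath $file).Status -ne 'Valid') {
            Write-Host "UNSIGNED $($_.PSChildName): $file"
        }
    }
}
```

Run it once with `-WhatIf` to review the FOUND lines, then without. Two caveats a practitioner should keep in mind: a kernel rootkit that is already loaded can hide its own file and service key from any user-mode tool, including this script, which is why the post runs the removal from Safe Mode and then confirms with an online scanner; and the UNSIGNED list will include legitimate third-party drivers on older systems, so treat it as a list to investigate, not a list to delete.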
