1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Removing Rootkit.Win32.Agent.zl

Discussion in 'Virus & Other Malware Removal' started by jonroe, Apr 1, 2008.

Thread Status:
Not open for further replies.
  1. jonroe

    jonroe Thread Starter

    Joined:
    Apr 1, 2008
    Messages:
    2
    Hi...I seem to be infected with the subject line and have tried everything possible, with no result! Hence my search led me here. I realise that there has been a similar thread but I feel my situation is a bit different so I would appreciate this being treated as a case. Basically my problems in order of priority are:

    1. Rootkit.Win32.Agent.zl
    2. Constant pop-ups if I do not deny access to IE through KAV.
    3. Unkown icons on each of my hard drive partitions (eg 00007E00-01A801A8/00007E00-01A801A8_Backup). I have upto 4 of these files on each partition which cannot be deleted
    4. General slowness of an otherwise "fastish machine" with a clean OS install and all existing software installed.
    5. I feel my PC is eating up bandwidth on a small office network (this one may be my imagination)

    I would like to send you the whole KAV Scan Report but the text file is too large and I cannot even attach it. But included below are the KAV Scan Details and Parameters and a HighJack This Log:

    KASPERSKY ANTI-VIRUS

    Scan
    ----
    Scanned: 106994
    Detected: 1
    Untreated: 0
    Start time: 4/1/2008 1:09:49 PM
    Duration: 00:03:03
    Finish time: 4/1/2008 1:12:52 PM


    Detected
    --------
    Status Object
    ------ ------
    will be deleted when the computer is restarted: Trojan program Rootkit.Win32.Agent.zl File: c:\windows\system32\drivers\updatee.sys

    Statistics
    ----------
    Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
    ------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
    All objects 106994 1 0 0 0 2 0 28 0
    My Documents 469 0 0 0 0 0 0 0 0
    Mail databases 1031 0 0 0 0 0 0 0 0
    I:\ 0 0 0 0 0 0 0 0 0
    3.5 Floppy (A:) 6 0 0 0 0 0 0 0 0
    Local Disk (C:) 94844 1 0 0 0 1 0 0 0
    Dilmah (D:) 1262 0 0 0 0 0 0 0 0
    Wizard of Oz (E:) 2441 0 0 0 0 0 0 0 0
    HOCT Photo Album (F:) 6348 0 0 0 0 0 0 0 0
    Jonathan (G:) 593 0 0 0 0 1 0 28 0
    CD Drive (H:) 0 0 0 0 0 0 0 0 0


    Settings
    --------
    Parameter Value
    --------- -----
    Security Level Recommended
    Action Prompt for action when the scan is complete
    Run mode Manually
    File types Scan all files
    Scan only new and changed files No
    Scan archives All
    Scan embedded OLE objects All
    Skip if object is larger than No
    Skip if scan takes longer than No
    Parse email formats No
    Scan password-protected archives No
    Enable iChecker technology Yes
    Enable iSwift technology Yes
    Show detected threats on "Detected" tab Yes

    HIGHJACK THIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:51:23 PM, on 4/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\MICROS~1\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Jonathan\My Documents\Trend Micro HiJackThis 2.2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.historyofceylontea.com/bulletin/admin/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    --
    End of file - 7128 bytes


    Thank you again, and might I add what a great job you guys are doing!
     
  2. jonroe

    jonroe Thread Starter

    Joined:
    Apr 1, 2008
    Messages:
    2
    Is there no one who could help me on this? I am desperate to get rid of this rootkit and would really appreciate some assistance.
    Thanks again.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Removing Rootkit Win32
  1. lunarlander
    Replies:
    5
    Views:
    633
  2. ricincalifornia
    Replies:
    2
    Views:
    450
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/699162

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice