rootkit.win32.agent.go


Post by ski » July 12th, 2007, 5:39 am

The Hijackthis analysis is shown below.

Problem:
I'm on my husband's computer and worried about this dire warning I keep getting from the Steganos 2006 software bundle - firewall, anti-virus, anti-spy, etc. (He gets rid of the flying insects and I do the computers.) There is also Spybot on this computer and that doesn't help either.

Message from Steganos - sounds like a computer-geek film title I think :)

"Access to the object C:\...\drivers\MchInjDrv.sys is blocked.
Object is a Trojan Rootkit.Win32.Agent.go
You are advised to delete this object."
I have tried a lot but each time am told:
"This object cannot be deleted."
I also tried checking the box for it to be done on restarting the computer, but that hasn't worked either.

I've done searches to find the files mentioned and they don't show up. I've also tried this site - http://virusscan.jotti.org/ - and found I could - through clicking on "browse" - find the win32 drivers file and loads of other stuff - but still cannot track down the filenames shown.

I did discover it's to do with a program called MadCHook - which is apparently a legitimate application - but is being misused.

Anyway, the Hijack stuff follows. I hope someone can help!
Many thanks,
Ski

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:23, on 12-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Steganos AntiSpyware 2006\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\VIAudioi\SBADeck\ADeck.exe
C:\Programmer\Picasa2\PicasaMediaDetector.exe
C:\Programmer\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Steganos Personal Firewall 2006\KAVPF.exe
C:\Programmer\Steganos AntiSpyware 2006\saspy2006.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\JOHN WRENCH\SKRIVEBORD\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AudioDeck] C:\Programmer\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmer\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Antispyware 2006] "C:\Programmer\Steganos AntiSpyware 2006\saspy2006.exe" /startintray
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Steganos AntiVirus 2006\kav.exe" /minimize
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Programmer\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PMCRemote] C:\Programmer\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmer\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Steganos Personal Firewall 2006.lnk = C:\Programmer\Steganos Personal Firewall 2006\KAVPF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O23 - Service: kavsvc - Steganos GmbH - C:\Programmer\Steganos AntiVirus 2006\kavsvc.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Steganos AntiSpyware 2006\WRSSSDK.exe

--
End of file - 4591 bytes
ski
Active Member
 
Posts: 4
Joined: July 12th, 2007, 5:15 am
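As a first triage pass over a log like the one posted above, here is an added example (not from this thread, and not part of HijackThis itself) that parses the O4 autostart and O23 service lines and flags the entries a helper looks at first: a service whose binary is gone from disk, a binary with no company information, or an autostart running from a user-writable folder. The sample lines are copied from the log above; the triage rules are the author's own assumptions, not HijackThis logic.

```python
import re
from collections import namedtuple

# Sample input: five lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Steganos AntiVirus 2006\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: kavsvc - Steganos GmbH - C:\Programmer\Steganos AntiVirus 2006\kavsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programmer\Steganos AntiSpyware 2006\WRSSSDK.exe
"""

# O23 line: "Service: <display name> - <company read from the binary> - <path> [(file missing)]"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4 line: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# The executable is the quoted token, or the unquoted text up to the first .exe/.dll/.sys.
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|sys)))', re.IGNORECASE)

# section is "O4" (Run key) or "O23" (service); owner is the company string, "" for O4 entries.
Entry = namedtuple("Entry", "section name owner path file_missing")

def exe_from_command(cmd):
    """Strip arguments from an O4 command line, keeping unquoted paths that contain spaces."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()

def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            entries.append(Entry("O23", m["name"], m["owner"], m["path"], m["missing"] is not None))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m["label"], "", exe_from_command(m["cmd"]), False))
    return entries

def triage(entries):
    """Return (section, name, path, reasons) for the entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("binary missing on disk: stale entry or already-removed file")
        if e.owner == "Unknown owner":
            reasons.append("no company information in the service binary")
        if "\\documents and settings\\" in e.path.lower() or "\\temp\\" in e.path.lower():
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append((e.section, e.name, e.path, reasons))
    return findings
```

On the sample lines only the stale Symantec service is flagged; the Steganos and Webroot entries parse cleanly, which matches the reply below that the Spy Sweeper components are legitimate.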

Post by Shaba » July 12th, 2007, 5:58 am

Hi ski

This -> MchInjDrv.sys is part of SpySweeper -> C:\Programmer\Steganos AntiSpyware 2006\WRSSSDK.exe and legitimate.

It is true that it can be used for malicious purposes, but in this case it's kind of a false positive :)

You may try to put it on the ignore list.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

It is the Rootkit Trojan that's the problem

Post by ski » July 12th, 2007, 9:34 am

Many thanks for your reply. It is more the Rootkit.Win32.Agent.go file that is of concern to me. The warning message said that ACCESS to the object mchInjDrv.sys was BLOCKED by Rootkit.Win32.Agent.go. I don't understand the technical stuff, but I do understand the seriousness of having a Trojan in the works.

I have scoured sites looking for how to get rid of this - and found companies selling software which is supposed to do the job - but then also found sprinklings of comments from others complaining that these software packages DON'T get rid of rootkits :?

I'm getting increasingly worried that this rootkit thingy is steadily munching away into the system and one day soon it will all go haywire.
ski
Active Member
 
Posts: 4
Joined: July 12th, 2007, 5:15 am

Post by Shaba » July 12th, 2007, 9:38 am

Hi

This one says that MchInjDrv.sys IS Rootkit.Win32.Agent.go

Access to the object C:\...\drivers\MchInjDrv.sys is blocked.
Object is a Trojan Rootkit.Win32.Agent.go

So which one of the error messages is correct? :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Now I really am confused!

Post by ski » July 12th, 2007, 12:11 pm

Hmmnn... it's listed as a virus on viruslist.com - but with no information as yet about the one ending in "go" - but there is info on the ones ending with "az", "p" or "h".
http://www.viruslist.com/en/viruses/enc ... sid=163831

There are quite a few recent references to this also on the site
http://forums.zonelabs.com/zonelabs/boa ... Discussion

I see the term "false-positive" cropping up sometimes - but most people seem to be trying their hardest to get rid of it.

And Steganos described it as a trojan and advised to delete it - also giving another way if it refused to be deleted (but neither way worked).

Finally, have just found this site
http://searchwindowssecurity.techtarget ... 50,00.html
which is all about rootkits - detecting them and getting rid of them. I have to do other things now, but will take a proper look at this tomorrow morning when my brain is hopefully feeling a bit less melty.
ski
Active Member
 
Posts: 4
Joined: July 12th, 2007, 5:15 am

Post by Shaba » July 12th, 2007, 12:39 pm

Hi

It IS a false positive and part of Spy Sweeper (Steganos AntiSpyware)

"And Steganos described it as a trojan and advised to delete it - also giving another way if it refused to be deleted (but neither way worked). "

Steganos can't recognize whether that is used for malicious purposes or as a part of antispyware; it's only a program :)

MchInjDrv.sys can be used for malicious purposes, too. That's why it's listed on viruslist.com.

If you delete it, Spy Sweeper (Steganos AntiSpyware) WON'T work.

See also here
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

thank you

Post by ski » July 13th, 2007, 4:42 am

Hello again, and thank you for all your patience :oops:

Because the message comes up every time the computer is switched on, it's a bit unsettling, but at least you have, with your endless patience and knowledge, convinced me that nothing evil is munching its way through the system.

ski :wave:
ski
Active Member
 
Posts: 4
Joined: July 12th, 2007, 5:15 am

Post by Shaba » July 13th, 2007, 5:00 am

Hi

You can contact Steganos and report that false positive, and also put that file on the ignore list in Steganos AntiVirus; that should help :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by Shaba » July 21st, 2007, 7:25 am

Hi

How's it going ski?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by Shaba » July 23rd, 2007, 5:18 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland