Avira Personal: RKIT/INJUNK.A.|[TROJAN]

Discussion in 'other anti-virus software' started by Escalader, Aug 24, 2009.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    On my 2nd Dell, a gaming PC running under XP SP3, there is a "parasite" which is detected only by the real-time block as:

    RKIT/INJUNK.A.|[TROJAN] C:\windows\system32\Msvtx86.aqmgu

    The Avira scan does not detect this, but the block does. No matter what he does (quarantine, deny, etc.), the issue keeps recurring. A number of BSODs have also occurred, as well as the message "NT services has encountered a problem and must shut down."

    It seems clear the block can detect but not remove this one.

    He did run SAS and it found 9 issues and fixed them but this one remains.

    3 files in the system32 folder:

    msvd86.agmmgu
    msvp86.agmmgu
    msvk86.agmmgu

    He deletes manually but they keep getting recreated.

    This is a bad one!

    Any clues/advice before we reformat the PC from scratch?

    I'm particularly interested in hearing from anyone who has hit this one with Avira.
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    You might want to try running:

    www.prevx.com (see what it detects - if it finds the files - PrevxHelp will analyse the scanlog - full paid licence might be worth it)
    www.hitmanpro.com (if it finds the files - has 30 day removal)
    www.freedrweb.com (no harm in running a full scan)

    As recommended on other threads with the same infection, running www.malwarebytes.org
     
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi:

    Thank for the suggestions! :thumb:
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    No problems. Prevx and Hitman Pro do emphasize rootkits as a specialty. Both will only take you a few minutes to install and perform a full scan.

    Dr Web could take up to an hour or so, same with emsisoft (a-squared). I'd run these if nothing is found with the first two scanners.
     
  6. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Last edited: Aug 24, 2009
  7. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    Did you try a safe mode scan (with System Restore turned off)? Worth a try before installing other scanners.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    We did try 2 scans in safe mode, but NOT with System Restore turned off.

    We did Avira scan and SuperAntispyware. No luck.

    Why is it important to turn restore off?
     
  9. BuzzStone

    BuzzStone Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    163
    Malware will sometimes attach itself to the restore point and will just regenerate. Turn off System Restore, as mentioned, and run again.
     
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  11. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    Hi Escalader,
    Probably best to clean it up outside of windows:

    1. Download DrWeb LiveCD from http://www.freedrweb.com/livecd/

    2. Burn the ISO to a CD

    3. Reboot with the CD in the drive

    4. Disinfect
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Did you try "System Restore"?
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Yes, every single restore point was "gone", nothing to restore from!

    This is a bad one for sure.

    I think the safe path is to reformat the whole PC. I will try some of the tools you guys have suggested, but there would always be doubt that some piece of this beast would linger around.... more later
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Try to rename the file and then try to restore your system, or rename the file and remove it in safe mode.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    Quite possibly the rootkit driver itself which is located in system32/Drivers has not been unloaded or detected by AntiVir/other software.

    Hence the files keep restoring, and AntiVir blocks the known trojan code in real time as it is restored.

    The variant in the ThreatExpert report we definitely have covered; I would hope we have yours too :)
     
  16. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Try using AntiHookExec with GMER

    About AntiHookExec:
    https://www.wilderssecurity.com/showpost.php?p=1528871&postcount=28


    HKEY1952
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I wonder how you managed to get it.
    By the way, try MBAM, GMER and RootRepeal.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Make sure to try Prevx, hitman pro, and asquared before you reformat. We all want to know if this resolves the issue. I would try Prevx first.
     
  19. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
    +1:thumb: for prevx and MBAM for stubborn infections
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Excellent work if MBAM does pick up the variant listed in the ThreatExpert report.

    We're waiting in suspense Escalader! ;)
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I want to thank everybody here who has suggested an approach or different tool to clean this mess up. Many of you have tools to suggest for removal. I wanted to try these tools and ideas but have been prevented by the owner of the PC from any "experiments".

    But the same problem has been reported on:

    http://www.threatexpert.com/report.aspx?md5=f5c3d4c2911ab4a109dd06aac7830c52

    Several vendors have identified it, or pieces of this beast. So you could scan your own PCs for key words such as aqmgu as a file extension. Hope it isn't there.


    What I failed to anticipate before posting this issue is the human factor/attitude.

    This is my fault alone! I apologize that I will not be able to report back on how your various solutions may have worked.

    But the bottom line now for this infected gaming PC is that my family member will not trust any tool now to clean it even if the tool says FIXED. Not only that, he won't connect to www to download any new tools due to the presence of the "spy".

    My answer to all this was no sweat; I'll download new tools for you on my PC to my USB stick, thus avoiding "your" spy/rootkit. But he just isn't interested in this approach, as it exposes him to the hazards of the spy during the process, or so he thinks.

    In my view, the amount of manual work to try to fix it is not much different than a reformat and reinstall of Windows, so that is what will happen. He says he has his data backed up and has all the program disks and licences, so that's his "plan". I have personally learned from all this (it ain't over yet) and I will NEVER post about a PC issue again that I don't have 100% control over!

    I'm forwarding the advice I received below over at the OP forum:

    The only good thing is he will now keep images on an external drive. But I fully expect him to do all this again!

    What can I say other than prevention is better than clean up!
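The file names quoted in this thread (Msvtx86.aqmgu, msvd86.agmmgu, msvp86.agmmgu, msvk86.agmmgu) all share a stem of "msv", one or two letters and "86", plus a made-up extension. The scanner below is an added example, not code from the thread or from any vendor mentioned in it: it walks a System32 folder and its drivers sub-folder (fcukdat's point above about an undetected driver) and flags names that fit that pattern, so the "scan your own PC for aqmgu" idea becomes a repeatable check. The sample tree it builds is constructed for the demo, and the driver name msvq86.sys in it is a hypothetical, not an indicator from the report.

```python
import os
import re
import tempfile

# Naming pattern seen in the thread: "msv" + one or two letters + "86",
# e.g. Msvtx86.aqmgu, msvd86.agmmgu, msvp86.agmmgu, msvk86.agmmgu.
SUSPECT_STEM = re.compile(r"^msv[a-z]{1,2}86$", re.IGNORECASE)

# Extensions a legitimate msv* file in System32 would normally carry.
NORMAL_EXTENSIONS = {".dll", ".exe", ".sys", ".drv", ".ocx", ".cpl", ".mui"}


def classify(name):
    """Return a rule label if the file name looks like this infection's
    droppings, else None."""
    stem, ext = os.path.splitext(name)
    if SUSPECT_STEM.match(stem):
        return "msv?86 stem"
    if stem.lower().startswith("msv") and ext.lower() not in NORMAL_EXTENSIONS:
        return "msv* with odd extension"
    return None


def find_suspect_files(system32_dir):
    """Scan system32_dir and its drivers sub-folder; return sorted
    (subfolder, file name, rule) triples for every flagged file."""
    hits = []
    for sub in ("", "drivers"):
        folder = os.path.join(system32_dir, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            rule = classify(name)
            if rule:
                hits.append((sub, name, rule))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample System32 layout for the demo (not the thread's PC)."""
    root = tempfile.mkdtemp(prefix="fake_system32_")
    os.mkdir(os.path.join(root, "drivers"))
    for name in ("Msvtx86.aqmgu", "msvd86.agmmgu", "msvp86.agmmgu", "msvk86.agmmgu",
                 "msvcrt.dll", "msv1_0.dll", "kernel32.dll", "msvx.tmp"):
        open(os.path.join(root, name), "w").close()
    # Hypothetical companion driver name; an assumption for the demo only.
    open(os.path.join(root, "drivers", "msvq86.sys"), "w").close()
    return root


if __name__ == "__main__":
    for sub, name, rule in find_suspect_files(build_sample_tree()):
        print(f"{rule:26s} {os.path.join('System32', sub, name)}")
```

On a real machine, point find_suspect_files at the actual System32 path; legitimate files such as msvcrt.dll and msv1_0.dll are left alone because their stems lack the "86" suffix and their extensions are ordinary.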
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmm it was interesting to see what would have worked.
     
  23. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Well Escalader I hope your family member appreciates the effort you made in trying to resolve their issue,even if they chose to do their own thing.
     
  24. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    All ok Escalader. As long as his new setup is more secure than before, then he won't have a problem again. :thumb:
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Yes, I hope so. Now I'm consulting on how to respond to the Windows XP install prompts! There is no justice :oops:
     