[Closed] Computer help, Worm?

Topic starter
 

My daughter's laptop is popping up an antimalware ad offering a free trial, and claims that it has been infected with Rootkit.win32.Agent.pp.
I've not touched anything, but it is blocking internet access.
Any help please?


 
Posted : 17/12/2009 4:45 pm
 

Google "Rootkit.win32.Agent.pp removal"

Removal instructions below. Once you get internet access back I recommend "Hitman Pro". And dock her a week's pocket money for dodgy surfing!

To remove registry keys go to Start, Run; enter "regedit" in the box; in the regedit program go to ctl_w32 by expanding the tree list under My Computer -> 'HKEY_LOCAL_MACHINE', then System\CurrentControlSet\Services\

Locate ctl_w32 and follow the instructions below.
1. Delete the following system registry key:
[HKLM\System\CurrentControlSet\Services\ctl_w32]
2. Reboot the computer.
3. Delete the following file:
%System%\drivers\ctl_w32.sys
4. Update your antivirus databases and perform a full scan of the computer

----------------
Technical details

This Trojan masks its presence in the system from users and from other programs. It is a Windows PE SYS file. It is 40960 bytes in size. It is not packed in any way. It is written in C.
Installation

This malicious program will be installed to the victim machine together with other malicious programs. It is used to hide the activity of other malicious programs in the system.

Once launched, the Trojan copies its body to the Windows system directory as "ctl_w32.sys":
%System%\drivers\ctl_w32.sys

In order to ensure the Trojan is launched automatically each time the system is started, it registers the following service in the system registry:
[HKLM\System\CurrentControlSet\Services\ctl_w32]
"Start" = "dword:0x00000003"
"Type" = "dword:0x00000001"
"ImagePath" = "%System%\drivers\ctl_w32.sys"
Payload

The Trojan will attempt to gain access to the "\\.\Rntm2" driver if it is installed on the system.

Once launched, the Trojan deletes its original file.
--------------
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the following system registry key:
[HKLM\System\CurrentControlSet\Services\ctl_w32]
2. Reboot the computer.
3. Delete the following file:
%System%\drivers\ctl_w32.sys
4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


 
Posted : 17/12/2009 4:54 pm
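The manual steps above (delete the service key, reboot, delete the driver file, then scan) can be scripted so that the indicators are checked and recorded before anything is removed. The following PowerShell script is an added example written for this thread; it is not code from the original posts or from the antivirus vendor whose description was pasted. It uses only the indicators given in that description (the ctl_w32 service key, the Start=3/Type=1 values, the ctl_w32.sys driver file and its 40960-byte size); the -ServiceName parameter, the copy of the driver saved to %TEMP% for later analysis, and the use of Get-FileHash and -WhatIf are my additions. It must be run from an elevated prompt. Because the description says the driver hides its presence from users and other programs, a "nothing found" result from the running system does not prove the machine is clean, which is why the bootable rescue CD suggested in the next post is the more reliable check.

```powershell
# Added example (not from the original thread): check for, record, and remove
# the ctl_w32 kernel driver service described above. Run elevated. Use -WhatIf
# to preview the changes without making them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the service and file share the name given in the description.
    [string]$ServiceName = 'ctl_w32'
)

$keyPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
$found      = $false

# 1. Inspect and record what is visible before touching anything.
if (Test-Path $keyPath) {
    $found = $true
    $svc = Get-ItemProperty -Path $keyPath
    Write-Host "Service key present: $keyPath"
    Write-Host ("  Start={0} Type={1} ImagePath={2}" -f $svc.Start, $svc.Type, $svc.ImagePath)
    # The description gives Start=3 (demand start) and Type=1 (kernel driver).
    # Different values mean this is not the sample described; look closer first.
    if ($svc.Start -ne 3 -or $svc.Type -ne 1) {
        Write-Warning "Start/Type differ from the described sample; verify before removing."
    }
}

if (Test-Path $driverPath) {
    $found = $true
    $size = (Get-Item $driverPath).Length
    $hash = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash
    Write-Host "Driver file present: $driverPath ($size bytes, SHA256 $hash)"
    # The description gives 40960 bytes; another size means a different build.
    if ($size -ne 40960) {
        Write-Warning "File size differs from the described sample (40960 bytes)."
    }
    # Keep a copy for analysis or submission to the AV vendor before deleting.
    Copy-Item -Path $driverPath -Destination (Join-Path $env:TEMP "$ServiceName.sys.sample") -ErrorAction SilentlyContinue
}

if (-not $found) {
    # A rootkit can hide both the key and the file from a live system, so this
    # is "nothing visible", not "clean". Confirm with an offline rescue-CD scan.
    Write-Host "No $ServiceName indicators visible from the running system."
    return
}

# 2. Remove the service key first, exactly as in the posted instructions, so
#    the driver is not loaded again at the next boot.
if ((Test-Path $keyPath) -and $PSCmdlet.ShouldProcess($keyPath, 'Remove service key')) {
    Remove-Item -Path $keyPath -Recurse -Force
}

# 3. Try to delete the file. A loaded kernel driver keeps its .sys file locked,
#    which is why the posted steps reboot between removing the key and the file;
#    if the delete fails here, reboot and run the script again.
if ((Test-Path $driverPath) -and $PSCmdlet.ShouldProcess($driverPath, 'Delete driver file')) {
    try {
        Remove-Item -Path $driverPath -Force -ErrorAction Stop
        Write-Host "Deleted $driverPath"
    } catch {
        Write-Warning "Could not delete $driverPath (probably still loaded). Reboot, then re-run this script."
    }
}

Write-Host "Finish with a full scan using up-to-date antivirus definitions."
```

Run it once with -WhatIf to see what it would touch, then without, reboot, and run it a second time: on the second run the key should be gone and the file should delete cleanly. If the file reappears or the key comes back after the reboot, another component is reinstalling it, and an offline scan from a rescue CD is the next step.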
 

Another option is to try one of the CD based bootable virus scanners.

There is a list here: http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/


 
Posted : 17/12/2009 5:09 pm