Preventing rootkit.agent

I seem to be attacked frequently by the browser search engine
highjacker rootkit.agent at windows\system32\sysaudio.sys.  I can
remove it with Malwarebytes Anti-Malware, but I would like to be able
to prevent future infestations.  

I'm using WindowsXP and AVG Anti-Virus and, usually, Firefox as a
browser.  I do use IE sometimes, but Firefox seems more prone to
catching this bug.

Is there a suggested program for resisting rootkit.agent?  Preferably
free.

--
Tony Cooper - Orlando, Florida

Re: Preventing rootkit.agent


| I seem to be attacked frequently by the browser search engine
| highjacker rootkit.agent at windows\system32\sysaudio.sys.  I can
| remove it with Malwarebytes Anti-Malware, but I would like to be able
| to prevent future infestations.

| I'm using WindowsXP and AVG Anti-Virus and, usually, Firefox as a
| browser.  I do use IE sometimes, but Firefox seems more prone to
| catching this bug.

| Is there a suggested program for resisting rootkit.agent?  Preferably
| free.

| --
| Tony Cooper - Orlando, Florida

Was it MBAM that defined this trojan as "rootkit.agent"?


Please submit a sample of "sysaudio.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

This way we can see what anti-virus vendor recognises this trojan, and that
information can be used to get you better protected. Alwil (Avast) will then
get a sample such that they can generate signatures for it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Preventing rootkit.agent

On Thu, 18 Dec 2008 16:43:09 -0500, "David H. Lipman"


I'm not sure.  When I started noticing that my browser was being
highjacked, I started searching for info on rootkit.agent.  MBAM was
one of the programs that I found that would find it.  Now, when the
problem starts (search results in hits for the subject, but links to
other sites), I can run MBAM and it will turn up rootkit.agent and
kill it.  The problem goes away until it comes back.


How do I do that?  I'm not sure how I *get* a sample.


All new to me.  First time I've had a virus-type thing.  The websites
I visit are mostly hobby-connected photography sites (Not *that*
kind!) and some individual pages from links in photography newsgroups.
All very tame stuff.  I never personally open email that is not from a
known source, but my wife gets some forwarded inspirational stuff from
elderly relatives.


--
Tony Cooper - Orlando, Florida

Re: Preventing rootkit.agent





| I'm not sure.  When I started noticing that my browser was being
| highjacked, I started searching for info on rootkit.agent.  MBAM was
| one of the programs that I found that would find it.  Now, when the
| problem starts (search results in hits for the subject, but links to
| other sites), I can run MBAM and it will turn-up rootkit.agent and
| kill it.  The problem goes away until it comes back.



| How do I do that?  I'm not sure how I *get* a sample.

From the location you posted...
windows\system32\sysaudio.sys



| All new to me.  First time I've had a virus-type thing.  The websites
| I visit are mostly hobby-connected photography sites (Not *that*
| kind!) and some individual pages from links in photography newsgroups.
| All very tame stuff.  I never personally open email that is not from a
| known source, but my wife gets some forwarded inspirational stuff from
| elderly relatives.


| --
| Tony Cooper - Orlando, Florida


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Preventing rootkit.agent

"tony cooper" wrote:


Generally you can't infer much from a file name, but if this is
similar to the sample I've seen it's neither a rootkit agent nor a
driver (as the sys file extension would suggest).


Keep your software up to date with the latest releases/patches. A
current sysaudio.sys infection is being delivered via javascript
injected into legitimate web sites in order to exploit vulnerabilities
in Microsoft Data Access Components (MDAC), Adobe PDF reader, Flash
and possibly others including Firefox.
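Two points in this thread lend themselves to a small triage script: Dave's suggestion to submit the suspect sysaudio.sys to VirusTotal (the SHA-256 of the file is what you look up or report), and the last reply's remark that a file named with a .sys extension is not necessarily a driver. The script below is an added example, not code from any participant in this thread. It hashes a file and reads the PE optional header's Subsystem field, which a kernel driver sets to IMAGE_SUBSYSTEM_NATIVE (1) while a user-mode executable sets to the GUI (2) or console (3) subsystem. The sample inputs are constructed header-only PE images, not real binaries, and the `build_minimal_pe` helper exists only to produce them.

```python
import hashlib
import struct
import sys

# Values from the PE/COFF specification.
IMAGE_SUBSYSTEM_NATIVE = 1        # kernel-mode drivers and native-mode executables
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SUBSYSTEM_NAMES = {1: "native", 2: "windows_gui", 3: "windows_cui"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents; this is the value to look up or report on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def classify_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report whether the image is built like a driver."""
    result = {"is_pe": False, "subsystem": None, "subsystem_name": None,
              "is_dll": False, "driver_like": False, "reason": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "no MZ header: not a PE image at all (script, data, or damaged file)"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "MZ header present but no PE signature"
        return result
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        result["reason"] = "optional header too short to carry a Subsystem field"
        return result
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        result["reason"] = "unknown optional header magic 0x%x" % magic
        return result
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    result.update(is_pe=True, subsystem=subsystem,
                  subsystem_name=SUBSYSTEM_NAMES.get(subsystem, "other(%d)" % subsystem),
                  is_dll=bool(characteristics & IMAGE_FILE_DLL),
                  driver_like=(subsystem == IMAGE_SUBSYSTEM_NATIVE))
    result["reason"] = ("native subsystem: built like a kernel driver" if result["driver_like"]
                        else "user-mode subsystem: the .sys name does not make it a driver")
    return result


def triage(data: bytes) -> dict:
    """Combine the hash (for VirusTotal) with the header classification."""
    report = classify_pe(data)
    report["sha256"] = sha256_hex(data)
    return report


def build_minimal_pe(subsystem: int, characteristics: int = 0x0102, pe32plus: bool = False) -> bytes:
    """Constructed test input: a header-only PE image with the given subsystem. Not a real binary."""
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header directly
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python triage.py C:\WINDOWS\system32\sysaudio.sys (or a copy of it)
        samples = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:
        # Constructed samples: driver-shaped, EXE-shaped, and a non-PE blob.
        samples = [("driver-shaped", build_minimal_pe(IMAGE_SUBSYSTEM_NATIVE)),
                   ("exe-shaped", build_minimal_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI)),
                   ("script-shaped", b"var x = 1;")]
    for label, blob in samples:
        r = triage(blob)
        print(f"{label:14} sha256={r['sha256']} pe={r['is_pe']} "
              f"subsystem={r['subsystem_name']} {r['reason']}")
```

The subsystem check is only one signal: a user-mode file dropped under a driver's name is a strong hint, but a file that does carry the native subsystem still needs the VirusTotal lookup (and a look at its digital signature) before you conclude anything. Hash the file before submitting it so you can match the report back to the exact copy you had.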


