Solved

Rootkit Agent found with Malwarebytes.  How do I remove it?

Posted on 2009-05-09
14
3,422 Views
Last Modified: 2013-11-22
Running the latest version of Malwarebytes, it found a file that it identified as a Rootkit.Agent.  It looked like it was successfully removed; however, upon reboot, it was still there.  It is c:/windows/temp/gnijhagv.dat.  When you try to delete the file by itself it gives an access denied error.  I have run several freeware programs against it, as well as Symantec anti-virus.  Can anyone help me get rid of it?  

Following is the malwarebytes log:
Malwarebytes' Anti-Malware 1.36
Database version: 2101
Windows 5.1.2600 Service Pack 3
5/9/2009 8:58:09 PM
mbam-log-2009-05-09 (20-58-09).txt
Scan type: Quick Scan
Objects scanned: 84960
Time elapsed: 6 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\gnijhagv.dat (Rootkit.Agent) -> Delete on reboot.
0
Question by:schowning

14 Comments

Author Comment

by:schowning
ID: 24346817
I have already tried this.  I ran it in safe mode and it looked like it was deleting, but it didn't.  I've also run Dial-a-fix, SmitfraudFix, CCleaner, and ComboFix.  Any other suggestions?
0
 

Expert Comment

by:kwakdoo
ID: 24346858
Have you tried safe mode command prompt or even creating a dos boot disk and browsing to that directory in dos and deleting the file that way?   Does it delete and then recreate itself?

 
0
 

Author Comment

by:schowning
ID: 24346875
I have tried deleting from a command prompt in safe mode.  I can't tell if it really deletes from Malwarebytes.  It looks like it does.  From the command prompt, it says "Access is denied".  I will try to create a dos boot disk and see what happens.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24346922
Use combofix and if it won't remove during its first run, we should be able to remove it using its script function, just show us the logfile.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
0
 

Author Comment

by:schowning
ID: 24347038
I ran combofix earlier and it couldn't find any problems.  I couldn't get it to run in safe mode so I ran it from a normal startup.  Attached are the log files.   Thanks for your help.
log.txt
0
 
LVL 4

Expert Comment

by:althakar
ID: 24347617
0
 

Author Comment

by:schowning
ID: 24348738
althakar,

Upon running unlocker, I get a message that says "the object could not be deleted.  Do you want to perform the requested command at next reboot?"  When I choose yes and reboot, the file is still there.
0
 
LVL 4

Expert Comment

by:althakar
ID: 24348830
So try after reboot. What about other software?
0
 

Author Comment

by:schowning
ID: 24348888
althakar,

I did reboot and the file is still there.  Actually I rebooted several times.  As stated above, I've also run Dial-a-fix, SmitfraudFix, CCleaner, and ComboFix.
0
 
LVL 4

Expert Comment

by:althakar
ID: 24349174
So then do a temporary install of XP in another partition and then remove it, if you don't want to format your C drive...

Or reinstall your PC.
0
 

Author Comment

by:schowning
ID: 24349246
Thanks, althakar.  But I'm trying to avoid a reinstall.  Perhaps someone else can offer a suggestion?
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24355686
Have you tried using FileAssassin from within Malwarebytes? Try to use that to delete the file. Just browse to where the file is and it will attempt to delete it.

Secondly, I am going to suggest that you scan with Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner . Let us know what you find in this scan. This virus scanner will not remove viruses but will let us know what is in there.
0
 
LVL 47

Accepted Solution

by:rpggamergirl (earned 500 total points)
ID: 24383813
Combofix should be able to delete those baddies.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::

Rootkit::
c:\windows\system32\drivers\csrvbt.sys
c:\windows\system32\drivers\zjxinobd.sys
c:\windows\system32\drivers\bocxug.sys

Driver::
zjxinobd
dahw

NetSvc::
ipbamkag
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
Please attach the result of the Combofix run.
0
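As an added example (not code from this thread, ComboFix or Malwarebytes), here is a PowerShell check a defender can run after the CFScript pass to confirm that the indicators named in the accepted answer are really gone. It assumes an elevated prompt and PowerShell 2.0 or later; every path and service name in it is taken from the script above, nothing else is assumed.

```powershell
# Added example: post-cleanup verification of the indicators quoted in the
# accepted answer. Run from an elevated PowerShell prompt on the affected machine.
# Assumes PowerShell 2.0+ (available on XP SP3). Paths and names are those from
# the thread's CFScript; no others are assumed.

$indicatorFiles = @(
    'C:\WINDOWS\Temp\gnijhagv.dat',
    'C:\WINDOWS\system32\drivers\csrvbt.sys',
    'C:\WINDOWS\system32\drivers\zjxinobd.sys',
    'C:\WINDOWS\system32\drivers\bocxug.sys'
)
$driverNames = @('zjxinobd', 'dahw')      # Driver:: section of the script
$netSvcNames = @('ipbamkag')              # NetSvc:: section of the script
$serviceNames = $driverNames + $netSvcNames

$report = @()

# 1. Files on disk. -Force also returns hidden/system files; a locked file that
#    still exists will show up here even though deletion fails.
foreach ($path in $indicatorFiles) {
    $row = New-Object PSObject -Property @{ Type = 'File'; Indicator = $path; Present = $false; Detail = '' }
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $row.Present = $true
        $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        $owner = if ($acl) { $acl.Owner } else { '(ACL unreadable)' }
        $row.Detail = "size=$($item.Length) attrs=$($item.Attributes) owner=$owner"
    }
    $report += $row
}

# 2. Service registry keys for both the driver and the netsvcs entries.
foreach ($name in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $row = New-Object PSObject -Property @{ Type = 'Service key'; Indicator = $name; Present = $false; Detail = '' }
    if (Test-Path -LiteralPath $key) {
        $row.Present = $true
        $props = Get-ItemProperty -LiteralPath $key
        $row.Detail = "ImagePath=$($props.ImagePath) Start=$($props.Start)"
    }
    $report += $row
}

# 3. The svchost 'netsvcs' group: the NetSvc:: entry hides a service inside a
#    shared svchost.exe, so check the group list as well as the service key.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = @((Get-ItemProperty -LiteralPath $svchostKey).netsvcs)
foreach ($name in $netSvcNames) {
    $report += New-Object PSObject -Property @{
        Type = 'netsvcs entry'; Indicator = $name; Present = ($netsvcs -contains $name); Detail = ''
    }
}

# 4. Drivers as the running kernel reports them (not just files on disk).
$allDrivers = Get-WmiObject Win32_SystemDriver
foreach ($name in $driverNames) {
    $d = $allDrivers | Where-Object { $_.Name -eq $name }
    $row = New-Object PSObject -Property @{ Type = 'Loaded driver'; Indicator = $name; Present = [bool]$d; Detail = '' }
    if ($d) { $row.Detail = "State=$($d.State) PathName=$($d.PathName)" }
    $report += $row
}

$report | Sort-Object Type, Indicator | Format-Table Type, Indicator, Present, Detail -AutoSize

$stillPresent = @($report | Where-Object { $_.Present })
if ($stillPresent.Count -eq 0) {
    Write-Host 'None of the thread indicators are visible from user mode.'
} else {
    Write-Host "$($stillPresent.Count) indicator(s) still present; attach this output with the ComboFix log."
}

# Caveat: a kernel-mode rootkit can hide files, registry keys and driver objects
# from every query above. A clean result is necessary, not sufficient; read it
# together with the scanner logs the thread asks for.
```

The four views deliberately overlap (file on disk, service key, netsvcs group, loaded driver object) because a rootkit that survives a "delete on reboot" typically does so by reloading from one of those places; a driver whose file is gone but whose service key remains, or vice versa, is exactly the partial-cleanup state the thread was stuck in.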
 

Author Closing Comment

by:schowning
ID: 31579862
Thanks!  This worked.
0