Solved

W32/Agent.BNEX!tr.rkit Removal

Posted on 2011-09-11
Last Modified: 2013-11-22
Struggling with this one.

Windows 7 HP Laptop

FortiClient AV detects W32/Agent.BNEX!tr.rkit at every startup. System runs very slowly and buggy, random apps crash, etc.

In Safe Mode I have installed and scanned with:

Malwarebytes
SUPERAntiSpyware
Scanning with GMER rootkit tool now

Unable to find a lot about this virus on the web.

The offending files are I think the ones in C:\Users\User\Appdata\Local\ and \Temp

Lots of files named oxxwgfhf and fiqhfqio etc, as well as some suspicious exe's.

I delete them but next normal reboot they return.
0
Question by:hongedit
3 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36518988
"In Safe Mode I have installed and scanned with"

These tools are NOT designed to run in safe mode. You NEED to be running them in a normal boot environment.
0
 
LVL 1

Author Comment

by:hongedit
ID: 36519028
Oops. I meant I downloaded and installed them in Safe mode, but scanned in normal.
0
 
LVL 38

Accepted Solution

by:
younghv earned 500 total points
ID: 36519227
The only reference I can find to that Trojan/Rootkit is fairly old (June 2011), so the current tools/scanners should work.

One of the keys to using Malwarebytes now is to run a rogue process stopper immediately prior to the scan. Details here:
Rogue-Killer-What-a-great-name

You might want to also run TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service, it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Please post the logs here as attachments for all three tools/scanners and we'll take a look at them for you.
0
