BleepingComputer.com: Unable to remove rootkit

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Unable to remove rootkit

#1 User is offline   hongman1 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 11-September 11

Posted 11 September 2011 - 10:03 AM

Hi all

Laptop is running W7HP. Apparently the user web onto some dodgy websites and now is infected with W32/Agent.BNEX!tr.rkit.

THe laptop is using FortiClient as AV.

The AV detection comes up every boot. I have found some files which reside in C:\Users\xxx\Local\ and also \Temp.

I also have a "uwnblgjk.exe" in the Startup menu, and associated startup reg keys that keep coming back. If I try to delete the exe I get the error:

The action can't be completed because the file us open in Host Process for Windows Services.

I have tried scanning with Malwarebytes, SuperAntiSpyware and ComboFix. All found some things which were removed, but are now coming up clean although the infection is still there.

Please help!

Attached File(s)

  • Attached File  DDS.txt (20.88K)
    Number of downloads: 4
  • Attached File  Attach.txt (12.31K)
    Number of downloads: 0

#2 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,053
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 September 2011 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

You may already have this tool. Run it and if asked to update please do so.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Post the log for my review.

#3 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,053
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 September 2011 - 09:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users