
Malwarebytes does not remove rootkit.agent



Hi All,

I got infected through my Java Runtime Environment with a rootkit. Malwarebytes found a rootkit called rootkit.agent with the following file:

c:\windows\system32\drivers\tzjia.sys

After completing, Malwarebytes states that the file will be deleted after reboot, which unfortunately does not happen. After searching around I used ComboFix to do a scan. Here is the log:

ComboFix 10-05-07.07 - verszuz 05/08/2010 22:58:00.1.2 - x86

Microsoft


Hi olibaron And Welcome to Malwarebytes!

You really should not run ComboFix on your own:

http://www.bleepingcomputer.com/forums/topic273628.html

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right-click DeFogger and choose Run as Administrator, or double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If it does not, reboot your PC yourself

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type "ark.txt".
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

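The steps above amount to a cross-check between what the Win32 file and service views show and what a kernel-level scanner sees. The following PowerShell script is an added example, not part of this thread or of the Malwarebytes/GMER tooling: it collects the same facts a helper would want about a suspicious driver before deciding on removal. It assumes the driver base name "tzjia" from the post (passed as a parameter), an elevated PowerShell session on the infected machine, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added triage example (not from the forum thread). Assumes the driver base
# name from the post; run elevated so the Services key and driver file are readable.
param([string]$DriverName = 'tzjia')

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$file      = Join-Path $driverDir "$DriverName.sys"
$svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"

Write-Host "== File on disk (Win32 view) =="
if (Test-Path -LiteralPath $file) {
    $fi = Get-Item -LiteralPath $file -Force
    Write-Host ("present: {0}  size={1}  mtime(UTC)={2}" -f $fi.FullName, $fi.Length, $fi.LastWriteTimeUtc)
    # Legitimate Windows drivers carry a valid Authenticode signature; an unsigned
    # or invalid one is a strong (not conclusive) indicator for a random-named .sys.
    $sig = Get-AuthenticodeSignature -FilePath $file
    Write-Host ("signature: {0}  signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    Write-Host ("sha256: {0}" -f (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash)
} else {
    # A running rootkit can hide its own file from Win32 calls, so "absent" here
    # only means "not visible"; GMER's cross-view scan is the authoritative check.
    Write-Host "not visible via Win32 (absent, or hidden by a running rootkit)"
}

Write-Host "== Service registration (how the driver gets loaded) =="
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    # Start: 0=boot, 1=system, 2=auto, 3=demand, 4=disabled. Type: 1=kernel driver, 2=file system driver.
    Write-Host ("ImagePath={0}  Start={1}  Type={2}" -f $svc.ImagePath, $svc.Start, $svc.Type)
} else {
    Write-Host "no service key under CurrentControlSet\Services"
}

Write-Host "== Currently loaded? =="
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -eq $DriverName -or $_.PathName -like "*\$DriverName.sys" }
if ($loaded) {
    $loaded | Select-Object Name, State, StartMode, PathName | Format-List | Out-String | Write-Host
} else {
    Write-Host "not in the running driver list"
}

Write-Host "== Delete-on-reboot queue (the mechanism behind 'will be deleted after reboot') =="
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    # REG_MULTI_SZ entries come in pairs: source path, then destination (empty = delete).
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        if ($pending[$i] -like "*\$DriverName.sys") {
            $dst = if ($pending[$i + 1]) { $pending[$i + 1] } else { '<delete>' }
            Write-Host ("queued: {0} -> {1}" -f $pending[$i], $dst)
        }
    }
} else {
    Write-Host "no PendingFileRenameOperations value set"
}
```

Two readings of the output matter in a case like this one. If the file is invisible in the first section but the service key and the loaded-driver list still reference it, the driver is almost certainly active and hiding itself, which is exactly the situation the helper's GMER step is designed to expose. And if the Services key shows Start=0 (boot-start), the OS loader maps the driver before Session Manager processes PendingFileRenameOperations, so the queued delete finds the image already in use; that is one reason a scanner's "deleted after reboot" promise can fail silently and the file keeps coming back until the service entry is removed as well.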

Hi Kenny,

I already started with GMER and got the result that tzjia.sys was encountered. After this I ran ComboFix, which actually quarantined the registry values and the file itself.

After this I deleted the tzjia.sys file.

I ran ComboFix again after reboot to see if anything was found. Afterwards I ran another rootkit detector, Avenger2, and it came up clean. So right now everything is clean. I also ran CCleaner, ATF-Cleaner and Auslogics Registry Cleaner to make sure everything was running OK.

Afterwards I ran Malwarebytes one more time with a full system scan and it came up clean.

No more blue screens until now. That is a couple of hours running multiple programs. Let's keep my fingers crossed, I really do not want to do a reinstall right now.

Chrz
