
Thread: Problem with Rootkit.Win32.Agent.go

  1. #1
    fyigmo Guest

    Problem with Rootkit.Win32.Agent.go

    My computer is infected with Rootkit.Win32.Agent.go, which my ZA Security Suite 7 has detected on two successive reboots. The files found to be infected on those reboots were winik.sys for the first incident, and mchlnjDrv.sys on the second. Both files were located in the directory C:\Windows\System32\Drivers. After I had been infected the first time I ran (in Safe Mode) my ZA antivirus/antispyware, SpySweeper, SpyDoctor, and Blacklight Defender, all of which found nothing. Upon reboot my ZA found the malware a second time, which leads me to believe my computer is infected and that ZA has not permanently deleted it. Can anyone tell me how to delete this malware permanently? Thanks

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    navel_gazer Guest

    Re: Problem with Rootkit.Win32.Agent.go


    fyigmo wrote:
    > My computer is infected with Rootkit.Win32.Agent.go, which my ZA Security Suite 7 has detected on two successive reboots. The files found to be infected on those reboots were winik.sys for the first incident, and mchlnjDrv.sys on the second. Both files were located in the directory C:\Windows\System32\Drivers. After I had been infected the first time I ran (in Safe Mode) my ZA antivirus/antispyware, SpySweeper, SpyDoctor, and Blacklight Defender, all of which found nothing. Upon reboot my ZA found the malware a second time, which leads me to believe my computer is infected and that ZA has not permanently deleted it. Can anyone tell me how to delete this malware permanently? Thanks
    >
    > Operating System: Windows XP Pro
    > Software Version: 7.0
    > Product Name: ZoneAlarm Internet Security Suite


    Ditto. After running my ZASS 7 AV three times in the last 16 hours, I found the same thing--Rootkit.Win32.Agent.go. For now, it's quarantined, but I wanted to find out what exactly it did. When I first Googled it this morning, there wasn't any info available, but now I've found a discussion on a Kaspersky forum that might be helpful to you:

    QUOTE(p2u @ 9.07.2007 01:58)
    OK. I didn't realize that kev was on Vista. So I started digging deeper, and here's what I have:
    MchInjDrv.sys is part of 3rd party API hooking software development kit call madCodeHook from a guy called Mathias Rauen. Here's his address:
    http://www.madshi.net/
    It is used by both rootkits and security software from companies that don't know how to write their own device drivers or don't have time to do that. It can be used for good or evil depending on the dll being injected into other software. This detection points to a "suspicious" system wide hook, but it's not necessarily malware. I would be surprised if it was, actually. As I said before, **bleep** uses it.

    Paul

    Here's the link:
    http://forum.kaspersky.com/index.php?showtopic=42886

    If the above info is accurate, I wonder if it might not have been used by System Mechanic 7, too. Last night, right before my first AV scan of the day, SM7 had 2 "important updates", which I downloaded and installed. Until then, my machine was fine.

    Anyway, good luck and if you find out any more, perhaps you can share it here :-)

    Lolly, aka navel_gazer
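    A triage check for the situation described in this thread (a driver in System32\Drivers flagged as a rootkit that may instead belong to a legitimate hooking SDK shipped with an installed product). This is an added example, not code from the thread or from any of the vendors mentioned; it assumes PowerShell 4 or later, and the driver names are the ones the thread reports.

```powershell
# Added example (not from the thread): collect the evidence needed to decide
# whether a flagged driver is malware or a false positive. Assumes PowerShell 4+.
param(
    [string[]]$DriverNames = @('winik.sys', 'MchInjDrv.sys'),   # names reported in the thread
    [string]$DriverDir = "$env:SystemRoot\System32\Drivers"
)

function Get-DriverOwnerEvidence {
    param([string]$Name, [string]$Dir)
    $path = Join-Path $Dir $Name
    $evidence = [ordered]@{ File = $path; Present = (Test-Path $path) }
    if ($evidence.Present) {
        $item = Get-Item $path
        $sig  = Get-AuthenticodeSignature $path
        $evidence.SHA256    = (Get-FileHash $path -Algorithm SHA256).Hash   # hash to report to the vendor
        $evidence.Company   = $item.VersionInfo.CompanyName                  # e.g. the SDK author or product vendor
        $evidence.Product   = $item.VersionInfo.ProductName
        $evidence.Signature = $sig.Status                                    # Valid / NotSigned / HashMismatch ...
        $evidence.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $evidence.Modified  = $item.LastWriteTime                            # compare with the product update time
    }
    # Which kernel service loads this file? A driver that is re-created on every boot
    # by an installed product will have a service entry naming that product; one that
    # reappears with no visible owner deserves a closer look.
    $evidence.Services = @(
        Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ImagePath -and ($_.ImagePath -like "*$Name*") } |
        ForEach-Object { $_.PSChildName }
    )
    [pscustomobject]$evidence
}

foreach ($n in $DriverNames) {
    Get-DriverOwnerEvidence -Name $n -Dir $DriverDir | Format-List
}
```

    A driver that hides its file or service from user mode will also hide from this check, so an empty result only means nothing was visible from a normal session. The company, signer and owning-service fields are what let you tie the file to an installed product before submitting it as a false positive or removing it.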

  3. #3
    fyigmo Guest

    Re: Problem with Rootkit.Win32.Agent.go

    Thanks, Paul, for your response. I'll definitely check out the URL you provided. Also, just wanted to add that my brain slipped a cog earlier today and immediately after my post I dumped Windows Restore and performed a wipe of the free space and file slacks on my hard drive. So far (two reboots) the malware has not reappeared. I'll let you know if I find out anything more and if my system stays clean. Thanks again. fyigmo

  4. #4
    SlyFox

    Re: Problem with Rootkit.Win32.Agent.go

    Hi,

    Welcome to the forum!

    Anytime I have doubt about a rootkit on my computer, I use the following tool, which will find it if you have a rootkit installed and, if you do, will try to remove it for you. If you are interested, here is the info on it.

    Sophos offers free rootkit detection and removal tool

    http://www.sophos.com/pressoffice/ne...i-rootkit.html

    PLEASE keep me posted on your results, THANKS.

    SlyFox
    "Politeness costs nothing and gains everything".


  5. #5
    SlyFox

    Re: Problem with Rootkit.Win32.Agent.go

    Hi,

    If nothing shows up on any of your rootkit scans, I suggest you contact the following site to make sure it is not a false positive. Please report any false positive here:
    http://www.zonelabs.com/store/conten...are_report.jsp

    PLEASE keep all of us posted on your results, THANKS.

    SlyFox
    "Politeness costs nothing and gains everything".
