Can't delete Rootkit.Agent file jccnwb.sys

Hewlett-packard / Df253a-aba a250n
December 18, 2009 at 19:41:24
Specs: Microsoft Windows XP Professional, 2.6 GHz / 511 MB
My computer is running very slow, and I keep getting pop-ups when I open IE. A window opens up from I have run Malwarebytes' Anti-Malware and have gotten rid of everything except one file...

Rootkit.Agent C:\WINDOWS\system32\drivers\jccnwb.sys

I have tried to delete the file and a pop-up stated, "cannot delete jccnwb: cannot read from the source file or disk".

I tried to delete it from the command prompt, but I'm kinda confused with the command prompt, especially since when I open the command prompt it shows "C:\Documents and Settings\joe>" when I know that the problem file is NOT in Documents and Settings. Anyway, I have little knowledge of how to control the command prompt. I did try a million different "del" commands that I saw online, but none worked, until it said, "A device attached to the system is not functioning."

I tried to start my computer in Safe Mode and it did not allow me. The black screen came up, I pressed the up arrow to highlight and then select "Safe Mode", and it said that something had changed, perhaps because of something new installed. I haven't installed anything new. I also tried the other 2 Safe Mode options with no luck.

I also tried to find a system restore point. Unfortunately my computer mysteriously had NO restore points before this. (For the record, every time I've tried to use system restore in the past, it's done the same thing. I create a point and have it set to do them every so often, only to find that when I need a restore point, they are all gone.)

I'm not too knowledgeable with regedit, but I was wondering if I should just delete everything that has jccnwb in it?

The only thing that I can think is that I downloaded a song and maybe it was attached to it.

I have also run Spybot - Search and Destroy with no luck.

Thanks in advance for your help.


December 19, 2009 at 08:22:47
My personal feeling is if you have a rootkit that infected your computer, backup your data, format, and reinstall.



December 19, 2009 at 16:56:13
I got the same problem days ago and have worked on this virus for 4 days. So far no luck.

At the beginning, my PC got the Internet Security 2010 virus. I deleted some new files in my system and ran XP repair, then ran Spybot S&D and Malwarebytes' Anti-Malware, which showed rootkit.agent.ex with file c:\windows\system32\drivers\nxhhkfas.sys and key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nxhhkfas. I tried to delete this file from Windows Explorer and got the error: cannot read from source file or disk. When I tried to delete it from DOS, it showed the message: A device attached to the system is not functioning. I tried to delete the key from the registry and that failed, too.

One thing I found: when starting up with Safe Mode, the file nxhhkfas.sys is loaded with other sys files. Also Date Modified for this file is always current.

Now my PC seems to be working fine. But when checking network traffic, it's pretty high. I think a virus is issuing port scan attacks from my PC.

To remove this virus, is reinstalling XP the only option?

Thanks for any input


December 19, 2009 at 17:01:44
jim567, I think we could help but you need to start a new thread of your own.

Just post what you stated in this thread.


December 19, 2009 at 17:05:28
There may be another file or two that also need to be removed.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.


1. Double click on RSIT.exe to launch the program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.


1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

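A defender-side triage of the pattern the posters report (a randomly named .sys driver under system32\drivers with a matching Services key, a file that cannot be read, and a Date Modified that is always current), written as an added example for this thread rather than code from any poster or from RSIT/GMER. The sample records, the scan time and the 6-10-letter name cut-off are constructed assumptions.

```python
# Triage heuristic for the pattern this thread describes: a .sys file with a
# random-looking name under system32\drivers, a matching Services key, a file
# that cannot be read, and a 'Date Modified' that is always current.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RANDOM_NAME = re.compile(r"^[a-z]{6,10}$")  # lowercase only, like jccnwb / nxhhkfas (assumed cut-off)

@dataclass
class DriverService:
    name: str           # key under HKLM\SYSTEM\CurrentControlSet\Services
    image_path: str     # ImagePath value
    display_name: str   # DisplayName value, "" if absent
    modified: datetime  # file 'Date Modified'
    readable: bool      # could the file be opened for reading?

def vowel_ratio(name: str) -> float:
    return sum(c in "aeiou" for c in name) / max(len(name), 1)

def score(svc: DriverService, now: datetime) -> int:
    """Count independent indicators. No single one is conclusive: mrxsmb.sys
    has no vowels yet is a legitimate Windows driver, so it scores low."""
    s = 0
    if RANDOM_NAME.match(svc.name) and vowel_ratio(svc.name) < 0.2:
        s += 1  # random-looking name
    if "\\system32\\drivers\\" in svc.image_path.lower() and not svc.display_name:
        s += 1  # driver with no DisplayName
    if now - svc.modified < timedelta(hours=1):
        s += 1  # 'Date Modified is always current'
    if not svc.readable:
        s += 1  # 'cannot read from the source file or disk'
    return s

def triage(services, now, threshold=3):
    """Names with at least `threshold` indicators, highest score first."""
    scored = sorted(((score(s, now), s.name) for s in services), reverse=True)
    return [name for sc, name in scored if sc >= threshold]

NOW = datetime(2009, 12, 19, 17, 5)  # constructed scan time
DRV = r"C:\WINDOWS\system32\drivers"
SAMPLE = [  # constructed records, not output of any tool
    DriverService("jccnwb", DRV + r"\jccnwb.sys", "", NOW - timedelta(minutes=2), False),
    DriverService("nxhhkfas", DRV + r"\nxhhkfas.sys", "", NOW, False),
    DriverService("mrxsmb", DRV + r"\mrxsmb.sys", "MRXSMB", datetime(2008, 4, 14), True),
    DriverService("atapi", DRV + r"\atapi.sys", "Standard IDE/ESDI Hard Disk Controller",
                  datetime(2008, 4, 14), True),
]
```

On a real machine the records would be filled from the Services key and the drivers folder; the score only ranks what to look at first in the RSIT and GMER logs, not what to delete.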

December 21, 2009 at 17:37:27

Sorry for the delayed reply. The PC affected is my work desktop. When I went to the office today, the first thing I did was download Gmer.exe and run it. Unfortunately, it was a painful experience. I followed the instructions to run it. It froze after running for 2 hours. I had to repair the system with the original XP CD to get the system started up. When I ran it again, I didn't see it finish after 5 hours. When I tried to stop the scan by clicking the Cancel button, the result window was gone. Now I have decided to back up my files and reinstall a fresh XP.

Of course, it did show a lot of registry entries and files related to the virus file nxhhkfas.sys. I think reinstalling the system may be the best option to remove this kind of virus.

Thanks again for your reply.


December 21, 2009 at 17:48:59
Just because GMER gave you #$@&%$#@, it does not mean we can't find and remove it. GMER has been blue screening lately. A format is extreme. If any program runs over 30 minutes without someone telling you it will take that length of time, abort it; there is a problem.

Post the RSIT log if you wish to continue.


December 21, 2009 at 20:22:48
Right now I have been following instructions from another forum to fix my comp and they are working (I hope). I'll forward the link to the fix when I have my stuff all cleared up. Thanks


December 21, 2009 at 20:48:16
Thanks for the follow up.


December 29, 2009 at 07:26:04
Someone helped me here

Follow this link to see how I was able to fix my computer. There are many links to software to help remove and prevent viruses and other computer problems.


December 29, 2009 at 09:34:03
Download ComboFix.


December 29, 2009 at 21:21:57
I use Avenger for rootkits. Most of the rootkits I've dealt with are disabled by Avenger.


January 8, 2010 at 01:35:02

F this Site--->
I found a load of crap here
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5

I went to delete it and I couldn't delete some of it, like index.dat that's 3.06 MB (3,211,264 bytes).
So I looked inside and, to my surprise,
all sorts of URLs that I never used and never will.
Here's one of the sites:

So I figured I would delete all the info inside the index.dat and then save it, but it wouldn't let me save it; it said some program was using it... SoOoOooOOOo

Reboot to Safe Mode, del everything in that dir, then reboot normal, and NO MORE POPUPS!!!!! YEA! Hope this helps someone else...


March 15, 2010 at 16:56:10
Hi All,
Firstly, I had the same problem and after 4 days had to kick myself, as the answer was right in front of me the whole time.
Firstly, here is what happened.
An Internet Explorer weakness allowed a piece of malware to penetrate my main system via an ad on the Pirate Bay web site. This malware then proceeded (over about 30 seconds) to install hacktool.rootkit (an oldie but a goodie) on the system. At this point the hacktool.rootkit did a bunch of nasty things such as (in no particular order):
1: creating a new administrator account
2: downgrading the existing admin access (ie: mine)
3: disabling Task Manager
4: removing access to System Restore
5: disabling the antivirus scanner
6: launching "windows defender" (a pretend antivirus program); this later morphed into "windows guardian" (another pretender)
7: disabling the firewall and Windows Security Center.
At this point I realised that something was seriously wrong, so I did the smart thing and disconnected the machine from the network.
Now at this point, rather than bore you with all the detail, let me just sum up the rest...
After 3 days of cocking around with every malware and antivirus ware known to man, I finally reduced the malware down to the root infection. No virus/malware removal program was capable of going any further and my system was still compromised.
Some of the many programs used were:
- Kaspersky (Russian crap virus scanner)
- Norton v10 corporate (Symantec)
- McAfee (totally useless)
- Malwarebytes (effective but only up to a point)
- Avenger (very effective but could not get rid of the last bit)
- Prevx (found all the pieces but needs the paid version for it to possibly work, so I did not bother); frankly, I found it suspicious that when I installed this program the virus seemed to morph.
- Unlocker (to try to delete the file)
- windows malware remover (totally useless and very slow)
- UnHackMe (really good)
and a few others to boot.
I also tried all the other methods listed on this and other forums.

All to no avail.
At this point it is worth noting that the computer had been turned into a spam mail server. I did a quick netstat -a in DOS and guess what? SMTP outbound connections everywhere. It also tried to update itself to prevent virus scanners from catching it. It seems to like the ports from 900 to 1100, so I blocked the lot on the hardware firewall in the router and that slowed it down a lot.
I then proceeded to scratch my head. All the forums were saying that once you get a rootkit you are probably up the creek and you should just format the hard drive and reinstall.
And now for the solution that was staring me in the face the whole time... Dooooh.
Simply boot from the Windows CD and install a new copy of the OS (do not format) in a directory windows1 on the primary partition, then install Norton 2010, Avenger, Malwarebytes and UnHackMe and go to work. Guess what? After 4 hours of scanning the bugger is gone.
Then use the second copy of Windows to copy new versions of any system files damaged by the virus into c:\windows, and presto, you can then reboot the old Windows and start to fix things.
Once the original Windows is fixed you can go back to the new Windows to run an independent check and then remove it if you want.

Hope that helps.
Oh, and BTW, the guys at Symantec are kidding themselves if they think their removal instructions even barely work. And frankly, what a bunch of newbs anyway, as their top-end real-time protection was knocked out minute one with this software.
Moral of the story is: never delay Windows updates by even a day.
