Can't remove Rootkit.Agent


Re: Can't remove Rootkit.Agent (page 3)
Just ran ComboFix again, then tried clicking on Explorer, and this is what the message says when I click on it:

c:\windows\explorer.exe
Illegal operation on a registry key that has been marked for deletion


I haven't re-booted the laptop yet - I realised I was being stupid 😉 - I could just save the log straight onto the flash disk by using the 'Save As' option in Notepad when the log pops up at the end of the ComboFix scan.

Anyway, here's the log:

COMBOFIX LOG - WITH COMMANDS
=========================

ComboFix 10-10-28.09 - Bob 30/10/2010 20:18:07.6.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.2079 [GMT 1:00]
Running from: c:\users\Bob\Desktop\commy.exe
Command switches used :: c:\users\Bob\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\ozuxjeg.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ozuxjeg.sys

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
.

2010-10-30 19:21 . 2010-10-30 19:23 -------- d-----w- c:\users\Bob\AppData\Local\temp
2010-10-30 19:21 . 2010-10-30 19:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-30 19:16 . 2010-10-30 19:17 -------- d-----w- C:\32788R22FWJFW
2010-10-29 21:44 . 2010-10-29 21:44 -------- d-----w- C:\Device
2010-10-29 19:18 . 2010-10-30 09:57 -------- d-----w- C:\commy
2010-10-29 18:10 . 2010-10-29 18:10 -------- d-----w- C:\_OTL
2010-10-29 12:13 . 2006-11-01 12:06 162616 ----a-w- C:\RegDelNull.exe
2010-10-14 13:42 . 2010-10-14 13:42 -------- d-----w- c:\windows\Sun
2010-10-14 13:26 . 2010-10-14 13:26 -------- d-----w- c:\users\Bob\AppData\Roaming\PCF-VLC
2010-10-14 13:23 . 2010-10-14 13:23 -------- d-----w- c:\program files\GetMiro Toolbar
2010-10-14 13:23 . 2010-10-14 13:23 -------- d-----w- c:\users\Bob\AppData\Roaming\Participatory Culture Foundation
2010-10-14 13:22 . 2010-10-14 13:22 -------- d-----w- c:\program files\Participatory Culture Foundation
2010-10-13 21:26 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-10-13 21:26 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2010-10-13 21:20 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-13 21:20 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2010-10-11 19:07 . 2010-10-11 19:07 -------- d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
2010-10-11 19:05 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 19:05 . 2010-10-11 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-11 19:05 . 2010-10-11 19:05 -------- d-----w- c:\programdata\Malwarebytes
2010-10-11 19:05 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 05:32 . 2010-09-15 19:11 316928 ----a-w- c:\windows\system32\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-09-27 11:32 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 14:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\program files\TTG\Reminder\Reminder.exe" [2009-08-26 3599360]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-19 321328]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-24 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-24 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-26 7723552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-25 1537320]
"MDS_Menu"="c:\program files\CyberLink\MediaShowEspresso\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"YouCam Mirror Tray icon"="c:\program files\CyberLink\YouCam\YouCamTray.exe" [2009-07-31 162912]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Launch.lnk - c:\windows\Installer\{4A65DAD2-E914-4923-9C2A-81B968A68CE2}\_A685CC3126A7CC37D335DE.exe [2009-9-3 17542]
OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_CCB0CAEC2D875359E0C287.exe [2009-9-1 3262]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-10 135664]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-09-27 431432]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-06-04 166912]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-24 1343400]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2010-10-03 59240]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 RapportCerberus_19917;RapportCerberus_19917;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [2010-10-03 34792]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-10-03 169320]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 LiveGpdKBFilter;LiveGpdKBFilter; [x]
S2 LiveIO;LiveIO; [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-10-03 767208]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 122368]
S3 Livekbc;Livekbc; [x]
S3 Livemouclass;Livemouclass; [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]

.
Contents of the 'Scheduled Tasks' folder

2010-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-10 18:45]

2010-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-10 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mirostart.com/?cfg=2-365-0-22iJZ
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\ul2yvn84.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mirostart.com/?cfg=2-365-0-22iJZ
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\ul2yvn84.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\ul2yvn84.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3448)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-10-30 20:26:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-30 19:26
ComboFix2.txt 2010-10-30 18:56
ComboFix3.txt 2010-10-30 17:09
ComboFix4.txt 2010-10-30 16:37
ComboFix5.txt 2010-10-30 19:16

Pre-Run: 9,689,567,232 bytes free
Post-Run: 9,597,771,776 bytes free

- - End Of File - - 36387CC98009CEAF4F830F0CF5F9A428
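The log above is what a helper actually reads: the FILE :: directive and Other Deletions say what the CFScript removed, the Reg Loading Points and service list are the persistence to check, and the Supplementary Scan carries the browser hijacks (the mirostart.com start page and the conduit.com search URL). As an added example, not part of the original post and not ComboFix's own code, the Python below parses those sections into a short triage list. The line formats are inferred from this log alone, SAMPLE_LOG is an excerpt of it trimmed to a few representative lines, and the reading that a trailing `[x]` after a service path means ComboFix found no binary on disk is an assumption drawn from the entries shown (LiveIO, Livekbc, RtsUIR).

```python
"""Triage a ComboFix log: the loading points a responder checks first.
Added example for this thread, not ComboFix's code; line formats are inferred
from the log pasted above and SAMPLE_LOG is an excerpt of it."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
FILE ::
"c:\windows\system32\drivers\ozuxjeg.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\ozuxjeg.sys
.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
.
2010-10-29 12:13 . 2006-11-01 12:06 162616 ----a-w- C:\RegDelNull.exe
2010-10-11 19:05 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-19 321328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2010-10-03 59240]
S2 LiveIO;LiveIO; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mirostart.com/?cfg=2-365-0-22iJZ
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: network.proxy.type - 4
"""

SECTION_RE = re.compile(r"^\(+ (.+?) \)+$")                        # ((( Section name )))
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                     # [HKEY_...\Run]
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.+?)(?: \[([^\]]+)\])?$')    # "name"=data [date size]
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*?) \[(x|[^\]]+)\]$")  # S0 name;display;path [meta]
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \S+ \S+ (\d+|-+) (\S+) (.+)$")


@dataclass
class Triage:
    deleted: list = field(default_factory=list)            # paths the CFScript removed
    orphaned_services: list = field(default_factory=list)  # (start type, name) with binary reported [x]
    new_drivers: list = field(default_factory=list)        # *.sys created inside the report window
    reg_values: list = field(default_factory=list)         # (key, value name, data) under Reg Loading Points
    browser: list = field(default_factory=list)            # start page / search / proxy lines


def triage(log: str) -> Triage:
    t, section, reg_key = Triage(), None, None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, reg_key = m.group(1), None
            continue
        if line == "FILE ::":
            section = "FILE"
            continue
        if line.startswith("------- Supplementary Scan"):
            section = "Supplementary"
            continue
        if section in ("FILE", "Other Deletions"):
            path = line.strip('"')
            if path.lower() not in (p.lower() for p in t.deleted):  # NTFS paths compare case-insensitively
                t.deleted.append(path)
        elif section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m and m.group(3).lower().endswith(".sys"):
                t.new_drivers.append(m.group(3))
        elif section == "Reg Loading Points":
            if m := REG_KEY_RE.match(line):
                reg_key = m.group(1)
            elif m := SERVICE_RE.match(line):
                start, name, _display, _path, meta = m.groups()
                if meta == "x":  # assumption: [x] means ComboFix found no binary at the service's path
                    t.orphaned_services.append((start, name))
            elif (m := REG_VALUE_RE.match(line)) and reg_key:
                t.reg_values.append((reg_key, m.group(1), m.group(2).strip().strip('"')))
        elif section == "Supplementary":
            if "hxxp://" in line or "network.proxy" in line:  # ComboFix defangs http as hxxp
                t.browser.append(line)
    return t


if __name__ == "__main__":
    for name, items in vars(triage(SAMPLE_LOG)).items():
        print(name, *items, sep="\n  ")
```

Run it as a script to print the buckets, or hand `triage()` the contents of a full ComboFix log. Values that are not file paths (the UAC ConsentPromptBehavior policy values, for instance) still come through in `reg_values` because ComboFix lists them under Reg Loading Points; deciding which of them matter is the reader's job, not the parser's.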

Re: Can't remove Rootkit.Agent
Hi,

Please run a free online scan with ESET Online Scanner: download it from 'here' and save it to your Desktop.

  • Please ensure that you're logged into an Administrator account before running the scanner. The ESET Online Scanner will not work if you're on a limited account.
  • Double-click esetsmartinstaller_enu.exe to execute the program.
  • Check the box next to 'YES, I accept the Terms of Use'. Press 'Start'.
  • If this is your first time installing the scanner, allow the ActiveX Control to install.
  • Database download may take some time.
  • On the next page, ensure the box next to 'Remove found threats' has been checked. Also ensure that the box next to 'Scan unwanted applications' is checked. Proceed by clicking on 'Start'.
    • The ESET Online Scanner will update the Virus Signature Database and begin the scan.
    • Please allow it to complete successfully and ensure that any current downloads are stopped.

  • Once the scan's completed, please open 'Notepad' by navigating to 'Start', then 'Run', and type in 'Notepad'. Open the file located at 'C:\Program Files\ESET\ESET Online Scanner\log.txt'.
  • Please Copy & Paste this log into your next reply.
  • Press 'Finish'.

Re: Can't remove Rootkit.Agent
Hello,

ESET Online Scan Results
===================


ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0624e9108b96614fa3af085c114b645d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-30 09:07:28
# local_time=2010-10-30 10:07:28 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=1024 16777215 100 0 16803393 16803393 0 0
# compatibility_mode=5893 16776574 100 94 16344661 40937328 0 0
# compatibility_mode=8192 67108863 100 0 684 684 0 0
# scanned=91892
# found=42
# cleaned=41
# scan_time=1912
C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir Win32/Bamital.EL trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\wininit.exe.vir Win32/Bamital.EL trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\ozuxjeg.sys.vir a variant of Win32/Bubnix.BB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\74U3GEQ2\ping[1] Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\74U3GEQ2\p[1] Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\79KXXOIB\bl[1].gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\79KXXOIB\bl[2].gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\79KXXOIB\ww[1].homepage-tlbrf Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RO8IUUNR\GetCfg[1] Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RO8IUUNR\wotd[1].xml Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UKG4Q5FB\wp[1] Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Data\default\us_sres.data Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\ab_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\bmfav_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\bmfol_1_s0.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\bmpref_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\bmrc_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\bmsearch_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\del_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\dir.bmp Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\discmore_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\edu.bmp Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\flk2.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\hj_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\loc_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\mov_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_ans_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_aud_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_img_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_loc_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_map_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_nws_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_sh_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_site_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_stk_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\srch_vid_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\trav_1.gif Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Yahoo! Companion\Icons\e\ybang_200908276_h.png Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\Downloads\Iron Man 2 2010 DVDrip XviD-ORC\Iron.Man.2.2010 DVDrip XviD-ORC.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Bob\Downloads\Juno Soundtrack\18-Vampire.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
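ESET's log reports `found=42` and `cleaned=41`, and the entry lines say which one was left: the downloaded AVI flagged as WMA/TrojanDownloader.GetCodec.gen and marked `unable to clean`. The `C:\Qoobox\...` hits are ComboFix's own quarantine copies of explorer.exe, wininit.exe and ozuxjeg.sys, already off the live system, which is also the confirmation that the original explorer.exe was a patched Bamital binary. As an added example, not part of the original post and not ESET's code, the Python below parses this log format, reconciles the counters with the entry lines, and sorts hits by where they live so the still-present ones stand out. The entry layout (path, threat name, action in parentheses, hash, status letter) is inferred from the lines above; that a trailing `C` marks a cleaned entry and anything else one still in place is an assumption from this log; SAMPLE_LOG is a constructed excerpt of six of its entries with the found/cleaned headers rewritten to match.

```python
"""Parse an ESET Online Scanner log.txt and list what it did NOT neutralise.
Added example for this thread, not ESET's code; the entry layout is inferred
from the log posted above and SAMPLE_LOG is a constructed excerpt of it with
found/cleaned rewritten to match the six entries kept."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# unwanted_checked=true
# scanned=91892
# found=6
# cleaned=5
C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir Win32/Bamital.EL trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\ozuxjeg.sys.vir a variant of Win32/Bubnix.BB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\74U3GEQ2\ping[1] Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Bob\Downloads\Iron Man 2 2010 DVDrip XviD-ORC\Iron.Man.2.2010 DVDrip XviD-ORC.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Bob\Downloads\Juno Soundtrack\18-Vampire.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^# ([A-Za-z_]+)=(.*)$")
# Paths contain spaces, so the path is matched lazily and the threat name is anchored on its
# Family/Name shape ("a variant of" prefix optional) followed by the type word and "(action)".
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ [a-z]+) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]+) (?P<flag>[A-Z])$"
)


@dataclass
class Entry:
    path: str
    threat: str
    action: str
    flag: str  # status letter at the end of the line; "C" is the only value seen on cleaned entries

    def neutralised(self) -> bool:
        # Assumption: anything not flagged C, or whose action says "unable", is still live.
        return self.flag == "C" and "unable" not in self.action

    def location(self) -> str:
        """Where the hit sits, which is most of what decides how much it matters."""
        p = self.path.lower()
        if "\\quarantine\\" in p:
            return "quarantine"     # already isolated by another tool (ComboFix's Qoobox here)
        if "temporary internet files" in p:
            return "browser-cache"  # cached web content, not something that ran from there
        if "\\downloads\\" in p:
            return "downloads"      # user-fetched file; the live risk if still present
        return "other"


def parse_log(text: str):
    headers, entries, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)  # repeated keys (compatibility_mode) keep the last value
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["path"], m["threat"], m["action"], m["flag"]))
        else:
            unparsed.append(line)             # e.g. the installer's download-log lines
    return headers, entries, unparsed


def not_neutralised(entries):
    return [e for e in entries if not e.neutralised()]


def reconcile(headers, entries):
    """Check the found/cleaned counters in the header against what the entry lines say."""
    cleaned = sum(1 for e in entries if e.neutralised())
    return {
        "found_ok": int(headers.get("found", -1)) == len(entries),
        "cleaned_ok": int(headers.get("cleaned", -1)) == cleaned,
    }


def by_location(entries):
    out = {}
    for e in entries:
        out.setdefault(e.location(), []).append(e.path)
    return out


if __name__ == "__main__":
    hdr, ents, _ = parse_log(SAMPLE_LOG)
    print(reconcile(hdr, ents))
    for e in not_neutralised(ents):
        print("still present:", e.path, "|", e.threat, "|", e.action)
```

A mismatch from `reconcile()` is the thing to chase first: it means the scanner's own count and its entry lines disagree, usually because a line did not parse (check `unparsed`) or because a hit was reported but not acted on. On the log above the two agree, and the only entry left behind is the AVI in Downloads.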

Re: Can't remove Rootkit.Agent
Hi,

How is your computer running now?

Re: Can't remove Rootkit.Agent
Hiya,

It seems to be OK.

I've just updated the Malwarebytes Anti-Malware database and the AVG database and I'm running scans.
I'll get back to you when the scans have completed.

Many thanks for your help so far.

Re: Can't remove Rootkit.Agent
Hiya.
Just finished the AVG and Malwarebytes scans.
No infections were found using those.

Also searched for ozuxjeg.sys and couldn't find it.

Everything seems OK.

Re: Can't remove Rootkit.Agent
Hi,

Your computer is now clean. Now it's time to remove the tools we used and to update your computer to prevent vulnerabilities.

Updating System Restore

Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools

Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade

Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new features. Some of the updates that Service Pack 3 provides you may not have yet. It is now available via Windows Update.

More info about SP3: Here

============

Update Programs

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===============

Staying Protected

If you don't have an anti-virus, I recommend downloading these free anti-virus programs:
1. Avast!
2. Avira
3. Microsoft Security Essentials

If you don't have a good firewall, I recommend these free firewalls:
1. Comodo Firewall
2. Tall Emu Online Armor

I recommend using Malwarebytes Anti-Malware as an anti-malware program.

If you don't have an anti-spyware program, I recommend downloading these free programs to help keep you spyware-free:
1. SpywareBlaster
2. Spybot - Search & Destroy

Please don't install more than one anti-virus, firewall, or anti-spyware program, because they will conflict with each other, making your computer slow, causing data loss and giving false results, so please just don't do it.

================

Here are some prevention tips:

1. Torrents are a conduit of malware; this is why we highly recommend not using them, as the chances are extremely high that you will be infected through them.

2. Cracks/warez/keygens are another conduit of malware and are illegal, so don't use them.

3. Disable auto-run to prevent auto-run worms from infecting your machine through USB drives. XP or Vista/7

4. Always make sure you have the latest Windows updates.

5. Use a site advisor so you don't go to sites that will infect you: Web of Trust or McAfee SiteAdvisor.

6. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox or Google Chrome to keep you safer.

7. Always keep your Java and Adobe Reader updated and all older versions removed to keep clear from exploits.

8. Don't fall for Scareware. What is Scareware? A rogue anti-virus on your system that will scare you into buying their fake software due to false detections.

9. Be sure to always have a firewall and anti-virus installed at all times.

Thanks for choosing GeekPolice, see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information on keeping yourself safe please visit Here

Re: Can't remove Rootkit.Agent
Hiya,

Everything is OK.
Uninstalled the tools as suggested and updated Java and Adobe.

Just a quick couple of questions on the anti-virus stuff.

The laptop has AVG Free and Malwarebytes Anti-Malware running on it.

1) Will Comodo Firewall conflict with AVG Free?
2) Will SpywareBlaster conflict with AVG and Malwarebytes Anti-Malware?

Many thanks for helping me out with this problem

May a thousand blessings come your way

Thank You!

Re: Can't remove Rootkit.Agent
Hi,

None of those things would conflict.

You're welcome, glad to help.
