Rootkit.Agent Cant Remove

Rootkit.Agent Cant Remove - Page 2

Re: Rootkit.Agent Cant Remove
ComboFix 11-02-25.02 - User 27/02/2011 15:58:41.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.1915.848 [GMT 11:00]
Running from: c:\users\User\Desktop\commy.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_032bc77b60bbbd07
-------\Service_0a4eb282bacc68c0
-------\Service_17daf900cee82e20
-------\Service_265347b198166c88
-------\Service_3d2dcff8c6e47101
-------\Service_45de3557e70e3e79
-------\Service_50a14282cdad657d
-------\Service_a193c65487b29150
-------\Service_ad06f63bebc249ff
-------\Service_c0fe0e95ccc86f5b
-------\Service_c27f2f5f2c963005
-------\Service_c92d2423e8a7c508
-------\Service_c9b16f0087ec304a
-------\Service_d965cc8f47acdc6b
-------\Service_efe06024c735dd05
-------\Service_f031a7cab2eeb0fe
-------\Service_f105b6f8d926e485
-------\Service_massfilter
-------\Service_MEMSWEEP2
-------\Service_owqvdxbe


((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.

2011-02-27 05:08 . 2011-02-27 05:13 -------- d-----w- c:\users\User\AppData\Local\temp
2011-02-26 03:59 . 2011-02-26 03:59 -------- d-----w- c:\program files\VS Revo Group
2011-02-25 01:42 . 2011-02-25 01:42 -------- d-----w- c:\users\Admin
2011-02-23 09:06 . 2011-02-23 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-02-22 20:20 . 2011-02-22 20:20 -------- d-----w- c:\windows\system32\EventProviders
2011-02-22 11:49 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-02-22 07:41 . 2011-02-22 07:41 -------- d-----w- c:\program files\Sophos
2011-02-22 07:36 . 2011-02-22 07:36 -------- d-----w- c:\windows\Sun
2011-02-21 06:26 . 2011-02-21 06:26 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2011-02-21 06:26 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-21 06:26 . 2011-02-21 06:26 -------- d-----w- c:\programdata\Malwarebytes
2011-02-21 06:26 . 2011-02-21 06:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-21 06:26 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-20 20:50 . 2011-02-20 20:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-20 20:25 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-02-20 20:25 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2011-02-20 20:25 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2011-02-20 20:25 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-02-20 20:25 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2011-02-20 20:25 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-02-20 16:02 . 2009-11-07 23:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-20 16:02 . 2009-11-07 23:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-20 16:02 . 2009-11-07 23:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-20 16:02 . 2009-11-07 23:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-20 16:02 . 2009-11-07 23:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-20 05:14 . 2010-09-06 16:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
2011-02-20 05:14 . 2010-09-06 14:13 303616 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-20 05:14 . 2010-09-06 16:23 17920 ----a-w- c:\windows\system32\netevent.dll
2011-02-20 05:14 . 2010-09-06 14:12 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-20 05:14 . 2010-09-06 14:12 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-20 05:14 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-20 05:14 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2011-02-20 05:13 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-20 01:51 . 2010-12-18 06:22 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-20 01:51 . 2010-12-18 06:22 743424 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-02-20 01:51 . 2010-12-18 06:28 638232 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-02-20 01:51 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-02-20 01:45 . 2011-02-20 01:45 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2011-02-20 01:43 . 2011-02-20 01:44 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2011-02-20 00:04 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2011-02-20 00:04 . 2009-07-14 08:30 43520 ----a-w- c:\windows\system32\msdxm.tlb
2011-02-20 00:04 . 2009-07-14 08:30 18432 ----a-w- c:\windows\system32\amcompat.tlb
2011-02-20 00:02 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-19 23:17 . 2010-04-14 17:46 80896 ----a-w- c:\windows\system32\MSNP.ax
2011-02-19 23:17 . 2010-04-14 17:45 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-02-19 23:17 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-02-19 23:17 . 2010-04-14 17:47 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-02-19 23:17 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2011-02-19 23:13 . 2011-02-20 01:42 -------- d-----w- c:\windows\system32\MpEngineStore
2011-02-19 06:50 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2011-02-19 06:50 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2011-02-19 06:50 . 2008-06-20 01:14 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2011-02-19 06:50 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2011-02-19 06:50 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2011-02-19 06:50 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2011-02-19 06:44 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2011-02-19 06:44 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2011-02-19 06:16 . 2011-02-19 06:16 -------- d-----w- c:\program files\CCleaner
2011-02-19 06:08 . 2011-02-19 06:07 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
2011-02-19 06:08 . 2011-02-19 06:07 100896 ----a-w- c:\windows\system32\RTNUninst32.dll
2011-02-19 06:08 . 2011-02-19 06:07 309352 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2011-02-19 05:57 . 2011-02-19 05:57 -------- d-----w- c:\users\User\AppData\Local\Downloaded Installations
2011-02-19 03:40 . 2011-02-19 03:40 -------- d-----w- C:\$AVG
2011-02-19 03:17 . 2011-02-19 03:17 -------- d-----w- c:\users\User\AppData\Roaming\AVG10
2011-02-19 03:17 . 2010-10-18 14:01 81920 ----a-w- c:\windows\system32\consent.exe
2011-02-19 03:17 . 2010-11-06 11:10 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-19 03:17 . 2010-11-06 11:10 357376 ----a-w- c:\windows\system32\taskschd.dll
2011-02-19 03:17 . 2010-11-06 11:09 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-02-19 03:17 . 2010-11-05 00:53 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-02-19 03:17 . 2010-11-06 11:10 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-02-19 03:17 . 2010-04-16 16:10 1314816 ----a-w- c:\windows\system32\quartz.dll
2011-02-19 03:16 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2011-02-19 03:16 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2011-02-19 03:16 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2011-02-19 03:16 . 2010-08-10 15:02 274432 ----a-w- c:\windows\system32\schannel.dll
2011-02-19 03:16 . 2010-10-28 12:56 2048 ----a-w- c:\windows\system32\tzres.dll
2011-02-19 03:16 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
2011-02-19 03:14 . 2010-08-31 15:41 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-02-19 03:13 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2011-02-19 03:13 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2011-02-19 03:13 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2011-02-19 03:13 . 2009-09-10 15:21 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
2011-02-19 03:13 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2011-02-19 03:13 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\msdxm.ocx
2011-02-19 03:13 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2011-02-19 03:13 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2011-02-19 03:13 . 2009-07-14 10:59 107520 ----a-w- c:\program files\Windows Media Player\wmpconfig.exe
2011-02-19 03:13 . 2009-07-14 10:58 107520 ----a-w- c:\program files\Windows Media Player\wmpshare.exe
2011-02-19 03:11 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2011-02-19 03:11 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2011-02-19 03:11 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2011-02-19 03:11 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2011-02-19 03:11 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2011-02-19 03:11 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2011-02-19 03:11 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2011-02-19 03:11 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2011-02-19 03:11 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2011-02-19 03:11 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2011-02-19 03:11 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2011-02-19 03:11 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2011-02-19 03:08 . 2011-02-19 03:08 -------- d--h--w- c:\programdata\Common Files
2011-02-19 03:05 . 2011-02-26 04:03 -------- d-----w- c:\programdata\AVG10
2011-02-19 03:00 . 2008-06-23 01:59 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2011-02-19 03:00 . 2008-06-23 01:58 94720 ----a-w- c:\windows\system32\logagent.exe
2011-02-19 03:00 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2011-02-19 03:00 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2011-02-19 02:44 . 2011-02-19 03:03 -------- d-----w- c:\programdata\MFAData
2011-02-17 12:41 . 2011-02-17 12:41 -------- d-----w- c:\users\User\AppData\Roaming\EMCO
2011-02-17 10:17 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-02-17 10:17 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2011-02-17 10:17 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-17 10:17 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-02-17 10:16 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2011-02-17 10:16 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2011-02-17 10:13 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2011-02-17 10:13 . 2010-08-31 15:40 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-02-17 10:12 . 2008-01-21 02:23 2730536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8EDA4EC6-21A3-4268-A991-25E1362E5FF6}\mpengine.dll
2011-02-16 08:37 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2011-02-16 07:45 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2011-02-16 07:45 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2011-02-13 10:34 . 2011-02-02 06:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-13 10:14 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2011-02-13 10:14 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2011-02-13 10:14 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2011-02-13 10:14 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 22:35 . 2011-02-27 05:14 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C3029CC2-6EF7-475D-9447-F36C0204E0D4}\mpengine.dll
2010-12-10 07:29 . 2010-12-10 07:29 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-10 07:29 . 2010-12-10 07:29 2248032 ----a-w- c:\windows\system32\sqlncli.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NDSTray.exe"="NDSTray.exe" [BU]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-13 1348904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-09-26 417792]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\DRIVERS\zgwhsdiag.sys [x]
R3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\DRIVERS\zgwhsmdm.sys [x]
R3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\DRIVERS\zgwhsnmea.sys [x]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [x]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-25 18816]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-08-24 77824]


--- Other Services/Drivers In Memory ---

*Deregistered* - atgron

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.com.au/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 16:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????v??Miz????>???>???>? >?H

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.h 357 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\atgron]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000009
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-02-27 16:23:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-27 05:23
ComboFix2.txt 2011-02-26 04:39

Pre-Run: 206,197,530,624 bytes free
Post-Run: 205,916,983,296 bytes free

- - End Of File - - 104D120DB02058CC72A623ED1ECAA06D
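A ComboFix report like the one above is long, and a helper usually wants three things out of it first: which kernel drivers (.sys files) appeared recently, which objects carry the hidden attribute, and whether the services ComboFix removed have machine-generated names like the Service_<16 hex digits> entries listed under Drivers/Services. The following Python is an added example for this thread, not ComboFix's own code or anything the posters ran: it parses the "Files Created" and "Drivers/Services" sections and applies those three checks. The column layout (created . modified size attributes path) and the meaning of the 'h' attribute flag are assumptions read off the log, and the sample excerpt is constructed in that shape rather than copied from a real report.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the shape of the ComboFix report above. The field
# order "created . modified size attributes path" is an assumption read off
# the log, not a documented ComboFix grammar.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\\Legacy_MEMSWEEP2
-------\\Service_032bc77b60bbbd07
-------\\Service_c27f2f5f2c963005
-------\\Service_MEMSWEEP2
-------\\Service_owqvdxbe

((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
2011-02-22 11:49 . 2010-05-25 23:45 18816 ------w- c:\\windows\\system32\\SAVRKBootTasks.sys
2011-02-21 06:26 . 2010-12-20 07:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-02-19 06:16 . 2011-02-19 06:16 -------- d-----w- c:\\program files\\CCleaner
2011-02-19 06:08 . 2011-02-19 06:07 309352 ----a-w- c:\\windows\\system32\\drivers\\Rtlh86.sys
2011-02-19 03:08 . 2011-02-19 03:08 -------- d--h--w- c:\\programdata\\Common Files
"""

TS = "%Y-%m-%d %H:%M"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(r"^-------\\(?:Legacy_|Service_)(?P<name>\S+)$")
HEX16_RE = re.compile(r"^[0-9a-f]{16}$")


def parse_files(text):
    """Turn 'Files Created' lines into dicts; lines of any other shape are ignored."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        rows.append({
            "created": datetime.strptime(m["created"], TS),
            "modified": datetime.strptime(m["modified"], TS),
            # directories carry "--------" instead of a byte count
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": m["attrs"][0] == "d",
            # assumption: an 'h' in the attribute column marks a hidden object
            "hidden": "h" in m["attrs"],
            "path": m["path"],
        })
    return rows


def parse_removed_services(text):
    """Names listed under Drivers/Services as removed, Legacy_/Service_ prefix stripped."""
    return [m["name"] for m in map(SERVICE_RE.match, text.splitlines()) if m]


def random_looking(name):
    """Heuristic: 16 lowercase hex digits, the shape of the throwaway service names above."""
    return bool(HEX16_RE.match(name))


def triage(text, scan_time, days=7):
    """Summarise what a helper looks at first: kernel drivers created within
    `days` of the scan, hidden objects, and removed services with generated names."""
    cutoff = datetime.strptime(scan_time, TS) - timedelta(days=days)
    rows = parse_files(text)
    return {
        "new_drivers": sorted(
            r["path"] for r in rows
            if not r["is_dir"]
            and r["path"].lower().endswith(".sys")
            and r["created"] >= cutoff
        ),
        "hidden": sorted(r["path"] for r in rows if r["hidden"]),
        "suspicious_services": sorted(
            n for n in parse_removed_services(text) if random_looking(n)
        ),
    }


if __name__ == "__main__":
    # scan time taken from the "Completion time" line of the report above
    for key, items in triage(SAMPLE_LOG, "2011-02-27 16:23").items():
        print(key)
        for item in items:
            print("   ", item)
```

The driver list is deliberately a review list rather than a verdict: in the report above, SAVRKBootTasks.sys and mbamswissarmy.sys are both legitimate scanner components that appeared in the same window, so a new .sys file only tells the reader where to look, not what to delete.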

Re: Rootkit.Agent Cant Remove
Hello.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: Rootkit.Agent Cant Remove
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

This is the entire contents of the ESET Online Scanner log. No infections were found; however, MBAM still detects the rootkit agent at C:\windows\system32\drivers\atgron.sys.

Thanks

Re: Rootkit.Agent Cant Remove
I think I managed to remove the infection using GMER rootkit scanner. It allowed me to disable the infected service, then I could remove it.

I have since performed multiple reboots and completed 2 full scans with MBAM, both of which returned 0 infections.

If there are other steps you would like me to complete, please advise. I thank you for all of your help and time so far.

Cheers

Re: Rootkit.Agent Cant Remove
Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight Java(TM) 6 Update 6
  • Click on the Uninstall/Change button at the top.

You can re-install AVG. How is the machine running now?

Re: Rootkit.Agent Cant Remove
I uninstalled the Java update 6. Re-installed AVG and did several test runs.

Computer is clean and running well. Thanks for all your time and patience. How do I mark this thread as solved?

Re: Rootkit.Agent Cant Remove
I have to do that. Smile...

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

  • Firefox may be downloaded from here: http://www.getfirefox.com
  • Opera is available here: http://www.opera.com/download/
  • Google Chrome is available here: Google Chrome
  • SRWare Iron is available here: SRWare Iron

Thank you for choosing GeekPolice. Please leave feedback!
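The hpHosts recommendation above works because the resolver consults the HOSTS file before DNS, so a hostname mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The following Python is an added example for this thread, not hpHosts' own tooling: it parses a HOSTS file the way a resolver reads it (comments stripped, several hostnames per line, first mapping wins, malformed lines skipped) and reports whether given hostnames are sinkholed. The file excerpt and the .test hostnames are constructed, not taken from any real blocklist.

```python
import ipaddress

# Constructed HOSTS excerpt in the style of a blocklist such as hpHosts.
# The .test names are reserved example hostnames, not real ad or malware hosts.
SAMPLE_HOSTS = """\
# constructed sample, not a real hpHosts release
127.0.0.1 localhost
127.0.0.1 ads.example.test  # inline comment after the mapping
0.0.0.0 tracker.example.test www.tracker.example.test
   127.0.0.1\tmalware.example.test
bad line without an address
"""


def parse_hosts(text):
    """Return {hostname: address} for every valid mapping, hostnames case-folded.

    Mirrors how the file is read: '#' starts a comment, whitespace separates
    fields, one address may be followed by several names, and the first
    mapping for a name is the one that counts.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # skip a malformed line rather than abort the whole file
        for host in parts[1:]:
            mapping.setdefault(host.lower(), str(addr))
    return mapping


def is_sinkholed(mapping, hostname):
    """True when the hostname is pinned to loopback (127.0.0.0/8) or the
    unspecified address 0.0.0.0, i.e. it can never reach the real site."""
    addr = mapping.get(hostname.lower())
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def blocked_report(text, hostnames):
    """Map each requested hostname to whether the HOSTS text blocks it."""
    mapping = parse_hosts(text)
    return {h: is_sinkholed(mapping, h) for h in hostnames}


if __name__ == "__main__":
    for host, blocked in blocked_report(
        SAMPLE_HOSTS, ["ads.example.test", "clean.example.test"]
    ).items():
        print(f"{host}: {'blocked' if blocked else 'not in HOSTS'}")
```

To check a live machine instead of the sample, read C:\Windows\System32\drivers\etc\hosts into `parse_hosts`; the lookup is case-insensitive because hostnames are.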
