Author Topic: Can't delete Rootkit.Agent  (Read 39803 times)


Firefly24

  • Guest
Can't delete Rootkit.Agent
« on: December 20, 2009, 06:38:53 AM »
My mom's computer got a virus today, and Malwarebytes found and deleted it... all but one file, it seems.

The file is "ogphqtx.sys". It keeps coming up in scans done by both Malwarebytes and Avast, but neither of them can delete it, and Avast can't even move it to the chest.

This is its location:
C:\WINDOWS\System32\drivers\ogphqtx.sys

Avast says that it is a "Rootkit.Agent".

I tried to go into the drivers folder and delete it myself but it says:
"Cannot delete ogphqtx: Cannot read from the source file or disk."

Does anyone know of a way to get rid of this thing? That is, assuming that Malwarebytes and Avast are correct in telling me that it isn't supposed to be there...

Also, I have a log from hijackthis, if it is needed. I don't know what any of it means, but I imagine there's a lot of stuff in there that shouldn't be. This poor computer has been through a lot. I will post the log in the next post, though, because posting it in this one made it exceed the maximum allowed length.

EDIT: Also, I did a Boot Time Scan with Avast. It did not even find the file. I was glad because I thought it was gone, but just to be sure, I booted into Safe Mode and scanned again with both Malwarebytes and Avast. Avast still finds it with a normal scan (odd that it finds it that way but not in a Boot Time Scan...), but even in safe mode, it still cannot move it to the chest or delete it; Malwarebytes can't find it at all in safe mode. Is this really a part of the virus from before, or could this be a false positive that was coincidentally found with actual virus files? I can't find anything about "ogphqtx.sys" by googling it, so I assume that it isn't supposed to be in there, but...
« Last Edit: December 20, 2009, 07:02:51 AM by Firefly24 »

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #1 on: December 20, 2009, 06:40:17 AM »
Here's the first half of the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:05 PM, on 12/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7CE6300E-0D33-4A85-85B5-D983FF00FFE0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #2 on: December 20, 2009, 06:40:41 AM »
And the second half of the log:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222190239437
O20 - AppInit_DLLs: ohgslr.dll c:\windows\system32\yezenefi.dll c:\windows\system32\huginoke.dll,toluboli.dll
O21 - SSODL: voyijosap - {e920e280-0377-4a2f-83cf-2b0af13972d9} - c:\windows\system32\yezenefi.dll (file missing)
O21 - SSODL: kowevebas - {9eb607ea-d231-4009-911a-2f648fb5db25} - c:\windows\system32\huginoke.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {e920e280-0377-4a2f-83cf-2b0af13972d9} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {9eb607ea-d231-4009-911a-2f648fb5db25} - c:\windows\system32\huginoke.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcj_device -   - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10440 bytes
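The log above is worth a first-pass triage before anyone hands it to a specialist: the O1 entries point security-related host names at one non-loopback address, the O20 AppInit_DLLs value is populated, and several O2/O21/O22 components reference files that no longer exist. The following Python is an added example, not a tool from this thread or from HijackThis; it parses a constructed sample made of lines copied from the log and flags those three patterns, then reports file names that recur across flagged sections.

```python
import re

# Constructed sample: a handful of HijackThis lines copied from the log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O2 - BHO: (no name) - {7CE6300E-0D33-4A85-85B5-D983FF00FFE0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: ohgslr.dll c:\windows\system32\yezenefi.dll c:\windows\system32\huginoke.dll,toluboli.dll
O21 - SSODL: voyijosap - {e920e280-0377-4a2f-83cf-2b0af13972d9} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {9eb607ea-d231-4009-911a-2f648fb5db25} - c:\windows\system32\huginoke.dll (file missing)
"""

LOOPBACK = {"127.0.0.1", "::1"}


def triage(log_text):
    """Return (section, reason, detail) tuples for the log lines that merit a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O1" and body.startswith("Hosts:"):
            # A hosts entry that maps a name to anything but loopback silently redirects it.
            ip, host = body[len("Hosts:"):].split(None, 1)
            if ip not in LOOPBACK:
                findings.append((section, "hosts entry redirects name to non-loopback address",
                                 f"{host} -> {ip}"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that links user32.dll.
            dlls = [d for d in re.split(r"[\s,]+", body[len("AppInit_DLLs:"):]) if d]
            findings.append((section, "AppInit_DLLs is populated", ", ".join(dlls)))
        elif "(file missing)" in body or body.endswith("(no file)"):
            # A registration whose target is gone is leftover from something removed or hidden.
            findings.append((section, "registered component points at a missing file", body))
    return findings


def repeat_offenders(findings):
    """DLL basenames that appear in more than one flagged section; these go to the top of the list."""
    seen = {}
    for section, _reason, detail in findings:
        for name in re.findall(r"[\w~.-]+\.dll", detail, flags=re.IGNORECASE):
            seen.setdefault(name.lower(), set()).add(section)
    return sorted(n for n, secs in seen.items() if len(secs) > 1)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for section, reason, detail in results:
        print(f"{section}: {reason}: {detail}")
    print("recurring:", repeat_offenders(results))
```

On the sample this flags six lines and reports huginoke.dll and yezenefi.dll as recurring, which matches what a reader would pick out of the full log by hand.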

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Can't delete Rootkit.Agent
« Reply #3 on: December 20, 2009, 07:00:39 AM »
I will leave your HiJackThis log for someone else. There are others on the forum who can provide specialist support. There are a few tasks to do but nothing major as far as I can see.

The following is important --
It is not a good idea to run two antivirus programs at the same time, as they may clash.
You have Norton (Symantec) and avast running at the same time.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #4 on: December 20, 2009, 07:13:15 AM »
Thank you for pointing that out. I've been wanting to get Norton off of this computer for a while now. I'll take care of it.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Can't delete Rootkit.Agent
« Reply #5 on: December 20, 2009, 07:24:54 AM »
Get this (from MajorGeeks) to finish off the removal of Norton.
You could try a boot scan with Avast.
I'm not qualified to process your log; that's just general advice. Hope it might work.
Windows 10, Windows Firewall, Firefox w/Adblock.

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #6 on: December 20, 2009, 07:30:22 AM »
I already did a Boot Time Scan. It didn't find anything; but a normal scan with Avast is still able to find it.

Question: you said to use that program to "finish off" the removal of Norton; does that mean I need to start with something else?

Offline envd

  • Newbie
  • *
  • Posts: 11
Re: Can't delete Rootkit.Agent
« Reply #7 on: December 20, 2009, 07:39:08 AM »
Rootkits and viruses are two different things. They are hidden pests. Download Sophos Anti-Rootkit and see if that helps.

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #8 on: December 20, 2009, 07:46:00 AM »
Okay. Thank you for the advice. I downloaded Sophos Antirootkit and it is scanning now. I will let you know the results when it is finished.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Can't delete Rootkit.Agent
« Reply #9 on: December 20, 2009, 08:04:19 AM »
I already did a Boot Time Scan. It didn't find anything; but a normal scan with Avast is still able to find it.

Question: you said to use that program to "finish off" the removal of Norton; does that mean I need to start with something else?
Ah, not really, you could just run the program and it should totally remove all Norton products, but the normal order of things would be to uninstall it from the control panel first, reboot, then run the removal tool.
I don't think it matters that much. I've only used it twice in anger.

Other suggestions to try different rootkit scanners are good.
Windows 10, Windows Firewall, Firefox w/Adblock.

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #10 on: December 20, 2009, 08:52:08 AM »
Rootkits and viruses are two different things. They are hidden pests. Download Sophos Anti-Rootkit and see if that helps.
Sophos found the file (along with 13 others... yikes!) but for every one of them it says that cleanup is not recommended. Except for ogphqtx.sys (which is in the drivers folder, like I mentioned before), all 13 of the other files are in:

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5

Since Sophos does not recommend cleanup for any of these files, I'm hesitant to do the cleanup. But all of them (except, of course, for ogphqtx.sys) are in the Temporary Internet Files, so wouldn't they be safe to get rid of? Should I go ahead and try to cleanup all of these files anyway (ogphqtx.sys included)?

Ah, not really, you could just run the program and it should totally remove all Norton products, but the normal order of things would be to uninstall it from the control panel first, reboot, then run the removal tool.
Okay. Thank you! I will definitely be getting rid of Norton as soon as this Rootkit thing is sorted out.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Can't delete Rootkit.Agent
« Reply #11 on: December 20, 2009, 08:59:18 AM »
The temporary internet files can be simply cleaned using the disk cleanup utility, or ATF Cleaner (hosted here by MajorGeeks).
I think that would be preferable to using the Sophos application to clean it; without knowing the tech details, antirootkit apps will also delve into the alternate data streams, and might possibly mess things up.
Definitely clean the item indicated in the drivers folder, though, and then try another scan with Avast, to see if it's really gone.
Windows 10, Windows Firewall, Firefox w/Adblock.

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #12 on: December 20, 2009, 09:07:14 AM »
I told it to clean it, then it needed to restart the computer and... ogphqtx.sys is still there. :-\

I'm going to do a disk cleanup now, though, to try and get rid of the others.

But as for ogphqtx.sys... now what?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Can't delete Rootkit.Agent
« Reply #13 on: December 20, 2009, 09:14:15 AM »
Not sure. This is a bit beyond me.
After the cleanup, I'd try scanning with MBAM again, not so much to find that file but to see if any others have been created in the meantime.
Something is re-creating this file. That "something" is eluding detection. Although it may be related to the temporary internet files.
(We can but hope.)
If MBAM finds anything, clean with it, if it prompts for a reboot to remove that one problem file, don't; run Sophos again and have it remove it, then reboot.
Windows 10, Windows Firewall, Firefox w/Adblock.

Firefly24

  • Guest
Re: Can't delete Rootkit.Agent
« Reply #14 on: December 20, 2009, 09:21:03 AM »
Will do. The disk cleanup has already finished, so I am scanning with MBAM now. It usually takes about an hour, so I'll come back when it's finished and let you know if it found anything.