Author Topic: Can't delete Rootkit.Agent  (Read 39699 times)


envd
Re: Can't delete Rootkit.Agent
« Reply #30 on: December 21, 2009, 06:05:28 AM »
Avira is a good AV too, but not in the long run. Install it, scan for infections, and then use Spybot. Install avast! again. I'm still confused why a boot scan couldn't remove the rootkit? One of the trojans probably added an autostart entry. Use Run and type "msconfig", then go to Startup. Only known programs or drivers should be checked!

Firefly24
Re: Can't delete Rootkit.Agent
« Reply #31 on: December 21, 2009, 07:33:12 AM »
The Boot Time Scan was not even able to detect the file, much less delete it.

I didn't see anything suspicious in msconfig, but I took the opportunity to disable some other things that aren't needed at startup. I never knew I could do that or I would have done it a long time ago. Thank you for bringing my attention to it. :)

Also, thank you for your opinion of AVG.

Tarq57
Re: Can't delete Rootkit.Agent
« Reply #32 on: December 21, 2009, 07:38:25 AM »
What did you disable in msconfig, Firefly24?
Reason I ask is that there is some stuff (often) in there that is best disabled via the program options, or services.

Firefly24
Re: Can't delete Rootkit.Agent
« Reply #33 on: December 21, 2009, 07:41:55 AM »
I disabled:

MsnMsgr
SNDMon
Adobe Reader Speed Launch
Microsoft Office
SpySubtract
OpenOffice.org 2.4

Tarq57
Re: Can't delete Rootkit.Agent
« Reply #34 on: December 21, 2009, 07:57:00 AM »
All of those are better disabled from starting via each program's options; there is a bit more info on services and msconfig here. (At this site, also have a look at the standard Services configuration.)
SpySubtract (by TrendMicro) should not even be present; unless the program is still maintained, it should be uninstalled.
SNDMon is one that might be appropriate to disable via msconfig, the others I'm pretty sure should be done via their individual program settings.

FreewheelinFrank
Re: Can't delete Rootkit.Agent
« Reply #35 on: December 21, 2009, 08:02:39 AM »
Boot from a rescue CD and eliminate the rootkit from outside Windows.

Rescue CDs. Download and burn the disk image on an uninfected computer. Boot the infected computer from the disk and run a virus scan (after updating virus definitions if this option is present).

Dr.Web LiveCD
Kaspersky Rescue Disk
AntiVir Rescue CD
Bitdefender Rescue CD
F-Secure Rescue CD

Um. I've never done something like that before. Will it leave all of my other files intact? And which of those would be the best to try? What kind of disc do I use to burn it onto? Just a normal CD-R? I hope so, because that's all I have...

Your files will not be affected.

I can't really recommend any particular one. Your choice.

Yes, just a normal CD-R.

Firefly24
Re: Can't delete Rootkit.Agent
« Reply #36 on: December 21, 2009, 08:12:23 AM »
All of those are better disabled from starting via each program's options; there is a bit more info on services and msconfig here. (At this site, also have a look at the standard Services configuration.)
SpySubtract (by TrendMicro) should not even be present; unless the program is still maintained, it should be uninstalled.
SNDMon is one that might be appropriate to disable via msconfig, the others I'm pretty sure should be done via their individual program settings.

Okay. Thank you for letting me know.

SpySubtract is something that apparently came with the computer and I don't remember it ever really being there until after that system recovery I did. Can I just uninstall it with the Add/Remove programs tool, then?

I don't think Microsoft Office is even installed. We lost our product key, so after the system recovery I could not reinstall it; which is why I have OpenOffice now. Not sure if I can get to any options for Microsoft Office. I'll look though.

Your files will not be affected.

I can't really recommend any particular one. Your choice.

Yes, just a normal CD-R.

Okay. Thank you. I'll give it a try. Might have to wait until tomorrow, though, when I'm not so sleepy.

Tarq57
Re: Can't delete Rootkit.Agent
« Reply #37 on: December 21, 2009, 08:28:04 AM »
I think it's best to concentrate on the malware removal first; once the computer is clean, I'll throw a couple of links and maybe tutorials on cleaning up the un-needed or unwanted stuff.
So don't worry about that for now.
I've read a couple of good reports concerning both the DrWeb and the Avira CDs. But that should be regarded as purely anecdotal, as I've no direct experience.
What I'd probably do is look at each site (they're all reputable and good quality) and maybe choose the one with the easiest-to-follow directions, but that's just me.

Firefly24
Re: Can't delete Rootkit.Agent
« Reply #38 on: December 21, 2009, 08:38:39 AM »
Okay. I'll wait to do anything else until the rootkit is gone, then. I already got rid of Norton though. Glad to have that done. Thanks so much for the help with that! I originally wanted to wait until after the rootkit thing was taken care of before I got rid of Norton, but aside from making Avast tell me that it's there, the problem file does not seem to be having any effect on the computer. So I figured it would be okay to try to get rid of Norton. It worked, but I'll quit messing with things for now until the rootkit issue is solved.

And as far as the rootkit goes, I think I'll wait for a reply from micky77 about the RootRepeal report, then I'll do the things you wanted me to do with HjT (unless I should do that first?), and then I'll try one of those Rescue CDs.

But for now, I think I'll go to bed and get back to all of this tomorrow.

Thanks again to you and to everyone who has helped me so far. All of your ongoing help is greatly appreciated!

envd
Re: Can't delete Rootkit.Agent
« Reply #39 on: December 21, 2009, 09:59:43 AM »
Glad to help. If I were you I'd try and find an XP OS CD and do a repair install; I doubt that it will kill the rootkit, but chances are good that it will. The bad thing about rootkits is that removal procedures are never simple. In case you have another PC (not a laptop), insert the infected HDD (as a secondary master) in it and manually delete the file, but scan it just to be thorough. Remember not to boot from the infected drive. If all else fails: format.

micky77
Re: Can't delete Rootkit.Agent
« Reply #40 on: December 21, 2009, 04:58:40 PM »
Firefly24, unfortunately the RR log is scrambled. I don't know why. Ironically, one of the files on show is C:\WINDOWS\system32\drivers\ogphqtx.sys, which is the file you're after.
You can try again if you wish.
Regarding the rescue CDs, some of them will be ISO files which need to be burned as an image; Avira, however, has its own built-in function, so just double click on the file and insert a CD.

Here are some instructions for the cd's

http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163
http://www.freedrweb.com/livecd/how_it_works/
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/

EDIT
Well i have posted my log, and it too is scrambled  :o

Apparently there is a problem exclusive to RR logs and this forum.
Maybe you could copy/paste the log; if it's huge you may have to split it into several posts or upload it to mediafire and post the download URL http://www.mediafire.com/
« Last Edit: December 21, 2009, 07:53:45 PM by micky77 »

Firefly24
Re: Can't delete Rootkit.Agent
« Reply #41 on: December 21, 2009, 08:33:48 PM »
@envd: I don't think I have the know-how to do that kind of thing. But yes, if all else fails, I can reformat. I'm going to try to avoid doing that if possible, though.

@micky77: Here is my RootRepeal report. I hope it shows up all right.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/12/20 18:59
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: 6.tmp
Image Path: C:\WINDOWS\system32\6.tmp
Address: 0xF79F2000   Size: 6144   File Visible: No   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDEF6000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A3E000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8882000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\ogphqtx.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

SSDT
-------------------
#: 025   Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf396b8

#: 031   Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x84db7d08

#: 041   Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf39574

#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf39a52

#: 068   Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf3914c

#: 119   Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf3964e

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf3908c

#: 128   Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf390f0

#: 177   Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf3976e

#: 204   Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf3972e

#: 247   Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf398ae

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System   Address: 0x8536e1c0   Size: 3649

==EOF==
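The RootRepeal report above is plain text with a fixed layout, so the triage micky77 does by eye (the hidden `6.tmp` driver, the locked `ogphqtx.sys`, the `NtConnectPort` hook by an unknown module, the hidden code in the NTFS `IRP_MJ_CREATE` path) can be done mechanically. The following is an added example for this thread, not RootRepeal's own code: it parses the report format shown above and flags every entry not explained by a small allowlist. `SAMPLE_LOG` is a shortened excerpt of the log posted above; the allowlists (`aswSP.SYS` as avast's self-protection driver, `rootrepeal.sys` as the scanner's own driver, `hiberfil.sys` and the GAC as files Windows keeps locked, `dump_*` as crash-dump copies of the disk stack) are assumptions for this one machine and should be adjusted for whatever security product is installed.

```python
"""Triage a RootRepeal report: flag what a responder should look at first."""
import re
from typing import Dict, List, Optional

# Excerpt of the RootRepeal log posted above (same entries, shortened).
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: 6.tmp
Image Path: C:\WINDOWS\system32\6.tmp
Address: 0xF79F2000   Size: 6144   File Visible: No   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDEF6000   Size: 98304   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\ogphqtx.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

SSDT
-------------------
#: 025   Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedf396b8

#: 031   Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x84db7d08

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System   Address: 0x8536e1c0   Size: 3649

==EOF==
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects")
# Assumed allowlists for this machine: avast's self-protection driver
# (aswSP.SYS, seen hooking throughout the log), RootRepeal's own driver,
# and files Windows itself keeps locked (hibernation file, GAC directories).
EXPECTED_HOOKERS = {"aswsp.sys"}
EXPECTED_HIDDEN_DRIVERS = {"rootrepeal.sys"}
EXPECTED_LOCKED_PREFIXES = (r"c:\hiberfil.sys", r"c:\windows\assembly")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-f]+)', re.I)

Entry = Dict[str, str]


def parse_report(text: str) -> Dict[str, List[Entry]]:
    """Split the report into sections; each blank-line-separated block becomes
    one dict of 'Key: value' pairs (several pairs may share a line)."""
    report: Dict[str, List[Entry]] = {s: [] for s in SECTIONS}
    section: Optional[str] = None
    entry: Entry = {}
    for line in text.splitlines():
        line = line.rstrip()
        if line in SECTIONS:
            section = line
            continue
        if section is None or line.startswith("---"):
            continue
        if not line or line == "==EOF==":
            if entry:
                report[section].append(entry)
                entry = {}
            continue
        for chunk in re.split(r"\s{2,}", line):
            key, sep, value = chunk.partition(": ")
            if sep:
                entry[key.strip()] = value.strip()
    if entry and section:
        report[section].append(entry)
    return report


def triage(report: Dict[str, List[Entry]]) -> List[str]:
    """Return one finding per entry that is not explained by the allowlists."""
    findings: List[str] = []
    for d in report["Drivers"]:
        name = d.get("Name", "").lower()
        # dump_* drivers are the kernel's crash-dump copies of the disk stack.
        if (d.get("File Visible") == "No" and name not in EXPECTED_HIDDEN_DRIVERS
                and not name.startswith("dump_")):
            findings.append(f"hidden driver: {d.get('Image Path')}")
    for f in report["Hidden/Locked Files"]:
        if not f.get("Path", "").lower().startswith(EXPECTED_LOCKED_PREFIXES):
            findings.append(f"locked file: {f.get('Path')}")
    for h in report["SSDT"]:
        m = HOOK_RE.search(h.get("Status", ""))
        if m and m.group(1).rsplit("\\", 1)[-1].lower() not in EXPECTED_HOOKERS:
            findings.append(f"SSDT hook on {h.get('Function Name')} by "
                            f"{m.group(1)} at {m.group(2)}")
    for s in report["Stealth Objects"]:
        if s.get("Object", "").startswith("Hidden Code"):
            findings.append(f"stealth object: {s['Object']} at {s.get('Address')}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports exactly the four items the thread goes on to discuss and stays silent on the avast hooks, `hiberfil.sys`, the GAC directory and `dump_atapi.sys`. An allowlist like this only says what is expected on one particular box; an SSDT hook by a security product still deserves a second look if that product is not actually installed.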

micky77
Re: Can't delete Rootkit.Agent
« Reply #42 on: December 21, 2009, 09:42:33 PM »
Well, the file is there; also, there is another virus showing: C:\WINDOWS\system32\6.tmp.
I would start with the rootkit file. Run RootRepeal again; this time, click on Files at the bottom, choose the C drive and scan only. When the scan is finished, highlight the entry C:\WINDOWS\system32\drivers\ogphqtx.sys, then right click and choose 'Wipe File'. Then reboot.
Run RootRepeal again. If the ogphqtx file is gone, I would then run MalwareBytes again and post that log.

Firefly24
Re: Can't delete Rootkit.Agent
« Reply #43 on: December 21, 2009, 09:46:45 PM »
I decided to try using one of those Rescue CDs. I'm using the Avira one right now (I'm posting this from another computer) and it is still scanning. But it has given me some reports of files that it has renamed since it was not able to delete them.

It has renamed "KillIt.exe" and "KillWind.exe." I am pretty sure those are important. Will their being renamed have any negative effect on my computer? Will I be able to change their names back after the scan is completed?

I've gotten very uncomfortable with this Rescue CD...

Well, the file is there; also, there is another virus showing: C:\WINDOWS\system32\6.tmp.
I would start with the rootkit file. Run RootRepeal again; this time, click on Files at the bottom, choose the C drive and scan only. When the scan is finished, highlight the entry C:\WINDOWS\system32\drivers\ogphqtx.sys, then right click and choose 'Wipe File'. Then reboot.
Run RootRepeal again. If the ogphqtx file is gone, I would then run MalwareBytes again and post that log.

Okay, I'll try that after the Rescue CD finishes... if I can still use my computer when it's done. :-\

EDIT: The Rescue CD's scan is done, and my computer has booted normally. The CD didn't find anything it called "suspicious" but it did rename 7 files. Two of which are "KillIt.exe" and "KillWind.exe." How do I find those files and restore their original names?
« Last Edit: December 21, 2009, 09:57:16 PM by Firefly24 »

micky77
Re: Can't delete Rootkit.Agent
« Reply #44 on: December 21, 2009, 10:15:05 PM »
How do I find those files and restore their original names?

When the disc renames files, it changes the extension, so 'killit.exe' becomes killit.exe.xxx. The files are still in their original location, but inactive. As they are not malicious or vital, hopefully you can find them and right click to rename them. I am sorry Avira has renamed legit files; it would appear they belong to HP, not Windows.
One major problem with Avira, afaik, is it does not produce a log; if you haven't written them down, another scan has to be made. It will still find the files as suspicious even though they are renamed.
I am off to bed soon, good luck
« Last Edit: December 21, 2009, 10:40:39 PM by micky77 »