
Rootkit.Agent removal

  • 23-02-2010 5:19pm
    #1
    Registered Users Posts: 7,024 ✭✭✭


    I got no response on my last thread about this so without the full scans here is the brunt of my problem - Rootkit.Agent atvtq.sys.

    I can't delete it, keeps showing up on Malware Bytes, I've tried kill box, tried deleting/scanning and removal in safe mode and it's still there. Not sure how much of a problem this is but since it is a threat I'd like any help getting rid of it.

    Files Infected:
    C:\WINDOWS\system32\drivers\atvtq.sys (Rootkit.Agent) -> Delete on reboot.


Comments

  • Registered Users Posts: 720 ✭✭✭kierank01


    There are commercial tools that run from a CD and can remove rootkits, because they never attempt to start Windows. I had a version of Symantec that did this about 3 or 4 years ago.

    If I were you I would copy any user data to an external drive, run a virus check from another PC, and then reinstall Windows on the infected machine.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix\ComboFix.txt log in your next reply.


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    ComboFix 10-02-25.02 - Aaron 25/02/2010 22:02:32.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1319 [GMT 0:00]
    Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Aaron\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
    c:\documents and settings\Aaron\Local Settings\temp\clclean.0001.dir.0001\~df394b.tmp
    c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    c:\program files\WinPCap
    c:\program files\WinPCap\rpcapd.exe
    c:\windows\EventSystem.log
    c:\windows\srchasst\nls302en.lex
    c:\windows\system32\Data
    c:\windows\system32\drivers\atvtq.sys
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\twain_32.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll

    c:\windows\system32\powrprof.dll . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_NPF
    \Service_npf
    \Legacy_atvtq
    \Service_atvtq


    ((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
    .

    2010-02-25 21:56 . 2010-02-25 21:56 389120 ----a-w- c:\windows\system32\CF19463.exe
    2010-02-25 20:39 . 2010-02-25 20:39 389120 ----a-w- c:\windows\system32\CF4304.exe
    2010-02-25 19:16 . 2010-02-25 19:16 -------- d-----w- c:\program files\LightroomPortable
    2010-02-25 17:54 . 2010-02-25 17:54 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Temp
    2010-02-23 21:13 . 2010-02-23 21:13 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\CANON_INC
    2010-02-22 22:30 . 2010-02-22 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch
    2010-02-14 11:45 . 2010-02-14 11:45 -------- d-----w- c:\program files\iPod
    2010-02-14 11:45 . 2010-02-14 11:46 -------- d-----w- c:\program files\iTunes
    2010-02-12 00:05 . 2010-02-12 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
    2010-02-10 20:10 . 2010-02-10 20:10 -------- d-----w- C:\!KillBox
    2010-02-09 20:56 . 2010-02-09 21:25 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
    2010-01-30 20:54 . 2010-01-30 20:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-01-30 20:49 . 2010-01-30 20:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-25 22:17 . 2009-09-13 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
    2010-02-25 22:16 . 2008-06-14 13:07 -------- d-----w- c:\program files\DNA
    2010-02-25 22:16 . 2008-06-14 13:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\DNA
    2010-02-25 22:01 . 2009-11-11 14:51 79488 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-25 21:52 . 2009-12-03 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-23 22:52 . 2007-11-13 20:51 -------- d-----w- c:\documents and settings\Aaron\Application Data\ZoomBrowser EX
    2010-02-23 22:10 . 2007-10-15 21:36 -------- d-----w- c:\program files\Canon
    2010-02-23 21:44 . 2007-10-15 21:36 -------- d-----w- c:\program files\Common Files\Canon
    2010-02-22 21:20 . 2007-09-15 12:51 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-14 11:45 . 2007-09-13 16:41 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-14 11:33 . 2010-02-14 11:33 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-02-10 21:49 . 2009-12-26 04:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-09 20:55 . 2010-02-09 20:55 16 ----a-w- c:\documents and settings\LocalService\Application Data\sgcpom.dat
    2010-01-30 20:49 . 2007-09-11 15:35 -------- d-----w- c:\program files\Google
    2010-01-23 12:20 . 2010-01-23 12:20 152576 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-20 18:54 . 2009-06-15 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-20 18:52 . 2008-06-14 13:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\BitTorrent
    2010-01-19 23:44 . 2009-06-15 22:40 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-18 00:16 . 2010-01-18 00:16 -------- d-----w- c:\program files\AnvSoft
    2010-01-12 21:24 . 2010-01-12 21:23 -------- d-----w- c:\program files\QuickTime
    2010-01-07 16:07 . 2009-06-15 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-06-15 22:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-31 16:50 . 2005-08-16 03:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2005-08-16 03:18 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-16 18:43 . 2005-08-16 03:37 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2005-08-16 03:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2005-08-16 03:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 21:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2005-08-16 03:18 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-12-03 23:38 . 2009-07-14 22:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-12-03 23:38 . 2009-07-14 22:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-12-03 23:38 . 2009-07-14 22:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-12-03 23:38 . 2009-07-14 22:32 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    .

    Sigcheck

    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll

    [-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\$NtServicePackUninstall$\powrprof.dll
    [-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll
    [-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4A9D-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
    2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
    2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-27 68856]
    "BitTorrent DNA"="c:\program files\dna\btdna.exe" [2009-11-11 323392]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 2048000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-31 1392640]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
    "MBMon"="CTMBHA.DLL" [2006-06-28 1355042]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.5\RetroExpress.exe" [2008-07-16 9499928]
    "TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2009-01-05 558360]
    "WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2009-01-15 58648]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Aaron\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-11 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-9-13 2311472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-12-03 23:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-06-19 16:21 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2007-02-20 11:29 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2008-08-13 17:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2007-09-11 15:35 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 08:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2006-11-05 10:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
    2006-02-16 08:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
    "c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/07/2009 22:32 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/07/2009 22:32 360584]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 20:49 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [20/09/2007 22:21 16512]
    S3 L6UX2;Service - Line 6 UX2;c:\windows\system32\Drivers\L6UX2.sys --> c:\windows\system32\Drivers\L6UX2.sys [?]
    S3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\drivers\swnc8u90.sys [02/12/2008 09:10 173312]
    S3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\drivers\swumx90.sys [17/11/2008 13:33 145280]
    S3 zlportio;zlportio;\??\c:\documents and settings\Aaron\Desktop\Aaron\Ultrastar\zlportio.sys --> c:\documents and settings\Aaron\Desktop\Aaron\Ultrastar\zlportio.sys [?]
    S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/12/2009 23:37 285392]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

    2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:49]

    2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:49]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.boards.ie/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=8pPZOBNAeZLayr8Ub4zj4ZmanqU
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: line6.net
    FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\ul636oyx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.boards.ie/
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-FreeVPN - c:\program files\FreeVPN\FreeVPN.exe
    HKLM-Run-AirCardEnabler - (no file)
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    AddRemove-Security Task Manager - c:\program files\Security Task Manager\Uninstal.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-25 22:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(960)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(2072)
    c:\windows\system32\WININET.dll
    c:\program files\MozyHome\mozyshell.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\MozyHome\mozybackup.exe
    c:\program files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\UAService7.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\dllhost.exe
    c:\windows\System32\vssvc.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\Rundll32.exe
    c:\docume~1\Aaron\LOCALS~1\Temp\clclean.0001
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Retrospect\Retrospect Express HD 2.5\retrospect.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-25 22:22:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-25 22:22

    Pre-Run: 5,734,912,000 bytes free
    Post-Run: 5,899,988,992 bytes free

    - - End Of File - - A3FF30EFA0F079DAE9DF59E75DEEE388


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      
      :Services
      zlportio
      
      :Reg
      
      :Files
      c:\windows\system32\fjhdyfhsn.bat
      c:\documents and settings\Aaron\Desktop\Aaron\Ultrastar\zlportio.sys 
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

      • c:\windows\system32\powrprof.dll

    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    OTM Log
    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    Service zlportio stopped successfully!
    Service zlportio deleted successfully!
    ========== REGISTRY ==========
    ========== FILES ==========
    c:\windows\system32\fjhdyfhsn.bat moved successfully.
    File/Folder c:\documents and settings\Aaron\Desktop\Aaron\Ultrastar\zlportio.sys not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Aaron
    ->Temp folder emptied: 758597 bytes
    ->Temporary Internet Files folder emptied: 9147803 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 36677106 bytes
    ->Apple Safari cache emptied: 0 bytes

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 192 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 44.00 mb


    OTM by OldTimer - Version 3.1.6.0 log created on 02262010_181619
    All processes killed

    OTM by OldTimer - Version 3.1.6.0 log created on 02262010_181614

    Files moved on Reboot...
    C:\Documents and Settings\Aaron\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp moved successfully.
    C:\Documents and Settings\Aaron\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp moved successfully.

    Registry entries deleted on Reboot...


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    VirScan.org log
    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/26 18:39:53 (GMT)
    Scanner results: 14% Scanner(s) (5/36) found malware!
    File Name : powrprof.dll
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 70299b463f8c940cba318171148005f6
    SHA1 : 004d67f594697d9a141e3159e4defcb5cf32e3fe
    Online report : http://virscan.org/report/085e894ce245753ed4f2224277df3f45.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100227023444 2010-02-27 5.43 -
    AhnLab V3 2010.02.27.00 2010.02.27 2010-02-27 2.89 -
    AntiVir 8.2.1.176 7.10.4.158 2010-02-26 0.08 -
    Antiy 2.0.18 20100226.3925867 2010-02-26 0.12 -
    Arcavir 2009 201002261429 2010-02-26 0.03 -
    Authentium 5.1.1 201002261355 2010-02-26 1.37 -
    AVAST! 4.7.4 100226-0 2010-02-26 0.00 Win32:Patched-KS [Trj]
    AVG 8.5.720 271.1.1/2711 2010-02-26 0.25 -
    BitDefender 7.81008.5324048 7.30553 2010-02-27 5.34 Trojan.Patched.EL
    ClamAV 0.95.3 10461 2010-02-26 0.02 -
    Comodo 3.13.579 4073 2010-02-26 1.49 -
    CP Secure 1.3.0.5 2010.02.27 2010-02-27 1.23 -
    Dr.Web 5.0.1.12222 2010.02.27 2010-02-27 5.66 -
    F-Prot 4.4.4.56 20100226 2010-02-26 1.41 -
    F-Secure 7.02.73807 2010.02.26.06 2010-02-26 0.12 -
    Fortinet 11.529- 11.529 2010-02-25 0.21 -
    GData 19.10697/19.782 20100226 2010-02-26 7.15 Win32:Patched-KS [Trj] [Engine:B]
    ViRobot 20100226 2010.02.26 2010-02-26 0.53 -
    Ikarus T3.1.01.80 2010.02.26.75290 2010-02-26 4.64 -
    JiangMin 13.0.900 2010.02.25 2010-02-25 13.62 -
    Kaspersky 5.5.10 2010.02.26 2010-02-26 0.08 -
    KingSoft 2009.2.5.15 2010.2.26.17 2010-02-26 1.10 -
    McAfee 5.3.00 5903 2010-02-25 3.77 -
    Microsoft 1.5502 2010.02.26 2010-02-26 7.16 -
    Norman 6.01.09 6.01.00 2010-02-10 4.00 -
    Panda 9.05.01 2010.02.26 2010-02-26 2.57 -
    Trend Micro 9.120-1004 6.878.02 2010-02-26 0.04 -
    Quick Heal 10.00 2010.02.26 2010-02-26 1.38 -
    Rising 20.0 22.36.04.04 2010-02-26 1.05 -
    Sophos 3.04.1 4.50 2010-02-27 3.55 -
    Sunbelt 3.9.2406.2 5700 2010-02-25 3.95 Trojan.Win32.Patched.el (v)
    Symantec 1.3.0.24 20100226.006 2010-02-26 0.15 -
    nProtect 20100226.01 7564961 2010-02-26 5.08 Trojan.Patched.EL
    The Hacker 6.5.1.6 v00212 2010-02-26 0.37 -
    VBA32 3.12.12.2 20100225.2226 2010-02-25 2.64 -
    VirusBuster 4.5.11.10 10.120.9/2019141 2010-02-26 2.38 -


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

      • c:\windows\$NtServicePackUninstall$\powrprof.dll

    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.



    repeat it for this file

    c:\windows\ServicePackFiles\i386\powrprof.dll


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    First scan
    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/27 12:57:47 (GMT)
    Scanner results: 14% Scanner(s) (5/36) found malware!
    File Name : powrprof.dll
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 70299b463f8c940cba318171148005f6
    SHA1 : 004d67f594697d9a141e3159e4defcb5cf32e3fe
    Online report : http://virscan.org/report/82a34f7c09ebc0a2f9e63a7d6be82f57.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100227202227 2010-02-27 6.49 -
    AhnLab V3 2010.02.28.00 2010.02.28 2010-02-28 3.82 -
    AntiVir 8.2.1.176 7.10.4.158 2010-02-26 0.05 -
    Antiy 2.0.18 20100226.3925867 2010-02-26 0.12 -
    Arcavir 2009 201002261910 2010-02-26 0.03 -
    Authentium 5.1.1 201002262354 2010-02-26 1.29 -
    AVAST! 4.7.4 100227-0 2010-02-27 0.00 Win32:Patched-KS [Trj]
    AVG 8.5.720 271.1.1/2712 2010-02-27 0.23 -
    BitDefender 7.81008.5334765 7.30561 2010-02-27 5.34 Trojan.Patched.EL
    ClamAV 0.95.3 10462 2010-02-27 0.01 -
    Comodo 3.13.579 4083 2010-02-27 0.94 -
    CP Secure 1.3.0.5 2010.02.27 2010-02-27 0.04 -
    Dr.Web 5.0.1.12222 2010.02.27 2010-02-27 5.57 -
    F-Prot 4.4.4.56 20100226 2010-02-26 1.27 -
    F-Secure 7.02.73807 2010.02.27.02 2010-02-27 0.16 -
    Fortinet 11.531- 11.531 2010-02-27 0.43 -
    GData 19.10701/19.784 20100227 2010-02-27 7.47 Win32:Patched-KS [Trj] [Engine:B]
    ViRobot 20100227 2010.02.27 2010-02-27 0.47 -
    Ikarus T3.1.01.80 2010.02.27.75293 2010-02-27 5.95 -
    JiangMin 13.0.900 2010.02.27 2010-02-27 5.59 -
    Kaspersky 5.5.10 2010.02.27 2010-02-27 0.09 -
    KingSoft 2009.2.5.15 2010.2.27.7 2010-02-27 0.88 -
    McAfee 5.3.00 5904 2010-02-26 3.76 -
    Microsoft 1.5502 2010.02.27 2010-02-27 6.92 -
    Norman 6.01.09 6.01.00 2010-02-10 6.01 -
    Panda 9.05.01 2010.02.26 2010-02-26 2.24 -
    Trend Micro 9.120-1004 6.880.03 2010-02-27 0.10 -
    Quick Heal 10.00 2010.02.27 2010-02-27 1.56 -
    Rising 20.0 22.36.05.04 2010-02-27 1.07 -
    Sophos 3.04.1 4.50 2010-02-27 3.54 -
    Sunbelt 3.9.2406.2 5702 2010-02-26 3.08 Trojan.Win32.Patched.el (v)
    Symantec 1.3.0.24 20100226.006 2010-02-26 0.08 -
    nProtect 20100227.01 7579365 2010-02-27 4.61 Trojan.Patched.EL
    The Hacker 6.5.1.6 v00213 2010-02-26 0.40 -
    VBA32 3.12.12.2 20100225.2226 2010-02-25 2.70 -
    VirusBuster 4.5.11.10 10.120.9/2019141 2010-02-26 2.42 -


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    2nd scan
    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/27 13:10:43 (GMT)
    Scanner results: 14% Scanner(s) (5/36) found malware!
    File Name : powrprof.dll
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 70299b463f8c940cba318171148005f6
    SHA1 : 004d67f594697d9a141e3159e4defcb5cf32e3fe
    Online report : http://virscan.org/report/2a837ff26460fff1cd42ac556799389d.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100227202227 2010-02-27 4.38 -
    AhnLab V3 2010.02.28.00 2010.02.28 2010-02-28 1.11 -
    AntiVir 8.2.1.176 7.10.4.158 2010-02-26 1.40 -
    Antiy 2.0.18 20100226.3925867 2010-02-26 0.12 -
    Arcavir 2009 201002261910 2010-02-26 0.03 -
    Authentium 5.1.1 201002262354 2010-02-26 1.30 -
    AVAST! 4.7.4 100227-0 2010-02-27 0.00 Win32:Patched-KS [Trj]
    AVG 8.5.720 271.1.1/2712 2010-02-27 0.26 -
    BitDefender 7.81008.5334765 7.30561 2010-02-27 5.37 Trojan.Patched.EL
    ClamAV 0.95.3 10462 2010-02-27 0.01 -
    Comodo 3.13.579 4083 2010-02-27 1.11 -
    CP Secure 1.3.0.5 2010.02.27 2010-02-27 0.04 -
    Dr.Web 5.0.1.12222 2010.02.27 2010-02-27 5.77 -
    F-Prot 4.4.4.56 20100226 2010-02-26 1.38 -
    F-Secure 7.02.73807 2010.02.27.02 2010-02-27 0.14 -
    Fortinet 11.531- 11.531 2010-02-27 0.20 -
    GData 19.10701/19.784 20100227 2010-02-27 6.75 Win32:Patched-KS [Trj] [Engine:B]
    ViRobot 20100227 2010.02.27 2010-02-27 0.46 -
    Ikarus T3.1.01.80 2010.02.27.75293 2010-02-27 4.69 -
    JiangMin 13.0.900 2010.02.27 2010-02-27 21.07 -
    Kaspersky 5.5.10 2010.02.27 2010-02-27 0.09 -
    KingSoft 2009.2.5.15 2010.2.27.7 2010-02-27 2.14 -
    McAfee 5.3.00 5904 2010-02-26 3.69 -
    Microsoft 1.5502 2010.02.27 2010-02-27 6.53 -
    Norman 6.01.09 6.01.00 2010-02-10 4.01 -
    Panda 9.05.01 2010.02.26 2010-02-26 1.81 -
    Trend Micro 9.120-1004 6.880.04 2010-02-27 0.03 -
    Quick Heal 10.00 2010.02.27 2010-02-27 1.41 -
    Rising 20.0 22.36.05.04 2010-02-27 1.25 -
    Sophos 3.04.1 4.50 2010-02-27 3.51 -
    Sunbelt 3.9.2406.2 5702 2010-02-26 5.23 Trojan.Win32.Patched.el (v)
    Symantec 1.3.0.24 20100226.006 2010-02-26 0.06 -
    nProtect 20100227.01 7579365 2010-02-27 4.95 Trojan.Patched.EL
    The Hacker 6.5.1.6 v00213 2010-02-26 0.46 -
    VBA32 3.12.12.2 20100225.2226 2010-02-25 3.34 -
    VirusBuster 4.5.11.10 10.120.9/2019141 2010-02-26 2.53 -


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:
    File::

    SRPeek::
    c:\windows\system32\powrprof.dll
    c:\windows\$NtServicePackUninstall$\powrprof.dll
    c:\windows\ServicePackFiles\i386\powrprof.dll
    Folder::

    Registry::

    Driver::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    combofix scan log
    ComboFix 10-02-27.04 - Aaron 28/02/2010 2:11.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1232 [GMT 0:00]
    Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Aaron\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Aaron\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
    c:\documents and settings\Aaron\Local Settings\temp\clclean.0001.dir.0001\~df394b.tmp

    c:\windows\system32\powrprof.dll . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
    .

    2010-02-27 16:23 . 2010-02-27 17:09 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Adobe
    2010-02-26 18:16 . 2010-02-26 18:16 -------- d-----w- C:\_OTM
    2010-02-25 21:56 . 2010-02-25 21:56 389120 ----a-w- c:\windows\system32\CF19463.exe
    2010-02-25 20:39 . 2010-02-25 20:39 389120 ----a-w- c:\windows\system32\CF4304.exe
    2010-02-25 19:16 . 2010-02-25 19:16 -------- d-----w- c:\program files\LightroomPortable
    2010-02-25 17:54 . 2010-02-25 17:54 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Temp
    2010-02-23 21:13 . 2010-02-23 21:13 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\CANON_INC
    2010-02-22 22:30 . 2010-02-22 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch
    2010-02-14 11:45 . 2010-02-14 11:45 -------- d-----w- c:\program files\iPod
    2010-02-14 11:45 . 2010-02-14 11:46 -------- d-----w- c:\program files\iTunes
    2010-02-14 11:33 . 2010-02-14 11:33 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-02-12 00:05 . 2010-02-12 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
    2010-02-10 20:10 . 2010-02-10 20:10 -------- d-----w- C:\!KillBox
    2010-01-30 20:54 . 2010-01-30 20:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-01-30 20:49 . 2010-01-30 20:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-28 14:16 . 2008-06-14 13:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\DNA
    2010-02-27 02:17 . 2009-11-11 14:51 79488 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-27 02:13 . 2009-09-13 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
    2010-02-27 02:11 . 2008-06-14 13:07 -------- d-----w- c:\program files\DNA
    2010-02-25 21:52 . 2009-12-03 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-23 22:52 . 2007-11-13 20:51 -------- d-----w- c:\documents and settings\Aaron\Application Data\ZoomBrowser EX
    2010-02-23 22:10 . 2007-10-15 21:36 -------- d-----w- c:\program files\Canon
    2010-02-23 21:44 . 2007-10-15 21:36 -------- d-----w- c:\program files\Common Files\Canon
    2010-02-22 21:20 . 2007-09-15 12:51 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-14 11:45 . 2007-09-13 16:41 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-10 21:49 . 2009-12-26 04:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-09 20:55 . 2010-02-09 20:55 16 ----a-w- c:\documents and settings\LocalService\Application Data\sgcpom.dat
    2010-01-30 20:49 . 2007-09-11 15:35 -------- d-----w- c:\program files\Google
    2010-01-23 12:20 . 2010-01-23 12:20 152576 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-20 18:54 . 2009-06-15 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-20 18:52 . 2008-06-14 13:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\BitTorrent
    2010-01-19 23:44 . 2009-06-15 22:40 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-18 00:16 . 2010-01-18 00:16 -------- d-----w- c:\program files\AnvSoft
    2010-01-12 21:24 . 2010-01-12 21:23 -------- d-----w- c:\program files\QuickTime
    2010-01-07 16:07 . 2009-06-15 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-06-15 22:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-31 16:50 . 2005-08-16 03:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2005-08-16 03:18 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 18:43 . 2005-08-16 03:37 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2005-08-16 03:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2005-08-16 03:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2004-08-03 21:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2005-08-16 03:18 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-12-03 23:38 . 2009-07-14 22:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-12-03 23:38 . 2009-07-14 22:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-12-03 23:38 . 2009-07-14 22:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-12-03 23:38 . 2009-07-14 22:32 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    .

    (((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    Sigcheck

    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    [-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll

    [-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\$NtServicePackUninstall$\powrprof.dll
    [-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll
    [-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4A9D-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
    2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
    2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-27 68856]
    "BitTorrent DNA"="c:\program files\dna\btdna.exe" [2009-11-11 323392]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 2048000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-31 1392640]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
    "MBMon"="CTMBHA.DLL" [2006-06-28 1355042]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.5\RetroExpress.exe" [2008-07-16 9499928]
    "TRUUpdater"="c:\program files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe" [2009-01-05 558360]
    "WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2009-01-15 58648]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Aaron\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-11 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-9-13 2311472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-12-03 23:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-06-19 16:21 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    2007-02-20 11:29 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2008-08-13 17:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2007-09-11 15:35 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2006-08-17 08:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2006-11-05 10:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
    2006-02-16 08:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
    "c:\\Program Files\\Sierra Wireless Inc\\WebUpdater\\SwiApiMux.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/07/2009 22:32 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/07/2009 22:32 360584]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 20:49 135664]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [20/09/2007 22:21 16512]
    S3 L6UX2;Service - Line 6 UX2;c:\windows\system32\Drivers\L6UX2.sys --> c:\windows\system32\Drivers\L6UX2.sys [?]
    S3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\drivers\swnc8u90.sys [02/12/2008 09:10 173312]
    S3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\drivers\swumx90.sys [17/11/2008 13:33 145280]
    S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/12/2009 23:37 285392]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

    2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:49]

    2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 20:49]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.boards.ie/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=8pPZOBNAeZLayr8Ub4zj4ZmanqU
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: line6.net
    FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\ul636oyx.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.boards.ie/
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-28 14:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(956)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-02-28 14:28:26
    ComboFix-quarantined-files.txt 2010-02-28 14:28
    ComboFix2.txt 2010-02-25 22:22

    Pre-Run: 4,468,875,264 bytes free
    Post-Run: 4,683,694,080 bytes free

    - - End Of File - - 45182B0DAD66248ACE4334CD7A5C09F0


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Got your Windows CD?

    * Go here to run an online scanner from ESET.
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Check next options: Remove found threats and Scan unwanted applications.
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
    • Copy and paste that log as a reply to this topic




    Please download Dr.Web CureIt . Save it to your desktop:
    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
    • Please post the Dr.Web.txt report in your next reply
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.


  • Registered Users Posts: 7,024 ✭✭✭homerun_homer


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=f93c244677ce9d4a8d39fffd124949b7
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-03-02 08:14:26
    # local_time=2010-03-02 08:14:26 (+0000, GMT Standard Time)
    # country="Ireland"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 23052063 23052063 0 0
    # compatibility_mode=768 16777215 100 0 22461004 22461004 0 0
    # compatibility_mode=1024 16777175 100 0 7675765 7675765 0 0
    # compatibility_mode=4352 16777215 100 0 0 0 0 0
    # compatibility_mode=6143 16777215 0 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 3992 3992 0 0
    # scanned=142674
    # found=2
    # cleaned=2
    # scan_time=5273
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atvtq.sys.vir a variant of Win32/Rootkit.Kryptik.AF trojan (cleaned by deleting - quarantined) E153DCEA8CA499CFC45F5E485A7F6577 C
    C:\_OTM\MovedFiles\02262010_181619\c_windows\system32\fjhdyfhsn.bat BAT/Agent.NFC trojan (cleaned by deleting - quarantined) 0C98D0683F0C086A288C093C2C985121 C


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    if you do, do the following


    place it in your CD ROM drive and follow the instructions below:
    • Click on Start and select Run... type sfc /scannow (note the space) (Let this run undisturbed until the window with the blue progress bar goes away)

    SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
    If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.



    Boot from the Windows XP installation CD.

    At the "Welcome to Setup" screen, press R to start Recovery Console. Choose the installation to be repaired by number (usually 1) and press "Enter".

    When you are asked for the Administrator password, leave it blank and press "Enter".

    At the command prompt, type chkdsk /r and press "Enter". (Note the space before /r) The disk check operation will start.

    This will be a very thorough check of the hard drive and the file system...be patient and let it complete. It may appear to hang or even back up a few times...this is normal. 60 to 90 minutes is not unusual for this check...it may take longer in some cases.

    Once the check completes and you are back at the command prompt, type exit and press "Enter". Let your computer boot normally to Windows.
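An added example, not code from the thread or from any of the tools used in it: a Python script that reads the MD5 and detection ratio out of the VirSCAN header posted earlier, then checks the ComboFix Sigcheck lines to see whether either place SFC restores from (dllcache or ServicePackFiles) holds a copy of the flagged DLL with a different hash. The sample inputs are constructed excerpts of the two logs above, and the function names and the `needs_install_media` verdict are this example's own; in the log above every local copy of powrprof.dll carries the same hash, so the script reports that only the installation media can supply a different copy.

```python
import re
import ntpath
from collections import defaultdict

# Constructed excerpt of the VirSCAN report posted earlier in the thread.
VIRSCAN_SAMPLE = """\
VirSCAN.org Scanned Report :
Scanner results: 14% Scanner(s) (5/36) found malware!
File Name : powrprof.dll
MD5 : 70299b463f8c940cba318171148005f6
"""

# Constructed excerpt of the ComboFix "SR_Search / Sigcheck" block: rollback
# backup, service-pack store, dllcache and the live copy of each file.
SIGCHECK_SAMPLE = r"""
[-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-06-08 . C1FC04A603EE3F80AA51A090C42E5E2C . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2009-06-08 . 70299B463F8C940CBA318171148005F6 . 21504 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
"""

# One Sigcheck line: [mark] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")


def virscan_summary(report):
    """Return the file hash (upper case) and detection ratio from a VirSCAN header."""
    md5 = re.search(r"^MD5\s*:\s*([0-9a-fA-F]{32})", report, re.M)
    ratio = re.search(r"\((\d+)/(\d+)\)\s+found malware", report)
    if not md5 or not ratio:
        raise ValueError("not a VirSCAN report header")
    return {"md5": md5.group(1).upper(),
            "hits": int(ratio.group(1)), "engines": int(ratio.group(2))}


def parse_sigcheck(block):
    """Parse ComboFix Sigcheck lines; headings and blank lines are skipped."""
    entries = []
    for line in block.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["md5"] = e["md5"].upper()       # VirSCAN prints hashes in lower case
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def classify(path):
    """dllcache / ServicePackFiles are where SFC restores from; system32 is
    the live copy; $NtUninstall*, $hf_mig$ and the like are hotfix rollbacks."""
    p = path.lower()
    if "\\dllcache\\" in p or "\\servicepackfiles\\" in p:
        return "sfc_source"
    if "\\system32\\" in p:
        return "live"
    return "rollback"


def assess_restore_options(entries, flagged_md5s):
    """Per file name: is the live copy flagged, and does any SFC source hold
    a copy with a different hash that a repair could restore from?"""
    flagged = {h.upper() for h in flagged_md5s}
    by_name = defaultdict(list)
    for e in entries:
        by_name[ntpath.basename(e["path"]).lower()].append(e)
    report = {}
    for name, copies in by_name.items():
        live = [c["md5"] for c in copies if classify(c["path"]) == "live"]
        live_md5 = live[0] if live else None
        is_flagged = live_md5 in flagged
        alternatives = sorted(c["path"] for c in copies
                              if classify(c["path"]) == "sfc_source"
                              and c["md5"] != live_md5 and c["md5"] not in flagged)
        report[name] = {
            "live_md5": live_md5,
            "flagged": is_flagged,
            "alternative_sources": alternatives,
            # every local source is the same patched file: sfc /scannow has
            # nothing different to copy in, so the install media is needed
            "needs_install_media": is_flagged and not alternatives,
        }
    return report


if __name__ == "__main__":
    s = virscan_summary(VIRSCAN_SAMPLE)
    print(f"VirSCAN: {s['hits']}/{s['engines']} engines flagged {s['md5']}")
    for name, r in assess_restore_options(parse_sigcheck(SIGCHECK_SAMPLE), [s["md5"]]).items():
        print(name, r)
```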

