
Author Topic: Qandr Rootkit, all approaches failed  (Read 22490 times)


HokaHei
    Topic Starter
    Rookie
    Re: Qandr Rootkit, all approaches failed
    « Reply #15 on: August 31, 2010, 01:24:27 PM »
    Pardon my English as it is not my first language. Let me try to explain.

    When I turn on the computer, it automatically goes online through a Wi-Fi connection (although the stability of the connection has not been very good since Qandr Rootkit infected the laptop). I can use the internet, for example, to connect to Pokerstars or Full Tilt Poker to play online poker. But when I open IE or Firefox or Chrome, I can't get any webpage to open for a period of around 30 minutes (even if I'm playing poker online at the same time). This only happens with the browsers, not with any other programs I use online (e.g. poker programs, P2P). After about 30 minutes of being online, the browsers suddenly start working on and off, and I can get to see my email or this forum or whatever website.

    Hope I have made myself clear :)

    Thanks for your time and patience.
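The symptom above (browsers time out while a poker client and P2P traffic work) is the pattern you get when something sits only in the path browsers take: WinINET proxy or PAC settings, hosts-file entries, or a Winsock Layered Service Provider. The script below is an added example, not part of the thread and not from any of the tools discussed in it; it runs those checks read-only. The connectivity-check URL and the exact `netsh` column label it parses are assumptions about a Windows 7/10 box.

```powershell
# Added example, not from the thread or from any of the tools it mentions.
# Triage for the symptom "browsers time out, other network apps work":
# the things browsers consult that a poker client or P2P app usually does not.
# Run from an elevated PowerShell prompt on Windows 7 or later. Read-only.

# 1. WinINET proxy and PAC settings (honoured by IE, Chrome and, by default, Firefox).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
"ProxyEnable   : $($inet.ProxyEnable)"
"ProxyServer   : $($inet.ProxyServer)"
"AutoConfigURL : $($inet.AutoConfigURL)"
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or PAC URL is configured. If you did not set it, it is suspect.'
}

# 2. hosts file: any non-comment line that is not a localhost entry deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$oddHosts = Get-Content $hostsPath | Where-Object {
    ($_ -match '^\s*[0-9a-fA-F:.]+\s+\S') -and ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$')
}
if ($oddHosts) { Write-Warning ("Non-default hosts entries:`n" + ($oddHosts -join "`n")) }

# 3. Winsock catalog: a Layered Service Provider DLL outside System32 can
#    filter browser traffic while leaving other programs alone.
#    (Assumes the "Provider Path:" label that netsh prints on Windows 7/10.)
$providerDlls = @()
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match 'Provider Path:\s*(.+)$') { $providerDlls += $Matches[1].Trim() }
}
$system32 = (Join-Path $env:SystemRoot 'System32').ToLower()
foreach ($dll in ($providerDlls | Sort-Object -Unique)) {
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not $expanded.ToLower().StartsWith($system32)) {
        Write-Warning "Winsock provider outside System32: $expanded"
    }
}

# 4. Control test: fetch a page with the WinINET proxy bypassed. Success here
#    while every browser fails points at the browser side (proxy, LSP, add-on),
#    not at the Wi-Fi link. The URL is Microsoft's connectivity-check file and
#    is an assumption; any plain-HTTP URL you trust will do.
$client = New-Object System.Net.WebClient
$client.Proxy = $null
try   { $null = $client.DownloadString('http://www.msftncsi.com/ncsi.txt'); 'Direct HTTP fetch: OK' }
catch { "Direct HTTP fetch: FAILED ($($_.Exception.Message))" }
```

If step 4 succeeds while the browsers still fail, the problem is not the wireless link; work through whichever of steps 1 to 3 produced a warning. A provider DLL that is not in System32 is the one to hash and look up before anything else.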

    SuperDave
    • Malware Removal Specialist
    • Moderator
    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Qandr Rootkit, all approaches failed
    « Reply #16 on: August 31, 2010, 04:27:19 PM »
    Quote
    Pardon my English as it is not my first language. Let me try to explain.
    Don't apologize. I admire anyone who can speak more than one language. I've been trying to learn French for years, but I only know the swear words. lol
    I can't see any evidence of a rootkit on your computer, and my list of tools I can use is nearly exhausted.
    Have you given any consideration to the warning I gave you about free space on your C: drive? Low free space can make a computer do strange things.


    Please download Malwarebytes Anti-Malware from here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ****************************************

    I'd like to scan your machine with ESET OnlineScan

    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push
    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

    Windows 8 and Windows 10 dual boot with two SSD's

      HokaHei
      Re: Qandr Rootkit, all approaches failed
      « Reply #17 on: September 01, 2010, 06:43:54 AM »
      Yes, I have freed up some more space on the C: drive. I already ran MBAM. Do you want me to run it again?

      Here are the ESET results. I didn't clean any of the infected files, though.


      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-43c6316c   Java/TrojanDownloader.Agent.NBK trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-262cb67a   Java/TrojanDownloader.Agent.NBL trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-43a7cc6b   Java/TrojanDownloader.Agent.NBL trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\72d19db0-3aa663a6   Java/Mugademel.A trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-2e5c282f   Java/TrojanDownloader.Agent.NBL trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\27c71832-6170d83e   a variant of Java/Exploit.Agent.NAC trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\42441975-34b22db5   Java/TrojanDownloader.Agent.NBM trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-256c5351   Java/TrojanDownloader.Agent.NBM trojan
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\449b676-4e7f46e3   multiple threats
      C:\Users\Pedro\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-23c8d0b8   Java/TrojanDownloader.Agent.NBK trojan

      If you want to know some swear words in Portuguese, just let me know. Portuguese is a very rich language when it comes to insulting :D

      SuperDave
      Re: Qandr Rootkit, all approaches failed
      « Reply #18 on: September 01, 2010, 01:20:33 PM »
      Please run ESET again and clean those infections.

        HokaHei
        Re: Qandr Rootkit, all approaches failed
        « Reply #19 on: September 02, 2010, 08:16:46 AM »
        I've run ESET and deleted the infected files. I also ran MBAM again; it flagged the "wtxtg.sys" file as a Rootkit Agent and supposedly quarantined and removed it. I rebooted the laptop and went to the system32\drivers folder, and wtxtg.sys is still there, as a file that was modified today. Browsers seem to be working properly, but I really can't tell if the infection is gone...

          HokaHei
          Re: Qandr Rootkit, all approaches failed
          « Reply #20 on: September 02, 2010, 08:20:04 AM »
          Avast just popped up the "wtxtg.sys" file as Qandr Rootkit. I'm this close to nuking the laptop...
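Before nuking a box over a file that one scanner quarantines and another names, it is worth collecting the facts that decide whether the detection is right: the file's timestamps and hash, its Authenticode status, the service entry that loads it, whether it is actually loaded, and whether other copies exist on disk. The script below is an added example and is not from the thread or from MBAM, Avast or ESET. The default file name is the one reported in the thread; the Program Files roots it searches and the `driverquery` column names are assumptions about a standard Windows 7/10 install.

```powershell
# Added example, not from the thread or from any scanner it mentions. Gathers
# the facts about a flagged kernel driver that decide whether to trust the
# detection. The file name defaults to the one reported in the thread.
# Run from an elevated PowerShell prompt. Read-only: it changes nothing.
param([string]$Name = 'wtxtg.sys')

$path = Join-Path $env:SystemRoot "System32\drivers\$Name"
if (-not (Test-Path -LiteralPath $path)) { "Not present: $path"; return }
$file = Get-Item -LiteralPath $path -Force
"Path      : $($file.FullName)"
"Size      : $($file.Length) bytes"
"Created   : $($file.CreationTime)"
"Modified  : $($file.LastWriteTime)"

# SHA-256 via .NET rather than Get-FileHash, so it also runs on PowerShell 2.0 (Windows 7).
$stream = [System.IO.File]::OpenRead($file.FullName)
try {
    $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
    $sha256 = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
} finally { $stream.Close() }
"SHA-256   : $sha256  (look this up before trusting or deleting the file)"

# Driver signing: 64-bit Vista/7 enforce kernel-mode code signing, so an
# unsigned file here is either not being loaded as a driver at all, or
# something is getting around that enforcement.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
"Signature : $($sig.Status)  $($sig.SignerCertificate.Subject)"

# Which service entry points at it, and when does it start?
# Start: 0=boot 1=system 2=auto 3=manual 4=disabled. Type 1/2 = kernel/file-system driver.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$pattern = [regex]::Escape($Name)
foreach ($key in Get-ChildItem -Path $services -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -and ($props.ImagePath -match $pattern)) {
        "Service   : $($key.PSChildName)  Start=$($props.Start)  Type=$($props.Type)  ImagePath=$($props.ImagePath)"
    }
}

# Is the module loaded right now? driverquery /v reports the on-disk path
# (assumes the "Module Name" and "Path" CSV columns of a standard install).
$loaded = driverquery /v /fo csv | ConvertFrom-Csv | Where-Object { $_.Path -match $pattern }
if ($loaded) { "Loaded    : yes ($($loaded.'Module Name'))" } else { "Loaded    : no" }

# A file that reappears after quarantine with a fresh timestamp is either being
# rewritten by something still running, or is a copy of a file another product
# ships (the thread suggests the AV's own folder). List the other copies.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter $Name -ErrorAction SilentlyContinue |
        ForEach-Object { "Also at   : $($_.FullName)  Modified=$($_.LastWriteTime)" }
}
```

Two outcomes separate the cases in the thread: a file with a valid signature from the AV vendor and a twin inside that vendor's folder is the scanner misfiring on another product's driver; an unsigned file with a boot- or system-start service entry that is loaded right now, and that comes back after quarantine, is worth the reinstall the poster eventually chose.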

          SuperDave
          Re: Qandr Rootkit, all approaches failed
          « Reply #21 on: September 02, 2010, 06:03:48 PM »
          It would appear that the driver file wtxtg.sys is located in the Avast folder. Could you please try this for me? Please download and install MSE. Disable your Avast and run a scan with MSE, and let me know what you find.

          Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
          Microsoft Security Essentials for Windows XP

            HokaHei
            Re: Qandr Rootkit, all approaches failed
            « Reply #22 on: September 06, 2010, 07:17:43 AM »
            SD,

            Sorry for the late reply. After one month of fighting, I've decided to resort to heavy weaponry: I've reinstalled Windows 7 and deleted the old one. I was trying to avoid this, but I couldn't be held hostage by Qandr Rootkit's moods.

            That said, I want to thank you for your time and patience.

            Best regards,

            Pedro