Help needed - Rootkit

[Yoav]

'The Problem started a week ago, I got many Norton Anti-Virus 'email failure notification'
I uninstalled norton and got AVG, NOD32 & spyware doctor, but the problem is still here.
From time to time the AVG prompts a 'trojan horse rootkit.av' message.

The logs requested are enclosed.
Thanks in advance
Yoav

[attachment deleted by admin]

[Yoav]

ok, I just had avg 'threat detected': Trojan Horse Rootkit-Agent.av
file name: c:\windows\system32\drivers\ati3fbxx
process name:c:\ windows\temp\bn3cd.tmp
OS : XP

I could really use your help..
thanks

[evilfantasy]

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[Yoav]

The logs are enclosed, but I'm not sure that the AVG was closed (I kept on getting an error message while uninstalling). I think i have the RC (although it says I don't in the combofix log, but I hadn't have this option anyway while running combofix.

once again, thanks!

[attachment deleted by admin]

[evilfantasy]

You have two antivirus installed. Eset and AVG. You should only run one at a time so it's best to pick one and uninstall the other now.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

[Yoav]

After encountering some problems, here is the log.

Yoav

[attachment deleted by admin]

[evilfantasy]

Do you know what that is?

_ati3fbxx_.sys.zip

[Yoav]

A search for a file under that name got the results as written in the log:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ati3fbxx_.sys.zip

One of the AVG notification showed an infection in a file called ati3fbxx.
By the way, I just had another AVG infection notice about another file.

[evilfantasy]

Yea sorry, I noticed it's already quarantined after I posted that.


• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.
• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
----------

Download

ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

• Under Main: Select Files to Delete choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
  
• Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

Important: Restart the computer before continuing.

----------


Let the computer run for a bit and let me know how it is running now. Any virus alerts please note the file location and post it here.