My mom’s computer got a virus today, and Malwarebytes found and deleted it… all but one file, it seems.
The file is “ogphqtx.sys”. It keeps coming up in scans done by both Malwarebytes and Avast, but neither of them can delete it, and Avast can’t even move it to the chest.
This is its location:
C:\WINDOWS\System32\drivers\ogphqtx.sys
Avast says that it is a “Rootkit.Agent”.
I tried to go into the drivers folder and delete it myself but it says:
“Cannot delete ogphqtx: Cannot read from the source file or disk.”
Does anyone know of a way to get rid of this thing? That is, assuming that Malwarebytes and Avast are correct in telling me that it isn’t supposed to be there…
Also, I have a log from hijackthis, if it is needed. I don’t know what any of it means, but I imagine there’s a lot of stuff in there that shouldn’t be. This poor computer has been through a lot. I will post the log in the next post, though, because posting it in this one made it exceed the maximum allowed length.
EDIT: Also, I did a Boot Time Scan with Avast. It did not even find the file. I was glad because I thought it was gone, but just to be sure, I booted into Safe Mode and scanned again with both Malwarebytes and Avast. Avast still finds it with a normal scan (odd that it finds it that way but not in a Boot Time Scan…), but even in safe mode, it still cannot move it to the chest or delete it; Malwarebytes can’t find it at all in safe mode. Is this really a part of the virus from before, or could this be a false positive that was coincidentally found with actual virus files? I can’t find anything about “ogphqtx.sys” by googling it, so I assume that it isn’t supposed to be in there, but…
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:05 PM, on 12/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
I will leave your HiJackThis log for someone else. There are others on the forum who can provide specialist support. There are a few tasks to do but nothing major as far as I can see.
The following is important –
Not a good idea to run two antivirus programs at the same time as they may clash.
You have Norton (Symantec) and avast running at the same time
Get this (from MajorGeeks) to finish off the removal of Norton.
You could try a boot scan with Avast.
I’m not qualified to process your log; that’s just general advice. Hope it might work.
Ah, not really, you could just run the program and it should totally remove all Norton products, but the normal order of things would be to uninstall it from the control panel first, reboot, then run the removal tool.
I don’t think it matters that much. I’ve only used it twice in anger.
Other suggestions to try different rootkit scanners are good.
Sophos found the file (along with 13 others… yikes!) but for every one of them it says that cleanup is not recommended. Except for ogphqtx.sys (which is in the drivers folder, like I mentioned before), all 13 of the other files are in:
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5
Since Sophos does not recommend cleanup for any of these files, I’m hesitant to do the cleanup. But all of them (except, of course, for ogphqtx.sys) are in the Temporary Internet Files, so wouldn’t they be safe to get rid of? Should I go ahead and try to cleanup all of these files anyway (ogphqtx.sys included)?
Okay. Thank you! I will definitely be getting rid of Norton as soon as this Rootkit thing is sorted out.
The temporary internet files can be simply cleaned using the disk cleanup utility, or ATF cleaner (hosted here by MajorGeeks).
I think that would be preferable to using the Sophos application to clean it; without knowing the tech details, antirootkit apps will also delve into the alternate data stream, and might possibly mess things up.
Definitely clean the item indicated in the drivers folder, though, and then try another scan with Avast, to see if it’s really gone.
Not sure. This is a bit beyond me.
After the cleanup, I’d try scanning with MBAM again, not so much to find that file but to see if any others have been created in the meantime.
Something is re-creating this file. That “something” is eluding detection, although it may be related to the temporary internet files.
(We can but hope.)
If MBAM finds anything, clean with it. If it prompts for a reboot to remove that one problem file, don’t; run Sophos again and have it remove it, then reboot.
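A driver file that scanners flag but cannot remove, and that something keeps re-creating, is the sort of thing worth cross-checking by hand. The following is an added example, not something posted in this thread: it lists every .sys under System32\drivers whose Authenticode signature does not verify and shows which registry service entries (if any) point at it, so a stray file with no owning service stands out. It assumes a current Windows with PowerShell 5.1 run from an elevated prompt (XP, as used in the thread, did not ship with PowerShell); nothing here deletes or modifies anything.

```powershell
# Added example: survey unsigned driver files and map them to their services.
# Caveat: many legitimate drivers are catalog-signed rather than embedded-signed
# and can show as NotSigned here, so treat the output as a starting point for
# investigation, not a verdict.
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Map lower-case image file name -> service names whose ImagePath references it
$servicesByFile = @{}
Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($props -and $props.ImagePath) {
        # ImagePath may be quoted, carry arguments, or use \SystemRoot\ prefixes;
        # pull out just the first .sys/.exe file name it names.
        $m = [regex]::Match($props.ImagePath, '([^\\/"]+?\.(?:sys|exe))', 'IgnoreCase')
        if ($m.Success) {
            $file = $m.Groups[1].Value.ToLower()
            if (-not $servicesByFile.ContainsKey($file)) { $servicesByFile[$file] = @() }
            $servicesByFile[$file] += $_.PSChildName
        }
    }
}

# Report drivers whose signature does not verify, newest first
Get-ChildItem $driverDir -Filter *.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    if ($sig.Status -ne 'Valid') {
        $owners = $servicesByFile[$_.Name.ToLower()]
        [pscustomobject]@{
            File      = $_.Name
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Created   = $_.CreationTime
            Services  = if ($owners) { $owners -join ',' } else { '(no service entry)' }
        }
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

A file that reappears after deletion will show a fresh Created timestamp on each run, which helps confirm that something is rewriting it rather than a scanner misreading a stale entry.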
Will do. The disk cleanup has already finished, so I am scanning with MBAM now. It usually takes about an hour, so I’ll come back when it’s finished and let you know if it found anything.
When you are done cleaning the system, note that Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.
You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.
Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.
MBAM should not take an hour to scan.
You don’t need to run thorough. Quick scan is preferable, and remember to update the definitions prior to the scan.
Do you have System Restore turned on?
If so create a new System Restore (check) point. Then use Windows Disk Cleanup in System Tools to remove all System Restore points except the most recent.
Start–>Programs–>Accessories–>System Tools–>Disk Cleanup–>More Options–>…remove all but…
Alternatively, if System Restore is turned on, then turn it off prior to scanning and cleaning.
Either way, this should significantly decrease the time it takes to scan and clean.
As YoKenny says above - you need Service pack 3 and all recommended updates.
Do this sooner rather than later, unless you are especially confident and at home with Windows OS.
MBAM still only found the one file, and it still cannot remove it.
It didn’t even occur to me to do a quick scan. I always do thorough, just to be sure it doesn’t miss anything. But you’re right, it would have been better just to do a quick one.
I think I’ll do another scan with Sophos tomorrow; too tired to do it tonight.
Also, I am aware of the service pack issue. In fact, trying to install Service Pack 3 when it came out is the reason for not having updated since. After updating, the computer said it needed to restart. So I let it do so, of course. But then it was no longer able to boot. Not even in Safe Mode. Nothing. It would try over and over again with no results.
I found a blog about this (by using another computer, of course) by a person that had found a solution for this problem. I suppose the problem came about because this is an AMD-based computer and Service Pack 3 assumed that it was an Intel-based computer and some driver was not working properly because of this. I had to disable that driver with the command prompt and then the computer was finally able to boot after several stupid and desperate attempts to fix it myself before I knew that’s all it was. I had attempted to do a system recovery at some point, which completely disorganized and confused the computer.
Now I am very wary of Windows Updates and I decided that I would only update in the future if it was -absolutely- necessary to do so. But even if I tried to update, I’m not sure it would work; I can’t even update Windows Media Player on this computer (apparently, this computer’s version of Windows Media Center (I think that’s what it was, anyway) is now invalid or something as far as the installer is concerned; which, of course, I know it’s not, but the computer is terribly confused ever since the SP3 update and the problems that resulted from it (and my attempt to fix it with a system recovery)).
But yeah. I haven’t been all that trusting of windows updates ever since then. :-\
I’ve been browsing your HJT log (as a non-expert) and there are a couple of things that pretty much leap out at me.
At some stage, maybe after you’ve tried Rootrepeal (as posted by micky77), you could run HJT again. Place a tick beside all the “file missing” entries, and beside this one:
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
and all but the first “O1 hosts” entries (4 total, indicating you’ve been exposed to the rogue security program spyware-protector2009).
After doing this select “fix selected”, and reboot; post a new HJT log after this action.
Your Java is seriously out of date.
Your computer, as you say, is actually quite a mess.
Quite possibly the reason for the SP3 update failing was Norton. I have helped someone with a borked SP3 install. Worked no problem after I’d worked it out, uninstalled Norton, and put it right.
Norton is sometimes one of those programs you actually do need to disable to allow decent updates.
The above paragraph is just a bit of background info to let you know where you should be heading after this problem is sorted.