I can't delete a rootkit with avast!

Hi! I have a problem and I hope you can help me to solve it.

Recently I was updating the sound driver of my pc, from hxxp://www.ma-config.com/es, and when the update was successful avast notified me of a possible rootkit. I made a Boot-time scan, but nothing appeared in the scan. I downloaded AVG anti rootkit free and a rootkit was detected in C:\Windows\System32\Drivers with .SYS extension. I deleted it and rebooted the pc, but then I made a scan again and AVG anti rootkit free told me that there was another rootkit in the same folder: C:\Windows\System32\Drivers. I think that the rootkit that I deleted previously was not deleted but renamed.

I made scans using Malwarebytes, OTL and aswMBR.exe, and I've attached the log files of the respective programs. So I hope someone can help me 'cause I don't wanna lose my pc… I appreciate your prompt help. :wink: :smiley:

Could you give me the full name of the file AVG found?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a7x8mj7d)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes\{148145DD-5AF9-4049-8755-142C1F4BFEBE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=410&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtD0F0FyEtByE0DyE0F0CtAzztBtD0CtN0D0Tzu0StBtAzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=1669840488
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=SP_ss&mntrId=a01c820c000000000000000000000000&tlver=1.5.29.1&instlRef=sst&babTrack&q="
[2012/08/04 00:49:28 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Foxconn\AppData\Roaming\mozilla\Firefox\Profiles\1r7a86ck.default\extensions\ffxtlbr@babylon.com
O2 - BHO: (no name) - {68DD98BF-9DE8-418C-89F0-E37AC61CC2D9} - No CLSID value found.
O2 - BHO: (no name) - {F1AF26F8-1828-4279-ABCE-074EF3235BD7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks!!!

This is an image of the result. I stopped the scan 'cause only one file appears as a hidden driver file:

http://bit.ly/ZVJPSv

I have a doubt: after I reboot the pc, do I need to copy the script into Custom Scans/Fixes again???

OK, I have OTL slated to remove that, so run the fix please.

Well, I did the Fix with OTL, rebooted the pc and then a log file appeared…

Later I made the Quick Scan and then I saved the Log…

Here I attach both files: the file after reboot and the Log (Quick Scan)… :smiley:

OK, it did not want to leave the building; time for the sledgehammer.

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

https://dl.dropbox.com/u/73555776/avenger.jpg

Begin copying here: 
Drivers to delete:
a7x8mj7d

Files to delete:
C:\windows\system32\drivers\a7x8mj7d.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    [*]Right click on the window under Input script here:, and select Paste.
    [*]You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    [*]Click on Execute
    [*]Answer “Yes” twice when prompted.
  4. The Avenger will automatically do the following:
    [*]It will Restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop; this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*]The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.

Thanks, I’m very thankful for your help

I attach the avenger.txt and OTL Log…

I made a new scan with AVG anti rootkit free and it shows this:

http://bit.ly/ZR8eak

I think I must use the Avenger program again and change in the script “a7x8mj7d / a7x8mj7d.sys” and put “a9fxofea / a9fxofea.sys”…

What do you think???

It looks like it is changing on the boot. There are no rootkit type activities; however, it will need a deeper look.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

I followed your instructions as you suggested…

Here is the combofix log…

That looks to have done it. How is the system now?

Well, the system is working normally…

Although the results of “avg anti rootkit free” are still showing a hidden driver file in C:\Windows\System32\Drivers…

What other solution can I apply?

Is it dangerous keeping that hidden driver file in my system??? :frowning:

Hidden drivers are in themselves not a problem. This one is probably being generated by a programme on your system. Is Avast detecting it on the antirootkit scan?

Nope. I’ve enabled in settings the rootkit scan on system startup. Today I made a boot-time scan and no rootkits were found…

What do you think?

Is it a false positive of avg anti rootkit free?

However, previously (when this problem began) avast notified me about a possible infection due to a rootkit when I updated the sound driver…
Was it an avast false positive too???

It may have been the way that the driver was installed that alerted avast to possible rootkit-like activity.

And all AVG is doing is annotating a hidden file.
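A triage check for the situation the helper describes above: a scanner reports a driver with a random-looking name as "hidden", and the question is whether the file is actually hidden from user mode or is simply an oddly named but registered and signed driver that some installed program owns. This is an added example, not code from the thread or from any of the tools mentioned in it; it assumes an elevated Windows PowerShell session, and the driver name is the one from this thread used as a placeholder.

```powershell
# Added example, not code from the thread or from any of the tools it mentions.
# Run in an elevated PowerShell. The driver name passed at the bottom is the one from
# this thread, used as a placeholder; pass whatever service name the scanner reported.
function Get-DriverTriage {
    param([Parameter(Mandatory)][string]$DriverName)

    $path   = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
    $r = [ordered]@{ Name = $DriverName; FileVisible = (Test-Path -LiteralPath $path) }

    # 1. A driver installed normally by a program has a Services key with an ImagePath.
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $r.ServiceRegistered = $true
        $r.ImagePath = $svc.ImagePath
        $r.StartType = $svc.Start     # 0=boot 1=system 2=auto 3=manual 4=disabled
    } else {
        $r.ServiceRegistered = $false
    }

    # 2. Is it loaded right now? (Win32_SystemDriver.Name is the service name.)
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    $r.Loaded = ($null -ne $drv) -and ($drv.State -eq 'Running')

    # 3. Signature and hash: an unsigned or untrusted driver matters more than an odd name.
    if ($r.FileVisible) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $r.SignatureStatus = $sig.Status
        $r.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $r.Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    # A driver that is registered or loaded but whose file user mode cannot see is the
    # case worth an offline scan; a visible, validly signed file can be attributed by signer.
    $r.Verdict = if (-not $r.FileVisible) {
        if ($r.ServiceRegistered -or $r.Loaded) { 'registered/loaded but file not visible from user mode: verify with an offline scan' }
        else { 'no file and no service: nothing to triage (may already be removed)' }
    } elseif ($r.SignatureStatus -eq 'Valid') {
        "visible and signed by $($r.Signer): attribute it to the installing program"
    } else {
        'visible but unsigned or untrusted signature: investigate further'
    }
    [pscustomobject]$r
}

Get-DriverTriage -DriverName 'a7x8mj7d' | Format-List
```

The Signer subject is what lets you tie a random-looking name back to the program that installed it, which is how the thread's own question was eventually settled.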

So, I must ignore that? :o

If it is causing no problems and Avast is not alerting at all then yes

Ok! Thank you!!! :smiley:

I edited this message:

I found on Google a similar problem with hidden drivers detected with avg anti rootkit here: http://bit.ly/YH80lq
The hidden driver file is generated by Alcohol 120! :slight_smile: