infected

I did a scan with Spyware Doctor, and it also has rootkit scanning with it. It picked up a file c:\windows\9129837.exe that it flagged as being Rootkit.Agent.Ex. I scanned with Avast and AVG Anti-Rootkit but nothing was found. I also scanned on VirusTotal and nothing was found, but being labelled a rootkit, not sure if it would be detected on VirusTotal?

Hi bri, let's have a quick look at your drivers and see where it is.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, DSS will open two Notepad windows, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Hi bri,

To get a glimpse of an analogous cleansing routine, look here:
http://www.daniweb.com/forums/thread83124.html

Of course essexboy will come up with his proposed cleansing routine; follow that, but you also have an indication of what to look out for.

polonus

I attached the 2 logs.

Hi bri, found it: C:\WINDOWS\system32\drivers\wfprotect.sys

Rootkit.Win32.Agent.gt
Type: Malware
Type Description: Malware (“malicious software”) consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category: Rootkit
Category Description: A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user’s knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users.
Level: High
Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type: Remove
Release Date: Jul 27 2007
Last updated on: Feb 6 2008
File Traces:
%system%\drivers\wfprotect.sys
%system%\drivers\wfprotects.sys

And I know just the programme to get rid of it ;D (according to the latest change log)

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]Please, never rename ComboFix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
[*]Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
[*]If there is no internet connection after running ComboFix, then restart your computer to restore your connection.

[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
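
A quick way to check a drive for the two file traces in that Spyware Doctor entry, as an added example that is not code from any poster in this thread or from Spyware Doctor; the directory argument and the SHA-256 hashing (the hash you would compare with a VirusTotal lookup or submit with the sample) are assumptions:

```python
"""Check a Windows system directory for the Rootkit.Win32.Agent.gt file
traces listed above (added example; assumed helper, not a poster's code).
Because the rootkit hides its driver from the running OS, the directory
root is a parameter so the check can be run on a drive mounted offline."""
import hashlib
import os
import sys
from pathlib import Path

# Traces copied from the quoted Spyware Doctor entry.
FILE_TRACES = [
    r"%system%\drivers\wfprotect.sys",
    r"%system%\drivers\wfprotects.sys",
]


def expand_trace(trace: str, system_dir: Path) -> Path:
    """Map a %system%-relative trace onto a concrete path under system_dir
    (normally C:\WINDOWS\system32, or the same folder on a mounted copy)."""
    rel = trace.replace("%system%\\", "").replace("\\", os.sep)
    return system_dir / rel


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so a large driver does not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_traces(system_dir: Path) -> dict:
    """Return {trace: sha256} for every listed trace present under system_dir.
    Matching is case-insensitive, as NTFS file names are."""
    hits = {}
    for trace in FILE_TRACES:
        expected = expand_trace(trace, system_dir)
        if not expected.parent.is_dir():
            continue
        for entry in expected.parent.iterdir():
            if entry.is_file() and entry.name.lower() == expected.name.lower():
                hits[trace] = sha256_of(entry)
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\WINDOWS\system32")
    found = find_traces(root)
    for trace, digest in found.items():
        print(f"{trace}  sha256={digest}")
    if not found:
        print("no listed traces present under", root)
```

A clean result from inside the infected system proves little, since the whole point of the rootkit is to cloak the driver; the same check on the offline copy (or on ComboFix's Qoobox backup) is the one to trust.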

Here's the logs. Also, ComboFix created a folder in c:\windows called QooBox and it has a backup of that file. Should I leave it? Will it do any harm there?
Should I send it to Alwil?

Hi bri, how are you now? Any reports?

Yes, if you could send it to Alwil; it is safely within Qoobox at the moment.

I see you used a lot of scans to try and kill it.

Your logs look clear now.

Yeah, a lot of scans, but Spyware Doctor was the only one that found anything. The file that ComboFix quarantined I think is encrypted or something by ComboFix, so is it worth sending to Alwil?

Yes, I do not think it is encrypted - just stuffed away in a dark corner.

Hey essexboy, thanks for all the help getting rid of that.
Much appreciated, bri

No probs, glad to help.