Rootkits on a netbook

e [x]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\SYMEFA.SYS [x]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120215.001\BHDrvx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120222.002\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1207020.003\SYMNETS.SYS [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files\Bluetooth Suite\Ath_CoexAgent.exe [x]
S2 AtherosSvc;AtherosSvc;c:\program files\Bluetooth Suite\adminservice.exe [x]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2013\avgfws.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [x]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [x]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [x]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [x]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [x]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [x]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 64645624
*Deregistered* - 64645624
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-28 c:\windows\Tasks\HPCeeScheduleFor********-HP$.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2012-11-28 c:\windows\Tasks\HPCeeScheduleFor**********.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\*********\AppData\Roaming\Mozilla\Firefox\Profiles\uunqb6lt.default\
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-11-26 19:40; [email protected]; c:\users\********\AppData\Roaming\Mozilla\Firefox\Profiles\uunqb6lt.default\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-28 13:37:08
ComboFix-quarantined-files.txt 2012-11-28 13:37
.
Pre-Run: 179,225,632,768 bytes free
Post-Run: 178,836,885,504 bytes free
.
- - End Of File - - A0951DE6E849EA388DA0F438F9779A92

 

Sorry, now it looks fine to me.

 

AVG saying that the Rootkits are still there.

 

C:\config.sys

 

Try running Spybot S&D

Or just save yourself the hassle and copy the files you want to keep onto a portable then reboot the netbook.

I had a look at one of the files and my ESET won't even let me on the website "Yontoo"

 

Nothing really wrong in the log, no sign of any rootkit although these two files may be dodgy

c:\windows\system32\shoEFF6.tmp
c:\windows\system32\shoDB03.tmp

upload them to virustotal and see if they come back positive as bad https://www.virustotal.com/

Also you need to uninstall Norton Internet Security as you have 2 antivirus installed.

 

Files were already analysed and the detection ratio is 0/44?

 

Never use Norton/Symantec software for anything ever.

 

Free?

 

I think it came with the netbook

 

Does avg say what files are infected with the rookit or any other information?

 

Aye.

http://www.safer-networking.org/

 

It will have done. Get it uninstalled.

 

spybot does not remove rootkits.

 

Just leave it into the shop and pay the few wquid Baz.

 

Well like I said earlier EDGE.

Reboot the ****ing thing and it will perform better anyway.

 

.

 

Rootkit 1 = Service function NtMapViewofSection hoo.. then it says "part of operating system

 

#2 NtCreatethreadEx hook ... part of operating system

 

Have you tried WD40? Skoosh it in all the openings you can find. That'll sort it.