Trouble with trojans/rootkits - Please help!

[JohnNada]

Hi people,

I've been having trouble recently with trojan horses and root-kits, which are causing endless pop-ups to appear in Firefox. I have scanned my hard drive in safe mode with Malwarebytes, and it keeps deleting the troublesome files, but everytime I reboot my computer, they come back.

I scanned my hard drive in safe mode and here is the log file I got:

------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.31

Database version: 1511

Windows 5.1.2600 Service Pack 2

24/12/2008 08:00:13

mbam-log-2008-12-24 (08-00-13).txt

Scan type: Full Scan (C:\|)

Objects scanned: 198996

Time elapsed: 3 hour(s), 42 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------------------------------------

I then restarted my computer in normal mode and scanned it again. Here is the second log file I got:

------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.31

Database version: 1511

Windows 5.1.2600 Service Pack 2

24/12/2008 10:06:15

mbam-log-2008-12-24 (10-06-15).txt

Scan type: Full Scan (C:\|)

Objects scanned: 197919

Time elapsed: 1 hour(s), 28 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tyqaotl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati7hxxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati7hxxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati7hxxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\tyqaotl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\ati7hxxx.sys (Rootkit.Agent) -> Delete on reboot.

------------------------------------------------------------------

If anybody could help me I would be extremely grateful.

Thanks...

[sho-dan]

Hello JohnNada, welcome to Malwarebytes

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

An expert will give you further instructions to assist you with the cleaning of your system.

Note:

Do Not run any other tools or scans during the cleanup process, Do Not install any other software unless requested to do so.