Rootkit.agent infection

After multiple attempts to delete it with the Malwarebytes tool (which would report it deleted, but it would reappear on rescan) I read the instructions and here are the results:

DDS.txt

******************************************************

DDS (Ver_10-03-17.01) - NTFSx86

Run by Stephen2 at 20:32:31.83 on 17/03/2010

Internet Explorer: 8.0.6001.18882

Microsoft


Hello StephenJohnson

Welcome to Malwarebytes.

=====================

1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
txeqdz

Drivers to delete:
txeqdz

Files to delete:
C:\Windows\System32\drivers\txeqdz.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Thanks, Kahdah:

Here are the results:

Avenger:

*********************************************

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Driver "txeqdz" disabled successfully.

Driver "txeqdz" deleted successfully.

File "C:\Windows\System32\drivers\txeqdz.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

*******************************************************

zip files attached.

MBAM

********************************************************

Malwarebytes' Anti-Malware 1.44

Database version: 3872

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

18/03/2010 12:40:29 PM

mbam-log-2010-03-18 (12-40-29).txt

Scan type: Full Scan (C:\|)

Objects scanned: 275813

Time elapsed: 50 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*************************************************************************************

ESET online scan

*************************************************************************************

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a4e41aff27a4a245aad7cdaaf32d3cdd

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-03-18 07:55:26

# local_time=2010-03-18 01:55:26 (-0700, Mountain Daylight Time)

# country="Canada"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=5892 16776573 100 100 0 105545716 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=139327

# found=2

# cleaned=2

# scan_time=3938

C:\Users\Stephen2\AppData\Local\ave.exe a variant of Win32/Kryptik.DBC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Stephen2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NDEUNB0X\tjgcdnnak[1].htm a variant of Win32/Bamital.AE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

********************************END****************************************************

So, as we say in the Chemical Engineering world - Is it is or is it ain't?

backup.zip

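The MBAM log above flagged the `.exe` file association (HKEY_CLASSES_ROOT\.exe default pointing at `secfile` instead of `exefile`), which is how this kind of infection gets itself run every time any program is launched. The following is an added example, not code from the thread or from Malwarebytes, that reads the association from both the machine and per-user Classes views and reports whether it still matches the stock Windows values; it assumes a Windows host with PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): check whether the .exe association
# still points at the stock "exefile" handler and the stock open command.
# Assumes PowerShell 3.0+ on Windows. Read-only; it changes nothing.
function Test-ExeAssociation {
    $results = @()
    # HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes; HKCR merges both,
    # so each view is inspected separately to show where a hijack lives.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $extKey = Get-Item -Path (Join-Path $hive '.exe') -ErrorAction SilentlyContinue
        if (-not $extKey) { continue }          # key absent in this view (normal for HKCU)

        $progId = $extKey.GetValue('')          # '' reads the (default) value
        $cmd = $null
        if ($progId) {
            $cmdKey = Get-Item -Path (Join-Path $hive "$progId\shell\open\command") `
                               -ErrorAction SilentlyContinue
            if ($cmdKey) { $cmd = $cmdKey.GetValue('') }
        }

        $results += [pscustomobject]@{
            Hive     = $hive
            ProgId   = $progId
            Command  = $cmd
            # Stock Windows values: ProgId 'exefile' and command "%1" %*
            Stock    = ($progId -eq 'exefile' -and $cmd -eq '"%1" %*')
        }
    }
    return $results
}

Test-ExeAssociation | Format-Table -AutoSize
```

A row with Stock = False in either view (for example ProgId `secfile`, as in the log) means every .exe launch is being routed through a non-standard handler and the command it points at should be inspected before it is trusted.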

Looks good, how are things running?

I don't see an antivirus running at all.

If you have one already and it just doesn't show in the logs then disregard the following:

download only ONE of these anti-virus programs and install it.

These are free.

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

===============================================


Things seem to be running well, and I now have Antivir (though I didn't previously).

I had my ISP's freebie, ran into some problems, uninstalled it and forgot to replace it (D'oh!)

Thanks for the help!


The following are some articles and a Windows Update link that I like to suggest to people for preventing malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from file sharing programs, for example: BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
