Please help - Infected with Rootkit.Agent?

Discussion in 'Malware Help (A Specialist Will Reply)' started by geek342, Mar 10, 2010.

  1. geek342

    geek342 Private E-2

    I appear to have been infected with Rootkit.Agent and possibly other malware. I am not sure whether I am still infected or not, and hope that you can help me determine this and clean it if I am still infected.

    This is what first happened (as far as I know now):

    On the morning of Sunday, March 7, 2010, I was using StumbleUpon and hit a website that immediately opened a fake antivirus detection window and said I was infected. I tried to close the tab without clicking on anything, but it wouldn't let me. I tried repeatedly to kill the fake antivirus popup, but finally had to go into Task Manager and kill Firefox.

    I have completed the steps in the Major Geeks READ & RUN ME FIRST Malware Removal Guide; however, before doing that there were some other things I did that may have affected the results. To the best of my recollection (and my son's), prior to completing the steps in Major Geeks READ & RUN ME FIRST Malware Removal Guide this is what we did.

    Before running READ & RUN ME FIRST Malware Removal:

    1. I did a Malwarebytes' Anti-Malware Quick Scan and it found two items, iIhr.sys in the Windows\system32\drivers directory infected with Rootkit.Agent and a registry key with a reference to that file.

    2. I had to go out of town, but my son backed up the registry key and removed it from the registry and copied the file to a directory and renamed it as "iIhr.sys.DO NOT USE" and then deleted it from system32.

    3. My son ran Rootkit Revealer and it said there were a number of registry keys with security mismatches and mismatches in filesize between the Windows API and hive file, but he was not quite sure how to read the results and the output was apparently not saved.

    4. My son ran another Malwarebytes Quick Scan and it only found the .sys file in the Recycle Bin. He quarantined and deleted it and was then prompted to reboot the computer, which he did.

    5. While the computer was shutting down, my son noticed that a new .sys file had been created in the drivers directory with a different random name. But after the reboot, the file was no longer shown in the drivers directory. My son was not certain if it was actually deleted or whether it might have been hidden by a rootkit, so he looked in the registry where the previous entry was found and noticed there was a new randomly named key with a reference to the new .sys file (the file that was no longer showing).

    6. My son did another Malwarebytes Quick Scan, which showed nothing.

    7. My son then did a full scan with Malwarebytes. The full scan found the renamed copy of the original file that he had saved plus two System Restore points that were also infected with Rootkit.Agent. About this time, I returned home from out of town. We kept the renamed copy of the original infected file and quarantined and deleted the two System Restore files.

    8. We did another Malwarebytes Quick Scan and it showed nothing, and we could not find any more new .sys files in the drivers directory or any new registry keys with references to such files.

    9. I did a SUPERAntiSpyware Quick Scan and it showed nothing.

    10. I did a SUPERAntiSpyware Full Scan and it showed nothing.

    11. I tried running GMER a number of times with little success (several blue screens of death and then a number of what appeared to be false positives, many of them jpg files).

    12. I ran Sophos Anti-Rootkit and it found nothing.

    13. I ran F-Secure Blacklight and it found nothing.

    Major Geeks READ & RUN ME FIRST Malware Removal Guide:

    At this point I ran all of the steps of the Major Geeks READ & RUN ME FIRST Malware Removal Guide.

    NOTE: While running ComboFix, I had the firewall and all antivirus and antispyware software disabled at first, but when ComboFix rebooted the system, all of these started back up and I am not sure whether they interfered with anything after the reboot but before ComboFix completed.

    Thanks!
     

    Attached Files:

  2. geek342

    geek342 Private E-2

    Here are the rest of the logs.

    Thanks!
     

    Attached Files:

  3. geek342

    geek342 Private E-2

    In case you need them, here are the earlier Malwarebytes Anti-Malware logs that I have. These were from before running the steps in Major Geeks READ & RUN ME FIRST Malware Removal Guide.

    Thanks.
     

    Attached Files:

  4. geek342

    geek342 Private E-2

    Here is the fifth of five earlier Malwarebytes Anti-Malware logs that I have, in case you need them. All five were from before running the steps in Major Geeks READ & RUN ME FIRST Malware Removal Guide, but they give you a picture of what I saw before running the Major Geeks READ & RUN ME FIRST Malware Removal process.

    Thanks.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You appear to be in pretty good shape but I have a few things for you to do.

    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: IUIDDF - Unknown owner - C:\DOCUME~1\Mike\LOCALS~1\Temp\IUIDDF.exe (file missing)

    After clicking Fix, exit HJT.

    Now there are a few files that ComboFix removed that I want to checkout to see if they were false detections. Please put the below files into a ZIP file and attach the ZIP file here:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ijl11.dll.vir
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk.vir

    I'm assuming that at least the last one may be for a valid Bluetooth device you use. Also the 2nd could be for an Intel Jpeg Library.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
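Added example (not part of the original thread or of any MajorGeeks tool): the check the original poster did by hand for the randomly named .sys driver (a service key in the registry that still points at a file no longer visible in the drivers folder), generalised to every entry under the Services key. It also surfaces stale entries like the "(file missing)" O23 service HijackThis flagged above. The function names and the path normalisation rules are this example's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of this thread: enumerate every entry under the
# Services key and report those whose ImagePath points at a file that is not
# visible on disk. A hit is either a stale key (binary really deleted) or a
# file hidden from the Win32 file API, which is what a rootkit driver does.

function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    # Strip surrounding quotes, or cut off arguments after the binary name
    # (e.g. "...\svchost.exe -k netsvcs").
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $m = [regex]::Match($p, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }

    # Kernel drivers are often registered with NT-style prefixes or relative
    # to %SystemRoot%, e.g. "\??\C:\...", "\SystemRoot\system32\drivers\x.sys"
    # or just "system32\DRIVERS\x.sys". Normalise those to a Win32 path.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^\\?system32\\') {
        $p = Join-Path $env:SystemRoot ($p.TrimStart('\'))
    }
    return $p
}

function Get-OrphanedServiceEntries {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        if (-not $props.ImagePath) { return }   # entry registers no binary; skip
        $path = Resolve-ImagePath $props.ImagePath
        if (-not $path) { return }
        # Test-Path sees hidden and system files, so anything still reported
        # missing here is gone from the Win32 view of the file system.
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Type      = $props.Type    # 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service
                Start     = $props.Start   # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
                ImagePath = $props.ImagePath
                Resolved  = $path
            }
        }
    }
}

Get-OrphanedServiceEntries | Sort-Object Start | Format-Table -AutoSize
```

A boot- or system-start kernel driver (Type 1, Start 0 or 1) with a short random name and no visible file is the pattern described in step 5 of the first post; a Win32 service pointing into a Temp folder, like the IUIDDF entry, is the usual leftover of a fake-antivirus dropper. The listing cannot by itself tell a deleted file from a hidden one: to settle that, compare against a directory listing taken from outside the running OS (boot media or a mounted copy of the disk), which is the cross-view idea behind tools like RootkitRevealer and GMER.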
     
  6. geek342

    geek342 Private E-2

    Thanks for your help, I really appreciate it!

    OK, here is what I have done now:

    1. I cleaned up my Desktop as you recommended.

    2. I ran C:\MGtools\analyse.exe and fixed these two items:

    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: IUIDDF - Unknown owner - C:\DOCUME~1\Mike\LOCALS~1\Temp\IUIDDF.exe (file missing)

    3. I have attached a file Qoobox.zip that includes the following files so you can check them to see if they were false detections:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ijl11.dll.vir
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk.vir

    I am pretty sure that the last one is for a valid Bluetooth device that I use. If it checks out okay, how would I restore it?

    4. I ran C:\MGtools\GetLogs.bat file and have attached the file MGlogs.zip.

    As far as I can tell so far, things appear to be working normally. Of course I'm pretty paranoid after this, so I hope you can tell me whether you think my PC has a clean bill of health now!

    Thanks!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they were all false detections by ComboFix. Not sure what the heck HP is thinking by putting an autorun.inf file in the system32 folder but it is a file for your HP product. The ijl11.dll file was the Intel Jpeg Library as I suspected and the other is for your BT device.

    You can just copy the files back to the folders indicated by what they say under the C:\Qoobox\Quarantine folder or I can give you a fix to have ComboFix restore them. It's up to you. Let me know. Basically you would just copy the files back and rename them to remove the extra .vir extension. Example:

    Copy the below:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\ijl11.dll.vir

    into the C:\Windows\System32 folder and rename the file back to ijl11.dll


    Your logs are otherwise clean.
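Added example (not part of the original thread and not a ComboFix feature): the manual restore chaslang describes, done as a script. The path under C:\Qoobox\Quarantine\<drive>\ maps back onto <drive>:\ and the trailing .vir is dropped; the three files below are the ones from this thread. The function names and the refusal to overwrite an existing file are this example's own choices. Nothing is copied while -WhatIf is present.

```powershell
# Added example, not part of this thread: put ComboFix false positives back
# where they came from, by reversing the Qoobox quarantine path layout.
# Only run this for files a specialist has confirmed as false detections.

function Get-QooboxRestorePath {
    param(
        [Parameter(Mandatory)] [string] $QuarantinedPath,
        [string] $QuarantineRoot = 'C:\Qoobox\Quarantine'
    )
    $rootPrefix = $QuarantineRoot.TrimEnd('\') + '\'
    if (-not $QuarantinedPath.StartsWith($rootPrefix, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Not under the quarantine root: $QuarantinedPath"
    }
    if ($QuarantinedPath -notmatch '\.vir$') {
        throw "Not a ComboFix quarantine file (no .vir suffix): $QuarantinedPath"
    }
    # "C\WINDOWS\system32\ijl11.dll.vir" -> drive "C", rest "WINDOWS\system32\ijl11.dll"
    $rel = $QuarantinedPath.Substring($rootPrefix.Length)
    $drive, $rest = $rel -split '\\', 2
    if ($drive.Length -ne 1 -or -not $rest) { throw "Unexpected quarantine layout: $rel" }
    return "${drive}:\" + ($rest -replace '\.vir$', '')
}

function Restore-QooboxFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $QuarantinedPath,
        [string] $QuarantineRoot = 'C:\Qoobox\Quarantine'
    )
    process {
        foreach ($q in $QuarantinedPath) {
            if (-not (Test-Path -LiteralPath $q -PathType Leaf)) {
                Write-Warning "Missing from quarantine: $q"; continue
            }
            $dest = Get-QooboxRestorePath -QuarantinedPath $q -QuarantineRoot $QuarantineRoot
            if (Test-Path -LiteralPath $dest) {
                Write-Warning "Already present, skipping: $dest"; continue
            }
            # ShouldProcess honours -WhatIf / -Confirm.
            if ($PSCmdlet.ShouldProcess($dest, "restore from $q")) {
                $dir = Split-Path -Path $dest -Parent
                if (-not (Test-Path -LiteralPath $dir)) {
                    New-Item -ItemType Directory -Path $dir | Out-Null
                }
                # Copy, not move: the .vir stays in Qoobox until ComboFix is uninstalled.
                Copy-Item -LiteralPath $q -Destination $dest
                Write-Host "Restored $dest"
            }
        }
    }
}

# The three files from this thread. Run with -WhatIf first, then without.
@(
    'C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir',
    'C:\Qoobox\Quarantine\C\WINDOWS\system32\ijl11.dll.vir',
    'C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk.vir'
) | Restore-QooboxFile -WhatIf
```

Copying rather than moving keeps the quarantine intact, so ComboFix's own /uninstall step (in the final steps below) still cleans it up, and a wrong decision can be reversed by deleting the restored copy.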
     
  8. geek342

    geek342 Private E-2

    Thanks so much!

    I went ahead and moved the three false detections back to the appropriate directories and renamed them as you described.

    Do I need to do any final steps? (I noticed you seem to have a routine of final steps.)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes! Here they are. ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  10. geek342

    geek342 Private E-2

    I have completed the cleanup procedures and "how to protect yourself" steps, and hopefully that does it. Looks good so far.

    Thanks more than I can say.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
