I’ll try to make this brief. My system slowed to a halt yesterday (Internet). Ran Malwarebytes and I had system32\drivers\iqhelh.sys (Rootkit Agent) and system32\drivers\tdeigq.sys (Rootkit Agent).
Malware said it would delete on reboot but they never went away. I ran it 10 times and still no go. I can’t delete out the registry and it has shut down my antivirus. After 8 hours and the kids not getting their homework done, I gave up. I went to Best Buy today and they told me that they could fix it for 250.00. A nice lady who worked there pulled me aside and told me about avast and that the root scan may work.
I installed it first at the office and it worked fine. I got home, installed it on my machine, and after the install it rebooted on its own. There’s a red X in the yellow ball and it will not let me register. It also won’t run the boot scan on reboot; it just boots up like normal, where it did not do this on my uninfected office system.
I’ve uninstalled and reinstalled 3 times, no go for registration or running the root scan (on reboot) or any antivirus.
What the heck can I do??
Follow this guide from Essexboy and post the logs here
http://forum.avast.com/index.php?topic=53253.0
If the logs are big, see down left corner: additional options > attach
Here are the logs
Thanks
Essexboy has been notified…
Thank you
One or more of the identified infections is a backdoor Trojan and a keylogger. If this computer is ever used for on-line banking, I suggest you do the following immediately:
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKLM..\Run: [Qnuveti] C:\WINDOWS\uhehaxiq.DLL ()
O29 - HKLM SecurityProviders - (msansspc.dll) - File not found
[2010/06/05 09:39:05 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\tdeigq.sys
[2010/06/05 09:39:02 | 000,574,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\iqhelh.sys
[2010/06/05 09:02:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Rsitakatikuno.bin
[2010/06/05 09:02:58 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ntatija.dat
[2010/05/06 18:09:06 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\LJJ\Application Data\qvjsge.dat
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\zusoweli
[2004/08/12 09:31:53 | 000,179,200 | ---- | C] () -- C:\WINDOWS\uhehaxiq.dll
[2010/05/06 18:12:00 | 000,574,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\iqhelh.sys
[2010/05/06 18:10:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Rsitakatikuno.bin
[2010/05/06 18:10:35 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ntatija.dat
[2010/05/06 18:09:17 | 000,741,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\tdeigq.sys
[2010/05/06 18:08:47 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\LJJ\Application Data\qvjsge.dat
[2009/02/02 14:15:18 | 000,000,052 | ---- | M] () -- C:\bByjBI.txt
[2010/06/05 09:45:33 | 000,574,464 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\iqhelh.sys
[2010/06/05 09:45:39 | 000,741,376 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\tdeigq.sys
[2010/06/05 09:45:59 | 000,574,464 | ---- | M] () -- C:\WINDOWS\system32\drivers\iqhelh.sys
[2010/06/05 09:46:00 | 000,741,376 | ---- | M] () -- C:\WINDOWS\system32\drivers\tdeigq.sys
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\drivers\svchost.exe"=-
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
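As an added example (not part of this thread, and not code from OTL or its author), here is a small Python parser for the OTL file-entry format used in the fix list above, with the checks a helper applies by eye when reading such a scan: MD5 that could not be read, timestamps in the future, hidden files under System32, and recently changed drivers carrying no company/version info. The sample lines are constructed from entries quoted in this thread plus one invented clean-looking driver for contrast; the scan time is an assumption.

```python
import re
from datetime import datetime, timedelta

# One OTL file entry: [YYYY/MM/DD HH:MM:SS | size | attrs | M|C] (company) [Unable to obtain MD5] -- path
OTL_ENTRY = re.compile(r"^\[(\S+ \S+) \| ([\d,]+) \| (\S{4}) \| ([MC])\] \((.*?)\)"
                       r"( Unable to obtain MD5)? -- (.+)$")

def parse_otl_entry(line):
    """Parse one OTL file line into a dict; None for anything else (:OTL headers, blanks)."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    stamp, size, attrs, kind, company, md5_fail, path = m.groups()
    return {"time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
            "size": int(size.replace(",", "")), "attrs": attrs,  # -H-- means hidden
            "kind": kind, "company": company,  # '' when the file carries no version info
            "md5_failed": md5_fail is not None, "path": path}

def flag_entry(e, scan_time, recent_days=45):
    """Heuristics applied to one entry; returns reasons to look closer (not proof of malware)."""
    reasons, low = [], e["path"].lower()
    if e["md5_failed"]:
        reasons.append("md5 unreadable: file locked or hidden from user-mode reads")
    if e["time"] > scan_time:
        reasons.append("future timestamp")
    if "h" in e["attrs"].lower() and "\\system32\\" in low:
        reasons.append("hidden file under System32")
    if ("\\drivers\\" in low and low.endswith(".sys") and not e["company"]
            and scan_time - e["time"] < timedelta(days=recent_days)):
        reasons.append("recent driver with no company/version info")
    return reasons

def triage(text, scan_time):
    """Map each path in an OTL excerpt to its reasons; [] means nothing noted by these checks."""
    out = {}
    for line in text.splitlines():
        e = parse_otl_entry(line)
        if e:
            out[e["path"]] = flag_entry(e, scan_time)
    return out

# Constructed sample: first four lines copied from this thread's fix list, last one invented.
SAMPLE_OTL = r"""
[2010/06/05 09:39:05 | 000,741,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\tdeigq.sys
[2010/06/05 09:45:33 | 000,574,464 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\iqhelh.sys
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\zusoweli
[2004/08/12 09:31:53 | 000,179,200 | ---- | C] () -- C:\WINDOWS\uhehaxiq.dll
[2008/04/14 00:00:00 | 000,100,000 | ---- | M] (Example Vendor) -- C:\WINDOWS\system32\drivers\example.sys
"""
SCAN_TIME = datetime(2010, 6, 5, 10, 0, 0)  # assumed time the scan was taken
```

Note that uhehaxiq.dll gets no flags from these file-level checks; in the thread it was identified through its HKLM Run entry, which is why a helper reads the registry sections too.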
Here’s the log. Thanks again
Should I reinstall avast or wait to hear what to do next?
One of the rootkits is a bit stubborn - let’s go for the nuclear option ;D
- Please download The Avenger by Swandog46 to your Desktop.
[*]Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop - Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
tdeigq
Files to delete:
c:\windows\system32\drivers\tdeigq.sys
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, open the avenger folder and start The Avenger program by clicking on its icon.
[*] Right click on the window under Input script here:, and select Paste.
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.
- The Avenger will automatically do the following:
[*]It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. - Please copy/paste the content of c:\avenger.txt into your reply
THEN
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Check the box that says Scan All Users
[*]Under the Custom Scan box paste this in
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open a notepad window. OTL.Txt
[*]Post the log
Only Extract here, Extract Files and Extract to Avenger
Which one?
Extract Files should do it, Extract to Avenger
Sorry I did it as soon as you posted to Extract to Files
This is what we got:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver “tdeigq” deleted successfully.
File “c:\windows\system32\drivers\tdeigq.sys” deleted successfully.
Completed script processing.
Finished! Terminate.
Excellent - if I could have a fresh OTL now please, how is your system running now?
Here it is.
Thanks
How is your system running now?
I haven’t done anything because of no antivirus. Waiting to get orders from you to proceed with the reinstall of avast
Reinstall Avast now and then let me know of any remaining problems
ok. Will do thanks
I had to run out for a few hours.
I installed avast and saw iqhelh again. I deleted and ran the boot scan again and it’s gone.
Looked at the system 32 drivers and both are GONE.
Thank you, thank you very much
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.
SPRING CLEAN
Download TFC to your desktop
[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
THEN
Download Flush Flash from Here and follow the easy to use instructions on the same page
NEXT
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
Malwarebytes. Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
[*]Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe