OS: XP Professional SP2 (5.1.2600)
Two days ago, I noticed my computer running significantly slower than usual. After poking around a bit and noticing that attempts to visit antivirus research destinations were being blocked or redirected, I concluded that there was obviously a problem. I saw a twex.exe entry in HijackThis and went to work.
My attempts to run Spybot were being blocked by the infection. I do not recall the precise sequence of events, but I believe it was something like this:
1. ComboFix (identified and claimed to remove rootkit infection, c:\windows\system32\drivers\TDSSghdi.sys and various other files)
2. Spybot (identified and claimed to remove agent.pz and banker.xe)
3. AVG Antivirus scan (identified and claimed to remove Cryptor, c:\program files\mozilla firefox\a.exe)
After that, I ran Spybot and MBAM and both came up clean.
AVG scan ran again overnight. It located and quarantined twex.exe and other files stored in ComboFix's C:\Qoobox directory, as well as various trojan files in C:\System Volume Information\_restore*.
This morning I ran Spybot again and it came up with one instance of agent.pz again.
4. Spybot (identified and claimed to remove agent.pz)
5. SDFix (didn't claim to find any infections or remove anything, but there are a few files identified in the "Files with Hidden Attributes" section which look suspicious, though searches tell me they may just be DivX related.)
As of this moment, MBAM Quick Scan returns no problems, and Spybot's only complaints are cookies. But unfortunately, that's exactly where I was at last night. I am hoping to go through a process to ensure that the system is firmed up so that I can proceed with an SP3 install and hopefully put this problem behind me. Please advise.
Edited by jcompton, 03 February 2009 - 02:19 PM.