I just returned to school today after being home for about three weeks. My computer was off and disconnected from the internet while I was away. The school used a program called Cisco Clean Access agent to monitor network use prior to me leaving and while I was away they transitioned to a new program called SafeConnect. Relevant information incoming: When I booted up my computer today, I had to set up the SafeConnect deal before it allowed me internet access - I am not 100% positive as to how these things work, but I believe this was the start of my (computer's) demise - I think, since internet access was limited, my antivirus - McAfee (the school requires us to use it, I know there are far better programs out there...) - was unable to update its definitions. So I proceeded to tool around online for about an hour apparently unprotected. I found a new band that I really liked but whose music was not available for download over iTunes, etc., as it hasn't been officially released in the U.S. yet, and so I made mistake number two - I went to the pirate bay (unless I managed to contract this from some legitimate website, or someone managed to sneak it into the thing I downloaded for the SafeConnect deal...I don't know where else this could have come from....assuming my issues stem from my pirate bay usage as of right now...even though I didn't actually try to download any music or anything...? About the infections from legitimate websites thing, I read about it here: http://www.wired.com/threatlevel/2009/10/gawker/ ). I typed the band's name into the search box and pressed enter, and nothing happened (not sure if this is relevant.) There was some link on their homepage to some other band, who was apparently choosing to purposely release their music for free over pirate bay - this looked interesting, and so I stopped my search for the other band to check it out.
The page loaded fine, I read the snippet, and about 45 seconds later a window that was supposedly from McAfee popped up onto my screen saying it had found a trojan (I don't remember the name of the file, but it was something with 'gen' in it...) It looked 100% like the McAfee GUI, and I clicked the 'X' button in the upper right-hand corner to close the screen. My computer proceeded to "blue screen" - I am sure that that is not a technical term, but I think you know what I am talking about, and as I don't remember, and - foolishly - didn't take any time to write down what the error messages said, I am not sure how else to describe it.
Anyway, I hard rebooted (not sure if this is the proper technical term...I held the power button down until the computer just turned off) and found, after an agonizingly slow boot (I usually boot in ~3 minutes, this took closer to 5), many wondrous things waiting for me - links to pornographic sites had appeared on my desktop, multiple McAfee and Windows Defender windows littered my screen (some of which looked legitimate (but so had that last one...) and some of which looked downright fake), warning me about a few different infections, the first of which was the one in my title - Rootkit.Win32.Agent.pp. I don't remember the names of the others. After I clicked the 'X' to close that first Windows Defender window, the one that had warned me about Rootkit.Win32.Agent.pp, another one would appear about 15 seconds later warning me about some other malicious thing. There were also these little windows that looked like pop-up advertisements - I wasn't connected to the internet at the time - asking me to buy a piece of malware protection software. At this point, I hard rebooted once again...
I booted into safe mode and did a system restore to about 2 months ago - no problems were present then. I booted back into normal mode (in the usual amount of time) and none of the unwelcome links were on my desktop. I am not 100% certain that this next part was well-advised, but it is almost 20 below here and I am the first one back in my building - access to another computer would require significant hardship, and so....I am now creating this post from the machine that I am having these problems on - although implied, just for clarity, I feel I should say that yes, I plugged it back into the internet. I know rootkits are generally a nasty breed, but things appear to be fine, and well...I am impatient and would like to immediately get to the bottom of this or be told by an expert that things are A-OKAY.
I ran a Malwarebytes' Anti-Malware quick scan, which didn't detect anything. A full scan is running as I write this up. As for system information, here you go (sorry if this is overkill, I honestly don't know how much of this is relevant, but I figure too much information can never be a bad thing...(as far as computer problems go); anyway, I apologize if you have to sift for what you need, let me know if there would be a better way to post the info. This came from going to start-->all programs-->accessories-->system tools-->system information, and then putting that into a text file.) Edit: Your forums yelled at me, informing me that my post was too long! Leaving the barebones sysinfo here and posting the rest in another post:
System Information report written at: 01/10/10 17:15:54
System Name: STATION2
OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name STATION2
System Manufacturer Dell Inc
System Model Dimension C521
System Type X86-based PC
Processor x86 Family 15 Model 107 Stepping 1 AuthenticAMD ~2104 Mhz
BIOS Version/Date Dell Inc 1.1.6, 4/7/2007
SMBIOS Version 2.4
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name STATION2\Julie
Time Zone Central Standard Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 976.40 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 3.85 GB
Page File C:\pagefile.sys
I apologize if that got a bit long...I wanted to provide as much detail as possible.
Thanks in advance for any help,
Max (Yes, I know if you browse through the sysinfo the username is Julie, and my forums username is Nixon Renaldo...it is all very confusing, and very irrelevant to this thread...)
Edited by DrNixonRenaldo, 10 January 2010 - 06:35 PM.