I appreciate your huge voluntary efforts on this subforum.
I've just got an agent_r infection similar to the following threads:
and I see a few other more recent active ones in the forum.
HW: Dell Studio 17 laptop
OS: Windows 7 Home Premium (processing all updates, including Java etc)
AV: AVG V.9?10? and Spybot S&D
Most obvious system files affected: wininit.exe and explorer.exe
Apparently this could be a TDL4 rootkit virus; it only seems to do Google link redirections to commercial sites at this stage. Does anyone know if the agent_r trojan does anything nasty like capture banking details etc.?
AVG initially told me I had infected wininit.exe and explorer.exe files. It couldn't clean either file. I replaced both files from WinSxS copies, but it returns to the explorer.exe file in particular. I cleaned up some suspicious entries in the Registry, temp area, etc., but the damage is done and it has installed itself.
Running AVG and Spybot in Safe Mode hasn't cleaned the infection either. The system is now unstable in full boot, with frequent BSODs, due to conflict with the AV or other services or software. AVG no longer pops up with an infection warning, but still finds explorer.exe infected on a scan and can't repair it, of course.
I tried installing and running Avast!, as it supposedly has a rootkit cleaner. I had to install it in Safe Mode for reliability; it found no infection at all, and it seems to cause more BSODs in full boot.
I'll post some DDS results in a minute, just getting this post kicked off for now. I'm forced to operate in Safe Mode for reliability, can you let me know if this is a problem in diagnosis and repair?
Also, GMER crashes while running on my system, in Safe Mode or full boot.
Can anyone recommend an AV package that will virtually guarantee this can't happen? These rootkit viruses are getting pretty serious. I'm amazed that with all the vulnerability patches and AV out there these things still get through, and nobody is ever prosecuted for these sites; Bill Gates doesn't care how his critical computing environment is regularly degraded for users and do something about it; it just gets straight through and corrupts essential system files, etc. etc. The whole exercise is a complete waste of time, including for the virus writer, as nobody is going to tolerate that sort of silly virus on their system for long, and it simply costs hours and hours of time eliminating the virus or reinstalling the OS. I really can't believe the industry can't crack down on these sites technically, and on the individuals behind them, nationally or internationally.
Attached are the DDS files, RKU report, etc. I deliberately haven't pasted in the full text inline of DDS.txt for brevity, let me know if this is a problem going forward (i.e. clear inability to follow instructions).
I've run Defogger.
OK, I've followed through the procedure pretty much as at:
2. BootKit Remover, for reporting purposes only, as attached in the previous note.
1. Then ran TDSSKiller from Kaspersky Labs and chose 'Cure', which is the only thing I've really done to fix this problem.
2. Then ran RKill, which didn't produce much.
3. I cannot run ComboFix without uninstalling AVG, which is a bit of a nuisance. I am actually trying to run ComboFix in Windows Safe Mode with no AVG processes running, but unfortunately ComboFix has been programmed to protest if it finds an AVG installation, not AVG running processes, and refuses to go on. Not sure if I should therefore uninstall AVG and run ComboFix for completeness.
Running AVG on the system now produces a clean result, no infections reported, and it is a lot quicker starting up and running IE, and no BSODs.
Uh-oh, straight back in with the C:\windows\temp\Ul0.exe problem trying to seed itself on the system again. Win32/Cryptor. Cryptic.BJB in mssconfiga.exe was found as well.
I'll sit and wait to be rescued...
OK, the virus came back, so I re-ran TDSSKiller and RKill, uninstalled AVG and then ran ComboFix, which got rid of a lot of dodgy registry entries and files, rebooted twice, etc. Log attached.
GMER still crashes or even causes a BSOD every time I run it.
Again, the system seems better, for now... DDS is now reporting no TDL4 infection, and Malwarebytes can't find anything. I'm now running free Avast instead of free AVG to trial it for a while, but is there any definitively good software that will trap rootkits etc.?
Avast found one more infected DLL, which I think and hope was unrelated; it might have been a false positive, but was probably legit. Re-running fast and full scans over 1 day continues to come up clean. Avast also found 7 quarantined viruses in ComboFix's Qoobox which are 'deactivated' with new extensions, but I chose to delete them anyhow, and it's found nothing since. Still, a useful test of Avast's signature scanning capability.
Can anyone recommend the 'ideal' AV package that can actually prevent TDL4 rootkit and other similar viruses invading a system? No matter what price? Free AVG obviously isn't up to it, despite saying 'You Are Protected' in big letters when you have the latest updates.
Kaspersky Labs seems at least to have an effective working tool to remove a TDL4 rootkit virus and presumably many others -- is this product embedded in their standard AV offering to prevent infection in the first place? ComboFix was even better. Any other recommendations?
EDIT: Posts merged ~BP
Edited by Budapest, 05 December 2010 - 07:52 PM.
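An added check, not part of the original thread and not the poster's or any of the named tools' code, for the step where the poster replaced wininit.exe and explorer.exe from WinSxS copies. It hashes the live copies of those two files and compares them against every copy of the same file kept in the WinSxS component store, so a file that has been patched on disk shows up as matching none of the stored versions. It assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt; the two file paths are the ones the poster named, and the hashing helper is illustrative.

```powershell
# Added example (not from the original post). Compare the live system files the
# poster named against every copy of the same file in the WinSxS component store.
# Assumes Windows 7, PowerShell 2.0+, and an elevated prompt.

$filesToCheck = @(
    "$env:windir\System32\wininit.exe",
    "$env:windir\explorer.exe"
)
$winSxS = "$env:windir\winsxs"

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4.0, so hash via .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

foreach ($live in $filesToCheck) {
    if (-not (Test-Path $live)) { Write-Warning "Missing: $live"; continue }
    $liveHash = Get-Sha256Hex $live
    $name = [System.IO.Path]::GetFileName($live)

    # WinSxS keeps one copy per component version (RTM, each update, etc.).
    # Any of them may be the version currently in use, so compare against all.
    $storeCopies = @(Get-ChildItem -Path $winSxS -Recurse -Filter $name -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })

    $matching = @($storeCopies | Where-Object { (Get-Sha256Hex $_.FullName) -eq $liveHash })

    "{0}`n  live SHA-256 : {1}`n  WinSxS copies: {2}, matching the live file: {3}" -f `
        $live, $liveHash, $storeCopies.Count, $matching.Count

    if ($matching.Count -eq 0) {
        Write-Warning ("No WinSxS copy of $name matches the live file. Either a later update " +
                       "replaced it without leaving a store copy, or it has been modified.")
        $storeCopies | ForEach-Object { "    {0}  {1}" -f (Get-Sha256Hex $_.FullName), $_.FullName }
    }
}
```

A mismatch is a reason to look closer, not proof of infection on its own, and a match is only as trustworthy as the kernel that served the file read: an active rootkit can filter what user-mode code sees. For a file-level check that the running system cannot lie about, boot the machine from clean rescue media and run the same comparison against the mounted Windows volume, substituting that drive's Windows directory for `$env:windir`.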