
Google Link Redirect Virus + Trojan horse Agent_r


This topic is locked
3 replies to this topic

#1 Sean001


Posted 30 November 2010 - 05:20 PM

Hi all,

I appreciate your huge voluntary efforts on this subforum.

I've just got an agent_r infection similar to the following threads:

http://www.bleepingcomputer.com/forums/topic270894.html
http://www.bleepingcomputer.com/forums/topic309220.html
http://www.bleepingcomputer.com/forums/topic357101.html
and I see a few other more recent active ones in the forum.

HW: Dell Studio 17 laptop
OS: Windows 7 Home Premium (processing all updates, including Java etc)
AV: AVG V.9?10? and Spybot S&D
Most obvious system files affected: wininit.exe and explorer.exe

Apparently this could be a TDL4 rootkit virus; it only seems to do Google link redirections to commercial sites at this stage. Does anyone know if the agent_r trojan does anything nasty like capture banking details etc.?

AVG initially told me I had infected wininit.exe and explorer.exe files. It couldn't clean either file. I replaced both files from WinSxS copies, but it returns to the explorer.exe file in particular. I cleaned up some suspicious entries in the Registry, temp area, etc., but the damage is done and it's installed itself.

Running AVG and Spybot in Safe Mode hasn't cleaned the infection either. The system is now unstable in full boot, with frequent BSODs, due to conflict with the AV or other services or software. AVG no longer pops up with an infection warning, but a scan still finds explorer.exe infected and of course can't repair it.

I tried installing and running Avast! as it supposedly has a rootkit cleaner. I had to install it in Safe Mode for reliability, it found no infection at all, and it seems to cause more BSODs in full boot.

I'll post some DDS results in a minute, just getting this post kicked off for now. I'm forced to operate in Safe Mode for reliability, can you let me know if this is a problem in diagnosis and repair?

Also, GMER crashes while running on my system, in Safe Mode or full boot.

Can anyone recommend an AV package that will virtually guarantee this can't happen? These rootkit viruses are getting pretty serious. I'm amazed that with all the vulnerability patches and AV out there these things still get through -- nobody is ever prosecuted for these sites, Bill Gates doesn't care how his critical computing environment is regularly degraded for users and doesn't do anything about it, it just gets straight through and corrupts essential system files, etc. etc. The whole exercise is a complete waste of time, including for the virus writer, as nobody is going to tolerate that sort of silly virus on their system for long, and it simply costs hours and hours of time eliminating the virus or reinstalling the OS. I really can't believe the industry can't crack down technically on these sites and the individuals behind them, nationally or internationally.

Attached are the DDS files, RKU report, etc. I deliberately haven't pasted in the full text inline of DDS.txt for brevity, let me know if this is a problem going forward (i.e. clear inability to follow instructions).

I've run Defogger.

OK, I've followed through the procedure pretty much as at:

http://www.bleepingcomputer.com/forums/topic361604.html

I've run:
1. RKUnhooker
2. BootKit Remover
3. MBRCheck

for reporting purposes only, as attached in the previous note.

1. Then ran TDSSKiller from Kaspersky Labs and chose 'Cure', which is the only thing I've really done to fix this problem.
2. Then ran RKill, which didn't produce much
3. I cannot run Combofix without uninstalling AVG, which is a bit of a nuisance. I am actually trying to run ComboFix in Windows Safe Mode with no AVG processes running, but unfortunately Combofix has been programmed to protest if it finds an AVG installation, not AVG running processes, and refuses to go on. Not sure if I should therefore uninstall AVG and run Combofix for completeness.

Running AVG on the system now produces a clean result, no infections reported, and it is a lot quicker starting up and running IE, and no BSODs.

Update:
uh-oh, straight back in with the C:\windows\temp\Ul0.exe problem trying to seed itself on the system again. Win32/Cryptor. Cryptic.BJB in mssconfiga.exe found as well

I'll sit and wait to be rescued...

Update 2:

OK, the virus came back, so re-ran TDSSKiller, RKill, deinstalled AVG and then ran ComboFix, which got rid of a lot of dodgy registry entries and files, rebooted twice, etc - log attached.

GMER still crashes or even causes a BSOD every time I run it.

Again, the system seems better, for now... DDS is now reporting no TDL4 infection, malwarebytes can't find anything. I'm now running free Avast instead of free AVG to trial it for a while, but is there any definitively good software that will trap rootkits etc?

Avast found one more infected DLL, which I think and hope was unrelated, might have been a false positive, but probably legit. Re-running fast and full scans over 1 day continue to come up clean. Avast also found 7 quarantined viruses in combofix's Qoobox which are 'deactivated' with new extensions, but I chose to delete them anyhow, and it's found nothing since - but a useful test of Avast's signature scanning capability.



Can anyone recommend the 'ideal' AV package that can actually prevent TDL4 rootkit and other similar viruses invading a system? No matter what price? Free AVG obviously isn't up to it, despite saying 'You Are Protected' in big letters when you have the latest updates.

Kaspersky Labs seems at least to have an effective working tool to remove a TDL4 rootkit virus and presumably many others -- is this product embedded in their standard AV offering to prevent infection in the first place? ComboFix was even better. Any other recommendations?

EDIT: Posts merged ~BP


Edited by Budapest, 05 December 2010 - 07:52 PM.



#2 m0le

  • Malware Response Team
  • Location:London, UK

Posted 07 December 2010 - 08:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Sean001

  • Topic Starter

Posted 08 December 2010 - 02:41 AM

Hi M0le,

Thanks for your reply. I've followed through a procedure as outlined above, and seem to have eradicated the TDL4 bootkit virus and other associated viruses and things, mainly by using ComboFix as the last step. You can review the attached final log reports in the previous post if you'd like to see what I got up to. No viruses seem to have come back for several days since, and Avast now comes up clean. There are also some queries about recommendations for good AV software on the thread, if you can answer them.

Are there any further checks I should run to make sure the virus is completely gone?
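Added example (editor's, not from this thread and not code from TDSSKiller, ComboFix, MBRCheck or any other tool named above): one concrete answer to the "further checks" question, and to the TDL4/MBR discussion in the first post, is to verify the MBR offline against a baseline. TDL4 overwrites the MBR boot code and parks its encrypted hidden file system in unpartitioned sectors at the end of the disk, so the script below, written in Python so it can run against a saved disk image, parses the 512-byte MBR, compares a SHA-256 of the 440-byte boot code with a hash captured from a known-clean system, sanity-checks the partition table, and reports any non-zero sectors after the last partition. The 128-sector disk image, the stand-in boot code bytes, the "patched" bytes and the baseline hash are all constructed here, not real TDL4 bytes. The tail-sector check is a heuristic (a GPT backup header or vendor data can legitimately sit there), and on a real machine the first sectors would be read with administrator rights from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux.

```python
"""Offline MBR integrity check (added example; sample data is constructed)."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0..439 boot code; 440..445 disk signature + pad
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS (skipped), type, CHS (skipped), LBA start, sectors


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # first sector after the partition
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> list:
    """Decode the four MBR partition slots, skipping empty ones."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, type_id, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if type_id == 0 and sectors == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the 440-byte boot code only (disk signature and table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def nonzero_trailing_sectors(disk: bytes, parts: list) -> list:
    """LBAs after the last partition whose contents are not all zero (heuristic)."""
    total = len(disk) // SECTOR
    last_end = max((p.lba_end for p in parts), default=0)
    return [lba for lba in range(last_end, total)
            if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]


def check_disk(disk: bytes, baseline_hash: str) -> list:
    """Return human-readable findings; an empty list means nothing anomalous."""
    findings = []
    mbr = disk[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        findings.append("MBR boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("MBR boot code differs from clean baseline")
    parts = parse_partitions(mbr)
    active = sum(p.bootable for p in parts)
    if active != 1:
        findings.append(f"{active} partitions flagged active (expected 1)")
    for p in parts:
        if p.lba_end * SECTOR > len(disk):
            findings.append(f"partition {p.index} extends past end of disk")
    hidden = nonzero_trailing_sectors(disk, parts)
    if hidden:
        findings.append(f"{len(hidden)} non-zero sectors after last partition (first LBA {hidden[0]})")
    return findings


# ---- constructed sample: 128-sector disk with one active NTFS-type partition ----
def build_mbr(boot_code: bytes, entries) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(struct.pack(PART_ENTRY_FMT, *e) for e in entries)
    return code + b"\x12\x34\x56\x78\x00\x00" + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + b"\x55\xaa"


DISK_SECTORS = 128
ENTRIES = [(0x80, 0x07, 8, 100)]                   # active, type 0x07, LBA 8..107
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"    # stand-in for stock boot code (constructed)
CLEAN_MBR = build_mbr(CLEAN_BOOT, ENTRIES)
CLEAN_DISK = CLEAN_MBR + b"\x00" * (SECTOR * (DISK_SECTORS - 1))
BASELINE = boot_code_hash(CLEAN_MBR)               # would be captured once from a clean system

# "infected" image: first boot-code bytes replaced by a jump and a blob written into the
# unpartitioned tail (sectors 120..123). Constructed; not real TDL4 bytes.
INFECTED_MBR = build_mbr(b"\xeb\xfe" + CLEAN_BOOT[2:], ENTRIES)
INFECTED_DISK = bytearray(INFECTED_MBR + b"\x00" * (SECTOR * (DISK_SECTORS - 1)))
INFECTED_DISK[120 * SECTOR:124 * SECTOR] = b"\xa5" * (4 * SECTOR)
INFECTED_DISK = bytes(INFECTED_DISK)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_DISK), ("infected", INFECTED_DISK)):
        print(name, check_disk(img, BASELINE) or ["no findings"])
```

The baseline hash is the important part: capture it from the same machine before an incident (or from an identical clean install), since stock MBR boot code differs between Windows versions and OEM images, so a hash from elsewhere will produce false alarms. A clean result from this check says nothing about the rest of the infection chain (the dropped explorer.exe and the temp-folder executables named in the first post), which still need file-level checks.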

#4 m0le

  • Malware Response Team
  • Location:London, UK

Posted 08 December 2010 - 06:26 PM

From the logs your PC looks clean and the TDL4 rootkit has been removed. While you have done a great job here I must point out to you and anyone reading this thread that Combofix is not a tool to use lightly...

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Any queries you have regarding antivirus software can be asked via PM.

-------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



