Agent_r is driving me crazy

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tblake84, Aug 31, 2011.

  1. tblake84

    tblake84 Private E-2

    I recently found that any google searches would redirect me to random sites that I have never been to. After a Norton search found nothing, I downloaded AVG and it found a whole slew of files infected with the Agent_r.AKS virus. It was able to delete and/or quarantine most of them with the exception of C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini.

    Following the sticky for this forum, attached are the appropriate logs and I am currently going through the listed Malware removal procedures and will update if anything changes. Any help would be appreciated!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good, please attach the logs from running SUPERAntiSpyware, Malwarebytes, ComboFix and MGTools. :)
     
  3. tblake84

    tblake84 Private E-2

    Here are the logs as required in the sticky.

    The problems seemed to be pretty expansive. SUPERAntiSpyware and Malwarebytes wouldn't complete scans, so I went on to ComboFix, which seemed to get everything. I then went back to run SUPERAntiSpyware and Malwarebytes again and they worked, so those logs are attached.

    I wasn't using the computer when the problems first appeared. I left my computer in the morning and it seemed fine. I returned in the afternoon to a computer that was rife with issues. It is password protected, no one was home, and the wifi network it is connected to is also password protected so I don't know how the virus got on it.

    I have been using an old corporate version of Norton AV and the windows XP firewall. Until now, I have not had ANY virus issues. Can anyone recommend a good (preferably free) antivirus and firewall solution to prevent issues in the future?

    The computer seems to be working fine now. Are there any extra steps I should take to ensure the problem is gone? Thanks for your help.
     


  4. tblake84

    tblake84 Private E-2

    MGTools log attached.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these AVG remnants. (All folders)
    • C:\documents and settings\Tim\Application Data\AVG
    • C:\$AVG
    • c:\documents and settings\All Users\Application Data\AVG10
    • c:\windows\system32\drivers\AVG
    • c:\program files\AVG
    • c:\documents and settings\All Users\Application Data\MFAData


    Now we need to use ComboFix sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
    c:\windows\system32\c_61212.nl_
    C:\Documents and Settings\Tim\Local Settings\Application Data\msesbucf.txt
    C:\Documents and Settings\All Users\msrecovery.cfc
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
    
    DirLook::
    c:\program files\Microsoft Analysis Services
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If, after running ComboFix, you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Please try and run TDSSKiller again and attach the new log, it did not run correctly.


    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. (Right-click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
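A post-cleanup check, added here as an example and not part of the thread or of any helper's instructions: after the AVG folder deletion and the ComboFix CFScript run above, this PowerShell script tests each path named in that post and reports which ones are still on disk. The path list is copied from the post (the user name "Tim" is specific to this machine); the function name Get-RemainingPaths is my own.

```powershell
# Added example (not from the thread): verify that the AVG remnant folders and
# the files targeted by the CFScript no longer exist. Reports only; deletes nothing.
# Paths are those quoted in the post above; "Tim" is this machine's user name.

$remnantFolders = @(
    'C:\Documents and Settings\Tim\Application Data\AVG',
    'C:\$AVG',                                   # single quotes: $AVG is not expanded
    'C:\Documents and Settings\All Users\Application Data\AVG10',
    'C:\WINDOWS\system32\drivers\AVG',
    'C:\Program Files\AVG',
    'C:\Documents and Settings\All Users\Application Data\MFAData'
)

$scriptedFiles = @(
    'C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini',
    'C:\WINDOWS\system32\c_61212.nl_',
    'C:\Documents and Settings\Tim\Local Settings\Application Data\msesbucf.txt',
    'C:\Documents and Settings\All Users\msrecovery.cfc',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini',
    'C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini'
)

function Get-RemainingPaths {
    param([string[]]$Paths)
    # -LiteralPath so '$' and other wildcard-like characters are taken literally.
    # The leading comma keeps the result an array even when 0 or 1 items match.
    return ,@($Paths | Where-Object { Test-Path -LiteralPath $_ })
}

# Per-item report, one line each
foreach ($p in ($remnantFolders + $scriptedFiles)) {
    $state = if (Test-Path -LiteralPath $p) { 'STILL PRESENT' } else { 'gone' }
    Write-Host ('{0,-14} {1}' -f $state, $p)
}

$leftFolders = Get-RemainingPaths -Paths $remnantFolders
$leftFiles   = Get-RemainingPaths -Paths $scriptedFiles
$total = $leftFolders.Count + $leftFiles.Count

if ($total -eq 0) {
    Write-Host 'All listed remnants are gone.'
} else {
    Write-Host ("{0} item(s) remain; paste this output into the next reply along with the logs." -f $total)
}
```

Run it from a PowerShell window after the ComboFix step has finished and the machine has rebooted. PowerShell is not installed on Windows XP by default, so on that system it has to be added first; the script does not remove anything itself, since the decision about what to delete stays with the helper following the logs.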
