21. 11. 2009, 04:33 UTC+1


NiteHawk

Community member

Registered:
14.02.2006


Version: AntiVir Personal


Operating system: Win 2000, XP Pro SP3 - Ubuntu 8.04 LTS



1

12. 05. 2009, 11:40

Detect and remove "Drivers32" malware (Daonol, Kates)

Recently many forum users are reporting problems with certain viruses. It's possible that AntiVir detects and reports a corresponding file, but cannot fight or remove it effectively, since it's always recreated instantly. Currently known variants:
  • TR/Agent.its
  • TR/Agent.imh
  • TR/PSW.Delf.AH
  • TR/Spy.Delf.tge
  • TR/PSW.Kates.C.25
  • TR/Drop.Agent.qna.2
Please also consider:
  • This scenario may also apply if you are unable to update AntiVir - especially over an extended period of time. A characteristic symptom is that the update report contains the error message "HTTP status code 403" or "403 Forbidden". If that's the case, please use a "manual" / offline update first.
  • Also typical: If this malware is active, it may prevent execution of the registry editor (regedit.exe) and command prompt (cmd.exe). In this case these applications can only be started after renaming their executables.
  • In a few cases these viruses seemingly were also able to prevent installation of the paid products (AntiVir Premium, resp. Avira Premium Security Suite), due to the fact that the license activation was impossible.

(Instead of a manual search and removal you may also use the program DaonolFix.exe, see the second posting in this thread.)

Under these circumstances please proceed as follows:

Step 1:

Verify the "Drivers32" section of your registry: "Start" - "Run" - regedit.exe. (If it's not possible to open the registry editor, you'll have to rename regedit.exe first, e.g. to regwork.exe. See Footnote A.)

On the left-hand side ('tree view') navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32. To do this expand each 'branch' by clicking on the small plus sign (first HKEY_LOCAL_MACHINE, thereafter SOFTWARE, then Microsoft, ...). When you've reached the Drivers32 node, you'll see various "names" and values on the right-hand side - typically there are several "wdmaud.drv" among these values.



Now check the file names listed under "Data" for suspicious entries. You'll recognise those by two consecutive dots "...\..\..." contained within the file name, which never happens with regular values. In the forum we have observed these entries frequently either point to the Windows directory (C:\WINDOWS\system32\..\...) or to a temporary folder of the active (logged in) user (C:\DOCUME~1\<user name>\LOCALS~1\Temp\..\...). The actual file name normally will be a random combination of letters, e.g. hgwoeea.gry. (Pay special attention to the various aux<n> entries!) The above example shows the malware is located in "C:\DOCUME~1\John Doe\LOCALS~1\Temp\..\agugljj.cyq" and manifests itself under "aux2" in the registry. The file name normally is easy to find - it should noticeably match the corresponding detection message of AntiVir! (addendum: Footnote B.)

(If you are unsure which entry belongs to the malware, please export this part of your registry as C:\drivers32.txt - see Footnote C. Open a new forum thread with a description of your problem, copy the contents of this file and insert (paste) it into your post. Helpful people in the forum will be glad to give you further assistance.)

Step 2:

Please write down the malware file name, make a screenshot or maybe print it - so you have this information available in case it is needed later.

Now select/highlight the malicious entry ("aux2" in our example) and delete it ("Del" key). Confirm the deletion, close the registry editor and reboot your computer (Important!).



Step 3:

(If you had to rename the registry editor, you may now change regwork.exe back to regedit.exe. However, it's possible that Windows' system file protection "SFP" has already restored regedit.exe automatically for you, just delete the no longer needed regwork.exe then.)

At this point cmd.exe, regedit.exe and the AntiVir update should be back to normal function, please check this! Additionally, the premium versions of AntiVir should also install without trouble again.

After updating AntiVir please run a "Complete system scan" now - to ensure no other malicious files have made it to your PC... Watch out for AntiVir to really recognize the virus file that you have identified above, and have it quarantined. If AntiVir does not detect the file in question, please submit it to www.virustotal.com and Avira, and report back the results to the forum.

Step 4:

To prevent your system from being easily re-infected, please take a bit of your time and use some protective measures.

There are some hints that this malicious code and the Drivers32 entry might have gotten to your PC through vulnerabilities of applications like Flash Player, Acrobat Reader or even Windows' own MDAC (Microsoft Data Access Components). Consider the following advice:
  • "Active" internet content (JavaScript, ActiveX, ...) if possible should be blocked, disabled/denied or limited to trustworthy sites.
  • Keep Windows up to date by applying security updates/patches. Activate / make use of "Automatic Updates", or check www.windowsupdates.com for updates yourself at regular intervals.
  • Do the same for application programs - frequent example: the Java runtime environment (JRE). As vulnerabilities or exploits become known, it's especially important to upgrade to patched versions of each application. A tool like Secunia Personal Software Inspector (PSI) might help you to detect problematic programs on your system.
  • A lot of malware can only 'install' to your system, if it has unlimited access rights available ("administrator" account). It's much more secure if you setup and use a limited user account for your daily work!
With all of that: I wish you a virus-free time!

Regards, NiteHawk
___

Footnote A.:
If regedit.exe doesn't start (typically desktop and task bar will disappear for about 2 seconds and then reappear again), please open your Windows directory ("My Computer" --> "C:" --> "Windows") and temporarily change the file name to something different, e.g. regwork.exe:


Footnote B.:
Be aware that the (file) name plays 'hide and seek': The two dots result in the file being one directory 'above' what you would expect. The file "C:\WINDOWS\system32\..\hgwoeea.gry" isn't located under C:\WINDOWS\system32\, but points to C:\WINDOWS\hgwoeea.gry instead. The example file "C:\DOCUME~1\John Doe\LOCALS~1\Temp\..\agugljj.cyq" isn't in "Temp" either, but again one folder 'further up' - due to the path names shortened by Windows you ultimately would have to look for this file in C:\Documents and Settings\John Doe\Local Settings\agugljj.cyq.

Footnote C.:
Please select the "Drivers32" key by clicking on it (it will be highlighted), then select "File" and "Export...". Type in C:\drivers32.txt for the file name:

___

[EDIT] Added new variant: "TR/Spy.Delf.tge".
[EDIT2] Modified title, brought known variants into list form, and added "TR/PSW.Kates.C.25".
[EDIT3] Hint at DaonolFix.exe, added "TR/Drop.Agent.qna.2".
[EDIT4] Recommendation of limited user accounts.
"Sudo for Dummies" (external link to a Groklaw article)

This post has been edited 4 times. Last edited by "NiteHawk" (23.05.2009, 10:54)
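The manual check in Step 1 and Footnote B can be automated against the C:\drivers32.txt export from Footnote C. The following script is an added example, not part of the original post or of DaonolFix: it parses a constructed regedit export, flags Drivers32 values whose data contains a "\..\" component, and collapses the ".." (plus the typical XP 8.3 short names, which are an assumption) to show where the file really lives.

```python
import ntpath
import re

# Constructed sample of a regedit export of the Drivers32 key (the file the
# thread asks you to save as C:\drivers32.txt). Regedit doubles backslashes
# in exported string values, which is why the paths below show "\\".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"aux"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\John Doe\\LOCALS~1\\Temp\\..\\agugljj.cyq"
"aux3"="C:\\WINDOWS\\system32\\..\\hgwoeea.gry"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Assumed 8.3 short names of a default Windows XP install; the real mapping
# can only be confirmed on the affected machine (dir /x), so treat as a hint.
SHORT_NAMES = {"DOCUME~1": "Documents and Settings", "LOCALS~1": "Local Settings"}


def parse_export(text):
    """Return {value_name: data} for the string values in a regedit export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def is_suspicious(data):
    """Regular Drivers32 data is a bare driver name; a '\\..\\' component is the tell."""
    return "\\..\\" in data


def resolve(data):
    """Collapse the '..' and expand the assumed 8.3 names to the real location."""
    real = ntpath.normpath(data)
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in real.split("\\"))


def find_daonol(text):
    """Return [(value_name, registry data, resolved path)] for suspicious entries."""
    return [(n, d, resolve(d)) for n, d in parse_export(text).items() if is_suspicious(d)]


if __name__ == "__main__":
    for name, data, real in find_daonol(SAMPLE_EXPORT):
        print(f"{name}: {data}  <<-- suspicious, file is at {real}")
```

Point the script at a real export instead of SAMPLE_EXPORT (regedit writes it as UTF-16, so open it with that encoding) and compare the resolved path with AntiVir's detection message before deleting anything.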


NiteHawk

Community membre

Date d’enregistrement:
14.02.2006


Version: AntiVir Personal


Système d’exploitation: Win 2000, XP Pro SP3 - Ubuntu 8.04 LTS



2

20. 05. 2009, 10:37

DaonolFix.exe

Instead of a manual search and removal you may use the program DaonolFix.exe.

Download the file from http://jpshortstuff.247fixes.com/beta/DaonolFix.exe ("DaonolFix (15.04.09) by jpshortstuff", 98KB, MD5:7dc34c4d75b4a7aa9b515e2dfd3d0782) and save it e.g. to your desktop. Launch the program with a double click.

Select Option "1. Find Daonol (no fix)" to search for malicious entries (Step 1 above). The program will then list a lot of files - don't worry, they are just being scanned. Finally a report will open up, that also gets saved to your desktop as DaonolFix.txt. If needed, copy the contents of that file into the forum, as described above for the drivers32.txt. Watch out for lines that have been marked "<<-- Daonol Detected!" at the end, those are the ones we hunt for here.

The Option "2. Fix Daonol" will remove those suspicious entries (Step 2 above).

Please also continue with steps 3 and 4 from above afterwards!

Regards, NiteHawk

This post has been edited 1 time. Last edited by "NiteHawk" (20.05.2009, 12:24)


NiteHawk




3

23. 05. 2009, 11:29

Warning
There are a number of reports indicating a connection between this malware and the massive series of trojans and exploits at gumblar.cn and martuz.cn. While early variants might have been relatively 'harmless', it's increasingly probable this malware causes more harm than can be detected at first sight. The early variants 'only' redirected search (engine) results, prevented updates and blocked execution of certain applications. However, by now it's possible that a backdoor gets installed at the same time, allowing unauthorized access to your PC.

A problem with all of this: 'the' (single) "gumblar" trojan actually doesn't exist. Instead, over the past few weeks an increasing number of 'customized' exploits was observed, explicitly tailored to exploit security vulnerabilities on the victim's PC for delivering an actual 'payload'. This (malicious) payload could be anything, and sometimes varies from minute to minute.

With the above malware at least one of these payloads actually 'made it' onto your PC! Your system got compromised - and, according to what was said before, it's difficult or impossible to tell to what degree that happened. Please consider seriously, if it wouldn't be better and also much more secure if you'd backup your personal data/documents and reinstall the system from scratch - or restore a (known clean!) backup/image.

If you own webspace (a personal homepage) or have FTP access to other computers, you need to thoroughly check the data stored in these places, too! It's possible that content you uploaded got modified or credentials were stolen (username/password). Part of "Gumblar" spreading so fast is probably due to the fact of these numerous infected web sites, that result in unsuspecting visitors being redirected to the very next exploit...

Regards, NiteHawk

Some Links:
http://www.security-forums.com/viewtopic.php?p=298335
http://www.bleepingcomputer.com/forums/i…dpost&p=1162924
http://miekiemoes.blogspot.com/2008/10/f…archengine.html
http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
http://www.martinsecurity.net/2009/05/20…-ataque-gumblar
http://www.gdata.de/ueber-g-data/pressec…nung-neuer.html (German, --> Google translation)

NiteHawk




4

04. 06. 2009, 17:02

With thanks to Sebastian Lienau:


http://googleonlinesecurity.blogspot.com…ware-sites.html

Regards, NiteHawk

This post has been edited 1 time. Last edited by "NiteHawk" (04.06.2009, 17:32)
