Author Topic: War inside my computer! Win32:Agent-LNK [Wrm]  (Read 63889 times)


djmichaelwenz
War inside my computer! Win32:Agent-LNK [Wrm]
« on: December 13, 2007, 10:17:59 PM »
Please Help Me!

I got a Trojan virus about 4 days ago. Since then I have tried Ad-Aware, Spybot Search and Destroy, AVG, the Windows Malicious Removal tool, and now I am getting basically the same trouble with the Avast Home free software. I have just done a repair installation of Windows XP Pro.

Right now I have two problems:

1. After doing my repair installation, my Windows Updates do not run. I get error code 0x80080008!!! I looked on Microsoft's site for the error code and I can't seem to make any sense of it...

2. Each time I power up the computer, shortly after going on the internet, I get this:

C:\WINDOWS\system32\drivers\smtpdrv.sys

Win32:Agent-LNK [Wrm]

Virus/Worm

071213-0, 12/13/2007

If you could help I would be in your debt forever; please, I have put over 20 hours into fixing this... I am not that smart when it comes to advanced computer management, so you might have to elaborate slightly more than usual.

Here are my HijackThis notes. ALSO, I DO NOT KNOW WHAT OR WHY THERE IS A SITE CALLED www.iwalton.com; I have never heard of it before????

Also what is the search at msn.com thing?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:33 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AE4005E-689F-4FB9-8C3D-D2B8B58AC072} - C:\WINDOWS\system32\tuvsqnm.dll
O2 - BHO: {e7939e13-78b7-9fcb-76e4-0f2b7d425fe2} - {2ef524d7-b2f0-4e67-bcf9-7b8731e9397e} - C:\WINDOWS\system32\qgejfohm.dll (file missing)
O2 - BHO: (no name) - {31BD17DA-DB09-4DD7-BFFD-3976F8A6F41A} - (no file)
O2 - BHO: (no name) - {4732E7F4-DBCB-454F-81CF-AB4DA6F3F065} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E584C09D-3AEB-4029-B45B-E70B4F98BF6E} - (no file)
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:  C:\WINDOWS\system32\alg.dll
O20 - Winlogon Notify: tuvsqnm - C:\WINDOWS\SYSTEM32\tuvsqnm.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe

--
End of file - 5255 bytes



oldman
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #1 on: December 13, 2007, 10:54:09 PM »
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log along with a new HJT log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Run ComboFix first, then HijackThis.


essexboy
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #2 on: December 13, 2007, 10:56:14 PM »
Try these steps

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: {e7939e13-78b7-9fcb-76e4-0f2b7d425fe2} - {2ef524d7-b2f0-4e67-bcf9-7b8731e9397e} - C:\WINDOWS\system32\qgejfohm.dll (file missing)
O2 - BHO: (no name) - {31BD17DA-DB09-4DD7-BFFD-3976F8A6F41A} - (no file)
O2 - BHO: (no name) - {4732E7F4-DBCB-454F-81CF-AB4DA6F3F065} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {E584C09D-3AEB-4029-B45B-E70B4F98BF6E} - (no file)
O20 - AppInit_DLLs:  C:\WINDOWS\system32\alg.dll
O20 - Winlogon Notify: tuvsqnm - C:\WINDOWS\SYSTEM32\tuvsqnm.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
________________________________

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\alg.dll
    C:\WINDOWS\SYSTEM32\tuvsqnm.dll
    C:\WINDOWS\system32\qgejfohm.dll
    C:\WINDOWS\system32\pmnnm.dll



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.

___________________________

Download and then run SUPERAntiSpyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found; click OK
  • On the next screen place a tick against all items and select NEXT
  • Now, to get the log, go to the PREFERENCES button on the bottom right
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a Notepad text file; copy and paste this into your next reply
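The entries essexboy ticked above are the ones a reviewer looks at first in a HijackThis log: O1 hosts lines that pin a public hostname (iwalton.com, auto.search.msn.com) to a remote address, so the machine never asks DNS for it; unnamed O2 BHOs, some pointing at DLLs that are already gone; and O20 AppInit_DLLs / Winlogon Notify entries, which are autostart points that load a DLL into every process or into winlogon.exe. The script below is an added example, not part of this thread or of HijackThis, that applies those same checks to a constructed sample made of lines copied from the first log plus a benign localhost entry; the `triage` and `summarize` names are the example's own.

```python
"""Triage helper for HijackThis-style O1 / O2 / O20 lines (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: lines copied from the first HijackThis log in the thread,
# plus one benign hosts entry so the triage has something to leave alone.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {2AE4005E-689F-4FB9-8C3D-D2B8B58AC072} - C:\\WINDOWS\\system32\\tuvsqnm.dll
O2 - BHO: (no name) - {31BD17DA-DB09-4DD7-BFFD-3976F8A6F41A} - (no file)
O2 - BHO: (no name) - {4732E7F4-DBCB-454F-81CF-AB4DA6F3F065} - C:\\WINDOWS\\system32\\pmnnm.dll (file missing)
O20 - AppInit_DLLs:  C:\\WINDOWS\\system32\\alg.dll
O20 - Winlogon Notify: tuvsqnm - C:\\WINDOWS\\SYSTEM32\\tuvsqnm.dll
O20 - Winlogon Notify: winjyg32 - C:\\WINDOWS\\
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify):\s*(.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O1"
    detail: str   # the part of the line that matters
    reason: str   # why a reviewer would look at it


def _is_local(addr: str) -> bool:
    """True for 127.x / ::1 / 0.0.0.0, the only targets a clean hosts file normally uses."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def check_o1(ip: str, host: str):
    if _is_local(ip):
        return None
    return Finding("O1", f"{host} -> {ip}",
                   "hosts file pins a public hostname to a remote address, "
                   "so lookups bypass DNS and go where the entry says")


def check_o2(name: str, clsid: str, tail: str):
    reasons = []
    if name == "(no name)":
        reasons.append("BHO has no name")
    if tail.endswith("(no file)") or tail.endswith("(file missing)"):
        reasons.append("registered but the DLL is gone (stale or half-removed)")
    if not reasons:
        return None
    return Finding("O2", f"{clsid} {tail}", "; ".join(reasons))


def check_o20(kind: str, rest: str):
    if kind == "AppInit_DLLs":
        return Finding("O20", rest.strip(),
                       "AppInit_DLLs is empty on a clean XP install; anything listed "
                       "here is loaded into every process that uses user32.dll")
    # Winlogon Notify lines look like "<subkey> - <dll path>"
    subkey, _, path = rest.partition(" - ")
    reason = "Winlogon Notify handler runs inside winlogon.exe at logon"
    if path.endswith("\\"):
        reason += "; path has no DLL filename, HijackThis could not resolve it"
    return Finding("O20", f"{subkey} {path}", reason)


def triage(log_text: str):
    """Return one Finding per O1/O2/O20 line that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O1_RE.match(line):
            f = check_o1(*m.groups())
        elif m := O2_RE.match(line):
            f = check_o2(*m.groups())
        elif m := O20_RE.match(line):
            f = check_o20(*m.groups())
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}\n      {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on the sample and it flags nine lines (three per section) and leaves the localhost entry and the Adobe BHO alone. The hosts check is deliberately simple: anything not loopback or 0.0.0.0 is reported, because a home PC has no reason to hard-code a search engine's address, and the user's own question about "the search at msn.com thing" is exactly such an entry.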


essexboy
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #3 on: December 13, 2007, 10:56:44 PM »
OOOOPs

DavidR
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #4 on: December 13, 2007, 11:07:37 PM »
I had an OOOPs moment too; I must improve my typing, but I managed to catch and delete mine. It was about 1 minute after yours and 2 after oldman.

However there doesn't appear to be an active firewall (probably XP only).

Also, JAVA is out of date.
Ensure you have the latest version of JRE (JAVA Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here: http://www.java.com/en/download/index.jsp
Or JRE version 6 update 3: http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

djmichaelwenz
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #5 on: December 14, 2007, 12:07:37 AM »
Thanks for the swift replies. I will do that when I get home from work tonight. I really appreciate it! Do you think this will fix my Windows Update problem?

Michael

djmichaelwenz
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #6 on: December 14, 2007, 06:12:55 AM »
Just did all that two seconds ago... Here are the results.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2007 at 10:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3361
Trace Rules Database Version: 1360

Scan type       : Complete Scan
Total Scan Time : 00:45:23

Memory items scanned      : 368
Memory threats detected   : 2
Registry items scanned    : 6948
Registry threats detected : 71
File items scanned        : 41090
File threats detected     : 35

Adware.Vundo-Variant/Small
   C:\WINDOWS\SYSTEM32\TUVSQNM.DLL
   C:\WINDOWS\SYSTEM32\TUVSQNM.DLL
   Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\tuvsqnm
   C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071213-215729-120.DLL

Trojan.WinFixer
   C:\WINDOWS\SYSTEM32\VTURO.DLL
   C:\WINDOWS\SYSTEM32\VTURO.DLL
   HKLM\Software\Classes\CLSID\{E668B37E-ED99-43CA-91BB-B5007CAA6B21}
   HKCR\CLSID\{E668B37E-ED99-43CA-91BB-B5007CAA6B21}
   HKCR\CLSID\{E668B37E-ED99-43CA-91BB-B5007CAA6B21}\InprocServer32
   HKCR\CLSID\{E668B37E-ED99-43CA-91BB-B5007CAA6B21}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E668B37E-ED99-43CA-91BB-B5007CAA6B21}

Adware.Vundo Variant
   HKLM\Software\Classes\CLSID\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}
   HKCR\CLSID\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}
   HKCR\CLSID\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}\InprocServer32
   HKCR\CLSID\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}
   HKCR\CLSID\{2AE4005E-689F-4FB9-8C3D-D2B8B58AC072}

Unclassified.Oreans32
   HKLM\System\ControlSet001\Services\oreans32
   C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
   HKLM\System\ControlSet002\Services\oreans32
   HKLM\System\CurrentControlSet\Services\oreans32
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
   HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
   C:\Documents and Settings\Michael\Cookies\michael@f3.thezirius[2].txt
   C:\Documents and Settings\Michael\Cookies\michael@thezirius[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@f5.thezirius[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@ad.zanox[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@f6.thezirius[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@f7.thezirius[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@ads.monster[2].txt
   C:\Documents and Settings\Michael\Cookies\michael@hornymatches[2].txt
   C:\Documents and Settings\Michael\Cookies\michael@mediaservices.myspace[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@adopt.euroclick[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@precisionclick[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@partner2profit[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@ads.pointroll[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@ultraxxxpasswords[2].txt
   C:\Documents and Settings\Michael\Cookies\michael@5.go.globaladsales[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@ads.adbrite[2].txt
   C:\Documents and Settings\Michael\Cookies\michael@advertising[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@www.teen-flicks[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@exact-find[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@adopt.specificclick[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@www.exact-find[1].txt
   C:\Documents and Settings\Michael\Cookies\michael@atdmt[1].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@footballfanatics.112.2o7[1].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@nextag[2].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@overture[1].txt
   C:\WINDOWS\system32\config\systemprofile\Cookies\system@server.iad.liveperson[1].txt

Trojan.Security Toolbar
   C:\Documents and Settings\Michael\Favorites\Antivirus Test Online.url

Adware.ClickSpring/Yazzle
   HKCR\YAZZLEACTIVEX.YazzleActiveXCtrl.1
   HKCR\YAZZLEACTIVEX.YazzleActiveXCtrl.1\CLSID
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#.Owner
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#{74CD40EA-EF77-4BAD-808A-B5982DA73F20}

Adware.E404 Helper/Hij
   HKCR\E404.e404mgr.1
   HKCR\E404.e404mgr.1\CLSID

Rootkit.RunTime2/CTLW32
   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys
   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ctl_w32.sys
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#DeviceDesc
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000#Capabilities
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CTL_W32\0000\Control
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#ImagePath
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#Type
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#ErrorControl
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#Start
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32#DependOnGroup
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#0
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#Count
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32\Enum#INITSTARTFAILED

Rootkit.SMTPDrv-Variant
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA083575-C8BC-499D-A2BE-274576AA87D3}\RP24\A0000329.SYS
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA083575-C8BC-499D-A2BE-274576AA87D3}\RP52\A0000430.SYS

Adware.Vundo Variant/Rel
   C:\WINDOWS\SYSTEM32\MNNMP.INI

Trojan.Downloader-Gen
   C:\WINDOWS\SYSTEM32\STU.DLL



djmichaelwenz
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #7 on: December 14, 2007, 06:14:08 AM »
AS I AM TYPING THIS, AVAST HAD ANOTHER "VIRUS FOUND" WINDOW POP UP... I JUST DELETED IT LIKE IN THE PAST... SO I AM STILL INFECTED.

I JUST RAN ANOTHER HIJACKTHIS.

Here it is...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:35 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31BD17DA-DB09-4DD7-BFFD-3976F8A6F41A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe

--
End of file - 4575 bytes



THANK YOU ALL SO MUCH!!!!!!

oldman
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #8 on: December 14, 2007, 08:13:32 AM »
@Essexboy and DavidR, don't worry about the oops, you ain't stepping on my toes. ;D

@djmichaelwenz

SAS seems to have gotten a lot of it. What was the detection?

Hold off on ComboFix for now. We'll get you to run a different scanner to see if there are some stray files lying around.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

djmichaelwenz
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #9 on: December 14, 2007, 09:04:50 AM »
Thank You !

I could not seem to get the logs under 1000 characters, so here is the text saved in two Notepad files...

MAIN
http://www.sendspace.com/pro/dl/b2rxdm

EXTRA
http://www.sendspace.com/pro/dl/x9o7tf



I also found this
http://windowssecrets.com/comp/070927/#story1

This describes my problems exactly...

THANK YOU A MILLION!!!!!!!!!!

 :)


wise-wistful
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #10 on: December 14, 2007, 11:19:39 AM »
Follow these rules from http://virusinfo.info/forumdisplay.php?f=91&styleid=5&langid=1.

Scan your PC:

1. Download the AVZ Antiviral Toolkit (http://z-oleg.com/avz4en.zip). Even if you have once downloaded AVZ, you should still download it again, because the new diagnostics options for the malware programs are being regularly updated. (About 2 MB)
* The utility offers a wide range of options for a system scan besides the malicious software neutralization: please read the help file of the Toolkit.

2. Extract it from the archive to its own folder.
* Start AVZ and update its databases ("File" => "On-line automatic update"). Close AVZ.

3. Download the latest version of HijackThis.
* Even if you have once downloaded HijackThis, download it again to make sure you have the latest version. (About 200 KB)

4. Extract HijackThis from the archive to its own folder.

5. Turn off System Restore (Windows Me/XP).
* Follow the instructions in Appendix 1.


Prior to taking the following steps (6, 8, 10), please close all of your anti-virus programs, games, text editors and all other applications, except your Internet browser!!!

6. Start AVZ. Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on "Execute selected scripts".
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
7. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart.
8. Start AVZ. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box. Click on "Execute selected scripts".
A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
9. Start HijackThis. If the program malfunctions or stops working right after the start, download the renamed file of HijackThis here and use it in the following instructions.
10. Click on "Do a system scan and save a logfile".
11. Save the logfile. The logfile will be saved in the program folder as hijackthis.log by default.

If you want, go to http://virusinfo.info/forumdisplay.php?f=91&styleid=5&langid=1

oldman
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #11 on: December 14, 2007, 02:27:30 PM »
Thank You !

I could not seem to get the logs under 1000 characters, so here is the text saved in two Notepad files...

You can either use multiple posts or use the extra options on the reply page to attach the logs. It's at the lower left corner of the reply box. Click it, scroll down a bit and you will see a box for attachments. ;)

There's a bit left, so go ahead and download and run ComboFix as in the instructions earlier. Just let the scan complete. Even if it doesn't look like it, ComboFix is running if you see any kind of hard drive activity, lights etc. It may reboot your computer; that's OK.
« Last Edit: December 14, 2007, 02:49:16 PM by oldman »

djmichaelwenz
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #12 on: December 14, 2007, 10:06:37 PM »
Thank you so much again for all of your replies and help!

I ran ComboFix twice and waited over an hour each time. It seemed to be frozen when it says "removing files and folders"... I am going to try again... I did get the Windows Updates to install by doing the fix in my previous post.

Thanks
Michael

oldman
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #13 on: December 14, 2007, 10:14:00 PM »
Okay, try pausing avast and any other resident scanner you have. I see you have Spybot; make sure TeaTimer is off.

Physically disconnect from the internet before you do this. Pull the plug.

djmichaelwenz
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #14 on: December 15, 2007, 01:25:25 AM »
I disabled SUPERAntiSpyware and avast and ran the program; it hangs on deleting files/folders... I have tried twice. My clock is changed when I reboot now though...

Thanks again!!