Author Topic: War inside my computer! Win32:Agent-LNK [Wrm]  (Read 63890 times)

0 Members and 1 Guest are viewing this topic.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #15 on: December 15, 2007, 05:26:28 AM »
 
Quote
My clock is changed when I reboot now tho...

Just manually reset it. Combofix didn't finish, so let's thin it out a bit. You can turn avast on if you haven't all ready.

Submit these files to www.virustotal.com  Just copy and paste them one at a time in the submit a file box on their page, wait for the results and post them here  (tip: you can open multiple browsers and submit a file on each, please identify each when posting the results)

c:\windows\system32\drivers\fub04.sys
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\xpdx.sys
C:\-2132482456
C:\Install


Open OTMOVEIT and squash these ones

C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\systems.txt
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\orutv.ini2
C:\Program Files\Helper


Please post the OTMOVEIT  results and a new DSS log.
« Last Edit: December 15, 2007, 07:57:46 AM by oldman »

djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #16 on: December 16, 2007, 01:29:09 AM »
Will do, Thank you so much for the help. Actually it seems that the viruses are gone!!!! (for now).I have been using my computer all day and nothing in avast came up! I have run super antispyware too and nothing... It looks like its gone!

Im going to submit the files and run omove it again.

The only thing that is going on now and I am not sure if this is related, when I shut down there is a Application Error message "the instructed memory at the selected application( something I cannot read cause it comes up so fast)" I downloaded the hive cleanup service and it still does it, but no more Virus warnings...

THANKS A MILLION

djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #17 on: December 16, 2007, 01:32:20 AM »
O move it results

File/Folder C:\WINDOWS\zts2.exe not found.
File/Folder C:\WINDOWS\system32\vcmgcd32.dll not found.
File/Folder C:\WINDOWS\system32\systems.txt not found.
File/Folder C:\WINDOWS\system32\iifgfgf.dll not found.
File/Folder C:\WINDOWS\rundll16.exe not found.
File/Folder C:\WINDOWS\rundl132.dll not found.
File/Folder C:\WINDOWS\logo1_.exe not found.
File/Folder C:\WINDOWS\system32\mnnmp.ini2 not found.
File/Folder C:\WINDOWS\system32\orutv.ini2 not found.
File/Folder C:\Program Files\Helper not found.
 
Created on 12-16-2007 18:31:54

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #18 on: December 16, 2007, 01:40:12 AM »
Could you please post another DSS log. OTMOVEIT didn't find the files/folders in question, so they are either indeed gone or very well hidden.


edit to add: Could you check this location for a text or log file?

C:\Combofix
« Last Edit: December 16, 2007, 03:00:54 AM by oldman »

djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #19 on: December 16, 2007, 06:37:13 AM »
Here is the DSS

djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #20 on: December 16, 2007, 06:40:15 AM »
The combofix folder has only two text doc's


Pend.txt
\??\C:\ntdetect.com\0\0
\??\C:\boot.ini\0\0
\??\C:\ntldr\0\0
\??\C:\WINDOWS\0\0
\??\C:\WINDOWS\explorer.exe\0\0
\??\C:\WINDOWS\system32\csrss.exe\0\0
\??\C:\WINDOWS\system32\lsass.exe\0\0
\??\C:\WINDOWS\system32\services.exe\0\0
\??\C:\WINDOWS\system32\smss.exe\0\0
\??\C:\WINDOWS\system32\svchost.exe\0\0
\??\C:\WINDOWS\system32\userinit.exe\0\0
\??\C:\WINDOWS\system32\winlogon.exe\0\0
\??\C:\WINDOWS\system32\hal.dll\0\0
\??\C:\WINDOWS\system32\ntdll.dll\0\0
\??\C:\WINDOWS\system32\config\0\0
\??\C:\WINDOWS\system32\drivers\0\0
\??\C:\WINDOWS\system32\wbem\0\0


and

cobbofix.txt

ComboFix 07-12-15.1 - Michael 2007-12-15 18:12:26.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.763 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe


Geez Oldman, You are the best tech support I have ever received!!! You are the god of DATA!
Thank You Thank You!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #21 on: December 16, 2007, 10:40:19 AM »
It looks like combofix died a valiant death, it took some with it. But there is more, possibly a rootkit involved.

Please delete the copy of combofix.exe you have and down load a new one. Don't run it yet.

Open Spybot and make sure teatimer is disabled. To do so do the following

Click mode
click Advanced mode
if you get a warning answer "yes"
click tools
click resident
uncheck resident "teatimer" and SDHelper if installed
click allow change
reboot

Open OTMOVEIT and kill these files

C:\WINDOWS\system32\hlvbfwoq
C:\WINDOWS\F?nts
C:\Program Files\winupdate
C:\WINDOWS\system32\drivers\ctl_w32.sys




I really need you to submit these files to www.virustotal.com and the results posted here. It will go along way in resolving this.



C:\Install
C:\-2132482456
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\4k98lr8i
C:\WINDOWS\ivtrm74h
C:\WINDOWS\system32\drivers\Fub04.sys




Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

(the download link is server1 or server2, or server3)

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.


Next, select the backup options:

- System registry:

- Current user registy: .

- Other open user registries:

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.



REGISTRY FIX
Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zima]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dszyvsla]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bunebkbk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9a7adf1a.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80e4e6c7]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\09b4ff53.exe]




Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad click FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
make sure the box at the top is set to save in Desktop

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.


Okay we'll give combofix another go.


Close all browsers and windows and run combofix. Let it run undisturbed, your desktop may appear frozen that's normal, watch for hardrive activityof any kind. Do not move the mouse, just let it run.


Let me know if you encounter any problems with the any of the above. Please do all the steps in order that they where posted.

In your next reply please include the OTMOVEIT results, the virustotal results, and the combofix log.










djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #22 on: December 16, 2007, 08:04:54 PM »
Ok, I will start doing the things on the list. Thank You so much, I figured out virus total just now, I was doing it wrong before...

« Last Edit: December 16, 2007, 08:15:46 PM by djmichaelwenz »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #23 on: December 16, 2007, 08:39:41 PM »
Okay, when you run combofix, please do it in safe mode. It should only take about 20 minutes or so. Please let me know if you have any poblems.

djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #24 on: December 16, 2007, 08:43:07 PM »
Uploading to virustoatal this file

C:\WINDOWS\system32\xpdx.sys

I get this on a blank page...

0 bytes size received / Se ha recibido un archivo vacio

same result uploading this file

C:\WINDOWS\system32\drivers\Fub04.sys

Results


File ivtrm74h received on 12.16.2007 20:28:05 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.12.15.10   2007.12.14   -
AntiVir   7.6.0.45   2007.12.16   -
Authentium   4.93.8   2007.12.16   -
Avast   4.7.1098.0   2007.12.16   -
AVG   7.5.0.503   2007.12.16   -
BitDefender   7.2   2007.12.16   -
CAT-QuickHeal   9.00   2007.12.15   -
ClamAV   0.91.2   2007.12.16   -
DrWeb   4.44.0.09170   2007.12.16   -
eSafe   7.0.15.0   2007.12.16   -
eTrust-Vet   31.3.5377   2007.12.15   -
Ewido   4.0   2007.12.16   -
FileAdvisor   1   2007.12.16   -
Fortinet   3.14.0.0   2007.12.16   -
F-Prot   4.4.2.54   2007.12.16   -
F-Secure   6.70.13030.0   2007.12.16   -
Ikarus   T3.1.1.15   2007.12.16   -
Kaspersky   7.0.0.125   2007.12.16   -
McAfee   5186   2007.12.14   -
Microsoft   1.3109   2007.12.16   -
NOD32v2   2723   2007.12.14   -
Norman   5.80.02   2007.12.13   -
Panda   9.0.0.4   2007.12.16   -
Prevx1   V2   2007.12.16   -
Rising   20.22.41.00   2007.12.14   -
Sophos   4.24.0   2007.12.16   -
Sunbelt   2.2.907.0   2007.12.15   -
Symantec   10   2007.12.15   -
TheHacker   6.2.9.160   2007.12.14   -
VBA32   3.12.2.5   2007.12.15   -
VirusBuster   4.3.26:9   2007.12.16   -
Webwasher-Gateway   6.6.2   2007.12.16   -
Additional information
File size: 426 bytes
MD5: 8f117a9afb313bde664ca941087ee140
SHA1: ea48cabdcdfef2cce64e103dbed40cabcf3b15a1
PEiD: -

Now onto spybot and the rest...




Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #25 on: December 16, 2007, 08:50:41 PM »
Uploading to virustoatal this file
C:\WINDOWS\system32\xpdx.sys
I get this on a blank page...
0 bytes size received / Se ha recibido un archivo vacio
Do you have access rights to the folder where the file is, I mean, are you logged as an administrator? If not, you won't be able to upload a system32 file.
Can you copy it to another folder (your desktop, for instance) and try?
Which is the size (bytes) of this file?

C:\WINDOWS\system32\drivers\Fub04.sys
Same here...
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #26 on: December 16, 2007, 08:52:28 PM »
Hi Tech. That result is usually from a file that is being hidden by a rootkit. It just comfirms my suspicion.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #27 on: December 16, 2007, 08:57:47 PM »
Hi Tech. That result is usually from a file that is being hidden by a rootkit. It just comfirms my suspicion.
Sorry... I'm not good on these things... you're seems right. Sorry again, just trying to help.
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #28 on: December 16, 2007, 09:01:42 PM »
No problem tech. ;D  Help is always good. The first time I saw that, I didn't know what to make of it either. I could see the file in windows, but scanners and some removal tools couldn't. Now it makes sense.

djmichaelwenz

  • Guest
Re: War inside my computer! Win32:Agent-LNK [Wrm]
« Reply #29 on: December 16, 2007, 09:36:30 PM »
omoveit
C:\WINDOWS\system32\hlvbfwoq moved successfully.
File/Folder C:\WINDOWS\F?nts not found.
File/Folder C:\Program Files\winupdate not found.
File/Folder C:\WINDOWS\system32\drivers\ctl_w32.sys not found.
 
Created on 12-17-2007 14:10:03

combofix
pend.txt
\??\C:\ntdetect.com\0\0
\??\C:\boot.ini\0\0
\??\C:\ntldr\0\0
\??\C:\WINDOWS\0\0
\??\C:\WINDOWS\explorer.exe\0\0
\??\C:\WINDOWS\system32\csrss.exe\0\0
\??\C:\WINDOWS\system32\lsass.exe\0\0
\??\C:\WINDOWS\system32\services.exe\0\0
\??\C:\WINDOWS\system32\smss.exe\0\0
\??\C:\WINDOWS\system32\svchost.exe\0\0
\??\C:\WINDOWS\system32\userinit.exe\0\0
\??\C:\WINDOWS\system32\winlogon.exe\0\0
\??\C:\WINDOWS\system32\hal.dll\0\0
\??\C:\WINDOWS\system32\ntdll.dll\0\0
\??\C:\WINDOWS\system32\config\0\0
\??\C:\WINDOWS\system32\drivers\0\0
\??\C:\WINDOWS\system32\wbem\0\0


combofix.txt
ComboFix 07-12-16.3 - Michael 2007-12-17 14:17:31.8 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.861 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
.


thank you!!!!!!