War inside my computer! Win32:Agent-LNK [Wrm]

[oldman]

Please post a new DSS log. Did combofix complete it's run?

[djmichaelwenz]

Yes, combofix did finish running! It rebooted.

Here is the dss log

[oldman]

Thanks. combofix log was incomplete.

Give me a few minutes to go over the log.

[oldman]

It's looking better. Did you do the reistry fix?

Please submit these files to www.virustotal.com  and post the results

C:\Install
C:\-2132482456
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\emptyregdb.dat

After you post the results we'll continue.

[djmichaelwenz]

Yes, I did the registry fix. Thank You Thank You!!! You are the best!!

I think I did this right... Here are the results in that order..

MD5:     3ad69c332ff5ea2c803d9fe468ad3005
Date:    12.10.2007 01:01:32 (CET) [>7D]
Results:    6/32
Permalink:    resultado.html?69d1b51410855db17342ec6072dbdaf6



File has already been analysed:
MD5:    444bcb3a3fcf8389296c49467f27e1d6
Date:    06.12.2007 14:58:16 (CET) [>187D]
Results:    2/31
Permalink:    resultado.html?9613fdd016f23aef25d7ce0e44d3c8b4


File has already been analysed:
MD5:    4aa1108231e158a00afbde5c719e54ee
Date:    11.20.2007 01:42:45 (CET) [>27D]
Results:    1/32
Permalink:    resultado.html?86348d7d19aeaf95e0df266917e63fbd




File emptyregdb.dat received on 12.17.2007 01:56:56 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.12.15.10   2007.12.14   -
AntiVir   7.6.0.45   2007.12.16   -
Authentium   4.93.8   2007.12.16   -
Avast   4.7.1098.0   2007.12.16   -
AVG   7.5.0.503   2007.12.16   -
BitDefender   7.2   2007.12.17   -
CAT-QuickHeal   9.00   2007.12.15   -
ClamAV   0.91.2   2007.12.17   -
DrWeb   4.44.0.09170   2007.12.16   -
eSafe   7.0.15.0   2007.12.16   -
eTrust-Vet   31.3.5377   2007.12.15   -
Ewido   4.0   2007.12.16   -
FileAdvisor   1   2007.12.17   -
Fortinet   3.14.0.0   2007.12.16   -
F-Prot   4.4.2.54   2007.12.17   -
F-Secure   6.70.13030.0   2007.12.17   -
Ikarus   T3.1.1.15   2007.12.17   -
Kaspersky   7.0.0.125   2007.12.17   -
McAfee   5186   2007.12.14   -
Microsoft   1.3109   2007.12.17   -
NOD32v2   2723   2007.12.14   -
Norman   5.80.02   2007.12.13   -
Panda   9.0.0.4   2007.12.16   -
Prevx1   V2   2007.12.17   -
Rising   20.22.41.00   2007.12.14   -
Sophos   4.24.0   2007.12.16   -
Sunbelt   2.2.907.0   2007.12.15   -
Symantec   10   2007.12.15   -
TheHacker   6.2.9.160   2007.12.14   -
VBA32   3.12.2.5   2007.12.15   -
VirusBuster   4.3.26:9   2007.12.16   -
Webwasher-Gateway   6.6.2   2007.12.17   -
Additional information
File size: 23348 bytes
MD5: ba73f9237d1c6878081736103f932cb9
SHA1: 982476d34fc5e2ffd792fc0a9759404c481326b2
PEiD: -

[oldman]

I asked about the regfix because I'm not seeing the changes.  Did you get a successful message?

But let's go forward

Please download The Avenger by Swandog46 to your Desktop.

1.
• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

Files to delete:
C:\WINDOWS\system32\drivers\Fub04.sys

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
  
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  
• Copy/Paste all the text  in the above quote box into this window by
• MAKE SURE THE TEXT MATCHES EXACTLY
  
• Click Done
  
• Now click on the Green Light to begin execution of the script
  
• Answer "Yes" twice when prompted.
  

3. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  
  

4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log  
[/quote]

[oldman]

Please note for avenger

All windows/browser except avenger should be closed BEFORE CLICKING THE GREEN LIGHT.

[djmichaelwenz]

I think I did this right...I did that and I got

Error:  selected file does not appear to be a valid script.
Error code: 0

[oldman]

I think I did this right...I did that and I got

Error:  selected file does not appear to be a valid script.
Error code: 0

Did you copy everything in the quote box including files to delete: ?

[djmichaelwenz]

I am pretty sure, I entered...

C:\WINDOWS\system32\drivers\Fub04.sys

[djmichaelwenz]

Oh wait, silly me

[djmichaelwenz]

DUH...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tswaufuh

*******************

Script file located at: \??\C:\qdqcwemo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\drivers\Fub04.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\Fub04.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\Fub04.sys
Status: 0xc0000022


Completed script processing.

*******************

Finished!  Terminate.

[oldman]

Well, let's take a deeper look

Pay particular attention to notepad's format as given in the instructions.




Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Close ALL OTHER PROGRAMS.
  
• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  NOTE: no additional scan required at this time
  

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

This log will be quite long.  You can either use multiple post or attach the log file if its easier.  In either case make sure the last line is < End of Report >.

Just set it like in the image in the picture in this link, except change the two dates from 30 days to 90 days


http://forum.avast.com/index.php?topic=31261.msg260811#msg260811

click the pic to enlarge

[djmichaelwenz]

I am fairly certain that I got the options correct, I did the same as the image except I changed the two dates from 30 to 90...

THANK YOU FOR ALL THE SPECIAL ATTENTION!

Attached is the Log

[oldman]

Thanks, I'm at work right now, so I won't be able to go over it "till later.

How is everthing on your end?