Author Topic: How can I get rid of win32:mutant-ag ???  (Read 11527 times)


steve paper

  • Guest
How can I get rid of win32:mutant-ag ???
« on: May 23, 2008, 01:28:33 AM »
Hello,

   I discovered that a good number of files in my system32 folder are infected with win32:mutant-ag, and, a friend of his I guess, Win32:agent-vgv. I've put the infected files in Avast! quarantine, but what to do now?

Thanks

ardvark

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #1 on: May 23, 2008, 01:43:04 AM »
I discovered that a good number of files in my system32 folder are infected with win32:mutant-ag, and, a friend of his I guess, Win32:agent-vgv. I've put the infected files in Avast! quarantine, but what to do now?

Hi....

Ouch :(

I would first ensure that you have cleaned out the system and that Avast caught everything. An online scan can help with that.....ewido being one as long as you use Internet Explorer:

http://www.ewido.net/en/onlinescan/

After that, if you are running Windows XP, you can open the "Run" command window and enter "chkdsk /r" (do not use the quotation marks) which should replace any system files that were infected.

Best Regards...
« Last Edit: May 23, 2008, 01:45:32 AM by ardvark »

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #2 on: May 23, 2008, 02:05:18 AM »
It's that bad ?
I'm scanning with Ewido right now. Thanks for the tip.
But I'm not sure what "Run command window" is, because I'm French speaking, and my computer is in French. Is it the command bar in the Start menu that's used to execute special commands in Windows?

ardvark

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #3 on: May 23, 2008, 02:19:12 AM »
It's that bad ?
I'm scanning with Ewido right now. Thanks for the tip.
But I'm not sure what "Run command window" is, because I'm French speaking, and my computer is in French. Is it the command bar in the Start menu that's used to execute special commands in Windows?

Hi...

Yes to the latter question, possibly yes to the former. :(

Click "Start"---->"Run"---->type in "chkdsk /r" (do not use quotations.)

It will probably ask you if you want to schedule the scan upon restarting the computer, click "yes."

:)

Best Regards...
« Last Edit: May 23, 2008, 02:21:13 AM by ardvark »

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #4 on: May 23, 2008, 02:24:40 AM »
Many thanks.

If all of this changes nothing, it's reinitialisation ???  :o

ardvark

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #5 on: May 23, 2008, 02:37:31 AM »
Many thanks.

If all of this changes nothing, it's reinitialisation ???  :o

Hi...

Most likely, yes. Antivirus programs can get rid of the viruses but usually cannot repair the damage done to the original files when they were infected. Most of the systems I have worked on required Windows to be reinstalled after a virus infection. :(


Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: How can I get rid of win32:mutant-ag ???
« Reply #6 on: May 23, 2008, 09:01:16 AM »
what about VRDB or a reinstall of service pack only?

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #7 on: May 24, 2008, 01:50:14 AM »

Hi...

Most likely, yes. Antivirus programs can get rid of the viruses but usually cannot repair the damage done to the original files when they were infected. Most of the systems I have worked on required Windows to be reinstalled after a virus infection. :(



Hi again,

Well, after scanning with Ewido, it found a few other bad guys, highlighted in red, with the mention "High risk" next to them... Ewido offered to get rid of them, which I did, and then I performed the "chkdsk /r" you suggested. Everything went fine, and now, finally, almost everything is back to normal (apparently at least). The only thing: Avast! keeps telling me it spotted Trojan Horses (at least one an hour). I keep putting them in quarantine, they keep coming, and they're always different. Are they possibly related to something I have not done correctly?

Thanks for helping, I appreciate it a lot.

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #8 on: May 24, 2008, 02:34:18 AM »
Oh, and I noticed something else: when I do Ctrl+Alt+Del, a message pops up and tells me my Task Manager has been disabled by my administrator, but I'm the administrator... ???
Am I the lady of my house no more?
I heard malware could create an administrator session when intruding, and thus control computers from afar. I learned that I shouldn't access the Internet with my administrator session, and should create a visitor session just for that. But for now, is there anything I can do to reactivate my Task Manager?

Thanks again.

ardvark

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #9 on: May 24, 2008, 07:53:47 AM »
Hi again,

Well, after scanning with Ewido, it found a few other bad guys, highlighted in red, with the mention "High risk" next to them... Ewido offered to get rid of them, which I did, and then I performed the "chkdsk /r" you suggested. Everything went fine, and now, finally, almost everything is back to normal (apparently at least). The only thing: Avast! keeps telling me it spotted Trojan Horses (at least one an hour). I keep putting them in quarantine, they keep coming, and they're always different. Are they possibly related to something I have not done correctly?

Thanks for helping, I appreciate it a lot.

Hi...

Your latest posts suggest that it will end up like I suspected....reinstall time. :'(

What were the names and locations of the viruses and trojans reported by Ewido and Avast, besides the ones you first mentioned? Also, do you have System Restore turned on? They will attempt to hide out in there as well.

Best Regards...

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: How can I get rid of win32:mutant-ag ???
« Reply #10 on: May 24, 2008, 08:58:11 AM »
Quote
Task Manager Has Been Disabled, How to Fix It?

http://www.pchell.com/support/taskmanagerdisabled.shtml

SUPERAntiSpyware Free is capable of restoring many changes made by malware. Spybot Search & Destroy also reverses registry changes made by malware and may restore missing functions.

A complete reinstall may still be the best option in terms of guaranteeing a stable and secure system, but you could also try the above options. It's up to you.

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #11 on: May 24, 2008, 09:23:24 AM »

http://www.pchell.com/support/taskmanagerdisabled.shtml

SUPERAntiSpyware Free is capable of restoring many changes made by malware. Spybot Search & Destroy also reverses registry changes made by malware and may restore missing functions.

A complete reinstall may still be the best option in terms of guaranteeing a stable and secure system, but you could also try the above options. It's up to you.

Wow ! SuperAntiSpyware did it ! That was simple. Thanks.   ;D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: How can I get rid of win32:mutant-ag ???
« Reply #12 on: May 24, 2008, 09:26:40 AM »
Hi

Agree with FWF on the SUPERAntiSpyware. After you download the program, open it, click on the preferences button, then the repair tab. Next find the re-enable Task Manager (or similar) in the center window. Left click on it, click perform repair.

A repair install will not clean this machine. These files are not Windows files, so they will be unaffected. A complete reformat will. It's too early to tell if you are at that point yet. Your best bet would be to post a HijackThis log. Right now, with just descriptions it's nearly impossible to determine the extent of the infection.

Follow all instructions.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
I see you have already tried SAS. Post the HJT log and see if anything remains.
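
Added example (not part of this thread and not HijackThis's own code): a small Python triage of the R0/R1 and O2 entries of a HijackThis log, which shows why a helper asks for the log instead of descriptions. The sample lines are constructed in the log's format (the "(no name) ... (no file)" BHO entry is taken from the log posted later in this thread, the last O2 line is a placeholder), and the trusted-host list is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, same shape as the log posted in this thread.
# The "(no name) ... (no file)" BHO line is copied from it; the last O2 line is a made-up
# placeholder (zero CLSID, PLACEHOLDER.dll), not a real indicator.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cf.mg40.mail.yahoo.com/dc/launch?action=welcome
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {601C468A-D2E9-459A-81EB-E2377061C192} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\PLACEHOLDER.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
URL_RE = re.compile(r"^(?P<key>.+?),(?P<value>[^=]+?) = (?P<url>\S+)$")
# Assumption: hosts the posted log shows as Windows/OEM defaults; anything else gets a question.
TRUSTED_HOSTS = ("microsoft.com", "hp.com")

@dataclass
class Finding:
    line: str
    severity: str  # "info" (clean-up only), "verify" (ask the user), "inspect" (look at the file)
    reason: str

def is_trusted(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage_hjt(log_text: str) -> list[Finding]:
    """Walk the R0/R1 (IE URL) and O2 (BHO) entries and flag what a helper asks about first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines and other sections are skipped
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2" and (b := BHO_RE.match(body)):
            if b.group("path") == "(no file)":
                findings.append(Finding(raw, "info", "orphaned BHO: registry entry points at a missing file"))
            elif b.group("name") == "(no name)":
                findings.append(Finding(raw, "inspect", "unnamed BHO loading " + b.group("path")))
        elif kind in ("R0", "R1") and (u := URL_RE.match(body)):  # empty values ("SearchAssistant =") do not match
            host = urlparse(u.group("url")).hostname or ""
            if not is_trusted(host):
                findings.append(Finding(raw, "verify", f"{u.group('value')} points at {host}: confirm the user chose it"))
    return findings
```

A "(no file)" BHO is only a leftover registry entry; an unnamed BHO that does point at a DLL is the entry worth checking against the files Avast and Ewido reported.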

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #13 on: May 24, 2008, 09:38:11 AM »

What were the names and locations of the viruses and trojans reported by Ewido and Avast, besides the ones you first mentioned? Also, do you have System Restore turned on? They will attempt to hide out in there as well.

Best Regards...

I turned off System Restore to make sure. Also, because when I went to check, I realised it uses 12% of my computer's memory (12G), and for nothing, since when I wanted to do a system restore, it only had one restore point to offer... two hours earlier.

Here is the name of my new friend: Vundo. Infected files were located in System32, some place called HKCR and HKLM (which I really do not know what or where that is...). That's for Ewido. Avast! detected plenty of .dll files located in System32, also infected by Vundo...
At least, it's coherent...

steve paper

  • Guest
Re: How can I get rid of win32:mutant-ag ???
« Reply #14 on: May 24, 2008, 09:52:19 AM »
Hello,

   Thanks for helping.  :) I did what you asked, although steps 3,4 and 5 were not available... It went from installing to the "Do a system scan" page...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:46:18, on 2008-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cf.mg40.mail.yahoo.com/dc/launch?action=welcome&YY=2070394509&.rand=cehg9k68tfgsr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {601C468A-D2E9-459A-81EB-E2377061C192} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll