War inside my computer! Win32:Agent-LNK [Wrm]

system · 2008-01-04T02:43:09.000Z

I tried to download it and the link didn’t work… Im going to get you those results…

oldman960 · 2008-01-04T03:01:47.000Z

There’s glich in the syntax of that original one I gave you. This one works.

http://z-oleg.com/avz4.zip

actually either one works now, ah the power of edit

system · 2008-01-05T22:06:03.000Z

got it mailed to ya…

essexboy · 2008-01-06T14:39:53.000Z

Ref AVZ

AVZ FIX

[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )

begin SetAVZGuardStatus(True); SearchRootkit(true, true); DeleteFile('C:\Documents and Settings\Michael\Application Data\Microsoft\Installer\{57DC8980-73DA-481E-AFD4-5E2D44B7F1AD}\ARPPRODUCTICON.exe'); DeleteFile('C:\Documents and Settings\Michael\Application Data\Microsoft\Installer\{57DC8980-73DA-481E-AFD4-5E2D44B7F1AD}\SitExpander.exe_57DC898073DA481EAFD45E2D44B7F1AD.exe'); DeleteFile('C:\WINDOWS\Installer\512ff2.msi'); DeleteFile('C:\WINDOWS\system\WINASPI.BAK'); DeleteFile('C:\WINDOWS\system\WOWPOST.BAK'); DeleteFile('C:\WINDOWS\system32\WNASPI2K.BAK'); BC_ImportDeletedList; BC_Activate; RebootWindows(true); end.

[*] Note: When you run the script, your PC will be restarted [*] Click Run [*] Restart your PC if it doesn't do it automatically.

ON COMPLETION

[*] Start AVZ.

[] Choose from the menu “File” => “Standard scripts " and mark the “Advanced System Investigation” check box.
[] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post

system · 2008-01-06T17:11:28.000Z

got it done, It says I cannot attach a zip file…

I uploaded it here…

http://www.sendspace.com/pro/dl/iwd9gh

essexboy · 2008-01-06T17:15:42.000Z

I’ll hand you back to Oldman now as that was clean

essexboy · 2008-01-06T17:29:30.000Z

Just been reading the rest of your thread and it appears that this the file that is causing you problems C:\WINDOWS\system32\drivers\smtpdrv.sys

If so

Please download The Avenger by Swandog46 to your Desktop.
[*]Click on Avenger.zip to open the file[*]Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[QUOTE]drivers to unload:
smtpdrv

Files to delete:
C:\WINDOWS\system32\drivers\smtpdrv.sys
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

system · 2008-01-06T19:12:11.000Z

Sounds good, here they are…

oldman960 · 2008-01-06T19:38:30.000Z

Thanks essexboy, that’s the file that just won’t die.

Hi djmichaelwenz

I seems avenger didn’t find the file. So it’s either indeed gone or very well hidden.

Are you still experiencing virus warnings?

system · 2008-01-06T23:39:40.000Z

I have not had any warnings in a long time. Thanks for all your help!!!

MW

oldman960 · 2008-01-07T00:10:46.000Z

Let’s procede withe the tool clean up, we can always get them again if needed. I’ll post it again and you can do what’s left. I find out how to remove AVZ.

We’ll try it for awhile. Can you recall what was the last thing we did before the virus alerts stopped?

Looks like we are done.

Just a few loose ends to clean up.

If you have sent that file from the chest to avast, you can open the chest, click the users section button, right click on the file, click delete. If you haven’t sent it yet, please do so now.

Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Open OTMoveIt, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Make a new clean restore point

To clear existing restore points

1.Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2.Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.

When you are warned that all existing Restore Points will be deleted, click Yes to continue.

All system restore points are deleted. Now you should manually create a restore point.

1.Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2.Click Create a Restore Point, and then click Next.

3.Name your restore point. (use the date as well as a descriptive term such as “After Restore Point Deletion.”) click create, click close.

Your java is out of date

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03 which was just created by the installation above.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

I didn’t see a third party firewall installed, you may want to check this thread for a good free 3rd party firewall which will provide outbound monitoring as well as inbound.

http://forum.avast.com/index.php?topic=30808.0

Keep ERUNT, cleanup and SAS. Use cleanup and SAS regularly to help keep the bad guys out, just make sure SAS is updated and do a complete scan.

oldman960 · 2008-01-07T03:03:26.000Z

Hey, this will assit you in removing the tools. Just follow the instructions

Please download, if you don’t have itOTMoveIt by OldTimer. Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

system · 2008-01-07T03:15:39.000Z

I think I got all of it, I had Omoveit still and I did the cleanup in the order on the 2nd last post. Things are looking up! So was this one of the worst trojans you have had to deal with?

Thank You All SO much!!!

oldman960 · 2008-01-07T03:23:46.000Z

I don’t know if the worst, but it sure was the sneakiest. ;D

If you can remember what we did to stop the warnings, I’d sure like know.

system · 2008-01-07T04:22:14.000Z

I think it was around post 126-128. I mentioned every time I got a virus warning…

Thanks!

oldman960 · 2008-01-07T04:25:42.000Z

All right, I’ll check through this thread. It will help me down the road if I come across a case like this again. Sometimes these things hide in the most unusual places.

You’re welcome and thank you for being so patiant.

Take care.

system · 2008-01-16T09:27:48.000Z

Guys.
This thread is the only help I’ve had to get rid of this virus… Thanks guys.

My avast scanner kept picking up smtpdrv.sys as having a trojan , and it kept coming back.

Did various things, but the bit that worked was Combofix.

It found 2 files a c:\windows\system32\3_Exception.nls and a C:\windows\system32\drivers\Cin06.sys

drivers/services it changed
-------\LEGACY_CIN06
-------\Cin06
-------\nm
-------\runtime
-------\smtpdrv

These have been quarantined by Combofix now but as these files are different and Avast didnt appear to recognise these as viruses, do you want the files?

The only problem I had after the combofix worked, was that the GUI for Avast died, although the scanners worked!

I have now re-installed avast.

oldman960 · 2008-01-16T09:39:35.000Z

You should start a new thread and post your combofix log. Right now it appears as if something else is going on.

you could zip the quaratine folder in a password protected zip and send to virus@avast.com In clude the password in the body of the email.

system · 2008-01-16T13:41:22.000Z

New post created and quantined zip file sent.

system · 2008-01-23T17:03:29.000Z

Nothing anymore.

Announcements