War inside my computer! Win32:Agent-LNK [Wrm]

The combofix folder has only two text docs

Pend.txt
??\C:\ntdetect.com\0\0
??\C:\boot.ini\0\0
??\C:\ntldr\0\0
??\C:\WINDOWS\0\0
??\C:\WINDOWS\explorer.exe\0\0
??\C:\WINDOWS\system32\csrss.exe\0\0
??\C:\WINDOWS\system32\lsass.exe\0\0
??\C:\WINDOWS\system32\services.exe\0\0
??\C:\WINDOWS\system32\smss.exe\0\0
??\C:\WINDOWS\system32\svchost.exe\0\0
??\C:\WINDOWS\system32\userinit.exe\0\0
??\C:\WINDOWS\system32\winlogon.exe\0\0
??\C:\WINDOWS\system32\hal.dll\0\0
??\C:\WINDOWS\system32\ntdll.dll\0\0
??\C:\WINDOWS\system32\config\0\0
??\C:\WINDOWS\system32\drivers\0\0
??\C:\WINDOWS\system32\wbem\0\0

and

combofix.txt

ComboFix 07-12-15.1 - Michael 2007-12-15 18:12:26.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.763 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe

Geez Oldman, You are the best tech support I have ever received!!! You are the god of DATA!
Thank You Thank You!
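The pend.txt listing above is worth decoding rather than just reading. The following is an added example, not tooling from the thread or from ComboFix: it assumes pend.txt is ComboFix's dump of the REG_MULTI_SZ value PendingFileRenameOperations (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), which MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT fills with NUL-separated UTF-16LE strings in pairs, source then target, where an empty target means "delete at next boot" and a "!" prefix on the target means "replace existing". The sample value is constructed from the first post's listing (with the leading backslash of \??\ restored) and the BOOT_CRITICAL list is an assumption for the example.

```python
"""Decode Windows' PendingFileRenameOperations and flag boot-critical deletes.

Added example, not the thread's own tooling. Assumption: ComboFix's pend.txt
dumps HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\
PendingFileRenameOperations, a REG_MULTI_SZ of (source, target) string pairs
where target "" means delete-at-boot and a leading "!" means replace-existing.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"  # object-manager prefix MoveFileEx puts on every path

# Files XP cannot boot or log on without (assumed list for this example).
BOOT_CRITICAL = {
    r"c:\ntldr", r"c:\ntdetect.com", r"c:\boot.ini", r"c:\windows\explorer.exe",
    r"c:\windows\system32\hal.dll", r"c:\windows\system32\ntdll.dll",
    r"c:\windows\system32\smss.exe", r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\winlogon.exe", r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe", r"c:\windows\system32\userinit.exe",
}

# Constructed from the first post's pend.txt; each NUL is rendered as the two
# characters \0, and the leading backslash of \??\ has been restored.
SAMPLE_PEND_TXT = r"""
\??\C:\ntdetect.com\0\0
\??\C:\boot.ini\0\0
\??\C:\ntldr\0\0
\??\C:\WINDOWS\0\0
\??\C:\WINDOWS\explorer.exe\0\0
\??\C:\WINDOWS\system32\csrss.exe\0\0
\??\C:\WINDOWS\system32\lsass.exe\0\0
\??\C:\WINDOWS\system32\services.exe\0\0
\??\C:\WINDOWS\system32\smss.exe\0\0
\??\C:\WINDOWS\system32\svchost.exe\0\0
\??\C:\WINDOWS\system32\userinit.exe\0\0
\??\C:\WINDOWS\system32\winlogon.exe\0\0
\??\C:\WINDOWS\system32\hal.dll\0\0
\??\C:\WINDOWS\system32\ntdll.dll\0\0
\??\C:\WINDOWS\system32\config\0\0
\??\C:\WINDOWS\system32\drivers\0\0
\??\C:\WINDOWS\system32\wbem\0\0
"""

def encode_pending(ops: List[Tuple[str, str]]) -> bytes:
    """Serialise (source, target) pairs the way the kernel stores them.
    Target "" becomes a delete; anything else gets the "!" replace flag."""
    parts = []
    for src, dst in ops:
        parts.append(NT_PREFIX + src)
        parts.append("!" + NT_PREFIX + dst if dst else "")
    # Every string is NUL-terminated, then the list gets one more NUL.
    return ("\x00".join(parts) + "\x00\x00").encode("utf-16-le")

def decode_pending(raw: bytes) -> List[Tuple[str, str]]:
    """Pair strings positionally. A reader that treats an empty string as
    end-of-list would stop at the first delete entry and miss the rest."""
    parts = raw.decode("utf-16-le").split("\x00")
    pairs, i = [], 0
    while i + 1 < len(parts) and parts[i] != "":
        pairs.append((parts[i], parts[i + 1]))
        i += 2
    return pairs

def strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def classify(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map raw pairs to (action, source, target) in Win32 path form."""
    ops = []
    for src, dst in pairs:
        if dst == "":
            ops.append(("DELETE", strip_nt(src), ""))
        elif dst.startswith("!"):
            ops.append(("REPLACE", strip_nt(src), strip_nt(dst[1:])))
        else:
            ops.append(("RENAME", strip_nt(src), strip_nt(dst)))
    return ops

def pend_txt_to_raw(text: str) -> bytes:
    """Rebuild the binary value from ComboFix's textual rendering."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("??\\"):  # the forum post lost the leading backslash
            line = "\\" + line
        nuls = 0
        while line.endswith("\\0"):  # trailing \0\0 = source NUL + empty-target NUL
            line, nuls = line[:-2], nuls + 1
        out.append(line + "\x00" * nuls)
    return ("".join(out) + "\x00").encode("utf-16-le")

def boot_critical_deletes(raw: bytes) -> List[str]:
    """Sources scheduled for deletion that the machine needs in order to boot."""
    return [src for action, src, _ in classify(decode_pending(raw))
            if action == "DELETE" and src.lower() in BOOT_CRITICAL]

if __name__ == "__main__":
    raw = pend_txt_to_raw(SAMPLE_PEND_TXT)
    crit = set(boot_critical_deletes(raw))
    for action, src, dst in classify(decode_pending(raw)):
        print(f"{action:7} {src}{' -> ' + dst if dst else ''}{'  <-- BOOT-CRITICAL' if src in crit else ''}")
```

Every entry in the sample has an empty target, so all seventeen paths are deletions queued for the next reboot, twelve of them files XP needs to start; that is the check to run on a pend.txt before letting a tool reboot the box.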

It looks like combofix died a valiant death; it took some with it. But there is more, possibly a rootkit involved.

Please delete the copy of combofix.exe you have and download a new one. Don’t run it yet.

Open Spybot and make sure TeaTimer is disabled. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer “yes”
Click Tools
Click Resident
Uncheck Resident “TeaTimer” and SDHelper if installed
Click Allow change
Reboot

Open OTMOVEIT and kill these files

C:\WINDOWS\system32\hlvbfwoq
C:\WINDOWS\F?nts
C:\Program Files\winupdate
C:\WINDOWS\system32\drivers\ctl_w32.sys

I really need you to submit these files to www.virustotal.com and the results posted here. It will go a long way in resolving this.


C:\Install
C:-2132482456
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\4k98lr8i
C:\WINDOWS\ivtrm74h
C:\WINDOWS\system32\drivers\Fub04.sys

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

(the download link is server1 or server2, or server3)

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registry:

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

REGISTRY FIX

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zima]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dszyvsla]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bunebkbk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9a7adf1a.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80e4e6c7]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\09b4ff53.exe]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad click FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
Make sure the box at the top is set to save in Desktop.

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select Merge, accept the warning if it appears, and you are done.

Okay, we’ll give combofix another go.

Close all browsers and windows and run combofix. Let it run undisturbed; your desktop may appear frozen, that’s normal. Watch for hard drive activity of any kind. Do not move the mouse, just let it run.

Let me know if you encounter any problems with any of the above. Please do all the steps in the order that they were posted.

In your next reply please include the OTMOVEIT results, the virustotal results, and the combofix log.
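The REGISTRY FIX above deletes eleven subkeys under msconfig\startupreg, and the instructions around it exist because a .reg file silently fails to merge when anything sits above the REGEDIT4 header or when Notepad saves it as fix.reg.txt. The following is an added example, mine and not the helper's or any tool from the thread: it rebuilds the posted fix as a constant (a constructed copy), dry-runs it to list what the merge would do, and flags the pitfalls the instructions warn about plus one extra guard, refusing a [-KEY] line shallow enough to wipe most of a hive. MIN_DELETE_DEPTH and the problem messages are my own choices.

```python
"""Dry-run a REGEDIT4 fix before merging it.

Added example, not the thread's own tool. It rebuilds the REGISTRY FIX above
as a constant, lists what the merge would do, and catches the mistakes the
instructions warn about: text or a blank line above the REGEDIT4 header, a
Unicode BOM (Notepad's "Unicode" encoding), a file saved as fix.reg.txt, and,
as an extra guard, a [-KEY] line shallow enough to wipe most of a hive.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
MIN_DELETE_DEPTH = 3  # [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft] is still too broad

# The eleven startupreg entries from the fix above (constructed copy).
STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
ENTRIES = ["Zima", "winupdate", "Windows update loader", "smgr", "SC2", "p2pnetworking",
           "dszyvsla", "bunebkbk", "9a7adf1a.exe", "80e4e6c7", "09b4ff53.exe"]
FIX = "REGEDIT4\n\n" + "\n\n".join(f"[-{STARTUPREG}\\{e}]" for e in ENTRIES) + "\n"

Op = Tuple[str, str, str, str]  # (action, key, value name, data)

@dataclass
class RegCheck:
    ops: List[Op] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

def parse_reg(text: str) -> RegCheck:
    """Parse .reg text into operations; anything regedit would reject or
    that looks dangerous goes into .problems instead of raising."""
    rc = RegCheck()
    if text.startswith("\ufeff"):
        rc.problems.append("byte-order mark: save as ANSI (Save as type: All Files)")
        text = text[1:]
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        rc.problems.append("header: line 1 must be REGEDIT4 with nothing above it")
    current = None
    for n, line in enumerate(lines[1:], start=2):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line in HEADERS:
            rc.problems.append(f"line {n}: header must be the first line")
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                if key.count("\\") < MIN_DELETE_DEPTH:
                    rc.problems.append(f"line {n}: shallow delete of {key} refused")
                rc.ops.append(("delete_key", key, "", ""))
                current = None  # values cannot follow a deleted key
            else:
                rc.ops.append(("create_key", key, "", ""))
                current = key
            continue
        v = VALUE_RE.match(line)
        if v:
            if current is None:
                rc.problems.append(f"line {n}: value line outside a key section")
                continue
            name = "@" if v.group("default") else v.group("name")
            action = "delete_value" if v.group("data") == "-" else "set_value"
            rc.ops.append((action, current, name, v.group("data")))
            continue
        rc.problems.append(f"line {n}: unrecognised line {line!r}")
    return rc

def check_filename(name: str) -> List[str]:
    """Notepad appends .txt unless 'Save as type' is All Files."""
    low = name.lower()
    if low.endswith(".reg.txt"):
        return [f"{name}: saved as text, regedit will not merge it"]
    return [] if low.endswith(".reg") else [f"{name}: extension must be .reg"]

if __name__ == "__main__":
    rc = parse_reg(FIX)
    for op in rc.ops:
        print(op[0], op[1])
    print("problems:", rc.problems or "none", "| filename:", check_filename("fix.reg.txt"))
```

After merging, `reg query "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"` from a command prompt lists the subkeys that remain; if the eleven names are still there, the merge did not take, which is the first thing to check when a helper says they are not seeing the changes.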

Ok, I will start doing the things on the list. Thank You so much, I figured out virus total just now, I was doing it wrong before…

Okay, when you run combofix, please do it in safe mode. It should only take about 20 minutes or so. Please let me know if you have any problems.

Uploading to virustotal this file

C:\WINDOWS\system32\xpdx.sys

I get this on a blank page…

0 bytes size received / An empty file was received

same result uploading this file

C:\WINDOWS\system32\drivers\Fub04.sys

Results

File ivtrm74h received on 12.16.2007 20:28:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.15.10 2007.12.14 -
AntiVir 7.6.0.45 2007.12.16 -
Authentium 4.93.8 2007.12.16 -
Avast 4.7.1098.0 2007.12.16 -
AVG 7.5.0.503 2007.12.16 -
BitDefender 7.2 2007.12.16 -
CAT-QuickHeal 9.00 2007.12.15 -
ClamAV 0.91.2 2007.12.16 -
DrWeb 4.44.0.09170 2007.12.16 -
eSafe 7.0.15.0 2007.12.16 -
eTrust-Vet 31.3.5377 2007.12.15 -
Ewido 4.0 2007.12.16 -
FileAdvisor 1 2007.12.16 -
Fortinet 3.14.0.0 2007.12.16 -
F-Prot 4.4.2.54 2007.12.16 -
F-Secure 6.70.13030.0 2007.12.16 -
Ikarus T3.1.1.15 2007.12.16 -
Kaspersky 7.0.0.125 2007.12.16 -
McAfee 5186 2007.12.14 -
Microsoft 1.3109 2007.12.16 -
NOD32v2 2723 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.16 -
Prevx1 V2 2007.12.16 -
Rising 20.22.41.00 2007.12.14 -
Sophos 4.24.0 2007.12.16 -
Sunbelt 2.2.907.0 2007.12.15 -
Symantec 10 2007.12.15 -
TheHacker 6.2.9.160 2007.12.14 -
VBA32 3.12.2.5 2007.12.15 -
VirusBuster 4.3.26:9 2007.12.16 -
Webwasher-Gateway 6.6.2 2007.12.16 -
Additional information
File size: 426 bytes
MD5: 8f117a9afb313bde664ca941087ee140
SHA1: ea48cabdcdfef2cce64e103dbed40cabcf3b15a1
PEiD: -

Now onto spybot and the rest…

Do you have access rights to the folder where the file is, I mean, are you logged in as an administrator? If not, you won’t be able to upload a system32 file.
Can you copy it to another folder (your desktop, for instance) and try?
What is the size (bytes) of this file?

Same here…

Hi Tech. That result is usually from a file that is being hidden by a rootkit. It just confirms my suspicion.

Sorry… I’m not good on these things… you seem right. Sorry again, just trying to help.

No problem tech. ;D Help is always good. The first time I saw that, I didn’t know what to make of it either. I could see the file in windows, but scanners and some removal tools couldn’t. Now it makes sense.

OTMoveIt
C:\WINDOWS\system32\hlvbfwoq moved successfully.
File/Folder C:\WINDOWS\F?nts not found.
File/Folder C:\Program Files\winupdate not found.
File/Folder C:\WINDOWS\system32\drivers\ctl_w32.sys not found.

Created on 12-17-2007 14:10:03

combofix
pend.txt
??\C:\ntdetect.com\0\0
??\C:\boot.ini\0\0
??\C:\ntldr\0\0
??\C:\WINDOWS\0\0
??\C:\WINDOWS\explorer.exe\0\0
??\C:\WINDOWS\system32\csrss.exe\0\0
??\C:\WINDOWS\system32\lsass.exe\0\0
??\C:\WINDOWS\system32\services.exe\0\0
??\C:\WINDOWS\system32\smss.exe\0\0
??\C:\WINDOWS\system32\svchost.exe\0\0
??\C:\WINDOWS\system32\userinit.exe\0\0
??\C:\WINDOWS\system32\winlogon.exe\0\0
??\C:\WINDOWS\system32\hal.dll\0\0
??\C:\WINDOWS\system32\ntdll.dll\0\0
??\C:\WINDOWS\system32\config\0\0
??\C:\WINDOWS\system32\drivers\0\0
??\C:\WINDOWS\system32\wbem\0\0

combofix.txt
ComboFix 07-12-16.3 - Michael 2007-12-17 14:17:31.8 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.861 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
.

thank you!!!

Please post a new DSS log. Did combofix complete its run?

Yes, combofix did finish running! It rebooted.

Here is the dss log

Thanks. The combofix log was incomplete.

Give me a few minutes to go over the log.

It’s looking better. Did you do the registry fix?

Please submit these files to www.virustotal.com and post the results

C:\Install
C:-2132482456
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\emptyregdb.dat

After you post the results we’ll continue.

Yes, I did the registry fix. Thank You Thank You!!! You are the best!!

I think I did this right… Here are the results in that order…

MD5: 3ad69c332ff5ea2c803d9fe468ad3005
Date: 12.10.2007 01:01:32 (CET) [>7D]
Results: 6/32
Permalink: resultado.html?69d1b51410855db17342ec6072dbdaf6

File has already been analysed:
MD5: 444bcb3a3fcf8389296c49467f27e1d6
Date: 06.12.2007 14:58:16 (CET) [>187D]
Results: 2/31
Permalink: resultado.html?9613fdd016f23aef25d7ce0e44d3c8b4

File has already been analysed:
MD5: 4aa1108231e158a00afbde5c719e54ee
Date: 11.20.2007 01:42:45 (CET) [>27D]
Results: 1/32
Permalink: resultado.html?86348d7d19aeaf95e0df266917e63fbd

File emptyregdb.dat received on 12.17.2007 01:56:56 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.15.10 2007.12.14 -
AntiVir 7.6.0.45 2007.12.16 -
Authentium 4.93.8 2007.12.16 -
Avast 4.7.1098.0 2007.12.16 -
AVG 7.5.0.503 2007.12.16 -
BitDefender 7.2 2007.12.17 -
CAT-QuickHeal 9.00 2007.12.15 -
ClamAV 0.91.2 2007.12.17 -
DrWeb 4.44.0.09170 2007.12.16 -
eSafe 7.0.15.0 2007.12.16 -
eTrust-Vet 31.3.5377 2007.12.15 -
Ewido 4.0 2007.12.16 -
FileAdvisor 1 2007.12.17 -
Fortinet 3.14.0.0 2007.12.16 -
F-Prot 4.4.2.54 2007.12.17 -
F-Secure 6.70.13030.0 2007.12.17 -
Ikarus T3.1.1.15 2007.12.17 -
Kaspersky 7.0.0.125 2007.12.17 -
McAfee 5186 2007.12.14 -
Microsoft 1.3109 2007.12.17 -
NOD32v2 2723 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.16 -
Prevx1 V2 2007.12.17 -
Rising 20.22.41.00 2007.12.14 -
Sophos 4.24.0 2007.12.16 -
Sunbelt 2.2.907.0 2007.12.15 -
Symantec 10 2007.12.15 -
TheHacker 6.2.9.160 2007.12.14 -
VBA32 3.12.2.5 2007.12.15 -
VirusBuster 4.3.26:9 2007.12.16 -
Webwasher-Gateway 6.6.2 2007.12.17 -
Additional information
File size: 23348 bytes
MD5: ba73f9237d1c6878081736103f932cb9
SHA1: 982476d34fc5e2ffd792fc0a9759404c481326b2
PEiD: -

I asked about the regfix because I’m not seeing the changes. Did you get a successful message?

But let’s go forward

Please download The Avenger by Swandog46 to your Desktop.

1. Click on Avenger.zip to open the file, then extract avenger.exe to your desktop.

Files to delete:
C:\WINDOWS\system32\drivers\Fub04.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under “Script file to execute” choose “Input Script Manually”.
  • Now click on the Magnifying Glass icon, which will open a new window titled “View/edit script”.
  • Copy/paste ALL the text in the above quote box into this window.
  • MAKE SURE THE TEXT MATCHES EXACTLY.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt.
4. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh DSS log.

Please note for Avenger:

All windows/browsers except Avenger should be closed BEFORE CLICKING THE GREEN LIGHT.

I think I did this right…I did that and I got

Error: selected file does not appear to be a valid script.
Error code: 0

Did you copy everything in the quote box including files to delete: ?

I am pretty sure, I entered…

C:\WINDOWS\system32\drivers\Fub04.sys