War inside my computer! Win32:Agent-LNK [Wrm]

system · 2007-12-17T04:42:40.000Z

Oh wait, silly me

system · 2007-12-17T04:46:44.000Z

DUH…

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tswaufuh

Script file located at: ??\C:\qdqcwemo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

Beginning to process script file:

Could not open file C:\WINDOWS\system32\drivers\Fub04.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\Fub04.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\Fub04.sys
Status: 0xc0000022

Completed script processing.

Finished! Terminate.

oldman960 · 2007-12-17T17:25:38.000Z

Well, let’s take a deeper look

Pay particular attention to notepad’s format as given in the instructions.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

NOTE: no additional scan required at this time

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

This log will be quite long. You can either use multiple post or attach the log file if its easier. In either case make sure the last line is < End of Report >.

Just set it like in the image in the picture in this link, except change the two dates from 30 days to 90 days

http://forum.avast.com/index.php?topic=31261.msg260811#msg260811

click the pic to enlarge

system · 2007-12-17T19:02:29.000Z

I am fairly certain that I got the options correct, I did the same as the image except I changed the two dates from 30 to 90…

THANK YOU FOR ALL THE SPECIAL ATTENTION!

Attached is the Log

oldman960 · 2007-12-17T19:24:18.000Z

Thanks, I’m at work right now, so I won’t be able to go over it "till later.

How is everthing on your end?

system · 2007-12-17T19:26:21.000Z

Everything here seems really well, I have no signs of any viruses as far as I can tell!!! Thank You Thank you!!

oldman960 · 2007-12-18T07:24:09.000Z

Hi, I haven’t forgotten about you. Just takes time to read that log. Another member (mauserme) will be stopping by to comment on the log.

system · 2007-12-18T13:15:26.000Z

Hi guys - here I am.

djmichaelwenz - please start WinPFind3U.

Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Files/Folders - Created Within 90 days]
NY → b.tmp → %SystemDrive%\b.tmp
NY → dump_dvd.vob → %SystemDrive%\dump_dvd.vob
NY → STMMain.INI → %SystemRoot%\STMMain.INI
NY → 8_exception.nls → %System32%\8_exception.nls
NY → iymqopmu.ini → %System32%\iymqopmu.ini
NY → nadfilkb.ini → %System32%\nadfilkb.ini
NY → orutv.ini → %System32%\orutv.ini
NY → Fub04.sys → %System32%\drivers\Fub04.sys
[Files/Folders - Modified Within 90 days]
NY → custvoic.ini → %SystemRoot%\custvoic.ini

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan (90 day option again).

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.

system · 2007-12-18T14:32:15.000Z

I ran WinPFind3U and it made me reboot pretty quickly. I went into the folder where I had it and I saw the log. Here is the log, there were seemingly no problems when running it. Thank you all so much!

[Files/Folders - Created Within 90 days]
C:\b.tmp moved successfully.
C:\dump_dvd.vob moved successfully.
C:\WINDOWS\STMMain.INI moved successfully.
C:\WINDOWS\SYSTEM32\8_exception.nls moved successfully.
C:\WINDOWS\SYSTEM32\iymqopmu.ini moved successfully.
C:\WINDOWS\SYSTEM32\nadfilkb.ini moved successfully.
C:\WINDOWS\SYSTEM32\orutv.ini moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\drivers\Fub04.sys scheduled to be moved on reboot.
[Files/Folders - Modified Within 90 days]
C:\WINDOWS\custvoic.ini moved successfully.
< End of log >
Created on 12-19-2007 08:27:59

oldman960 · 2007-12-18T15:16:11.000Z

Hi djmichaelwenz

Could you re-run WinPFind3u as requested by mauserme

Post that information back here along with a new WinPFind3u scan (90 day option again).

system · 2007-12-18T17:26:26.000Z

I got this in the log…

[Files/Folders - Created Within 90 days]
File C:\b.tmp not found!
File C:\dump_dvd.vob not found!
File C:\WINDOWS\STMMain.INI not found!
File C:\WINDOWS\SYSTEM32\8_exception.nls not found!
File C:\WINDOWS\SYSTEM32\iymqopmu.ini not found!
File C:\WINDOWS\SYSTEM32\nadfilkb.ini not found!
File C:\WINDOWS\SYSTEM32\orutv.ini not found!
File move failed. C:\WINDOWS\SYSTEM32\drivers\Fub04.sys scheduled to be moved on reboot.
[Files/Folders - Modified Within 90 days]
File C:\WINDOWS\custvoic.ini not found!
< End of log >
Created on 12-19-2007 11:23:48

oldman960 · 2007-12-18T18:07:31.000Z

Sorry, I should have been clearer. We need you to re-run the scan, not the fix.

Just set it up like you did the first time you ran it. Please set it to 90 days.

See reply #42

http://forum.avast.com/index.php?topic=32022.msg268167#msg268167

system · 2007-12-18T19:15:55.000Z

I can’t tell from the WinPFind results if C:\WINDOWS\SYSTEM32\drivers\Fub04.sys is still on your computer or not, but I’m guessing it is.

Please boot to safe mode and navigate to the file. If you find it, try to rename it Fub04.vir, then reboot to normal mode. If you found the file and were able to rename it upload it to Virus Total and post the results.

system · 2007-12-18T20:03:50.000Z

I rebooted in safe mode, I searched and Found C:\WINDOWS\SYSTEM32\drivers\Fub04.sys I attempted to rename it and it said “cannot rename C:\WINDOWS\SYSTEM32\drivers\Fub04.sys Access Denied” I tried to delete it too, it said access denied.

I attempted to upload to virus total and got a white page with only the text…

0 bytes size received / Se ha recibido un archivo vacio

Thank you for all your trouble
Michael

oldman960 · 2007-12-19T03:29:24.000Z

Ok, just hang tough,we gotta find another way to see what this file is all about.

Experiencing any problems?

system · 2007-12-19T04:53:32.000Z

No problems here, everything seems really good actually…

system · 2007-12-19T12:12:07.000Z

If you don’t mind, let’s try a little different approach that might give us some clues.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File
[Search]

Fub04.sys

[Exclude]

[Options]
Filter=KVDLUI

2. Download Registry Search to your desktop.
[*]Right click on the compressed RegSearch folder, and choose “Extract All”. In the box that pops open, click “Next”, then “Next” again, and then “Finish”. You now have another RegSearch folder on your desktop.
[*]Open the new folder, and double click on regsearch.exe
[*]Click “Import” in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
[]Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
[] Please reply here with the entire contents of the Notepad file from RegSearch.

system · 2007-12-19T14:47:47.000Z

Windows Registry Editor Version 5.00

; Results at 2007-12-20 8:46:00 AM for strings:
; ‘fub04.sys’
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Fub04]
; Contents of value:
; System32\Drivers\Fub04.sys
“ImagePath”=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,46,00,75,00,62,00,30,00,34,00,2e,
00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Fub04]
; Contents of value:
; System32\Drivers\Fub04.sys
“ImagePath”=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,46,00,75,00,62,00,30,00,34,00,2e,
00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fub04]
; Contents of value:
; System32\Drivers\Fub04.sys
“ImagePath”=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,46,00,75,00,62,00,30,00,34,00,2e,
00,73,00,79,00,73,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
“url2”=“C:\WINDOWS\SYSTEM32\drivers\Fub04.sys”

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
“000”=“Fub04.sys”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU*]
“f”=“C:\WINDOWS\system32\drivers\Fub04.sys”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
“b”=“C:\WINDOWS\system32\drivers\Fub04.sys”

; End Of The Log…

Thanks!

oldman960 · 2007-12-19T20:44:17.000Z

Thanks. Hopefully that will give mauserme what he was looking for.

translated
““ImagePath”=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,46,00,75,00,62,00,30,00,34,00,2e,
00,73,00,79,00,73,00,00,00”

system32\drivers\fub04.sys

There’s a lot of things pointed at that file.

system · 2007-12-20T00:16:43.000Z

I cant seem to find any info on the file either… Maybe its some hardware I have installed???

Thanks you guys!!!

Announcements