944,094 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > New Worm Agobot variant?
Ad:
Permalink
Sep 3rd, 2004
0

New Worm Agobot variant?

Expand Post »
Dear Friends,

If you've followed my threads [Zohar posts] you'll know the problems I've had this week trying to cure my Dell from really bad virus downloaded in an e-mail and apparently from someone who got it from a p2p program ...it was a Dreamweaver upgrade [MX2004-en]...
So anyway, the symptoms were [among other things] being denied access to the internet even though my ADSL modem was blasting away at 100mbps..[!?] Without opening any programs my CPU% was damn near 100%...
Every anti-virus/anti-spyware/anti-trojan I tried couldn't fix the bug no matter how many files they found , fixed or deleted.,,including an msbb.exe
On restart the bug was back again...

I finally turned of processes running one by one to see if anything helped..had noticed what i thought were suspect files..several taskmger.exe's were running from documents and settings folders..one was coming from a file..
-06144c13.pf another was coming from the RunServices folder in HKEY_LOCALMACHINE... when I opened RunServices I found the default and wnsvr.exe
I killed it and immediately my internet was restored..I could surf and download. On reboot however, they were back..
I found bad files in Windows Prefetch, deleted them, and then reset the value for prefetch to 1 meaning launch on application only..ran several scanners in safe mode[trend-micro-sygate,Norton, aVG 6.0,TrojanZapper, AdAware, RegMechanic.., they found some spyware from @180solutions and another nasty attached to our Audigy sound card..CTHelper.exe and removed them..was told there were no viruses..so I rebooted...The taskmger's were Back... I opened Search and typed in wnsvr.exe and found three suspicious copies..one in Local Settings, one in My Documents and another in the registry..HKEY_LOCALMACHINE\...CurrentVersion\Run as a value for Microsoft Manager. I deleted them..still had internet..all programs worked..so I rebooted..and again..same problems.
So I began shutting down other processes, leaving the taskmgr's alone
Then I noticed another file: wauclt.exe attached to local settings..
I killed it and the process tree..ALL the taskmger.exe's dissapeared from the dialogue box [!]

I went into the Hosts folder [%System%Drivers\Etc] and found dozens of URL's for antivirus sites [mcaffee, avg, trend micro, symantec, etc...and lots of sites I can't recognize..I deleted everything but 127.0.0.1 local host and closed the window.

I am now going to reboot and let you know the results..but..I'm not optimistic....if anyone has an idea of how to fix this....please send it..;-|
Thanking you in advance
-Sincerely
Zohar
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Zohar818 is offline Offline
17 posts
since Aug 2004
Permalink
Sep 3rd, 2004
0

Re: New Worm Agobot variant?

What a nasty little bug you've gotten there.

btw, wauclt.exe should be Windows AutoUpdate service, (unless that virus replaced it, which doesn't sound entirely unlikely since you indicate the virus apparently replaced your cthelper.exe, which is part of Creative Labs software package).
Reputation Points: 15
Solved Threads: 6
Unverified User
DuncanIdaho is offline Offline
277 posts
since Aug 2004
Permalink
Sep 10th, 2004
0

Re: New Worm Agobot variant?

Quote originally posted by DuncanIdaho ...
What a nasty little bug you've gotten there.

btw, wauclt.exe should be Windows AutoUpdate service, (unless that virus replaced it, which doesn't sound entirely unlikely since you indicate the virus apparently replaced your cthelper.exe, which is part of Creative Labs software package).
Bitdefender has taken a very strong interest in this new bug which their best efforts cannot cure. They are calling it a variant of Trojan Downloader.Agent .AE
and until now it has only been identified in China and Hong Kong, and S.Korea but here is no bug killer for it yet.
It comes in through infected e-mail or Cd rom's and then sets itself up to execute at the very first time you strike the delete key on it. There it sends itself to the C:\Recycled and C:\SystemVolume Information\_restore files.
Every time you boot up it lanches a program and sets itself in Documets and Settings\AllUsers which downloads bugs on start-up.
It then attempts to change the registry while you are on-line or booted up. It installs folders in Docs & Settings and there it loads dummy progs that launch icons and messages saying automatic downloads are taking place, click ok.
It's the same little globe icon that Microsoft uses.
If you click ok you'll notice that there might be two little globes in your taskbar. I clicked away the inactive globe thinking it was left open from last-time or just a glitch.
That was my mistake.
Now in the taskmngr there are two wcault.exe's...one is WCAULT.EXE running from HKEY-HKEY_LOCAL_MACHINE\Software\Microsoft\WINDOWS\Current Version\Run and Run Services

The other from C:\Docs&Settings\Local User\Standard\....
and as soon as it loads it brings tskmger.exe with it..and that is a v rus program.

The only thing protecting the machine right now is Diamond's Registry protector which alerts me whenever a change is being attempted in the registry. So I can deny the virus access to the sytem but I cannot kill it.

Dell is coming to pick it up and see what the problem is...install a new registry or HDD..[its a Dimension XPS and doesn't have IDE so they can't diagnose it without bringing it back to the UK..since the Dutch don't know anything about the new Dimensions....]
Will let you know how it goes.
Thanks again.
-Zohar
will let you know.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Zohar818 is offline Offline
17 posts
since Aug 2004

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: HiJackThis Log
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: My HJT log after sp2 install





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC