View full version: Win32:Agent-OWW [trj]



Sherry
30.04.2008, 14:48
hi...my computer got the virus Win32:Agent-OWW [trj] a week ago and every time i boot the computer, the alert from anti-virus program appears...it seems no use to quarantine the file or to remove it...so i come to ask for help...i have done the suggested instructions and the 3 log files are attached...please help me to see if my computer is safe now and what i should do to prevent getting the virus again...
p.s. i am from Hong Kong so I can only read english or chinese....please reply me in english...thanks for your time^^

Rene-gad
30.04.2008, 15:12
Your problem began here

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
In a couple of weeks the service pack 3 (SP3) should be released, you don't have just SP1 :O
Fix with Hijackthis (http://virusinfo.info/showthread.php?t=9206)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O23 - Service: Windows Accounts Driver (wai3322) - Unknown owner - C:\WINDOWS\System32\50.exe (file missing)
Run the script in AVZ (http://virusinfo.info/showthread.php?t=9207)

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('wai3322');
DeleteService('wai3322');
StopService('oUltraf');
DeleteService('oUltraf');
QuarantineFile('C:\WINDOWS\System32\50.exe','');
QuarantineFile('C:\Program Files\Common Files\joipor.vxd','');
QuarantineFile('iexpIore.exe','');
QuarantineFile('C:\WINDOWS\wt\webdriver\webdriver.dll','');
DeleteFile('C:\WINDOWS\wt\webdriver\webdriver.dll');
DeleteFile('iexpIore.exe');
DeleteFile('C:\Program Files\Common Files\joipor.vxd');
DeleteFile('C:\WINDOWS\System32\50.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
After reboot upload the quarantine and make and upload all 3 logs once more.
After healing, immediately install SP2 and all following patches >:(

Sherry
30.04.2008, 16:06
my computer is very old and i don't always upgrade either the software or hardware...as i am quite satisfied with the current performance...if i have spare money i will upgrade it soon...thanks for your comment...
but i am just a layman to these softwares...so i don't know what to do with these lines...

Fix with Hijackthis (http://virusinfo.info/showthread.php?t=9206)
Quote:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O23 - Service: Windows Accounts Driver (wai3322) - Unknown owner - C:\WINDOWS\System32\50.exe (file missing)


do you mean i have to type in these lines in order to fix the problems?

thanks again for your kind help...

Rene-gad
30.04.2008, 16:15
my computer is very old and i don't always upgrade either the software or hardware......if i have spare money i will upgrade it soon...
You can have SP2 for free - it costs nothing. It's not very clever to surf without SP2 today. You could change your PC or the operating system.

do you mean i have to type in these lines
For what I mean, pls. read under the link "Fix with Hijackthis" in my previous posting.

That means that you are supposed to
- run HijackThis,
- do a system scan,
- check the enumerated items in the log
- click the "Fix Checked" button.
After the operation you should reboot the PC.

Sherry
30.04.2008, 18:58
i couldn't upload the log files as the attachment quota is exceeded

Rene-gad
30.04.2008, 20:25
i couldn't upload the log files as the attachment quota is exceeded
Upload these files to any webspace and post the links here.

Sherry
01.05.2008, 05:02
http://brokenwingheero.netfirms.com/virusinfo_syscheck.zip
http://brokenwingheero.netfirms.com/virusinfo_syscure.zip
http://brokenwingheero.netfirms.com/hijackthis.log / to view the attachment to this reply if it is hard to read on browser

so...it's ready now..please take a look

Rene-gad
01.05.2008, 12:01
Your links seem to be wrong or cannot be reached by non-registered persons.
Fix this at least

O4 - HKCU\..\Policies\Explorer\Run: [wuacult] C:\WINDOWS\wuacult.exe
Try to remove your old logs and upload the new one.
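
Added example (not part of the thread, and not code from HijackThis or AVZ): a small triage pass over the HijackThis entries quoted so far. It flags the markers visible in those lines and autorun names that sit close to a genuine Windows binary name. The KNOWN list, the flag names, the triage function and the last sample line are assumptions made for this illustration, and the flags are prompts for review, not verdicts.

```python
import difflib
import re

# Assumption: a short reference list of genuine Windows XP binary names (stems only).
KNOWN = ["iexplore", "explorer", "svchost", "winlogon", "wuauclt", "services", "ctfmon"]

# The first four entries are the ones quoted in this thread; the last one is a
# constructed benign entry added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O23 - Service: Windows Accounts Driver (wai3322) - Unknown owner - C:\WINDOWS\System32\50.exe (file missing)
O4 - HKCU\..\Policies\Explorer\Run: [wuacult] C:\WINDOWS\wuacult.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>.+?): (?P<detail>.+)$")
BINARY = re.compile(r"([^\\\s\[\]]+)\.(?:exe|dll|sys|vxd)\b", re.IGNORECASE)


def triage(log_text):
    """Return (section, binary stem, flags) for each parsed HijackThis entry."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        detail, flags = m["detail"], []
        if "(no file)" in detail or "(file missing)" in detail:
            flags.append("target-missing")  # registration points at nothing on disk
        if "Unknown owner" in detail:
            flags.append("unknown-owner")   # service binary with no identified owner
        stems = BINARY.findall(detail)
        binary = stems[-1] if stems else None
        if binary and binary.lower() not in KNOWN:
            # Near miss of a genuine name, e.g. capital I for l, or swapped letters.
            near = difflib.get_close_matches(binary.lower(), KNOWN, n=1, cutoff=0.8)
            if near:
                flags.append("lookalike:" + near[0])
            if m["section"] == "O4" and "\\" not in detail:
                flags.append("no-full-path")  # autorun resolved via the search path
        results.append((m["section"], binary, flags))
    return results


if __name__ == "__main__":
    for section, binary, flags in triage(SAMPLE_LOG):
        print(section, binary, ", ".join(flags) or "-")
```
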

Sherry
01.05.2008, 14:54
here are the log files...
http://hk.geocities.com/paineverfades/hijackthis.log
http://hk.geocities.com/paineverfades/virusinfo_syscure.zip
http://hk.geocities.com/paineverfades/virusinfo_syscheck.zip

kps
01.05.2008, 15:13
AVZ - File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):

begin
ClearQuarantine;
QuarantineFile('C:\WINDOWS\wt\webdriver\wthost.exe','');
QuarantineFile('C:\Program Files\\setup50.exe','');
QuarantineFile('C:\Program Files\setup50.exe','');
QuarantineFile('C:\WINDOWS\wuacult.exe','');
QuarantineFile('C:\DOCUME~1\SHERRY~1\LOCALS~1\Temp\oUltraf.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\ip6fw.sys','');
QuarantineFile('C:\WINDOWS\system32\winlogon.exe','');
BC_ImportQuarantineList;
BC_Activate;
RebootWindows(true);
end.
Your computer will reboot.
Upload the quarantined files according to the Appendix 3 of the rules (http://virusinfo.info/showthread.php?t=9184). (upload here http://virusinfo.info/upload_virus_eng.php?tid=22275 )

Rene-gad
01.05.2008, 15:22
These logs seem to be just clear ;) .
But it's not for a long time, if you stay on an unpatched system.
Independently of patching, you'd like to update OpenOffice (2.4) and JavaRE (1.6_06).

Sherry
01.05.2008, 16:35
then should i run these scripts now?


AVZ - File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):

begin
ClearQuarantine;
QuarantineFile('C:\WINDOWS\wt\webdriver\wthost.exe','');
QuarantineFile('C:\Program Files\\setup50.exe','');
QuarantineFile('C:\Program Files\setup50.exe','');
QuarantineFile('C:\WINDOWS\wuacult.exe','');
QuarantineFile('C:\DOCUME~1\SHERRY~1\LOCALS~1\Temp\oUltraf.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\ip6fw.sys','');
QuarantineFile('C:\WINDOWS\system32\winlogon.exe','');
BC_ImportQuarantineList;
BC_Activate;
RebootWindows(true);
end.
Your computer will reboot.
Upload the quarantined files according to the Appendix 3 of the rules (http://virusinfo.info/showthread.php?t=9184). (upload here http://virusinfo.info/upload_virus_eng.php?tid=22275 )


i don't use openoffice too often...is it a must to update it?!

Rene-gad
01.05.2008, 16:38
then should i run these scripts now?
Yes. And don't forget to upload the quarantine (http://virusinfo.info/upload_virus_eng.php?tid=22275)!

i don't use openoffice too often...is it a must to update it?!
No, you mustn't.

Sherry
01.05.2008, 17:51
done...
thanks for your help!