
Win32.agent.pz Restart Loop When Ip Address Set


6 replies to this topic

#1 jsrail

Posted 05 December 2007 - 10:51 PM

I'm new here, so please be understanding. I'm posting from my home computer.

My office desktop runs windows 2000 professional, cox security suite spybot (and now also counterspy). About 2 weeks ago I was searching the net for results for "57 chrysler saratoga" for a secret gift exchange for a car group I'm involved with. I clicked on one of the links and immediately pop-ups came up for "ultimate cleaner" which I then closed (of course, without downloading anything). I tried cleaning it with updated Spybot and ran anti-virus from Cox Security Suite. Amongst other things, Spybot listed "win32.agent.pz". I tried the fix thru Spybot and it said it couldn't delete this file but try again on restart. So I hit the restart and then my desktop started looping the start-up again and again; before it finished starting windows, it restarted back at the first screen (where you can press F8 to enter the bios). I shut the computer down and unplugged my network cable (not wanting anything to get to the server). The computer restarts fine at that point. We looked at the ip address for the network and it was gone. Reentered the ip address and hit restart, upon which the looping began again. I downloaded counterspy from the net thru another workstation and loaded it on my desktop (still disconnected from the network). It saw "win32.agent.pz" and deleted it (so it said). Restarted the computer and it worked fine, except it didn't connect to the network (cable still unplugged). Reentered the network ip address, reconnected the network cable, and hit restart, bingo, the loop was back. Did another scan and "win32.agent.pz" was back in my computer. It almost seems to reload this Trojan right at boot.

I've looked at some other threads on other forums, but didn't see anything specific to windows 2000, only XP. I cannot get to the internet on this computer, so downloading any programs to fix must come from another computer, unless you think taking it off the network and just plugging it into my home internet connection is the way to go.

How do I start? I really don't want to have to wipe my hard drive.

Thanks in advance,

Jay

Edited by jsrail, 05 December 2007 - 10:55 PM.




#2 quietman7

Posted 05 December 2007 - 11:55 PM

Since you cannot use your Internet, you are going to need access to another computer (family member, friend, etc) with an Internet connection.

Please download the following programs and save to a USB stick or CD:
ATF Cleaner
SmitfraudFix
VundoFix.exe
SUPERAntiSpyware Free
SUPERAntiSpyware Free Definition files - (Be sure to download both the Core and Trace Definitions)
WinSockFix.
Be sure to print out and save the instructions provided in the Winsock Repair Tutorial in case we need to use this tool.
HijackThis Installer. This is HijackThis 2.0.2 but it is an automatic setup version which will install HJT in the proper location if we need to use it. DO NOT fix anything with HijackThis unless advised.

Print out the Smitfraudfix Instructions so you can follow along when we get to that part of the fix.

Transfer all these programs directly to the Desktop of the infected computer <- (Important!)

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Double-click smitfraudfix.exe to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter to delete infected files.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and press Enter.
  • The tool will now check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  • Answer Yes to the question "Replace infected file?" by typing Y and press Enter.
  • A reboot may be needed to finish the cleaning process.
  • If your computer does not restart automatically, please do it yourself manually (restart normally).
  • A text file will appear onscreen with results from the cleaning process. It can also be found at the root of the system drive, C:\rapport.txt.
IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive and run it from there.

Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Now double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Navigate to the SUPERAntiSpyware folder in C:\Program Files and unzip both the Core and Trace definition files.
  • An icon will have been created on your desktop. Double-click that icon to launch the program.
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen. Do not run a scan just yet.
  • Reboot in "Safe Mode" using the F8 method and launch SUPERAntiSpyware.
  • In the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, click "Yes".
  • If not, select Close to exit the program and reboot normally.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 boopme

Posted 05 December 2007 - 11:57 PM

Hello. Please follow the instructions in this link:
How to remove Ultimate Cleaner (Removal Instructions)

Then download, install and update SUPERAntiSpyware

Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
-- Close browsers before scanning.
-- Scan for tracking cookies.
-- Terminate memory threats before quarantining.

CLOSE the program and reboot into Safe Mode
How to start Windows in Safe Mode
Open Super and Perform a Full Scan of the root drive (usually C:\)
Quarantine all Items found, be sure they have checks in the boxes at the Summary,
When removal is complete click OK then Finish
Reboot to Normal

Tell us how it goes
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#4 jsrail (Topic Starter)

Posted 06 December 2007 - 03:14 PM

quietman7, I did as instructed and the desktop restarted fine without the network cable plugged in. As soon as the network cable is plugged in to my desktop's ethernet connection, the desktop goes into a restart loop. There is a very short blue screen after the "Windows is starting" screen turns black, but it is so fast I cannot read what it says except "Stop" before the screen is gone and the computer is going back to the start up screen.

What do I do now?

#5 quietman7

Posted 06 December 2007 - 04:39 PM

In Windows, the default setting is for the computer to reboot automatically when a fatal error occurs. You should be able to see the error by looking in the Event Log. Read "How To Use the Event Viewer Applet".

Also see "Windows Restarts Continuously with Blue Screen" and "Gathering Blue Screen Information After Memory Dump in Windows 2000".

#6 jsrail (Topic Starter)

Posted 07 December 2007 - 04:46 PM

I found this in the event log:

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e
(0x0000005, 0x00000000, 0x00000000, 0x00000000).
Microsoft Windows 2000 [v15.2195].
A dump was saved in: C:\WINNT\Minidump\Mini120707-01.dmp


I pulled the dump up and of course I can't read it. Does this help?

I looked up this bugcheck on Microsoft's website and it lists an article (#327194) which shows a list of problems fixed by Service Pack 4 (which my computer shows as installed) that is a mile long. Do you think an upgrade to XP Pro might fix this? Is this a trojan or something, or only a system problem?

Jay

P.S. I also tried restarting the server with all users logged off and my network cable plugged in; didn't work, same problem. A 2nd run of Superantispyware shows zero infections.

Edited by jsrail, 07 December 2007 - 04:49 PM.
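The Save Dump event quoted in the post above has a fixed format, so the bugcheck code and its four parameters can be decoded offline before anyone opens the minidump. The following Python script is an added example, not code from this thread, from BleepingComputer, or from Microsoft: it parses that message, maps the bugcheck code to Microsoft's documented name using a small hand-picked table (an assumption; only the codes listed are covered), and for 0x1E reads parameter 1 as the unhandled NTSTATUS exception code and parameter 2 as the address where the exception occurred. The sample event text is the one pasted above, embedded as a constructed string; its first parameter is read verbatim as 0x0000005, whatever the original event contained.

```python
import re

# Constructed sample input: the Event Log text quoted in the post above.
SAMPLE_EVENT = r"""The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e
(0x0000005, 0x00000000, 0x00000000, 0x00000000).
Microsoft Windows 2000 [v15.2195].
A dump was saved in: C:\WINNT\Minidump\Mini120707-01.dmp"""

# Assumption: a hand-picked subset of Microsoft's documented bug check codes.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# Assumption: a hand-picked subset of NTSTATUS exception codes.
EXCEPTION_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}

HEX = r"0x([0-9A-Fa-f]+)"
# "The bugcheck was: 0xCODE (0xP1, 0xP2, 0xP3, 0xP4)" with any whitespace,
# including the line break the event text carries between code and parameters.
BUGCHECK_RE = re.compile(
    r"The bugcheck was:\s*" + HEX + r"\s*\(\s*" + HEX + r"\s*,\s*" + HEX
    + r"\s*,\s*" + HEX + r"\s*,\s*" + HEX + r"\s*\)"
)
DUMP_RE = re.compile(r"A dump was saved in:\s*(\S+)")


def parse_bugcheck_event(text):
    """Return the bug check code, its four parameters and the dump path."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("text is not a Save Dump bugcheck message")
    code = int(m.group(1), 16)
    params = [int(m.group(i), 16) for i in range(2, 6)]
    d = DUMP_RE.search(text)
    return {"code": code, "params": params, "dump": d.group(1) if d else None}


def describe_bugcheck(parsed):
    """Turn the parsed numbers into a short, human-readable triage record."""
    code = parsed["code"]
    p1, p2, p3, p4 = parsed["params"]
    out = {
        "code": "0x%08X" % code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN (not in local table)"),
        "dump": parsed["dump"],
    }
    if code == 0x1E:
        # Documented parameter layout for 0x1E: p1 = exception code that was
        # not handled, p2 = address where it occurred, p3/p4 = exception params.
        out["exception"] = EXCEPTION_NAMES.get(p1, "unrecognised code 0x%08X" % p1)
        out["fault_address"] = "0x%08X" % p2
        out["exception_params"] = ["0x%08X" % p3, "0x%08X" % p4]
    return out


def triage(text):
    """Parse and describe a Save Dump event message in one step."""
    return describe_bugcheck(parse_bugcheck_event(text))


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print("%-17s %s" % (key + ":", value))
```

Run as-is, the script reports KMODE_EXCEPTION_NOT_HANDLED for 0x0000001E, a fault address of 0x00000000, and flags the exception code as unrecognised, because 0x0000005 as pasted is not a known NTSTATUS value; the sensible next step is to re-read the raw event rather than guess at the missing digit. The dump path it extracts is the file to load in the Debugging Tools mentioned in the next post.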


#7 quietman7

Posted 07 December 2007 - 06:39 PM

"How to read small memory dump files in Windows 2000/XP/2003".
You can download and install Microsoft Debugging Tools to read and investigate minidump files.

"STOP 0x0000001E Errors".
Scroll down to see a list of various causes.



