Infected with some type of Win32/Agent trojan


This topic is locked. 7 replies to this topic

#1 jwilkins1121 (Members, 45 posts)

Posted 22 November 2009 - 06:03 PM

Can someone please help me. I have run AVG and avast! anti-virus programs to get rid of these and they don't seem to be getting rid of anything. I do things on my PC, but a lot of programs I try running, nothing will open. Now AVG and avast! won't do anything. I tried running Spybot and that won't open either. Also, whenever I try to search for anything on Yahoo it takes me somewhere completely different than what I asked for. Please help.


#2 jwilkins1121 (Topic Starter, Members, 45 posts)

Posted 22 November 2009 - 06:18 PM

Also, Web Shield keeps popping up and blocking something called win32/DH.CAFF950000. I tried using HijackThis and it worked for about a minute and shut down. It won't let me open it back up.

#3 jwilkins1121 (Topic Starter, Members, 45 posts)

Posted 23 November 2009 - 12:44 PM

Can someone please help me. It will not let me run any anti-virus or spyware program. Also, in Firefox it redirects everything I do. Also, I am running Windows Vista 32-bit. An AVG alert keeps popping up with multiple threat detections. Infections are bevaccine.com/loaderadv799.exe and 91.212.226.178/setup_233.exe.

Edited by jwilkins1121, 23 November 2009 - 12:54 PM.


#4 boopme, "To Insanity and Beyond" (Global Moderator, 72,739 posts, Location: NJ USA)

Posted 23 November 2009 - 12:52 PM

Hello and welcome.. With all those replies I thought someone was already assisting you.
Some rootkits can terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further investigation is required to determine if this is the case with the issues you have described.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run it and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
Press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 jwilkins1121 (Topic Starter, Members, 45 posts)

Posted 23 November 2009 - 01:10 PM

Thank you for getting back to me. Here is what you asked for.

Running from: C:\Users\JW\Downloads\Win32kDiag(2).exe

Log file at : C:\Users\JW\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5CA0.tmp\ZAP5CA0.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD9C.tmp\ZAPAD9C.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD078.tmp\ZAPD078.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED1C.tmp\ZAPED1C.tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Crack\Crack
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\CSC\v2.0.6\pq

[1] 2008-02-01 22:45:11 64 C:\Windows\CSC\v2.0.6\pq ()


Volume in drive C is jeff
Volume Serial Number is 5A2E-7AF0

Directory of C:\Windows\System32

04/11/2009 01:28 AM 177,152 scecli.dll

Directory of C:\Windows\System32

04/11/2009 01:28 AM 592,896 netlogon.dll
2 File(s) 770,048 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 02:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 01:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 02:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 01:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
8 File(s) 3,045,888 bytes
0 Dir(s) 249,514,962,944 bytes free
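The two artefacts requested in post #4 and pasted in post #5 can be triaged mechanically. The script below is an added example written for this thread; it is not part of Win32kDiag, BleepingComputer or the poster's own output. It parses a constructed excerpt of the Win32kDiag report above (plus one made-up benign junction, C:\Windows\Example\Link, so the filter has something to let through) and a constructed excerpt of the DIR listing, flags mount points whose destination is not a \??\ volume path, and compares the System32 copies of the requested DLLs with the copies in the winsxs servicing store by date and size. The function names, the sample strings and the benign junction are assumptions made for the example.

```python
"""Triage helper for the two artefacts requested in this thread: a Win32kDiag
report and a DIR /a/s listing of scecli.dll, netlogon.dll and eventlog.dll.
Added example, not a BleepingComputer or Win32kDiag tool; the sample strings
below are constructed excerpts of the log posted above."""
import re
from collections import defaultdict

# Constructed excerpt of the posted Win32kDiag report, plus one made-up benign
# junction (C:\Windows\Example\Link) so the filter has something to pass.
WIN32KDIAG_SAMPLE = r"""
Running from: C:\Users\JW\Downloads\Win32kDiag(2).exe
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Crack\Crack
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\Example\Link
Mount point destination : \??\C:\Windows\Example\Target
Cannot access: C:\Windows\CSC\v2.0.6\pq
"""

# Constructed excerpt of the posted DIR output (blank lines and totals dropped).
DIR_SAMPLE = r"""
 Directory of C:\Windows\System32
04/11/2009  01:28 AM           177,152 scecli.dll
 Directory of C:\Windows\System32
04/11/2009  01:28 AM           592,896 netlogon.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e
04/11/2009  01:28 AM           177,152 scecli.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783
11/02/2006  04:46 AM           559,616 netlogon.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3
04/11/2009  01:28 AM           592,896 netlogon.dll
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
DIR_HEADER_RE = re.compile(r"^Directory of (.+)$")
DIR_FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")


def parse_win32kdiag(text):
    """Return ([(mount_point, destination), ...], [path the tool could not open, ...])."""
    mounts, denied, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m.group(1)  # the destination follows on the next line
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := DENIED_RE.match(line):
            denied.append(m.group(1))
    return mounts, denied


def suspicious_mount_points(mounts):
    """Junctions Windows creates itself resolve through the \\??\\ object
    directory (a drive letter or Volume{GUID}). A destination naming a bare
    \\Device\\ object instead is not a normal filesystem target, so flag it."""
    return [(path, dest) for path, dest in mounts if not dest.startswith("\\??\\")]


def parse_dir_listing(text):
    """Map lower-cased file name -> [(directory, date, size_in_bytes), ...]."""
    files, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DIR_HEADER_RE.match(line):
            current = m.group(1)
        elif (m := DIR_FILE_RE.match(line)) and current is not None:
            date, _time, size, name = m.groups()
            files[name.lower()].append((current, date, int(size.replace(",", ""))))
    return files


def check_service_dlls(files, wanted=("scecli.dll", "netlogon.dll", "eventlog.dll")):
    """Compare the live System32 copy of each DLL with the winsxs store copies.
    'match' = same date and size as some store copy, 'mismatch' = equals none,
    'missing' = no System32 copy listed (reported, not judged)."""
    report = {}
    for name in wanted:
        recs = files.get(name, [])
        live = [(d, s) for path, d, s in recs if path.lower().endswith("\\system32")]
        store = {(d, s) for path, d, s in recs if "\\winsxs\\" in path.lower()}
        sizes = sorted(s for _, s in store)
        if not live:
            report[name] = {"status": "missing", "winsxs_sizes": sizes}
            continue
        date, size = live[0]
        status = "match" if (date, size) in store else "mismatch"
        report[name] = {"status": status, "system32_size": size, "winsxs_sizes": sizes}
    return report


if __name__ == "__main__":
    mounts, denied = parse_win32kdiag(WIN32KDIAG_SAMPLE)
    for path, dest in suspicious_mount_points(mounts):
        print(f"SUSPICIOUS {path} -> {dest}")
    print(check_service_dlls(parse_dir_listing(DIR_SAMPLE)))
```

Date and size equality against the servicing store is only a coarse sanity check: it will not catch a patched file that keeps its size, so on a live system the next step is a hash comparison or sfc /verifyonly. eventlog.dll is reported as "missing" rather than judged, because the listing posted in this thread contains no copy of it at all.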

#6 boopme, "To Insanity and Beyond" (Global Moderator, 72,739 posts, Location: NJ USA)

Posted 23 November 2009 - 02:06 PM

You're welcome. It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

Next, please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post the above Win32kDiag.exe log.

Let me know how that went.

#7 jwilkins1121 (Topic Starter, Members, 45 posts)

Posted 23 November 2009 - 03:48 PM

OK, I posted it on the other forum. I will let you know once I hear something. Thank you.

#8 boopme, "To Insanity and Beyond" (Global Moderator, 72,739 posts, Location: NJ USA)

Posted 23 November 2009 - 08:50 PM

OK. Log is good.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.