Had the same issue with Win32.Agent.frl. Ran the tool mentioned here and the problem is gone! Here's the log:

ComboFix 08-04-27.3 - gregg 2008-04-28 18:30:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1466 [GMT -7:00]
Running from: C:\Documents and Settings\gregg\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\amvo1.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-28 17:52 . 2008-04-28 17:52 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-28 17:24 . 2008-04-28 17:24 <DIR> d-------- C:\Program Files\BlackIsle
2008-04-27 14:05 . 2008-04-28 17:33 52,736 --a------ C:\WINDOWS\ipuninst.exe
2008-04-25 16:43 . 2008-04-27 20:07 <DIR> d-------- C:\Program Files\HP
2008-04-25 16:43 . 2008-04-25 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-25 16:43 . 2007-08-06 13:41 252,928 --a------ C:\WINDOWS\system32\HP1006LM.DLL
2008-04-25 16:43 . 2007-05-31 10:13 65,536 --a------ C:\WINDOWS\system32\HPPLVS.dll
2008-04-25 16:41 . 2008-04-25 16:41 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-04-25 16:40 . 2008-04-25 16:43 <DIR> d--h----- C:\Program Files\Avago-HP
2008-04-25 16:37 . 2008-04-25 16:37 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-25 16:35 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-25 16:35 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-15 11:35 . 2004-08-03 23:07 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2008-04-15 11:35 . 2004-08-03 23:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-04-07 10:04 . 2008-04-07 10:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-07 10:04 . 2008-04-07 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-06 16:44 . 2008-04-06 16:44 <DIR> d-------- C:\Documents and Settings\gregg\Application Data\Alien Skin
2008-04-06 16:39 . 2008-04-06 16:39 <DIR> d-------- C:\Program Files\Alien Skin
2008-03-30 21:35 . 2008-03-30 21:36 <DIR> d-------- C:\Lightroom Backup
2008-03-30 15:58 . 2007-10-25 20:36 8,454,656 --a------ C:\WINDOWS\system32\SET26.tmp
2008-03-30 15:58 . 2006-12-06 22:29 2,374,472 --a------ C:\WINDOWS\system32\SET23.tmp
2008-03-30 15:58 . 2007-10-29 03:26 115,712 --a------ C:\WINDOWS\system32\SET27.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-06 22:20 --------- d-----w C:\Program Files\Java
2008-03-20 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:26 --------- d-----w C:\Program Files\NovaStor
2008-03-13 03:10 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-04 02:22 20,992 ----a-w C:\WINDOWS\jestertb.dll
2008-03-03 19:29 --------- d-----w C:\Program Files\SQLyog Enterprise
2008-03-03 19:29 --------- d-----w C:\Documents and Settings\gregg\Application Data\SQLyog
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\SET169.tmp
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\SET161.tmp
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\SET162.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-10-23 22:17 5674352]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 07:16 171464]

C:\Documents and Settings\gregg\Start Menu\Programs\Startup\
Shortcut to taskmgr.exe.lnk - C:\WINDOWS\system32\taskmgr.exe [2002-08-28 12:20:00 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2006-09-08 13:29 24686 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\eclipse\\eclipse.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

R1 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2006-09-08 13:29]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2006-09-08 13:29]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2006-09-08 13:29]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2006-09-08 13:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95acdb45-8175-11dc-8a92-806d6172696f}]
\Shell\AutoRun\command - gjn2pjlw.exe
\Shell\explore\Command - gjn2pjlw.exe
\Shell\open\Command - gjn2pjlw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b975bb47-8231-11dc-beb3-de5216b6f3fe}]
\Shell\AutoRun\command - G:\f.exe
\Shell\explore\Command - G:\f.exe
\Shell\open\Command - G:\f.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 00:58:48 C:\WINDOWS\Tasks\HP WEP.job" - C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 18:31:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 18:32:00
ComboFix-quarantined-files.txt 2008-04-29 01:31:53

Pre-Run: 28,005,576,704 bytes free
Post-Run: 29,511,798,784 bytes free
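The two MountPoints2 keys in the log above are the part a responder should look at first: each `\Shell\...\command` value under a volume GUID tells Explorer to run the named target when that volume is auto-run, opened or explored, and ComboFix only prints such entries when they are not the legitimate defaults. The following Python is an added example, not code from the poster, the forum helper or the ComboFix project; it assumes only the text layout of the ComboFix "Reg Loading Points" section as shown in the post, and its sample input is constructed from the two MountPoints2 keys in that post. It pulls those entries out of a log and reports, per volume and verb, whether the target is a bare file name (resolved from the root of the removable volume itself) or an absolute path.

```python
import re

# Constructed sample: the MountPoints2 region of the ComboFix log posted above,
# with the surrounding Run key and service line kept to show they are ignored.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-10-23 22:17 5674352]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95acdb45-8175-11dc-8a92-806d6172696f}]
\Shell\AutoRun\command - gjn2pjlw.exe
\Shell\explore\Command - gjn2pjlw.exe
\Shell\open\Command - gjn2pjlw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b975bb47-8231-11dc-beb3-de5216b6f3fe}]
\Shell\AutoRun\command - G:\f.exe
\Shell\explore\Command - G:\f.exe
\Shell\open\Command - G:\f.exe

*Newly Created Service* - CATCHME
"""

# A registry key header as ComboFix prints it: "[HKEY_...\path]" on its own line.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Only keys that sit directly under explorer\mountpoints2\{volume-guid} matter here.
MP2_RE = re.compile(r"\\explorer\\mountpoints2\\(?P<volume>\{[0-9a-f-]+\})$", re.I)
# "\Shell\<verb>\command - <target>" lines that follow such a key.
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<target>.+?)\s*$", re.I)


def parse_mountpoints2(log_text):
    """Return {volume_guid: {verb: target}} for every MountPoints2 key in a ComboFix log."""
    entries = {}
    current = None  # volume GUID of the key we are inside, or None for unrelated keys
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            mp = MP2_RE.search(key.group("key"))
            current = mp.group("volume").lower() if mp else None
            continue
        if current is None:
            continue
        verb = VERB_RE.match(line)
        if verb:
            entries.setdefault(current, {})[verb.group("verb").lower()] = verb.group("target")
    return entries


def assess(entries):
    """Classify each Shell command; returns a list of (volume, verb, target, reason)."""
    findings = []
    for volume, verbs in sorted(entries.items()):
        for verb, target in sorted(verbs.items()):
            if re.match(r"^[A-Za-z]:\\", target):
                reason = "absolute path on drive %s:" % target[0].upper()
            else:
                # No drive or directory: Explorer resolves it from the root of the
                # volume being opened, the classic removable-media worm layout.
                reason = "bare executable name, resolved from the volume root"
            findings.append((volume, verb, target, reason))
    return findings


def distinct_targets(entries):
    """Sorted list of the unique executables referenced, for quarantine and cross-host hunting."""
    return sorted({t for verbs in entries.values() for t in verbs.values()})


if __name__ == "__main__":
    found = parse_mountpoints2(SAMPLE_LOG)
    for volume, verb, target, reason in assess(found):
        print("%s  %-8s %-14s %s" % (volume, verb, target, reason))
    print("targets to quarantine:", ", ".join(distinct_targets(found)))
```

Run against the full log text instead of the constructed sample, the same functions give a short list of volumes and targets to act on: quarantine the named files, clean the MountPoints2 keys, and check every removable drive (here the G: volume) and every other machine it was plugged into before plugging it in again.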
Welcome to the Webuser forum.

Please copy this page to *Notepad* and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *Notepad* and copy/paste the text in the quotebox below into it:

Quote:

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe. This will start ComboFix again (it may ask you to reboot your computer). When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply and let me know how it is running.

*Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.*