
IE: http://rnd009.googlepages.com/google.html, Disabled TaskManager, Disabled RegistryEditor, Disabled Folder Option, gphone.exe, New Folder.Exe


  • This topic is locked
2 replies to this topic

#1 Carlos Leonhart


Posted 27 February 2009 - 12:03 AM

Hello there!
Please help me with my problem. I've been suffering from an "attack"; I don't know what caused it.
I've some behavioral changes in my computer:
1) My IE homepage is set to http://rnd009.googlepages.com/google.html.
2) My TASK MANAGER, REGISTRY EDITOR and FOLDER OPTION ARE DISABLED.
3) I've found out that when I transfer a file onto a CLEAN/NEWLY FORMATTED Flash Drive, it also sends gphone.exe, as I saw when I looked into the attributes of my Flash Drive.
4) It also creates a New Folder.exe as I transfer files. I've also noticed that inside a specific folder it also created the same folder. Example: I have Folder A; when I transfer this folder onto my Flash Drive, it will create a folder inside my Folder A named after it.

Thanks in advance guys.
I also ran dds for this and here is the result:
DDS (Ver_09-02-01.01) - NTFSx86
Run by cssioson at 11:45:17.43 on 02-27-2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.642 [GMT 8:00]

AV: avast! antivirus 4.8.1229 [VPS 090225-1] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cssioson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://home.cocoplans.com:39920/ITD/default.aspx
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = mail.cocoplans.com:3128
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
uPolicies-system: Wallpaper = \\coconet\corporate wallpaper\Wallpaper_December_08.jpg
uPolicies-system: WallpaperStyle = 2
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-7-17 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-9-15 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-9-15 147640]
R2 NBXPacket;NBX Packet Driver;c:\windows\system32\drivers\NBXPkt2k.sys [2008-7-18 8495]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-9-15 250040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-9-15 348344]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-18 33752]

=============== Created Last 30 ================

2009-02-27 10:52 <DIR> --d----- c:\windows\ERUNT
2009-02-27 10:50 <DIR> --d----- C:\backups
2009-02-27 10:50 <DIR> --d----- C:\backupreg
2009-02-27 10:50 146,432 a------- C:\editreg.exe
2009-02-27 10:50 27,136 a------- C:\rtsdnif.exe
2009-02-27 10:50 11,264 a------- C:\attrib.exe
2009-02-27 10:50 9,216 a------- C:\dnif.exe
2009-02-27 10:24 <DIR> --d----- C:\SDFix
2009-02-27 08:10 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-27 08:09 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-27 08:09 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-27 08:09 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-27 08:09 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-27 08:09 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-27 08:09 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-27 08:09 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-27 08:09 <DIR> --d----- C:\6744dfb33442ae9af86ec395d046df50
2009-02-27 08:07 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-26 10:46 <DIR> a-dshr-- C:\autorun.inf
2009-02-26 08:15 <DIR> --d----- C:\Sys Dev't
2009-02-26 07:29 163,840 -c------ c:\windows\system32\dllcache\jgdw400.dll
2009-02-26 07:29 27,648 -c------ c:\windows\system32\dllcache\jgpl400.dll
2009-02-26 07:28 28,672 -------- c:\windows\system32\verclsid.exe
2009-02-26 07:27 453,120 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-24 14:01 <DIR> --d----- c:\program files\Trend Micro
2009-02-24 12:48 410,449 a--shr-- c:\windows\system32\gphone.exe
2009-02-24 12:48 410,449 a------- c:\windows\gphone.exe
2009-02-18 13:32 <DIR> --d----- c:\docume~1\cssioson\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-18 12:03 <DIR> --d----- C:\WebXML
2009-02-12 07:08 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-02-12 07:06 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-11 08:34 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-11 08:34 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-11 08:34 2,057,600 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-11 08:34 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-11 08:33 172,416 -c------ c:\windows\system32\dllcache\kmixer.sys
2009-02-11 08:33 82,944 -c------ c:\windows\system32\dllcache\wdmaud.sys
2009-02-11 08:33 6,400 -c------ c:\windows\system32\dllcache\splitter.sys
2009-02-11 08:33 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-02-11 08:33 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-11 08:33 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-02-11 08:33 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-11 08:33 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-02-11 08:33 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-11 08:33 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-02-11 08:33 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-10 07:29 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-04 15:00 <DIR> --d----- C:\ITD Inventory Documents
2009-02-04 08:30 <DIR> --d----- c:\program files\MSN Messenger
2009-02-04 08:17 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-03 17:12 <DIR> --d----- c:\documents and settings\cssioson\Tracing
2009-02-03 17:05 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-02-03 16:59 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-03 10:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GRETECH
2009-02-03 10:17 <DIR> --d----- c:\program files\GRETECH
2009-02-03 07:18 268 a---h--- C:\sqmdata02.sqm
2009-02-03 07:18 244 a---h--- C:\sqmnoopt02.sqm

==================== Find3M ====================

2009-02-27 09:10 36,912 a------- c:\docume~1\cssioson\applic~1\GDIPFONTCACHEV1.DAT
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 07:57 249,856 -------- c:\windows\Setup1.exe
2009-01-05 16:10 354,560 a------- c:\windows\system32\TuneUpDefragService.exe
2008-12-21 07:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-16 09:07 25,504 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 11:45:43.52 ===============


Hope we can fix this out.

Keep safe and More Power
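A way to triage the "Created Last 30" section of a DDS log like the one above, shown as an added example that is not part of the original post or of DDS itself. The two rules (system, hidden and read-only attributes set together; the same file name and size created in more than one folder) are heuristics assumed for this sketch, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines taken from the DDS log above: date, time, size or <DIR>, attributes, path.
SAMPLE = r"""
2009-02-27 10:50 146,432 a------- C:\editreg.exe
2009-02-26 10:46 <DIR> a-dshr-- C:\autorun.inf
2009-02-26 07:28 28,672 -------- c:\windows\system32\verclsid.exe
2009-02-24 12:48 410,449 a--shr-- c:\windows\system32\gphone.exe
2009-02-24 12:48 410,449 a------- c:\windows\gphone.exe
"""

LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")

def parse(log_text):
    """Yield one dict per well-formed 'Created Last 30' entry."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, anything not in entry layout
        size, attrs, path = m.groups()
        yield {"is_dir": size == "<DIR>",
               "size": None if size == "<DIR>" else int(size.replace(",", "")),
               "attrs": set(attrs) - {"-"},
               "path": path}

def triage(log_text):
    """Return {path: [reasons]}; both rules are this example's own heuristics."""
    entries = list(parse(log_text))
    findings = defaultdict(list)
    for e in entries:  # rule 1: system + hidden + read-only set together
        if {"s", "h", "r"} <= e["attrs"]:
            findings[e["path"]].append("hidden+system+read-only")
    copies = defaultdict(list)
    for e in entries:  # rule 2: same name and size created in several folders
        if not e["is_dir"]:
            name = e["path"].rsplit("\\", 1)[-1].lower()
            copies[(name, e["size"])].append(e["path"])
    for paths in copies.values():
        if len(paths) > 1:
            for p in paths:
                findings[p].append("duplicate copy")
    return dict(findings)

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path, "->", ", ".join(reasons))
```

A flagged entry is a candidate for closer review, not a verdict; the rules only narrow a long listing down to the few lines worth checking first.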



#2 Blade81


Posted 06 March 2009 - 07:33 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this, post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81


Posted 12 March 2009 - 02:02 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
