
Mystery Malware to me


  • This topic is locked
2 replies to this topic

#1 deadender

deadender

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:05 PM

Posted 04 September 2009 - 11:49 AM

I think this post has been overlooked and buried as there's been quite a few other posts with responses so I'm hoping this edit will draw attention to my problem. Thanks for looking!
Dell laptop infected with insidious malware - see this link for the RootRepeal log and description of symptoms.

Attached are the additional logs I was directed to include.

Couple of questions: the user behind this laptop uses it for Facebook and nothing else. What are the precautions she needs to make to avoid this in the future? She's running Vista w/ UAC enabled.

Moreover, this machine has a Dell recovery partition. Could I just restore this machine and be done with it?

I'd also like to know the name of this malware. I've done numerous googles off the root repeal log and got no results or even clues as to HOW she was infected or WHAT this thing is. Any help on this would be appreciated!!!!!!

THANKS for your help!!!

dead
PS. I had to run this in safe mode, as the machine keeps bluescreening whenever it initiates the network unless in safe mode.

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Terry at 9:24:00.77 on Fri 09/04/2009
Internet Explorer: 8.0.6001.18813

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/home.php?
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081211
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: []
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-03 18:35 0 a------- c:\windows\system32\settings.dat
2009-09-03 18:22 8,212 a------- c:\windows\mfebcdata
2009-09-03 16:36 --d----- c:\windows\pss
2009-09-01 19:48 --d----- c:\program files\Garmin GPS Plugin
2009-08-26 06:20 2,048 a------- c:\windows\system32\tzres.dll
2009-08-25 19:13 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-25 19:13 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-11 20:49 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 20:49 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 20:49 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 20:49 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 20:49 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 20:49 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 20:49 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 20:49 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 20:49 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 20:49 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 20:49 18,432 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-21 21:58 8,270,752 a------- c:\users\terry\appdata\roaming\DataSafeDotNet.exe
2009-07-21 14:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 14:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 14:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 13:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-10 19:03 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-10 19:03 86,016 a------- c:\windows\inf\infstor.dat
2009-07-10 19:03 51,200 a------- c:\windows\inf\infpub.dat
2009-06-15 08:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 08:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 08:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 05:52 289,792 a------- c:\windows\system32\atmfd.dll
2008-12-11 10:01 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-11 08:25 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 9:32:50.27 ===============

Edited by deadender, 04 September 2009 - 10:55 PM.
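The DDS "Pseudo HJT Report" and "Created Last 30" / "Find3M" sections above are plain text, so a helper can parse them for triage before a human reviews the log. The following Python is an added example written for this page; it is not part of DDS, not BleepingComputer's tooling, and not something the poster ran. The sample log lines are copied from the post above; the triage heuristics (executables under a user profile, zero-byte files under c:\windows, hidden+system files outside the usual desktop.ini, anything in AppInit_DLLs) are assumptions of this example and mark entries as worth a second look, not as malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the DDS log in the post above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
2009-09-03 18:35 0 a------- c:\windows\system32\settings.dat
2009-09-03 18:22 8,212 a------- c:\windows\mfebcdata
2009-07-21 21:58 8,270,752 a------- c:\users\terry\appdata\roaming\DataSafeDotNet.exe
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2008-12-11 08:25 76 ---shr-- c:\windows\CT4CET.bin
"""

# Line shapes used by DDS for browser helper objects / toolbars, file listings and AppInit_DLLs.
HJT_RE = re.compile(r"^(BHO|TB): (.*?): \{([0-9a-fA-F-]{36})\} - (.+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) ([a-z-]{8}) (.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.+)$")


@dataclass
class HjtEntry:
    kind: str   # "BHO" or "TB"
    name: str
    clsid: str
    path: str


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str  # DDS attribute flags, e.g. "a--sh---"
    path: str


def parse_dds(text):
    """Split a DDS log into HJT-style entries, file entries and AppInit_DLLs paths."""
    hjt, files, appinit = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_RE.match(line)
        if m:
            hjt.append(HjtEntry(*m.groups()))
            continue
        m = FILE_RE.match(line)
        if m:
            date, time, size, attrs, path = m.groups()
            files.append(FileEntry(f"{date} {time}", int(size.replace(",", "")), attrs, path))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs may hold several comma-separated paths.
            appinit.extend(p.strip() for p in m.group(1).split(",") if p.strip())
    return hjt, files, appinit


def triage(hjt, files, appinit):
    """Return (reason, path) pairs for entries a reviewer should look at first.

    These are review heuristics assumed by this example, not verdicts."""
    findings = []
    trusted_roots = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
    for e in hjt:
        if not e.path.lower().startswith(trusted_roots):
            findings.append(("hjt-unusual-location", e.path))
    for f in files:
        low = f.path.lower()
        if "\\appdata\\" in low and low.endswith((".exe", ".dll", ".sys")):
            findings.append(("exe-in-user-profile", f.path))
        if f.size == 0 and low.startswith("c:\\windows\\"):
            findings.append(("zero-byte-system-file", f.path))
        if "h" in f.attrs and "s" in f.attrs and not low.endswith("desktop.ini"):
            findings.append(("hidden-system-file", f.path))
    for p in appinit:
        # Anything loaded via AppInit_DLLs is injected into every GUI process; always review it.
        findings.append(("appinit-dll", p))
    return findings


def triage_sample():
    return triage(*parse_dds(SAMPLE_LOG))


if __name__ == "__main__":
    for reason, path in triage_sample():
        print(f"{reason:24} {path}")
```

Run as a script it prints four review candidates from the sample: the zero-byte settings.dat, the executable under the user's roaming profile, the hidden+system CT4CET.bin, and the AppInit_DLLs entry. Each is a starting point for checking the file's publisher and hash against a known-good source, which is the kind of follow-up a helper on the forum would do with the full log.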



#2 deadender

deadender
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:05 PM

Posted 10 September 2009 - 06:01 PM

Please close - I've reinstalled the machine from the recovery partition. Ran new scans and the machine appears to be free of infection.

#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:05 AM

Posted 21 September 2009 - 02:32 AM

Sorry we couldn't get to you sooner, but thanks for letting us know you sorted it :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
