
Strange Malware


1 reply to this topic

#1 banderson443

banderson443

  • Members
  • 2 posts
  • OFFLINE
  • Local time: 02:22 AM

Posted 11 June 2010 - 10:49 AM

I've got a computer that seems to be infected. When I visit any bank site I'm prompted with what looks like a phishing page, asking for SS# and other info the bank wouldn't ask for.

GMER BSODs every time I try to use it.

Everything else I've used comes up clean, but I can't get this thing to go away.

Thanks,

Banderson443

Attached Files


#2 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  • Gender: Male
  • Location: @localhost
  • Local time: 03:22 AM

Posted 15 June 2010 - 04:51 PM

hi,

I copied in your DDS log for easier viewing. Comments at bottom.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Michael Tumminello at 10:16:38.34 on Fri 06/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1456 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\IEHistoryPH\IEHistoryShellNotifier.exe
C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\taskmgr.exe
D:\HBCD\WinTools\Autorun.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Michael Tumminello\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Clss: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{EA6B405D-6CAC-A95F-AFA5-771B9450E19C}] "c:\documents and settings\michael tumminello\application data\qimane\ehtym.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [IEHistory] c:\program files\iehistoryph\IEHistoryShellNotifier.exe
mRun: [OTFSDMS] c:\program files\addinforuncfat\UNCFATDMS.exe /p
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hid
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

dRun: [DWQueuedReportng] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: {260A2FEF-C0B2-4F36-97C4-4EAF9726312E} = 199.186.19.130,205.152.133.23,205.152.37.23
TCP: {C02266B8-D2E0-41DF-AF10-247D2F5E1868} = 199.186.19.34,199.186.19.130

Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 watcher;watcher;c:\windows\system32\drivers\watcher.sys [2009-2-18 4608]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-12-31 104000]
R2 OTFSDMS;UNCFAT DMS;c:\program files\addinforuncfat\UNCFATDMS.exe [2006-12-13 129024]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2007-12-21 2521880]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2008-1-3 18048]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 qoeimwiod;qoeimwiod;\??\c:\windows\system32\drivers\viqceks.sys --> c:\windows\system32\drivers\viqceks.sys [?]
S3 HPEWSFXBULK;HPEWSFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2009-10-7 17432]
S4 YWLI;YWLI;c:\docume~1\michae~1\locals~1\temp\ywli.exe --> c:\docume~1\michae~1\locals~1\temp\YWLI.exe [?]

=============== Created Last 30 ================

2010-06-08 19:41:09 0 d-----w- c:\windows\system32\appmgmt
2010-06-08 18:57:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-08 16:35:30 0 d-----w- C:\spoolerlogs
2010-06-08 16:26:35 0 d--h--w- c:\windows\PIF
2010-06-08 16:01:41 0 d-----w- c:\docume~1\michae~1\applic~1\Malwarebytes
2010-06-08 16:01:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-08 15:48:35 0 d-----w- c:\windows\pss
2010-06-08 14:03:16 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-07 22:29:32 0 d-----w- c:\windows\SQL9_KB970895_ENU
2010-06-07 21:03:44 0 d-sha-r- C:\cmdcons
2010-06-07 21:02:32 98816 ----a-w- c:\windows\sed.exe
2010-06-07 21:02:32 77312 ----a-w- c:\windows\MBR.exe
2010-06-07 21:02:32 256512 ----a-w- c:\windows\PEV.exe
2010-06-07 21:02:32 161792 ----a-w- c:\windows\SWREG.exe
2010-06-07 21:02:20 0 d-----w- C:\ComboFix
2010-06-07 17:17:40 120 ----a-w- c:\windows\Llonoqipofevinuy.dat
2010-06-07 17:17:40 0 ----a-w- c:\windows\Lmemadic.bin
2010-06-07 17:15:56 0 d-----w- c:\windows\system32\msapps

==================== Find3M ====================

2010-06-11 10:07:25 136192 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-04-06 09:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
2009-03-29 18:25:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032920090330\index.dat

============= FINISH: 10:17:40.23 ===============

Looks like you ran ComboFix. You can uninstall it like this:
Start > Run and type in combofix /u
Click OK or press Enter.
Note: there is a space after the x and before the /

Next: read through this guide to using ComboFix, then apply the directions on your own computer:
Guide to using Combofix
Post the combofix log in your reply.

How Can I Reduce My Risk to Malware?
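The log quoted above is a DDS report, and the kinds of entries a responder tends to look at first are visible in it: an autostart value whose name is a bare GUID and whose image sits under a user's Application Data folder, and service/driver entries whose file DDS could not find on disk (the "--> path [?]" form), one of them pointing into the user's Temp folder. The script below is an added example, not part of this thread and not DDS's own code; it parses uRun/mRun/dRun and service lines and flags entries that match those three heuristics. The sample input is constructed from a few lines copied from the log above, mixed with benign entries from the same log, and the marker lists and heuristics are my own triage assumptions rather than DDS rules.

```python
import re

# Constructed sample: a few autostart and service/driver lines copied from the
# DDS log quoted in the thread, mixed with benign entries from the same log.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{EA6B405D-6CAC-A95F-AFA5-771B9450E19C}] "c:\documents and settings\michael tumminello\application data\qimane\ehtym.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
R1 watcher;watcher;c:\windows\system32\drivers\watcher.sys [2009-2-18 4608]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 qoeimwiod;qoeimwiod;\??\c:\windows\system32\drivers\viqceks.sys --> c:\windows\system32\drivers\viqceks.sys [?]
S4 YWLI;YWLI;c:\docume~1\michae~1\locals~1\temp\ywli.exe --> c:\docume~1\michae~1\locals~1\temp\YWLI.exe [?]
"""

RUN_RE = re.compile(r"^([umd]Run): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|sys|cpl))", re.I)
# Assumed markers (long and 8.3 short forms) for per-user, user-writable
# locations on Windows XP; adjust for other profile layouts.
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")
WRITABLE_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\application data\\", "\\applic~1\\")


def image_path(rest):
    """Pull the program path out of the remainder of a DDS line.
    Quoted paths are taken whole; unquoted ones are cut at the first
    executable extension, which tolerates spaces in unquoted paths."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = IMAGE_RE.match(rest)
    return m.group("path") if m else rest.split(" ")[0]


def reasons_for(name, path, missing):
    """Return the heuristic reasons an entry deserves a second look (may be empty)."""
    reasons = []
    low = path.lower()
    if GUID_RE.match(name):
        reasons.append("run value named with a bare GUID")
    if any(k in low for k in PROFILE_MARKERS) and any(k in low for k in WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable profile location")
    if missing:
        reasons.append("service/driver file reported missing on disk")
    return reasons


def triage(log_text):
    """Scan DDS autostart (uRun/mRun/dRun) and service/driver lines and return
    the entries that trip at least one heuristic, in log order."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            kind, name, rest = m.group(1), m.group("name"), m.group("rest")
            path = image_path(rest)
            missing = False
        else:
            m = SVC_RE.match(line)
            if not m:
                continue
            kind, name, rest = m.group("state"), m.group("name"), m.group("rest")
            # DDS writes "<path> --> <path> [?]" when it could not find the file.
            missing = rest.rstrip().endswith("[?]")
            path = image_path(rest.split(" --> ")[-1] if missing else rest)
        why = reasons_for(name, path, missing)
        if why:
            hits.append({"kind": kind, "name": name, "path": path, "reasons": why})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h['kind']:5} {h['name']:40} {h['path']}")
        for r in h["reasons"]:
            print(f"      - {r}")
```

Run against the sample it reports three entries: the GUID-named uRun value under Application Data, the qoeimwiod driver whose .sys file is missing, and the YWLI service whose image is both missing and under the user's Temp folder. A flag is a prompt to check the file (hash, signature, creation date), not a verdict; the benign ctfmon, IgfxTray, HP, watcher and WinDefend lines pass untouched.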
