Not sure what type of malware I have


1 reply to this topic

#1 andy2o3

  • Members
  • 1 posts
  • Gender:Male
  • Location:New York

Posted 23 September 2011 - 12:55 PM

I think that the malware is C:\WINDOWS\844533844:2876221901.exe. I cannot delete or kill the task.
Here is my DDS log. I wasn't able to perform GMER because the malware kept killing the task. Please HELP!!!!


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Susan at 13:50:04 on 2011-09-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1697 [GMT -4:00]
.
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\844533844:2876221901.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Susan\LOCALS~1\Temp\LMIR0003.tmp\lmi_rescue.exe
C:\DOCUME~1\Susan\LOCALS~1\Temp\LMIR0003.tmp\lmi_rescue.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.membersonline.com/mol/login.aspx
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080409
uSearch Bar =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110602044731.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [*LogMeInRescue_3136205870] "c:\docume~1\susan\locals~1\temp\lmir0003.tmp\lmi_rescue.exe" -runonce reboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe"
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [HPPQVideo] "c:\program files\hp\scheduledlaunch\hp laserjet p2050 series\bin\hppschlnch.exe" -r software\hewlett-packard\scheduledlaunch\LJ_P2050_Series -f PQOptimizerVideo.xml -o RemindLater
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\susan\startm~1\programs\startup\eaglel~1.lnk - c:\3apps\catapult\3listen.exe
StartupFolder: c:\docume~1\susan\startm~1\programs\startup\eagles~1.lnk - c:\3apps\catapult\Sched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: adp.com
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{30D5AB6A-AC73-453B-8D03-F9A88FD05023} : NameServer = 68.94.156.1,68.94.157.1
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-16 436728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-19 88544]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-2 145936]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-9 135664]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-3-3 136192]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-2 159320]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-4-16 291064]
S2 RumorServer;McAfee Peer Distribution Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-4-16 291064]
S2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2008-4-16 189760]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-9 135664]
S3 MfeAVFK;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-16 171296]
S3 MfeBOPK;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-16 58456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-19 85152]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2008-6-5 34248]
.
=============== File Associations ===============
.
chm.file=c:\windows\HH.exe %1
.
=============== Created Last 30 ================
.
2011-09-23 17:42:03 94896 ----a-w- c:\windows\system32\drivers\50086042.sys
2011-09-23 17:13:14 -------- d--h--w- c:\windows\PIF
2011-09-23 16:35:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-23 16:35:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-23 16:35:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 11:01:35 -------- d-----w- c:\windows\system32\appmgmt
2011-09-23 11:00:48 -------- d-sh--w- c:\windows\ftpcache
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-27 13:44:04 281600 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp093.DLL
2011-08-27 13:44:04 161280 ----a-w- c:\windows\system32\hpcpn093.dll
2011-08-27 13:44:03 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
2011-08-27 13:44:03 331776 ----a-r- c:\windows\system32\hppcpr13.dll
2011-08-27 13:43:59 26136 ----a-r- c:\windows\system32\drivers\hpfxgen.sys
2011-08-27 13:43:59 188416 ----a-r- c:\windows\system32\hppcew13.dll
2011-08-27 13:43:59 17432 ----a-r- c:\windows\system32\drivers\hpfxbulk.sys
2011-08-27 13:38:54 -------- d-----w- c:\program files\HP
2011-08-27 13:38:50 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-08-27 13:38:50 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 19:48:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 13:50:33.10 ===============


#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 26 September 2011 - 10:18 PM

andy2o3,


The information provided shows the characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\WINDOWS\844533844:2876221901.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
•Right-click and select: Extract all?
•Follow the prompts to extract

Open the new folder that appears on the Desktop:
•Double-click DummyCreator/DummyMaker to run the tool.

•Now, copy/paste the following into the blank area:

C:\WINDOWS\844533844

•Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...
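The suspect image in the DDS log above, C:\WINDOWS\844533844:2876221901.exe, has a second colon inside the last path component. On NTFS that names an alternate data stream: the executable is stored in a stream attached to the host entry C:\WINDOWS\844533844, so Explorer and a plain dir listing show only the host, and the host is exactly the path the reply above asks to block. The script below is an added example by the editor, not part of the thread, of DDS, or of the DummyCreator tool; it scans DDS-style lines for ADS-hosted images and for security products reported as disabled. SAMPLE_LOG is a constructed, ASCII-only subset of the log posted above.

```python
"""Triage DDS log lines for executables hosted in NTFS alternate data streams.

Added example for this thread; it is not part of DDS, of the posts above or of
any BleepingComputer tool. SAMPLE_LOG is a constructed subset of the DDS log
posted above so the scan runs offline.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: lines taken from the posted DDS log (ASCII-only).
SAMPLE_LOG = [
    "AV: McAfee Security-as-a-Service Anti-virus *Disabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\system32\mfevtps.exe",
    r"C:\WINDOWS\844533844:2876221901.exe",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r'uRunOnce: [*LogMeInRescue_3136205870] "c:\docume~1\susan\locals~1\temp\lmir0003.tmp\lmi_rescue.exe" -runonce reboot',
    r'mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on',
    r"2011-09-23 17:42:03 94896 ----a-w- c:\windows\system32\drivers\50086042.sys",
]

# A Windows path candidate: a double-quoted path (may contain spaces) or an
# unquoted run of non-whitespace that starts with a drive letter. Quoted paths
# are consumed whole, so option switches such as /enum:on are never mistaken
# for a stream.
_PATH = re.compile(r'"(?P<quoted>[A-Za-z]:\\[^"]*)"|(?P<bare>[A-Za-z]:\\\S*)')

# DDS security-product summary line: "AV: <name> *<state>* {<guid>}"
_PRODUCT = re.compile(r'^(?P<kind>AV|FW|SP): (?P<name>.+?) \*(?P<state>[^*]+)\*')


class AdsHit(NamedTuple):
    line_no: int   # 1-based index into the scanned lines
    host: str      # file or directory that carries the stream
    stream: str    # stream name (the thing that actually executes)


def split_ads(path: str) -> Optional[Tuple[str, str]]:
    """Return (host_path, stream_name) if the final path component names an
    NTFS alternate data stream, otherwise None.

    C:\\WINDOWS\\844533844:2876221901.exe -> ('C:\\WINDOWS\\844533844', '2876221901.exe')
    """
    head, _, last = path.rpartition("\\")
    if not head or ":" not in last:
        return None          # bare drive spec, or no stream separator
    host, _, stream = last.partition(":")
    # "name:stream:$DATA" is the fully qualified form; drop the type suffix.
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return f"{head}\\{host}", stream


def find_ads_hits(lines: List[str]) -> List[AdsHit]:
    """Every path on every line whose last component is an ADS."""
    hits: List[AdsHit] = []
    for no, line in enumerate(lines, start=1):
        for m in _PATH.finditer(line):
            path = m.group("quoted") or m.group("bare")
            res = split_ads(path)
            if res:
                hits.append(AdsHit(no, res[0], res[1]))
    return hits


def disabled_products(lines: List[str]) -> List[Tuple[str, str]]:
    """(kind, name) for each AV/FW/SP line DDS reports as disabled."""
    found = []
    for line in lines:
        m = _PRODUCT.match(line)
        if m and m.group("state").startswith("Disabled"):
            found.append((m.group("kind"), m.group("name")))
    return found


if __name__ == "__main__":
    for kind, name in disabled_products(SAMPLE_LOG):
        print(f"[!] {kind} product disabled: {name}")
    for hit in find_ads_hits(SAMPLE_LOG):
        print(f"[!] line {hit.line_no}: stream '{hit.stream}' runs from host '{hit.host}'")
```

The scan is deliberately narrow: it flags only a colon inside the last path component, which is what distinguishes a stream from the drive colon, and it does not try to judge numeric file names or driver timestamps. To confirm a hit on the machine itself, `dir /R` lists streams on Vista and later; on Windows XP, as in this thread, the Sysinternals `streams` utility does the same.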


