Jump to content

Malware attempts to steal and/or disrupt my "log-in" info

Recommended Posts

Hi Everyone,

The other day I received a e-mail from Citi-bank saying I needed to click the e-mail link to log on and change my password. Of course I didn't, because Citi-bank doesn't send such e-mails to debit card holders. But when I tried to log on, from their web-page, I found that my password/user name no longer worked. I called them, and they re-set my password.

And tonight, when I tried I clicked to log on my Net-Spend debit card web-site, I received a download pop-up, asking me to Run or Save some sort of Font file. I knew something was wrong so I canceled, which means I couldn't log on.

This happened with Internet Explorer 8. But when I used my Opera browser, the suspicious download pop-up didn't appear, and I was able to successfully log on via Opera.

I was afraid some sort of malware was in Internet Explorer 8, so I used Revo to totally UN-install Internet Explorer 8 from my computer. And I won't re-install tell I get some answers.

I ran both a Malwarebytes and a AVG scan, but nothing turned up with either scan.

Any ideas what sort of malware could be trying to disrupt and steal my log on info ?

And how could I go about detecting and removing it ?



DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.6.2

Run by Lawrence Oliver at 16:56:18 on 2012-08-23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.377 [GMT -5:00]


AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup



C:\Program Files\AVG\AVG2012\avgwdsvc.exe



C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\UPHClean\uphclean.exe



C:\Program Files\RAM Idle LE\RAM_XP.exe

C:\Program Files\Keybreeze\Keybreeze.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe



C:\Program Files\PeerBlock\peerblock.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\Task Killer\TaskKiller.exe



============== Pseudo HJT Report ===============


uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com

uDefault_Page_URL =

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

uRun: [Task Killer] c:\program files\task killer\TaskKiller.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [RAM Idle Professional] c:\program files\ram idle le\RAM_XP.exe

mRun: [Keybreeze] c:\program files\keybreeze\Keybreeze.exe

mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\lawren~1\startm~1\programs\startup\autorunsdisabled\openoffice.org 3.2.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C} - c:\program files\nitro pdf\pdf download\NitroPDF.dll

Trusted Zone: dell.com

Trusted Zone: emprise.com\www2

Trusted Zone: paypal.com\www

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

TCP: DhcpNameServer =

TCP: Interfaces\{43F019D5-B7B3-4FAB-8237-86AEAEB0BECA} : DhcpNameServer =

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = :\windows\system3 scecli scecli


================= FIREFOX ===================


FF - ProfilePath - c:\documents and settings\lawrence oliver\application data\mozilla\firefox\profiles\72a5vqgl.default\

FF - prefs.js: browser.startup.homepage - about:home

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - plugin: c:\windows\system32\npwmsdrm.dll


============= SERVICES / DRIVERS ===============


R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]

R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2007-2-14 50606]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2012-7-2 132768]

R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-3-5 34712]

R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-8-16 19056]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 VRDVC20;Sony VRD-VC20 [Video Capture];c:\windows\system32\drivers\VRDVC20X.SYS [2006-3-12 31104]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-5-27 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-5-27 8456]

S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys --> c:\windows\system32\drivers\exdisk.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-22 40776]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 113120]

S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\drivers\procexp150.sys --> c:\windows\system32\drivers\PROCEXP150.SYS [?]

S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]

S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [2001-4-14 22474]

S3 TJOJDBN;TJOJDBN;c:\windows\temp\tjojdbn.exe --> c:\windows\temp\TJOJDBN.exe [?]

S4 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]


=============== Created Last 30 ================


2012-08-22 22:02:33 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-08-14 21:39:15 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-08-14 21:38:46 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-08-01 19:25:47 -------- d-----w- c:\program files\DVDStyler


==================== Find3M ====================


2012-08-14 21:38:04 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-08-14 21:38:04 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-16 14:58:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-16 14:58:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-10 04:00:06 21768 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS

2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 22:35:26 222448 ----a-w- c:\windows\system32\muweb.dll

2012-06-04 04:31:23 153088 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll


============= FINISH: 16:59:13.14 ===============



Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:


  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.