
Infected with Virtumonde



#1 joshfx


Posted 28 February 2009 - 11:50 PM

I noticed a couple days ago while I was surfing that something had hijacked my computer. Spybot-SD Resident gave me a warning that some activity was going on.

On bootup I have 2 dialog boxes that popup that are titled: "RUNDLL".

One says:
"Error loading C:\WINDOWS\system32\huhomolu.dll The specified module could not be found" with the OK button.

The other says:
"Error loading C:\WINDOWS\system32\yunewoti.dll The specified module could not be found" with the OK button.

I also get pop-ups when I run IE6. These also populate when I run Firefox, but they are IE boxes, not Firefox.

I've tried multiple times to remove with Malwarebytes, which identifies those two, but they keep coming back after reboot. PLEASE HELP. THANKS! :-)



DDS (Ver_09-02-01.01) - NTFSx86
Run by Josh Williams at 23:41:29.89 on Sat 02/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1024.601 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Josh Williams.JOSH\Application Data\Microsoft\Internet Explorer\Quick Launch\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Josh Williams.JOSH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Washer] c:\program files\washer\washer.exe /0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6]
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [pavumuhojo] Rundll32.exe "c:\windows\system32\yunewoti.dll",s
mRun: [5cdd0018] rundll32.exe "c:\windows\system32\huhomolu.dll",b
mRunServicesOnce: [washindex] c:\program files\washer\washidx.exe "Josh Williams"
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joshwi~1.jos\applic~1\mozilla\firefox\profiles\y3fhtqxd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-8 24652]
S1 nbbatuhq;nbbatuhq;\??\c:\windows\system32\drivers\nbbatuhq.sys --> c:\windows\system32\drivers\nbbatuhq.sys [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-02-28 12:59 <DIR> --d----- c:\program files\PeerGuardian2
2009-02-28 12:47 127 a------- c:\windows\system32\MRT.INI
2009-02-28 12:47 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-02-27 12:12 <DIR> --d----- c:\docume~1\joshwi~1.jos\applic~1\Malwarebytes
2009-02-27 12:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-27 12:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-27 12:11 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-02-27 12:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-27 12:00 <DIR> --d----- C:\VundoFix Backups
2009-02-27 11:43 <DIR> --d----- c:\program files\Trend Micro
2009-02-26 11:39 142,848 a--sh--- c:\windows\system32\qsxcns.dll
2009-02-25 12:53 143,872 a--sh--- c:\windows\system32\qqptjd.dll

==================== Find3M ====================

2009-02-28 18:30 2,370 a------- c:\windows\system32\tmp.reg
2009-02-26 11:39 142,848 a--sh--- c:\windows\system32\wotitiha.dll
2009-02-25 12:53 110,080 a--sh--- c:\windows\system32\tisuleto.dll
2009-02-25 12:53 143,872 a--sh--- c:\windows\system32\yezoyihu.dll
2009-02-24 23:52 145,408 a--sh--- c:\windows\system32\wolijuke.dll
2009-01-18 23:55 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-05 17:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-05 20:39 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-05 20:39 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-05 13:53 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-02 22:24 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:41:59.90 ===============
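Added example, not part of the post above and not code from BleepingComputer or its helpers: a small Python triage script that parses the `uRun`/`mRun` lines of a DDS "Pseudo HJT Report" and the `Find3M` file listing, flags autostart values that load a DLL through `rundll32`, and reports which of those DLLs are no longer on disk. That last case is exactly what produces the "RUNDLL ... The specified module could not be found" dialogs described in the post: a scanner deletes the DLL, but the Run value that names it survives, so `rundll32` complains at every boot. The report excerpt and the set of files assumed to be present are constructed sample input modelled on the log lines above.

```python
import re

# Constructed excerpt modelled on the DDS "Pseudo HJT Report" and "Find3M"
# sections in the post above; sample input for this example, not the full log.
SAMPLE_REPORT = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [pavumuhojo] Rundll32.exe "c:\windows\system32\yunewoti.dll",s
mRun: [5cdd0018] rundll32.exe "c:\windows\system32\huhomolu.dll",b
mRun: [<NO NAME>]

==================== Find3M ====================

2009-02-28 18:30 2,370 a------- c:\windows\system32\tmp.reg
2009-02-26 11:39 142,848 a--sh--- c:\windows\system32\wotitiha.dll
2009-02-25 12:53 110,080 a--sh--- c:\windows\system32\tisuleto.dll
"""

# Assumed state of the disk after a scanner removed the two loader DLLs but
# left the Run values behind (a constructed assumption for this example).
PRESENT_FILES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\eset\eset nod32 antivirus\egui.exe",
}

# "uRun:" = HKCU\...\Run, "mRun:" = HKLM\...\Run in DDS notation.
RUN_LINE = re.compile(r"^(?P<hive>[um])Run\w*:\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")

# A Run value whose command is rundll32 loading some DLL (quoted or not).
RUNDLL_LOADER = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

# Find3M / "Created Last 30" line for a DLL carrying the hidden+system
# attributes ("a--sh---"), which legitimate DLLs in system32 rarely have.
HIDDEN_SYSTEM_DLL = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+a--sh---\s+(?P<path>.+\.dll)$",
    re.IGNORECASE,
)


def parse_run_entries(report):
    """Return a list of {hive, name, command} dicts for every Run-style line."""
    entries = []
    for line in report.splitlines():
        match = RUN_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def rundll32_loaders(entries):
    """(value name, lower-cased DLL path) for each Run value that goes through rundll32."""
    loaders = []
    for entry in entries:
        match = RUNDLL_LOADER.search(entry["command"])
        if match:
            loaders.append((entry["name"], match.group("dll").lower()))
    return loaders


def orphaned_loaders(entries, present_files):
    """Loaders whose DLL is absent: these are the source of 'RUNDLL' boot-time errors."""
    present = {path.lower() for path in present_files}
    return [(name, dll) for name, dll in rundll32_loaders(entries) if dll not in present]


def hidden_system_dlls(report):
    """Lower-cased paths of recently listed DLLs flagged hidden+system."""
    found = []
    for line in report.splitlines():
        match = HIDDEN_SYSTEM_DLL.match(line.strip())
        if match:
            found.append(match.group("path").lower())
    return found


def triage(report, present_files):
    """One-shot summary a helper could paste back to the poster."""
    entries = parse_run_entries(report)
    return {
        "run_entries": len(entries),
        "rundll32_loaders": rundll32_loaders(entries),
        "orphaned_loaders": orphaned_loaders(entries, present_files),
        "hidden_system_dlls": hidden_system_dlls(report),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, PRESENT_FILES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The orphan check is what explains the symptom the poster reports: Malwarebytes removes the DLLs, the Run values remain, so `rundll32` raises the "specified module could not be found" dialog on each logon. Cleanup therefore has to cover both the files and the registry values that load them, which is why a helper asks for the full DDS log rather than only the scanner's quarantine list.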

#2 joshfx


Posted 10 March 2009 - 09:20 PM

Please close this post. Thank You.
