Another Virtumonde infection


  • This topic is locked
2 replies to this topic

#1 flyinmonky

  • Members
  • 1 post

Posted 25 December 2008 - 01:55 PM

I've tried everything I can think of; thanks for your help. I've attached my DDS and Kaspersky scans.


DDS (Version 1.1.0) - NTFSx86
Run by bob at 20:06:25.40 on Wed 12/24/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.536 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\bob\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
Yahoo! Toolbar
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
Yahoo! Toolbar
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: ydkscv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\cor5g2v8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 ffnmesu;ffnmesu;c:\windows\system32\drivers\ffnmesu.sys [2008-12-24 30720]
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-12-23 160792]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-23 40840]
R3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-23 66952]
R3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-23 81288]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-23 359248]
S3 gsplittm;gsplittm;\??\c:\docume~1\bob\locals~1\temp\gsplittm.sys []
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-23 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-23 1079176]

=============== Created Last 30 ================

2008-12-24 19:44 <DIR> a-dshr-- C:\cmdcons
2008-12-24 19:44 <DIR> --d----- C:\ComboFix
2008-12-24 17:52 30,720 a------- c:\windows\system32\drivers\ffnmesu.sys
2008-12-24 17:52 <DIR> --d----- c:\docume~1\bob\applic~1\Online Solutions
2008-12-24 14:11 <DIR> --d----- c:\program files\Online Solutions
2008-12-24 14:11 <DIR> --d----- c:\program files\common files\Online Solutions Shared
2008-12-24 13:31 <DIR> --d----- c:\docume~1\bob\applic~1\Malwarebytes
2008-12-24 13:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 13:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 13:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-24 13:18 161,792 a------- c:\windows\SWREG.exe
2008-12-24 13:18 98,816 a------- c:\windows\sed.exe
2008-12-24 10:18 <DIR> --d----- c:\program files\Unlocker
2008-12-23 23:59 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2008-12-23 23:59 <DIR> --d----- c:\program files\common files\PC Tools
2008-12-23 23:59 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-23 23:59 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-23 23:59 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-23 23:59 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-23 23:59 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-23 23:59 <DIR> --d----- c:\docume~1\bob\applic~1\PC Tools
2008-12-23 23:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-23 20:49 143,360 a------- c:\windows\system32\dunzip32.dll
2008-12-23 20:44 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2008-12-23 20:43 <DIR> --d----- c:\program files\common files\McAfee
2008-12-23 20:42 <DIR> --d----- c:\program files\McAfee
2008-12-23 17:17 <DIR> --d----- c:\program files\Trend Micro
2008-12-22 13:43 <DIR> --d----- c:\program files\iPod
2008-12-22 13:43 <DIR> --d----- c:\program files\iTunes
2008-12-22 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 21:30 <DIR> --d----- C:\Netgear
2008-12-17 12:11 <DIR> --d----- c:\program files\ComcastUI
2008-12-14 11:13 <DIR> --d----- c:\program files\common files\SWF Studio
2008-12-14 11:05 <DIR> --d----- c:\program files\LWW
2008-12-06 23:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CCP

==================== Find3M ====================

2008-11-10 20:42 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-28 20:07 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-07-27 15:38 0 a------- c:\program files\temp01
2008-02-24 15:09 47,360 a------- c:\docume~1\bob\applic~1\pcouffin.sys
2006-06-06 22:28 1 a------- c:\documents and settings\bob\SI.bin

============= FINISH: 20:06:35.48 ===============

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 25, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 23:57:15
Records in database: 1511202
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 102020
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:43:28


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\trwdmmnc.dll.vir Infected: Trojan.Win32.Monder.afdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ydkscv.dll.vir Infected: Trojan.Win32.Monder.afdj 1

The selected area was scanned.
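The two reports above carry the indicators a helper looks for in a Virtumonde case (Trojan.Win32.Monder is Kaspersky's name for that family): an AppInit_DLLs value naming a gibberish DLL (ydkscv.dll), a boot-start (R0) driver with a gibberish name created on the day of the log (ffnmesu.sys), a driver registered from the user's temp directory (gsplittm.sys), and Kaspersky hits on trwdmmnc.dll and ydkscv.dll inside ComboFix's Qoobox quarantine, which suggests ydkscv.dll had already been quarantined while the AppInit_DLLs value still referenced it. The script below is an added example for this page, not a tool the poster or the helper used; it parses the DDS service lines, the AppInit_DLLs line and the Kaspersky quarantine lines copied from the post and applies those heuristics. The gibberish-name regex, the three-day recency window and the temp-path pattern are this example's own assumptions, meant to surface leads for a human, not to deliver verdicts.

```python
"""Triage heuristics for a DDS log plus a Kaspersky Online Scanner report.

Added example; not a tool used in the thread. RANDOM_NAME_RE, TEMP_PATH_RE and
RECENT_DAYS are assumptions that produce leads, not verdicts.
"""
import re
from datetime import date, datetime

# Constructed sample: lines copied from the reports in the post above, with the
# bulk of both logs omitted. Raw strings keep the Windows paths literal.
DDS_SAMPLE = r"""
DDS (Version 1.1.0) - NTFSx86
Run by bob at 20:06:25.40 on Wed 12/24/2008
============== Pseudo HJT Report ===============
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
AppInit_DLLs: ydkscv.dll
============= SERVICES / DRIVERS ===============
R0 ffnmesu;ffnmesu;c:\windows\system32\drivers\ffnmesu.sys [2008-12-24 30720]
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-12-23 160792]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
S3 gsplittm;gsplittm;\??\c:\docume~1\bob\locals~1\temp\gsplittm.sys []
"""
KASPERSKY_SAMPLE = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\trwdmmnc.dll.vir Infected: Trojan.Win32.Monder.afdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ydkscv.dll.vir Infected: Trojan.Win32.Monder.afdj 1
"""

RUN_DATE_RE = re.compile(r'^Run by .* on \w+ (\d{1,2})/(\d{1,2})/(\d{4})')
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(.+)$')
# DDS service line: "<start> <name>;<display>;<image path> [<created> <size>]"
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')
QUARANTINE_RE = re.compile(r'^(?P<path>.+?)\.vir\s+Infected:\s+(?P<threat>\S+)')
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,8}$')   # assumption: Vundo-style gibberish name
TEMP_PATH_RE = re.compile(r'\\(?:locals~1|local settings)\\temp\\|\\windows\\temp\\', re.I)
RECENT_DAYS = 3                                 # assumption: "created around the time of the log"


def basename(path):
    """Lower-cased file name from a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rstrip('\\').split('\\')[-1].lower()


def log_date(dds_text):
    """Date DDS was run, taken from its 'Run by ... on Wed 12/24/2008' header."""
    for line in dds_text.splitlines():
        m = RUN_DATE_RE.match(line.strip())
        if m:
            month, day, year = (int(g) for g in m.groups())
            return date(year, month, day)
    return None


def quarantined_names(kaspersky_text):
    """Map file name -> threat name for hits on quarantined (.vir) copies."""
    found = {}
    for line in kaspersky_text.splitlines():
        m = QUARANTINE_RE.match(line.strip())
        if m:
            found[basename(m.group('path'))] = m.group('threat')
    return found


def triage(dds_text, kaspersky_text=''):
    """Return (file name, reason) leads drawn from the two reports."""
    findings = []
    run_date = log_date(dds_text)
    quarantined = quarantined_names(kaspersky_text)
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is empty on a clean XP install; anything listed here is
            # mapped into every process that loads user32.dll.
            for dll in re.split(r'[,\s]+', m.group(1)):
                if dll:
                    findings.append((dll.lower(), 'AppInit_DLLs entry (injected into every user32 process)'))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, display, path = m.group('name'), m.group('display'), m.group('path')
        meta = m.group('meta').split()
        created = None
        if meta:
            try:
                created = datetime.strptime(meta[0], '%Y-%m-%d').date()
            except ValueError:
                pass
        reasons = []
        if TEMP_PATH_RE.search(path):
            reasons.append('driver image registered from a temp directory')
        recent = run_date is not None and created is not None and 0 <= (run_date - created).days <= RECENT_DAYS
        if RANDOM_NAME_RE.match(name) and display == name and recent:
            reasons.append('gibberish name, display name identical, created within %d days of the log' % RECENT_DAYS)
        if reasons and m.group('start') == 'R0':
            reasons.append('boot-start driver (R0)')
        findings.extend((basename(path), r) for r in reasons)
    # Cross-reference: a registry entry still pointing at a file another tool quarantined.
    for subject in sorted({s for s, _ in findings}):
        if subject in quarantined:
            findings.append((subject, 'already in quarantine as %s but still referenced' % quarantined[subject]))
    return findings


if __name__ == '__main__':
    for subject, reason in triage(DDS_SAMPLE, KASPERSKY_SAMPLE):
        print('%-14s %s' % (subject, reason))
```

Run against the sample it flags ydkscv.dll (AppInit_DLLs, plus the quarantine cross-reference), ffnmesu.sys (gibberish R0 driver dated the day of the log) and gsplittm.sys (temp-directory driver), while leaving the PC Tools firewall driver pctfw2.sys and the Ad-Aware service alone: pctfw2 fails the all-letters name test and neither sits in a temp path. The cross-reference is the check that matters most for the follow-up: quarantining a DLL does not clear the registry value that loads it.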


#2 chryssi2001

  • Members
  • 1,930 posts

Posted 06 January 2009 - 11:51 AM

Hello flyinmonky,

I apologise for the delay, the forum is extremely busy.

I will be assisting you with your malware issues.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it for reference.
  • If you fail to reply within 5 days from now, this thread will close, and you will have to open another topic and wait for another helper.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.
  • Copy/paste the log to your next reply, please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001

  • Members
  • 1,930 posts

Posted 11 January 2009 - 03:01 AM

Due to the lack of feedback, this Topic is now closed and will not be reopened.
If you still need help, begin a new topic.

This applies only to the original poster; anyone else with similar problems, please start a new topic.
Private Messages for personal support will be ignored. If you need help post in the forum.
