
virtumonde


  • This topic is locked
2 replies to this topic

#1 englishmagic

englishmagic

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 31 December 2008 - 09:16 PM

Hi
I'm sorting a friend's PC out, I think it's full of viruses. When I do a scan with Spybot I keep getting Virtumonde popping up in the scan. Plus other programs won't run properly.

Thanks in advance Englishmagic


DDS (Version 1.1.0) - NTFSx86
Run by Comet at 1:34:36.36 on 01/01/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_GB&Sys=DTP&M=E4040
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {1AFD34A8-AD06-46F0-B19C-9717908C08AA} - No File
BHO: adssite: {22c8cebf-00b4-1055-6399-620777348d83} - c:\windows\system32\nsk93.dll
BHO: {5237F075-BDAF-4312-B67D-A8C38B88D648} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {58A900D9-77AA-435B-9E3A-EA6EE6A549C9} - No File
BHO: {7452EC2D-1624-4A1A-A9CD-198E3CF5835E} - No File
BHO: {7532880B-F940-45BD-A919-4B66A370FC58} - No File
BHO: {79B12314-5A74-4B7F-8293-03657990A14F} - No File
BHO: {81147C3E-5336-4CD5-86C8-430A65B0110C} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {B8754114-53BA-4b82-9B87-AB07B3AC07BB} - No File
BHO: {c5183abc-eb6e-4e05-b8c9-500a16b6cf94} - No File
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
BHO: {F2DB439B-0177-4B47-9306-7956773AB948} - No File
BHO: {f8d3b490-a386-48c3-8214-11284964ea8b} - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\comet\applic~1\mozilla\firefox\profiles\kwbzzcsw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://english.icrfast.com/index.php?rvs=hompag
FF - prefs.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - component: c:\progra~1\mozill~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\nsadssite.dll
FF - component: c:\program files\mozilla firefox\components\nsbads.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-01 00:56 <DIR> --d----- c:\program files\CCleaner
2009-01-01 00:47 <DIR> a-dshr-- C:\cmdcons
2009-01-01 00:26 161,792 a------- c:\windows\SWREG.exe
2009-01-01 00:26 98,816 a------- c:\windows\sed.exe
2009-01-01 00:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-01 00:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 00:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 00:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-31 15:57 299,904 a----r-- c:\windows\system32\drivers\MRVW225.sys
2008-12-30 11:35 683,520 a------- c:\windows\system32\nsk93.dll

==================== Find3M ====================

2009-01-01 00:39 69,396,512 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-01 00:39 801,620 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-30 13:08 85,265 a------- c:\windows\system32\cont_adssite-remove.exe
2008-09-18 15:40 82,944 a--sh--- c:\windows\system32\mojohigu.dll
2008-09-23 16:43 77,824 a--sh--- c:\windows\system32\pubulasi.dll
2008-09-18 15:40 12,288 a--sh--- c:\windows\system32\tayoweyi.dll

============= FINISH: 1:35:36.00 ===============
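The DDS report above is what a helper reads when triaging a thread like this one: BHO entries with "No File", a BHO DLL (nsk93.dll) that also appears in the "Created Last 30" listing, Firefox search and start-page prefs pointed at an unfamiliar host and pinned through user.js, and hidden+system DLLs with random-looking names in system32. The script below is an added example written for this page, not a BleepingComputer or DDS tool script; it parses a subset of the log lines above (embedded as a constructed sample) and cross-references those sections to produce a list of findings. The `KNOWN_GOOD_HOSTS` allowlist is an assumption for the example, not part of the log.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' log (added example, not part of
the thread or the DDS tool).  It cross-references the BHO, Firefox and file
listing sections to surface the indicators a malware-removal helper looks for."""

import re
from urllib.parse import urlparse

# Constructed sample: a subset of the DDS lines from the thread above.
SAMPLE_LOG = r"""
BHO: {1AFD34A8-AD06-46F0-B19C-9717908C08AA} - No File
BHO: adssite: {22c8cebf-00b4-1055-6399-620777348d83} - c:\windows\system32\nsk93.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
FF - prefs.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - prefs.js: browser.startup.homepage - hxxp://english.icrfast.com/index.php?rvs=hompag
FF - user.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - user.js: browser.search.defaultenginename - Yoog Search
2008-12-30 11:35 683,520 a------- c:\windows\system32\nsk93.dll
2009-01-01 00:39 69,396,512 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-09-18 15:40 82,944 a--sh--- c:\windows\system32\mojohigu.dll
2008-09-23 16:43 77,824 a--sh--- c:\windows\system32\pubulasi.dll
2009-01-01 00:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# "BHO: [name: ]{CLSID} - path|No File"
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# "FF - prefs.js|user.js: key - value"
FF_RE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<key>\S+) - (?P<value>.+)$")
# "YYYY-MM-DD HH:MM size|<DIR> attrs path"  (attrs is an 8-char flag string such as a--sh---)
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$")

# Firefox prefs that decide where searches and the start page go.
SEARCH_KEYS = {"browser.search.defaulturl", "browser.search.selectedEngine",
               "browser.search.defaultenginename", "browser.startup.homepage", "keyword.URL"}
# Assumption for this example: hosts the reader considers expected on this machine.
KNOWN_GOOD_HOSTS = {"www.google.co.uk", "www.google.com"}


def host_of(value):
    """Return the hostname of a (possibly hxxp-defanged) URL, or None for non-URL values."""
    if not value.lower().startswith(("hxxp://", "hxxps://", "http://", "https://")):
        return None
    return urlparse("http" + value[value.index("://"):]).hostname


def triage(log_text):
    """Parse the log and return a list of (finding_kind, detail) tuples."""
    bhos, ff_prefs, files = [], [], {}
    for line in log_text.splitlines():
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := FF_RE.match(line):
            ff_prefs.append(m.groupdict())
        elif m := FILE_RE.match(line):
            files[m["path"].rsplit("\\", 1)[-1].lower()] = m.groupdict()

    findings = []
    for b in bhos:
        if b["path"] == "No File":
            # Registration left behind after the DLL was deleted: harmless but worth cleaning.
            findings.append(("orphaned_bho", b["clsid"]))
            continue
        base = b["path"].rsplit("\\", 1)[-1].lower()
        if base in files:
            # A live BHO whose DLL shows up in the dated file listing: check its creation date.
            findings.append(("bho_dll_in_file_listing", f'{base} created {files[base]["date"]}'))

    for p in ff_prefs:
        if p["key"] not in SEARCH_KEYS:
            continue
        if p["file"] == "user.js":
            # user.js is re-applied on every Firefox start, so a hijack set there survives
            # being changed in the UI; a user rarely writes this file by hand.
            findings.append(("ff_forced_pref", f'{p["key"]} = {p["value"]}'))
        host = host_of(p["value"])
        if host and host not in KNOWN_GOOD_HOSTS:
            findings.append(("ff_unfamiliar_host", host))

    for base, f in files.items():
        # Hidden + system DLLs dropped in system32 are a classic Vundo/Virtumonde pattern.
        if "s" in f["attrs"] and "h" in f["attrs"] and base.endswith(".dll") \
                and "\\system32\\" in f["path"].lower():
            findings.append(("hidden_system_dll", f["path"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

Run on the sample, it reports the orphaned BHO, ties nsk93.dll to its 2008-12-30 creation entry, lists both unfamiliar Firefox hosts, flags the two user.js overrides, and names the two hidden+system DLLs; fidbox.dat (an AVG data file) is hidden+system too but is not a DLL, so it is left alone.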


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:49 PM

Posted 05 January 2009 - 03:21 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:49 PM

Posted 12 January 2009 - 02:59 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
