Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP VIRTUMONDE COMES BACK AFTER REBOOTING!


  • This topic is locked This topic is locked
2 replies to this topic

#1 ozne64

ozne64

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 02 January 2009 - 11:06 PM

after being infected with something nasty(stuff was being installed on his ownon my pc) i used spyware doctor to clean up found i had the"virtumonde"trojan!but could not completely get rid of !so i tried this sequence of programs: first superantispyware than spybot than mbam i have all the logs if you guys need them! they all found some variant of virtumonde crap!i've also have a hijack log that was done after everything else if you need it!
i still found that in firefox and ie7 when i search some with google and i click on a link result the first time ,rather than go to the site i clicked it goes to a site called:"shopica"!if i close the tab and re-click the link than it goes correctly to the link site!
help i'm still infected!!!! when i turn my pc of and than restart the crap comes back!how???????
PLEASE HELP!!!!!
ps:for now i have attached the dds log

DDS (Version 1.1.0) - NTFSx86
Run by porcamiseria at 22:16:51.62 on Fri 01/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2578 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090102-0] *On-access scanning enabled* (Updated)
FW: COMODO Firewall Pro *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\porcamiseria\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: {CB789373-04D5-4EF4-9C16-871463FD0830} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\CPF.exe" /background
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EPSON Stylus CX6000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibia.exe /fu "c:\windows\temp\E_S124.tmp" /EF "HKLM"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: rqRHaWNd - rqRHaWNd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap c:\windows\system32\awtRiGww

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\porcam~1\applic~1\mozilla\firefox\profiles\i2659uoc.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - www.google.com/firefox
FF - plugin: c:\documents and settings\porcamiseria\application data\mozilla\firefox\profiles\i2659uoc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - HiddenExtension: XUL Cache: {312439A5-B08A-4ECB-8C27-2C705B1E8CF3} - c:\documents and settings\porcamiseria\local settings\application data\{312439A5-B08A-4ECB-8C27-2C705B1E8CF3}

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.01.06);user_pref(general.useragent.extra.zencast,
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-31 111184]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-31 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2008-8-31 155160]
R2 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2008-8-30 361040]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2008-8-31 254040]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2008-8-31 352920]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-02 21:39 <DIR> --d----- c:\program files\Trend Micro
2009-01-02 16:22 <DIR> --d----- c:\docume~1\porcam~1\applic~1\Malwarebytes
2009-01-02 16:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 16:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 16:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 00:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-02 00:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-02 00:49 <DIR> --d----- c:\docume~1\porcam~1\applic~1\SUPERAntiSpyware.com
2009-01-01 23:29 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-01 16:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-01 01:41 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-26 23:31 <DIR> --d----- C:\VundoFix Backups
2008-12-26 23:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-26 22:27 1,299,082 a--sh--- c:\windows\system32\mtghxlqv.ini
2008-12-26 14:41 <DIR> --d----- c:\documents and settings\porcamiseria\Pavark
2008-12-25 22:57 <DIR> --d----- c:\program files\World Machine
2008-12-24 18:22 <DIR> --d----- c:\program files\VirtualDub-1.8.7
2008-12-23 21:53 <DIR> --d----- c:\program files\e-on software
2008-12-23 21:50 327 a------- c:\windows\Vue 6 xStream.reg
2008-12-22 21:04 114,048 a------- c:\windows\system32\drivers\snapman.sys
2008-12-22 18:10 971,168 a------- c:\windows\system32\drivers\tdrpm140.sys
2008-12-22 18:10 395,744 a------- c:\windows\system32\drivers\timntr.sys
2008-12-22 18:10 39,264 a------- c:\windows\system32\drivers\tifsfilt.sys
2008-12-16 20:27 23 a------- c:\windows\DownloadStudio.INI
2008-12-16 19:33 <DIR> --d----- c:\windows\system32\Adobe
2008-12-15 21:04 <DIR> --d----- c:\program files\sfArk
2008-12-13 21:03 <DIR> --d----- c:\program files\CamStudio
2008-12-12 17:55 <DIR> --d----- c:\docume~1\porcam~1\applic~1\Cakewalk
2008-12-12 17:53 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-12-12 17:53 487,424 a------- c:\windows\system32\msvcp70.dll
2008-12-12 17:51 <DIR> --d----- c:\program files\Cakewalk
2008-12-12 17:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Cakewalk
2008-12-12 17:51 <DIR> --d----- C:\Cakewalk Projects

==================== Find3M ====================

2008-10-19 20:55 29,285 a------- C:\bluebox.bin
2008-10-14 16:24 90,112 a------- c:\windows\DUMP3681.tmp
2008-10-11 23:02 90,112 a------- c:\windows\DUMP442d.tmp
2008-08-31 22:07 87,608 a------- c:\docume~1\porcam~1\applic~1\inst.exe
2008-08-31 22:07 47,360 a------- c:\docume~1\porcam~1\applic~1\pcouffin.sys
2008-09-13 20:34 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-09-13 20:34 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-09-13 20:34 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:17:23.73 ===============
Attached File  Attach.txt   18.9KB   3 downloads

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:04 PM

Posted 05 January 2009 - 08:35 AM

Hello Ozne64 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

Edited by Thunder, 05 January 2009 - 08:38 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:04 PM

Posted 03 February 2009 - 05:43 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users