
Started as Virtumonde, don't know what it is now... slow, crashes unexpectedly and repeatedly



#1 malwhipped

Posted 19 January 2009 - 08:02 PM

This started off as Virtumonde, which I learned came from an old version of Java that was exploited. I have since updated Java, thought I had removed Virtumonde, but now when I boot the computer up, it intermittently crashes (blue screen), and throws other nasty Windows errors. So, something is still up. I have tried running about everything -- AdAware, Spybot Search & Destroy, and Super Antispyware. Interestingly, if I try to download Windows Defender, it gets to the point where it starts the download (so I make it through the genuine windows test and the download starts), but it never downloads and just times out. I have to believe it is being blocked because something is still there.... any help you might be able to provide would be appreciated. (Note that I did remove the user real name... just replaced with [REMOVED] below.) THANK YOU!!

====


DDS (Ver_09-01-18.01) - NTFSx86
Run by [REMOVED] at 17:47:26.09 on Mon 01/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.498 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DynDNS Updater\DynUpPs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\[REMOVED]\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynUpPs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
TCP: {20CD7BCE-3B38-40DD-B8FE-EE313CEB69AD} = 208.67.222.222,208.67.222.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: oqehlo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennif~1\applic~1\mozilla\firefox\profiles\tc8inzlu.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
FF - plugin: c:\documents and settings\[REMOVED]\application data\mozilla\firefox\profiles\tc8inzlu.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

R1 MozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2006-12-9 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-1-19 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-1-18 202928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090116.004\naveng.sys [2009-1-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090116.004\navex15.sys [2009-1-16 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-1-19 69168]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 DNSerSvc;DNSerSvc;c:\program files\dns\dnsersvc.exe --> c:\program files\dns\DNSerSvc.exe [?]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S4 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2008-10-28 886056]

=============== Created Last 30 ================

2009-01-19 14:25 69,168 a------- c:\windows\system32\drivers\sbapifs.sys
2009-01-19 14:25 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-01-19 12:54 0 a------- c:\windows\system32\CMMGR32.EXE
2009-01-18 17:38 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-01-18 17:37 <DIR> --d----- c:\windows\ERUNT
2009-01-18 17:36 <DIR> --d----- C:\SDFix
2009-01-18 17:28 161,792 a------- c:\windows\SWREG.exe
2009-01-18 17:28 98,816 a------- c:\windows\sed.exe
2009-01-18 17:28 <DIR> --d----- C:\ComboFix
2009-01-18 16:45 <DIR> --d----- c:\docume~1\jennif~1\applic~1\Sunbelt
2009-01-18 16:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-01-18 16:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-18 16:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-18 16:30 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-01-18 16:29 <DIR> --d----- c:\program files\Sunbelt Software
2009-01-18 15:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-18 15:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-17 23:25 <DIR> --d----- c:\program files\temp
2009-01-17 23:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-17 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-17 23:18 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-17 23:18 <DIR> --d----- c:\docume~1\jennif~1\applic~1\SUPERAntiSpyware.com
2009-01-01 10:45 <DIR> --d----- c:\program files\iPod
2009-01-01 10:45 <DIR> --d----- c:\program files\iTunes
2009-01-01 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-12 10:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 03:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-28 16:28 65,320 a------- c:\windows\system32\sbbd.exe
2008-10-24 04:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 05:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-05-01 17:57 56 ---shr-- c:\windows\system32\2398AA7967.sys
2006-05-31 21:37 88 ---shr-- c:\windows\system32\6779AA9823.sys
2007-05-01 17:57 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:47:55.31 ===============



#2 kahdah (Security Colleague)

Posted 30 January 2009 - 08:30 AM

Hello malwhipped

Welcome to BleepingComputer
========================
If you are still in need of assistance please post a new dds log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



