Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumondo and redirects


  • This topic is locked This topic is locked
2 replies to this topic

#1 coconut

coconut

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Sarasota, Florida
  • Local time:01:09 AM

Posted 26 January 2009 - 11:27 AM

My computer is hopelessly infected! I may have to just feed it to the alligators!
The problem is so bad that, for example when I went to this website and tried to go to the forum.. this virus blocks from going past your homepage.. and then the popups and redirects start.
Since i can't move around on my desktop computer, I am going to disconnect the desktop computer and will have to access the internet and your site through my laptop. I will post the logs and attachments by saving them to disc and uploading them through the 2nd computer.
Anything you can do to guide me would be appreciated and I will happily make a donation!
Thank you,
coconut

DDS (Ver_09-01-07.01) - NTFSx86
Run by user at 11:08:45.43 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.374 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\DMI\Win32\bin\Win32sl.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Danny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://cibng.ibanking-services.com/cib/CEB...FIFID=263190757
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkIARig.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: {df95b7ff-c8fe-5978-6c04-c2130925c2dc}: {cd2c5290-312c-40c6-8795-ef8cff7b59fd} - c:\windows\system32\btnpzt.dll
BHO: {d49dc2f3-ce1e-4bd3-bb99-6554ee3b3eb5} - c:\windows\system32\ssqrRjIX.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [<NO NAME>]
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\danny\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\danny\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: compaq.com
Trusted Zone: fndmansota.org
Trusted Zone: novell.com
Notify: igfxcui - igfxsrvc.dll
Notify: jkkIARig - jkkIARig.dll
AppInit_DLLs: btnpzt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkIARig.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqrRjIX
LSA: Notification Packages = msv1_0 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danny\applic~1\mozilla\firefox\profiles\fpm3pgty.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-14 201320]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-14 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-14 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-14 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-14 40488]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-8 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-14 144704]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-12 24652]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S3 CSQ200;CSQ driver;c:\windows\system32\drivers\CSQ200.sys [2005-1-21 18816]
S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2006-5-4 9344]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-14 33832]
S4 ProLiant Performance Analyzer;ProLiant Performance Analyzer;c:\program files\hp\proliant performance analyzer\ppa.exe --> c:\program files\hp\proliant performance analyzer\ppa.exe [?]

=============== Created Last 30 ================

2009-01-25 21:05 129,024 a------- c:\windows\system32\btnpzt.dll
2009-01-25 21:05 129,024 a------- c:\windows\system32\searuyqx.dll
2009-01-25 21:03 72,704 a------- c:\windows\system32\rvbmarjj.dll
2009-01-25 21:02 460,442 a--sh--- c:\windows\system32\XIjRrqss.ini2
2009-01-25 21:02 460,442 a--sh--- c:\windows\system32\XIjRrqss.ini
2009-01-25 21:02 315,904 a------- c:\windows\system32\ssqrRjIX.dll
2009-01-25 20:58 21,504 a--sh--- c:\documents and settings\danny\protect.dll
2009-01-25 20:58 21,504 a--sh--- c:\windows\system32\autochk.dll
2009-01-25 20:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-01-25 20:57 36,352 a------- c:\windows\system32\jkkIARig.dll
2009-01-25 20:56 20,480 a------- c:\windows\system32\~.exe
2009-01-19 09:46 <DIR> --d----- C:\Archive
2009-01-17 23:11 2,201 a------- c:\windows\system32\TDSSlxwp.dll
2009-01-17 23:11 441 a------- c:\windows\system32\TDSSlrvd.dat
2009-01-12 10:33 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-01-12 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-01-10 13:59 <DIR> --d----- c:\windows\system32\scripting
2009-01-10 13:59 <DIR> --d----- c:\windows\l2schemas
2009-01-10 13:59 <DIR> --d----- c:\windows\system32\en
2009-01-10 13:15 <DIR> --d----- C:\ComboFix
2009-01-10 13:15 388,608 a------- c:\windows\system32\CF12772.exe
2009-01-10 13:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-10 06:48 <DIR> --d----- c:\program files\Trend Micro
2009-01-08 23:26 <DIR> --d----- c:\docume~1\danny\applic~1\McAfee
2009-01-07 21:06 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-07 18:49 <DIR> a-dshr-- C:\cmdcons
2009-01-06 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-01-06 22:26 <DIR> --d----- c:\program files\common files\iS3
2009-01-06 22:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-01-06 11:31 <DIR> --d----- C:\Netgear

==================== Find3M ====================

2009-01-10 14:05 87,981 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-18 10:49 37,027 a------- c:\windows\atmoUn.exe
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-07-09 20:25 0 a------- c:\documents and settings\danny\jagex_runescape_preferences.dat
2007-05-01 15:40 722,176 ac------ c:\documents and settings\danny\gotomypc_428.exe
2006-10-27 12:36 563,712 a------- c:\documents and settings\danny\gotomypc_370.exe
2004-03-04 17:10 126,488 ac------ c:\docume~1\danny\applic~1\Winsock2.reg
2004-07-23 15:37 56 -c-shr-- c:\windows\system32\5DA565F361.sys
2007-07-12 13:58 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:11:12.37 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:09 PM

Posted 01 February 2009 - 09:46 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:09 PM

Posted 10 February 2009 - 05:44 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users