Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Have Virtumondo--Tried everything, always comes back...please help


  • This topic is locked This topic is locked
4 replies to this topic

#1 tr1p69

tr1p69

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 15 May 2009 - 06:03 PM

Hi,

There is a process that constantly changes names on reboot, right now it is VOD440.exe. My google searches are sometimes redirected and my computer is running extremely slow. When trying to delete the virus with S&D I got a message somewhere along the line of "...\recovery\virtumondeDLL.zip <5AA: Insufficient system resources exist to complete the requested service". I really have no idea what to do and I don't want to risk completely destroying my computer. Your help is GREATLY appreciated. Thanks, Here's the log...


DDS (Ver_09-05-14.01) - NTFSx86
Run by George Franklin at 18:48:11.84 on 15/05/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.511.61 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DDD7C048-8526-4D14-B801-DE2DB417C128}
AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\TEMP\VOD440.EXE
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\George Franklin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.ca
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MAFWTaskbarApp] "c:\windows\system32\MAFWTray.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [94ed2104] rundll32.exe "c:\windows\system32\mawoyasa.dll",b
mRun: [CPM97de1298] Rundll32.exe "c:\windows\system32\jagameji.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\vodonuwe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\clykjfd4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.ca
FF - plugin: c:\documents and settings\george franklin\application data\mozilla\firefox\profiles\clykjfd4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-3-24 16384]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2008-11-4 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-4 36368]
R2 WebrootSpySweeperService;Moteur Webroot Spy Sweeper;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-25 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-6 1178728]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
R3 tmcfw;tmcfw;c:\windows\system32\drivers\TM_CFW.sys [2008-11-4 335888]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-11-4 488768]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-11-4 652552]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-12-7 17149]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-5-15 34760]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-12-7 362944]

=============== Created Last 30 ================

2009-05-15 18:42 <DIR> --d----- c:\program files\Cobian Backup 9
2009-05-15 16:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 16:08 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-15 16:08 <DIR> --d----- c:\docume~1\george~1\applic~1\SUPERAntiSpyware.com
2009-05-15 16:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-15 13:13 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-05-15 12:08 <DIR> --d----- C:\ComboFix
2009-05-14 10:49 32,480 a------- c:\windows\system32\Partizan.exe
2009-05-06 22:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-06 22:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-20 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser

==================== Find3M ====================

2009-05-15 15:58 2,222 a------- c:\windows\system32\tmp.reg
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 19:00 78,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-22 22:38 2,934,725 a----r-- C:\ComboFix.exe
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 17:10 1,553,784 a------- c:\windows\WRSetup.dll
2009-03-02 19:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 04:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 04:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\ieencode.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2008-01-04 15:06 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2002-08-29 06:00 94,784 ac-sh--- c:\windows\TWAIN.DLL
2008-04-13 20:12 50,688 a--sh--- c:\windows\twain_32.dll
2008-04-13 20:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 20:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 20:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 18:49:35.81 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:58 AM

Posted 16 May 2009 - 12:39 PM

Hello tr1p69,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:58 AM

Posted 18 May 2009 - 07:04 AM

Hello tr1p69,

Please follow all instructions in order given.
If you don't understand a step or having problems STOP there and post your problem. So we can come up with a solution.

1.
  • Click on yourStart Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
This will remove files/folders assoicated with combofix and uninstall it.

2.
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

3.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply:
MBAM report
Combofix.txt
A new DDS log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:58 AM

Posted 19 May 2009 - 07:14 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :thumbup2:

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:58 PM

Posted 21 May 2009 - 11:10 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security
Posted Image

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users