Win32.tdss.rtk and virtumonde... HELP!!!



#1 Her Miss Steak

Posted 18 May 2009 - 03:51 PM

Can't get rid of pop-ups. They come and go as they please. Scanned using Spybot Search & Destroy; it finds Win32.TDSS.rtk and Virtumonde trojans every time. Says they are gone, but still having issues. Also used AVG... same problems occur.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Police_Gleaves at 16:36:09.50 on Mon 05/18/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.433 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\TEMP\bhkd7se.exe
C:\WINDOWS\TEMP\bhkd7se.exe
C:\WINDOWS\TEMP\647117506.exe
C:\Documents and Settings\Police_Gleaves\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" -autorun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Diagnostic Manager] c:\docume~1\police~1\locals~1\temp\586023756.exe
uRunOnce: [SpybotDeletingB1654] command /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
uRunOnce: [SpybotDeletingD4085] cmd /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
uRunOnce: [SpybotDeletingB9347] command /c del "c:\windows\system32\ovfsthidgcmryagfirfxjbkabgrnqppyorbctx.dll"
uRunOnce: [SpybotDeletingD2816] cmd /c del "c:\windows\system32\ovfsthidgcmryagfirfxjbkabgrnqppyorbctx.dll"
uRunOnce: [SpybotDeletingB8586] command /c del "c:\windows\system32\ovfsthwjojbohorejvtogtuabyvdadvpkeotmn.dll"
uRunOnce: [SpybotDeletingD3842] cmd /c del "c:\windows\system32\ovfsthwjojbohorejvtogtuabyvdadvpkeotmn.dll"
mRun: [SunKist] c:\program files\digital media reader\shwicon2k.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [UIUCU] c:\docume~1\police~1\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [AtiPTA] atiptaxx.exe
mRun: [\\SMILEY\EPSON Stylus CX4600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fati9aa.exe /p35 "\\smiley\EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [SpybotDeletingA7085] command /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
mRunOnce: [SpybotDeletingC3252] cmd /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
mRunOnce: [SpybotDeletingA5678] command /c del "c:\windows\system32\ovfsthidgcmryagfirfxjbkabgrnqppyorbctx.dll"
mRunOnce: [SpybotDeletingC4192] cmd /c del "c:\windows\system32\ovfsthidgcmryagfirfxjbkabgrnqppyorbctx.dll"
mRunOnce: [SpybotDeletingA8148] command /c del "c:\windows\system32\ovfsthwjojbohorejvtogtuabyvdadvpkeotmn.dll"
mRunOnce: [SpybotDeletingC7439] cmd /c del "c:\windows\system32\ovfsthwjojbohorejvtogtuabyvdadvpkeotmn.dll"
mRunOnce: [SpybotDeletingA2816] command /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
mRunOnce: [SpybotDeletingC652] cmd /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
mRunOnce: [SpybotDeletingA9024] command /c del "c:\windows\system32\ovfsthidgcmryagfirfxjbkabgrnqppyorbctx.dll"
mRunOnce: [SpybotDeletingC8127] cmd /c del "c:\windows\system32\ovfsthidgcmryagfirfxjbkabgrnqppyorbctx.dll"
mRunOnce: [SpybotDeletingA673] command /c del "c:\windows\system32\ovfsthwjojbohorejvtogtuabyvdadvpkeotmn.dll"
mRunOnce: [SpybotDeletingC3321] cmd /c del "c:\windows\system32\ovfsthwjojbohorejvtogtuabyvdadvpkeotmn.dll"
dRun: [A00F61D2E8.exe] c:\windows\temp\_A00F61D2E8.exe
dRun: [<NO NAME>] c:\windows\temp\bhkd7se.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\bhkd7se.exe
dRun: [Diagnostic Manager] c:\windows\temp\647117506.exe
StartupFolder: c:\docume~1\police~1\startm~1\programs\startup\ypops.lnk - c:\program files\ypops\YPOPs.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234997307890
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189961035562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: __c00EC032 - c:\windows\system32\__c00EC032.dat
AppInit_DLLs: c:\windows\system32\tubehasa.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\mobahibe.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mobahibe.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\mobahibe.dll
STS: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\windows\system32\RadExe.dll
LSA: Notification Packages = scecli c:\windows\system32\tubehasa.dll

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2006-11-30 14336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-16 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-16 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-16 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-17 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-11-22 392824]

=============== Created Last 30 ================

2009-05-18 16:27 46 a------- c:\windows\system32\p2hhr.bat
2009-05-18 16:27 15,000 a------- c:\windows\system32\had732ufn8.dll
2009-05-18 16:27 20,480 a------- c:\windows\system32\ak1.exe
2009-05-18 16:18 <DIR> --d----- c:\program files\Trend Micro
2009-05-18 16:12 28,160 a------- c:\windows\system32\__c00EC032.dat
2009-05-18 16:12 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-18 15:56 268,648 a------- c:\windows\system32\mucltui.dll
2009-05-18 15:56 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-05-17 23:44 61,440 a------- c:\windows\system32\drivers\jyfwo.sys
2009-05-17 23:25 <DIR> --d----- c:\docume~1\police~1\applic~1\Malwarebytes
2009-05-17 23:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-17 23:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 23:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-17 23:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-16 23:10 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-16 23:00 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-16 23:00 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-16 23:00 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-16 23:00 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-13 08:35 <DIR> --d----- c:\program files\Project64 1.6
2009-05-11 08:20 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-05-11 08:20 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-05-07 11:42 262,144 a------- C:\ntuser.dat

==================== Find3M ====================

2009-04-17 14:54 35,870 a------- c:\windows\DIIUnin.dat
2009-04-17 14:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 13:55 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-04-17 13:55 17,212 a------t c:\windows\system32\SIntf32.dll
2009-04-17 13:55 12,067 a------t c:\windows\system32\SIntf16.dll
2009-04-13 21:23 94,208 a------- c:\windows\DIIUnin.exe
2009-04-13 21:23 2,829 a------- c:\windows\DIIUnin.pif
2009-04-13 20:44 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-04-11 14:46 18,495 a------- c:\windows\DIIDUnin.dat
2009-04-11 14:46 102,400 a------- c:\windows\DIIDUnin.exe
2009-04-11 14:46 2,829 a------- c:\windows\DIIDUnin.pif
2009-02-18 19:55 465 a------- c:\program files\InstallWoW.log
2009-02-18 19:37 1,131,176 a------- c:\program files\WoW-installer-3.0.1.8874-x86-Win-enUS.exe

============= FINISH: 16:36:48.75 ===============
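The DDS log above shows a textbook persistence spread: the same few DLLs wired into several load points at once (AppInit_DLLs, LSA Notification Packages, Winlogon Notify, SSODL, STS and a BHO), executables launching from TEMP directories, and Explorer/system policies that lock the user out of regedit and Folder Options. The script below is an added example for this thread, not part of the original post and not the DDS tool itself; it applies those triage rules to a constructed excerpt of the log. The temp-directory pattern and the `LSA_KNOWN` baseline are assumptions, and the rules are heuristics, not a replacement for the helper's review.

```python
"""Triage a DDS "Pseudo HJT Report" for persistence abuse (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\bhkd7se.exe
C:\WINDOWS\TEMP\647117506.exe
BHO: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Diagnostic Manager] c:\docume~1\police~1\locals~1\temp\586023756.exe
uRunOnce: [SpybotDeletingB1654] command /c del "c:\windows\system32\ovfsthfntfbpopkljsklceagpdpjarjvdtavmd.dll"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [<NO NAME>] c:\windows\temp\bhkd7se.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
Notify: AtiExtEvent - Ati2evxx.dll
Notify: __c00EC032 - c:\windows\system32\__c00EC032.dat
AppInit_DLLs: c:\windows\system32\tubehasa.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\mobahibe.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mobahibe.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\mobahibe.dll
STS: c:\windows\system32\had732ufn8.dll: {a6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had732ufn8.dll
LSA: Notification Packages = scecli c:\windows\system32\tubehasa.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Assumption: executables under these temp directories (8.3 short names included).
TEMP_EXEC = re.compile(
    r'\\(?:windows\\temp|locals~1\\temp|local settings\\temp)\\[^\s"]+?\.(?:exe|dll|scr|bat)\b',
    re.I,
)
DLL_PATH = re.compile(r'[a-z]:\\[^\s"]+?\.dll', re.I)
POLICY = re.compile(
    r"^[umd]Policies-\w+: (DisableRegistryTools|DisableTaskMgr|NoFolderOptions|NoRun) = 1\b"
)
# Assumption: packages normally present in LSA Notification Packages on XP.
LSA_KNOWN = {"scecli", "rassfm", "kdcsvc"}
# DDS prefixes for registry load points that one DLL should rarely share.
LOADPOINT_KEYS = ("BHO:", "STS:", "SSODL:", "SEH:", "AppInit_DLLs:", "LSA:", "Notify:")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    loadpoints: dict[str, set[str]] = defaultdict(set)  # dll basename -> load points

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Anything running or auto-starting from a temp directory.
        if TEMP_EXEC.search(line):
            findings.append(Finding("temp_exec", line))

        # Policies that stop the user reaching regedit / Folder Options.
        if POLICY.match(line):
            findings.append(Finding("policy_lockdown", line))

        # AppInit_DLLs is empty on a clean XP box; any DLL here is loaded
        # into every process that links user32.dll.
        if line.startswith("AppInit_DLLs:") and DLL_PATH.search(line):
            findings.append(Finding("appinit_dll", line))

        # LSA Notification Packages run inside lsass.exe at boot.
        if line.startswith("LSA: Notification Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if _basename(pkg).rsplit(".", 1)[0] not in LSA_KNOWN:
                    findings.append(Finding("lsa_package", pkg))

        # Winlogon Notify targets must be DLLs; a .dat target is a disguise.
        if line.startswith("Notify:"):
            target = line.rsplit(" - ", 1)[-1]
            if not target.lower().endswith(".dll"):
                findings.append(Finding("winlogon_notify", target))

        # Record which load points each DLL is wired into.
        if line.startswith(LOADPOINT_KEYS):
            key = line.split(":", 1)[0]
            for path in DLL_PATH.findall(line):
                loadpoints[_basename(path)].add(key)

    # One DLL registered under several load points is the redundancy pattern
    # in this log, not something benign software does.
    for dll, keys in sorted(loadpoints.items()):
        if len(keys) >= 2:
            findings.append(Finding("multi_loadpoint", f"{dll} <- {', '.join(sorted(keys))}"))
    return findings


def counts(findings: list[Finding]) -> dict[str, int]:
    out: dict[str, int] = defaultdict(int)
    for f in findings:
        out[f.rule] += 1
    return dict(out)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:16} {f.detail}")
```

Run against the excerpt it reports four temp-directory executables, two lockdown policies, the AppInit_DLLs entry, the unknown LSA package, the `.dat` Winlogon Notify target, and three DLLs each registered under two or more load points. The multi-load-point rule is the one worth keeping: it is why Spybot's `RunOnce` deletions in the log keep failing, since the DLLs are re-dropped from whichever hook survives.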



#2 Clark76


Posted 22 May 2009 - 07:57 PM

Hello and welcome to Bleeping Computer


I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here and here.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

Proud Member of ASAP

Proud Member of UNITE




