
Infected with Virtumonde I think


  • This topic is locked
2 replies to this topic

#1 Nixit

Nixit

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 02 January 2010 - 06:28 PM

OK, at first I noticed my browser running very slowly. Then I started to get pop-ups when before I didn't. I would even get redirected when I used Google or even when trying to open a page from Yahoo. So I tried running Spybot Search and Destroy and it would get about 3/4 of the way through the scan and would freeze. I could see in the scan window Virtumonde.prx, .dll, .atr, .sdn. I also would get a "low on virtual memory" warning, "Windows is trying to create more" or something to that effect. Now Spybot will not even get 1/8th of the way through the scan and will freeze. When I try to close it out the "program not responding" window comes up and I have to "end now" to close it. That's where I am at now. I think I have a virus but can't run anything I have to detect/remove it, at least to the best of my ability. AVG also gave me a warning today that "scammer PC 2010.net was trying to access my computer". So I am not really sure who is attacking me, but it feels like from all angles. Thanks for all your help; here are my reports.


*****DDS*****


DDS (Ver_09-12-01.01) - NTFSx86
Run by Nick at 16:51:19.18 on Sat 01/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.53 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [fagijuyin] Rundll32.exe "c:\windows\system32\gumeyesu.dll",a
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212687591812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212687575671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
TCP: {FEA34DA5-1AEF-4E49-8524-49435789A84C} = 193.104.110.38,4.2.2.1,192.168.15.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: yikapoya.dll c:\windows\system32\ c:\documents and settings\all users\application data\busoguze\ c:\documents and settings\all users\application data\busoguze\busoguze.dll c:\windows\system32\gumeyesu.dll c:\windows\system32\jupabone.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kenukufeh - {4ebd8840-92d2-42f8-9217-a2bc2302d2f1} - c:\windows\system32\gumeyesu.dll
STS: mujuzedij: {4ebd8840-92d2-42f8-9217-a2bc2302d2f1} - c:\windows\system32\gumeyesu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\documents and settings\all users\application data\momewohu\momewohu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\pfevfjv9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-25 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-10 297752]
R2 iRacingService;iRacing helper service;c:\program files\iracing\iRacingService.exe [2008-8-9 472664]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]

=============== Created Last 30 ================

2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\zobumava
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\yejoreko
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\ludozagi
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\lodivime
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\lelasuba
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\konazuki
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\jileyemu
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\busoguze
2010-01-02 16:30:21 0 d-----w- c:\docume~1\alluse~1\applic~1\biluguki
2010-01-02 16:29:52 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-01-02 16:29:50 0 d-----w- c:\program files\SystemRequirementsLab
2009-12-30 15:10:34 0 d-----w- c:\docume~1\alluse~1\applic~1\momewohu
2009-12-26 18:44:21 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-12-26 18:44:21 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-12-26 18:44:21 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-12-26 00:14:30 0 d-----w- c:\windows\ie8updates
2009-12-25 22:58:23 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-12-25 22:58:22 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-12-25 22:58:19 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-12-25 22:58:19 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-12-25 22:58:16 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-12-25 22:58:13 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-12-25 22:58:13 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-12-25 22:58:10 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-12-25 22:58:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-12-25 22:58:01 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-12-25 22:57:53 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2009-12-25 22:57:50 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-12-25 22:57:47 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-25 22:57:43 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-12-25 22:57:40 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-12-25 22:56:33 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-25 22:56:33 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-25 22:56:12 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-25 22:56:01 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-25 22:55:47 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-12-25 22:55:47 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-12-25 22:55:47 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-12-25 22:55:45 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-12-25 22:55:19 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-24 15:44:36 0 d-----w- c:\docume~1\nick\applic~1\Malwarebytes
2009-12-24 15:44:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-24 13:29:57 40 ---ha-w- c:\windows\system32\ivireg.ivr
2009-12-09 03:02:16 0 d-sh--w- c:\documents and settings\nick\PrivacIE
2009-12-09 03:00:42 0 d-sh--w- c:\documents and settings\nick\IETldCache
2009-12-09 02:47:48 0 dc-h--w- c:\windows\ie8

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\bawawaza.dll
1601-01-01 00:03:28 93696 --sha-w- c:\windows\system32\gumeyesu.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\hogumana.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\kukolare.dll
1601-01-01 00:03:28 12927 --sha-w- c:\windows\system32\muhoyawa.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\nizedage.dll
1601-01-01 00:03:28 2707 --sha-w- c:\windows\system32\rezalefe.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\wegagolu.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\yoduvofa.dll
1601-01-01 00:03:28 45568 --sha-w- c:\windows\system32\zukepive.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\zuvusibo.dll
2008-09-09 23:10:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 16:52:31.32 ===============
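Added example (my own Python, not part of the post above or of the DDS tool): a small triage script that applies to a DDS-style report the checks a malware-removal helper otherwise makes by eye. It treats a populated AppInit_DLLs value, an LSA Notification Packages entry beyond scecli, load points (BHO, SSODL, STS, Run keys) that reference an eight-letter random-looking DLL, hosts-file overrides, a changed Firefox default search URL or proxy type, and files dated 1601-01-01 (a zero FILETIME, i.e. a timestomped or missing timestamp) as findings. The sample input is an excerpt of the report above; the severity labels, the eight-letter name heuristic and the allow-list are my assumptions and will need tuning against a real allow-list of Windows DLL names.

```python
"""Triage heuristics for a DDS (Pseudo HJT) log.

Added example for this thread; not part of the original post or of DDS itself.
Scans a DDS-style text report for the load points and file-system artefacts
that Vundo/Virtumonde-type infections typically leave and returns findings for
a helper to review. Severities, patterns and the allow-list are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Excerpt of the DDS report posted above (constructed sample for this example).
SAMPLE_LOG = """\
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
mRun: [fagijuyin] Rundll32.exe "c:\\windows\\system32\\gumeyesu.dll",a
AppInit_DLLs: yikapoya.dll c:\\windows\\system32\\ c:\\documents and settings\\all users\\application data\\busoguze\\busoguze.dll c:\\windows\\system32\\gumeyesu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SSODL: kenukufeh - {4ebd8840-92d2-42f8-9217-a2bc2302d2f1} - c:\\windows\\system32\\gumeyesu.dll
LSA: Notification Packages = scecli c:\\documents and settings\\all users\\application data\\momewohu\\momewohu.dll
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: network.proxy.type - 2
2009-10-29 07:45:38 916480 ----a-w- c:\\windows\\system32\\wininet.dll
1601-01-01 00:03:28 93696 --sha-w- c:\\windows\\system32\\gumeyesu.dll
1601-01-01 00:03:28 39424 --sha-w- c:\\windows\\system32\\bawawaza.dll
"""

# Vundo-style name: exactly eight letters, no digits, no vendor prefix (heuristic).
RANDOM_DLL = re.compile(r"\\([a-z]{8})\.dll\b", re.IGNORECASE)
# DDS file listing line: "date time size attrs path".
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \d+ (\S{8}) (.+)$")
# Genuine Windows DLLs that happen to be eight letters long; extend in practice (assumption).
ALLOW = {"kerberos"}

Finding = Tuple[str, str, str]  # (severity, reason, offending line)


def random_dll(text: str) -> Optional[str]:
    """Return the first eight-letter DLL name in text that is not on the allow-list."""
    for m in RANDOM_DLL.finditer(text):
        name = m.group(1).lower()
        if name not in ALLOW:
            return name
    return None


def triage_dds(log: str) -> List[Finding]:
    """Walk the report line by line and collect suspicious entries."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("appinit_dlls:") and line.split(":", 1)[1].split():
            findings.append(("high", "AppInit_DLLs is populated; every user32-linked process loads these", line))
        elif low.startswith("lsa: notification packages"):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("high", "LSA notification package beyond scecli: " + " ".join(extra), line))
        elif low.startswith("hosts:"):
            findings.append(("medium", "hosts file override (site redirected to localhost)", line))
        elif low.startswith(("bho:", "ssodl:", "sts:", "mrun:", "urun:")):
            if low.endswith("- no file"):
                findings.append(("low", "orphaned BHO entry (No File)", line))
            elif random_dll(line):
                findings.append(("high", f"load point references random-named DLL {random_dll(line)}", line))
        elif "browser.search.defaulturl" in low:
            findings.append(("medium", "Firefox default search URL changed", line))
        elif "network.proxy.type" in low:
            ptype = line.rsplit("-", 1)[1].strip()
            if ptype not in ("0", "5"):  # 0 = direct, 5 = system settings
                findings.append(("medium", f"Firefox proxy type {ptype} (not direct/system)", line))
        else:
            m = FILE_LINE.match(line)
            if m:
                date, attrs, path = m.groups()
                if date == "1601-01-01":
                    findings.append(("high", "zero FILETIME (timestomped or broken timestamp)", line))
                elif "s" in attrs and "h" in attrs and random_dll(path):
                    findings.append(("high", "hidden+system random-named DLL", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings per severity for a quick first look."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, why, line in triage_dds(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
    print(severity_counts(triage_dds(SAMPLE_LOG)))
```

Run it on the excerpt and the script flags the same entries a helper would want the poster to deal with first: the AppInit_DLLs and LSA load points, the random-named DLLs in the Run and SSODL keys, and the files carrying a zero timestamp, while the AVG and WPD entries on the same lines pass through untouched.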


#2 Nixit

Nixit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:13 AM

Posted 05 January 2010 - 10:42 PM

Uh, I think I have it fixed! I appreciate the help, but I have gotten rid of the infection.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:13 PM

Posted 06 January 2010 - 01:22 AM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
