Virtumonde/constant pop-ups


This topic is locked
14 replies to this topic

#1 toddrs93

  • Members
  • 63 posts

Posted 28 December 2010 - 12:51 AM

ORIGINAL POST:

Computer runs slow from time to time and annoying.
Symptoms:

-Constant pop-up ads "AD served by netbits"
-Constant "congratulations you've won" ads
-Error message once a browsing session "Generic Host Process for Win32 Services has encountered a problem and needs to close"
-Malwarebytes and Spybot scans constantly show "security center disabled"
When I go to services.msc to enable this, it shows the status as stopped, and when I try to start it, it gives me error 1068, "the dependency service or group failed to start"; under the Dependencies tab there is nothing at all listed.
-When I try to go to any windows update site it always says can not find server or the connection was reset while loading the page
-When I try to check the firewall it is also off and it says it can not be started because the associated service is not running
-Spybot also constantly brings up "doubleclick" and "win32auto"
-When I try to start in safe mode, many times it locks up at a black screen and will not proceed
-Malwarebytes also brings up
"trojan.fake.alert registry key HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf"
"trojan.fake.alert registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Window..."
-Browsing with firefox and multiple pages open will frequently lock up and close saying "firefox has encountered a problem and needs to close" when it restarts it will not restore the previous tabs

Just trying to get an idea where to go next



DDS (Ver_10-12-12.02) - NTFSx86
Run by Mindy at 1:01:52.26 on Tue 12/28/2010
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {3392a512-7833-498f-853a-e0a77822e128} - telowewa.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SPSTEALT] "c:\program files\smart protector pro\SmartProtector-Pro.exe" /stealt
uRun: [SecurityCenter] c:\documents and settings\administrator\application data\desktop security\securitycenter.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [EPSON Stylus Photo R280 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticka.exe /fu "c:\windows\temp\E_SB3.tmp" /EF "HKCU"
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" -autorun
uRun: [ClearAllHistory] c:\program files\clearallhistory\cah.exe
mRun: [bbaka11] c:\documents and settings\administrator\application data\msa\bbaka11.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunServices: [mscjmQuick] c:\documents and settings\administrator\application data\msa\bbaka11.exe
mRunServices: [bbaka11] c:\documents and settings\administrator\application data\msa\bbaka11.exe
StartupFolder: c:\docume~1\mindy\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Search
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.18\amvconverter\grab.html
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tavisidip - {dd0e04b6-1746-4b8f-8391-3d4587f9bc6f} - No File
STS: tokatiluy: {804d4bfe-e645-44cb-987d-d3604ab53e16} - c:\windows\system32\musesiwo.dll
STS: gahurihor: {0f2f8345-1e77-4fcc-a5f2-e3eadf0b6cc5} - c:\windows\system32\popujubi.dll
LSA: Notification Packages = scecli zugahohe.dll
uASetup: {233807B5-2H60-15D0-A31Q-00BB00B32C03} - c:\windows\fonts\fonts.exe
Hosts: 91.212.127.226 windows-shield.microsoft.com
Hosts: 91.212.127.226 windows-shield.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mindy\applic~1\mozilla\firefox\profiles\gdzosb3x.default\
FF - component: c:\program files\mozilla firefox\extensions\{ef657d20-6f4c-13ce-85ae-20447c01b768}\components\bce4c8e4-e87e-08cc-8f55-7a51b3a7879f.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: z: {ef657d20-6f4c-13ce-85ae-20447c01b768} - c:\program files\mozilla firefox\extensions\{ef657d20-6f4c-13ce-85ae-20447c01b768}
FF - Ext: XULRunner: {BD1D9B5A-B6CB-4560-9D4B-93EC07F45902} - c:\documents and settings\mindy\local settings\application data\{BD1D9B5A-B6CB-4560-9D4B-93EC07F45902}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-12-27 20:27:49 -------- d-----w- C:\Mp3 Output
2010-12-27 20:27:43 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2010-12-27 20:27:42 -------- d-----w- c:\program files\Smallvideosoft
2010-12-27 16:13:47 -------- d-----w- c:\docume~1\mindy\applic~1\Malwarebytes
2010-12-27 07:05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 07:05:38 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-12-27 07:05:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-27 07:05:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-26 23:49:56 -------- d-----w- c:\documents and settings\mindy\dwhelper
2010-12-26 23:45:16 -------- d-----w- c:\program files\ConvertHelper
2010-12-16 15:47:25 -------- d-----w- c:\program files\AutocompletePro
2010-12-12 08:30:39 -------- d-sh--w- C:\found.000
2010-12-10 21:34:01 81920 --sha-r- c:\windows\system32\ieapfltrw.dll
2010-12-07 06:02:47 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-12-07 06:02:46 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-12-07 06:01:41 -------- d-----w- c:\program files\common files\DivX Shared
2010-12-07 06:00:36 -------- d-----w- c:\program files\DivX
2010-12-07 06:00:09 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\DivX

==================== Find3M ====================

2010-11-18 16:49:16 0 ----a-w- c:\windows\Plifuqavivam.bin
2010-11-17 17:54:16 0 ----a-w- C:\164.tmp
2010-10-06 21:15:33 0 ---ha-w- c:\documents and settings\mindy\dwmrwdyvlb.tmp
2010-10-06 21:15:15 203776 --sh--w- c:\windows\system32\unrar.exe
2007-05-31 23:23:56 77160 ----a-w- c:\program files\DSETUP.dll
2007-05-31 23:23:56 503144 ----a-w- c:\program files\DXSETUP.exe
2007-05-31 23:23:56 1673576 ----a-w- c:\program files\dsetup32.dll
2010-01-02 20:18:11 86016 --sh--w- c:\windows\fonts\DotMSN.dll
2010-01-02 20:18:11 192512 --sh--w- c:\windows\fonts\ICSharpCode.SharpZipLib.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP1604N rev.TM100-24 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8228C446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82292504]; MOV EAX, [0x82292580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x822A8AB8]
3 CLASSPNP[0xF859705B] -> nt!IofCallDriver[0x804E3D45] -> \Device\0000005e[0x82352208]
5 ACPI[0xF83D4620] -> nt!IofCallDriver[0x804E3D45] -> [0x82347940]
\Driver\atapi[0x823232F8] -> IRP_MJ_CREATE -> 0x8228C446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_SP1604N_________________________TM100-24#30533331314a5830393339353634202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8228C292
\Driver\atapi -> 0x823721f8
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 1:03:29.59 ===============

Attached Files
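The Malware Response Team reads a DDS log like the one above by eye, but the rules a responder applies to the Pseudo HJT Report can be written down and run. The script below is an added example, not DDS, HijackThis or BleepingComputer code. It flags the indicators present in this log: a ProxyServer pointing back at 127.0.0.1 (every browser request is routed through a local process, which is how the ad injection works), Hosts entries that send a hostname somewhere other than loopback, an LSA Notification Package other than scecli, autostart entries launched from a user-writable profile directory, entries that name a bare DLL with no path, and SharedTaskScheduler/SSODL loaders. SAMPLE_LOG is constructed from lines quoted in the log above; the rule names, path fragments and the scecli allowlist are assumptions, and the heuristics will flag some legitimate software, so the output is a review list rather than a verdict.

```python
"""Triage a DDS 'Pseudo HJT Report' for the indicators seen in the log above.

Added example: not DDS, HijackThis or BleepingComputer code. SAMPLE_LOG is built
from lines quoted in the original post; the rule names, path heuristics and
allowlists are assumptions and will flag some legitimate software.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
BHO: {3392a512-7833-498f-853a-e0a77822e128} - telowewa.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SecurityCenter] c:\documents and settings\administrator\application data\desktop security\securitycenter.exe
mRunServices: [bbaka11] c:\documents and settings\administrator\application data\msa\bbaka11.exe
STS: tokatiluy: {804d4bfe-e645-44cb-987d-d3604ab53e16} - c:\windows\system32\musesiwo.dll
LSA: Notification Packages = scecli zugahohe.dll
Hosts: 91.212.127.226 windows-shield.microsoft.com
Hosts: 127.0.0.1 localhost
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Autostart lines to inspect, and path fragments that mean "user-writable" on XP (assumed).
AUTOSTART = ("uRun:", "mRun:", "mRunServices:", "BHO:", "STS:", "SSODL:")
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\applic~1\\")

_PROXY = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
_PROXY_ADDR = re.compile(r"(?:\w+=)?([\w.\-]+):\d+")
_HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")


def _is_local(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _target(line: str) -> str:
    """Best-effort: the file a report line loads ('[name] path', quoted paths, 'x - path')."""
    head, _, rest = line.partition(": ")
    if head.endswith(("Run", "RunServices")):
        t = rest.split("] ", 1)[-1].strip()
        return t[1:].split('"', 1)[0] if t.startswith('"') else t
    return rest.rsplit(" - ", 1)[-1].strip() if " - " in rest else rest.strip()


def triage(report: str) -> list[Finding]:
    found: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _PROXY.match(line):
            # Every browser request goes through a local listener: classic ad-injection setup.
            if any(_is_local(h) for h in _PROXY_ADDR.findall(m.group(1))):
                found.append(Finding("local-proxy", line))
        elif m := _HOSTS.match(line):
            # A hosts entry that is not loopback is a redirect, e.g. a fake "Microsoft" host.
            if not _is_local(m.group(1)):
                found.append(Finding("hosts-redirect", line))
        elif line.startswith("LSA:"):
            # Notification Packages load into LSASS; only scecli is expected by default.
            packages = line.split("=", 1)[-1].split()
            if any(p.lower() != "scecli" for p in packages):
                found.append(Finding("lsa-notification-package", line))
        elif line.startswith(AUTOSTART):
            target = _target(line).lower()
            if not target or target == "no file":
                continue  # orphaned entry: nothing is loaded, clean it up later
            if any(seg in target for seg in USER_WRITABLE):
                found.append(Finding("autostart-user-writable-path", line))
            elif "\\" not in target:
                # Bare DLL name: resolved by search order, so its real location is unknown.
                found.append(Finding("autostart-bare-filename", line))
            elif line.startswith(("STS:", "SSODL:")):
                # Shell service objects are rarely legitimate third-party loaders.
                found.append(Finding("shell-service-object", line))
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.line}")
```

Run against the sample it reports seven lines, two of them the bbaka11.exe and securitycenter.exe entries under Application Data; the Adobe BHO, ctfmon.exe and the localhost Hosts line pass. The "No File" BHO is skipped deliberately: an orphaned entry loads nothing and is a cleanup item, not a loader.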




#2 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 02 January 2011 - 11:55 PM

This seems to be getting worse, firefox is shutting down and closing on me every single time I'm on.

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 January 2011 - 02:02 PM

Hello toddrs93,

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
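The GMER section of the DDS log in the first post says "user != kernel MBR": the sector handed to an ordinary reader differs from what the kernel-level read path sees, which is the cross-view check that catches an MBR bootkit hooking the disk driver (here the atapi hooks GMER lists), and is why TDSSKiller is the next step. The following is an added example of that comparison, not GMER or TDSSKiller code. Both 512-byte images are constructed: the clean view starts with the bootstrap the page's disassembly shows (XOR AX,AX ... PUSH 061C; RETF) and then zero filler; the on-disk view keeps that prefix and continues with the STI; PUSHA; MOV CX,0137; MOV BP,062A; ROR BYTE [BP+0],CL; INC BP sequence from the kernel-side disassembly, a byte-rotation loop over the rest of the sector. Both fragments are hand-assembled here, so the byte encodings are an assumption, and the partition table is made up. The hidden area GMER also reports ("sectors 312581806 (+255)") is not modeled.

```python
"""Cross-view comparison of the MBR, the check behind GMER's "user != kernel MBR".

Added example, not GMER or TDSSKiller code. Both sector images are constructed:
the bootstrap prefix and the rotate stub are hand-assembled from the disassembly
quoted on the page (treat the encodings as assumptions) and the partition table
is made up. On a live box the two views come from different read paths.
"""
from __future__ import annotations

import struct

SECTOR = 512
CODE_END = 0x1BE    # bootstrap code occupies [0, 0x1BE); then 4 x 16-byte partition entries
SIG_OFFSET = 0x1FE  # 0x55AA boot signature

# XOR AX,AX; MOV SS,AX; MOV SP,7C00; MOV ES,AX; MOV DS,AX; MOV SI,7C00; MOV DI,0600;
# MOV CX,0200; CLD; REP MOVSB; PUSH AX; PUSH 061C; RETF   (relocate self to 0x600 and jump)
XP_PREFIX = bytes.fromhex("33C08ED0BC007C8EC08ED8BE007CBF0006B90002FCF3A450681C06CB")
# STI; PUSHA; MOV CX,0137; MOV BP,062A; ROR BYTE [BP+0],CL; INC BP   (start of the rotate loop)
ROTATE_STUB = bytes.fromhex("FB60B93701BD2A06D24E0045")


def partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte partition table entry; the CHS fields are filler."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\x01\x01\x00",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sector(code: bytes, table: bytes) -> bytes:
    if len(code) > CODE_END or len(table) != 64:
        raise ValueError("code too long or partition table not 64 bytes")
    return code.ljust(CODE_END, b"\x00") + table + b"\x55\xaa"


TABLE = partition_entry(True, 0x07, 63, 312_581_488) + bytes(48)  # constructed: one NTFS partition
USER_VIEW = build_sector(XP_PREFIX, TABLE)                         # what a normal read returns
KERNEL_VIEW = build_sector(XP_PREFIX + ROTATE_STUB, TABLE)         # what is really in sector 0


def parse_mbr(img: bytes) -> dict:
    if len(img) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            "<B3sB3sII", img, CODE_END + 16 * i)
        if ptype:
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return {"signature_ok": img[SIG_OFFSET:] == b"\x55\xaa", "partitions": parts}


def differing_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Half-open [start, end) byte ranges where the two views disagree."""
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    return ranges


def cross_view(user: bytes, kernel: bytes) -> dict:
    """Compare the user-mode view with the kernel/raw view and locate the disagreement."""
    ranges = differing_ranges(user, kernel)
    return {
        "differs": bool(ranges),
        "ranges": ranges,
        "code_differs": any(s < CODE_END for s, _ in ranges),
        "table_differs": any(s < SIG_OFFSET and e > CODE_END for s, e in ranges),
        "signature_differs": any(e > SIG_OFFSET for _, e in ranges),
        "user": parse_mbr(user),
        "kernel": parse_mbr(kernel),
    }


if __name__ == "__main__":
    r = cross_view(USER_VIEW, KERNEL_VIEW)
    print("user != kernel MBR" if r["differs"] else "views agree", r["ranges"])
```

The point of splitting the result into code, table and signature is triage: a bootkit that hides in the code area leaves the partition table and the 0x55AA signature identical in both views, exactly the pattern a clean-looking user-mode read conceals, so a parser that only validates the partition table reports nothing wrong.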

#4 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 06 January 2011 - 07:10 AM

OK it had one item, and another suspicious item

Attached Files



#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 January 2011 - 08:05 AM

Hello,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to toddrs.exe and try again.

Thanks,
tea

#6 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 07 January 2011 - 07:48 PM

Problem, it won't let me uninstall AVG. Gives this error:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

I tried in safe mode and it does the same thing.

#7 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 07 January 2011 - 08:32 PM

Problem, it won't let me uninstall AVG. Gives this error:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

I tried in safe mode and it does the same thing.

Never mind, I found an uninstall package on the AVG forums that worked, so I ran ComboFix; the log is attached.

Attached Files

  • Attached File  log.txt   13.92KB   2 downloads


#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 January 2011 - 08:07 AM

Hello,

Could you please have another run with ComboFix? I want to see if that infected file was indeed replaced. If not, we'll replace it ourselves. :thumbup2:

Thanks,
tea

#9 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 10 January 2011 - 03:23 PM

Hello,

Could you please have another run with ComboFix? I want to see if that infected file was indeed replaced. If not, we'll replace it ourselves. :thumbup2:

Thanks,
tea

Here it is, I doubt it fixed everything because I still got the netbits pop-ups today

Attached Files



#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 January 2011 - 03:28 PM

Hi there,

Indeed.....so let's see if this way works first. :) Simply upgrade to SP3, then have another run with ComboFix. The log will be larger than you're used to seeing it, but it's all right. :thumbup2:

Thanks,
tea

#11 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 11 January 2011 - 01:23 AM

Hi there,

Indeed.....so let's see if this way works first. :) Simply upgrade to SP3, then have another run with ComboFix. The log will be larger than you're used to seeing it, but it's all right. :thumbup2:

Thanks,
tea

OK, the update is done and I ran it.
I could not upload the whole log because it said the file was too big, so I attached the beginning portion and the end portion and left out the middle (snapshot) portion. Is this OK, or should I do it a different way?

Attached Files



#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 January 2011 - 07:54 AM

Hello,

That's just fine, thank you. :thumbup2:

How is it running now?

#13 toddrs93
  • Topic Starter
  • Members
  • 63 posts

Posted 13 January 2011 - 12:43 AM

Hello,

That's just fine, thank you. :thumbup2:

How is it running now?

Well, it's definitely like ten times better, but I still get the occasional "ad served by netbits" pop-up page, so there must be some kind of tracker on here still.

It is rare and all the other issues seem to be gone.

Gosh this thing is well hidden whatever it is lol.

#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 January 2011 - 07:53 AM

Hello there,

I don't see any entries for Netbits Contextual Tracking, but have a look anyway in Add/Remove Programs for it, and also do a Windows search for anything to do with Netbits. Let me know what you find. :)

Thanks,
tea

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 January 2011 - 08:23 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



