Registered User
Join Date: Dec 2008
Posts: 7
OS: xp sp3
IE popups (Virtumonde?) and disabled Windows Update
Hello. I have a recurring problem where Windows Automatic Updates keeps getting disabled, presumably by malware. Additionally, last night I seem to have been infected with Virtumonde (according to Spybot S&D). I was out of town for the holidays with my computer powered down. After boot-up, I was browsing the internet with Firefox when the popups began. I have not recently installed any new software or visited any suspicious webpages.
When running GMER, the following error box appeared:
Windows - Drive Not Ready
"Exception Processing Message c00000a3 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c"
I had options to Try Again, Cancel, or Continue. Try Again reproduced the same error message, so I Continued and completed the log.
Here's my DDS.txt:
DDS (Version 1.0) - NTFSx86
Run by 10011 at 12:18:48.82 on Mon 12/01/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1098 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\10011\Desktop\gmer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\10011\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\gebXQihe.dll
BHO: {C70B421F-A5D8-4D0E-A525-49A0C9C0FAB3} - c:\windows\system32\pmnoMGxw.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 2007\pccguide.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
StartupFolder: c:\docume~1\10011\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\10011\startm~1\programs\startup\foldin~1.lnk - c:\program files\folding@home\winFAH.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: gebXQihe - gebXQihe.dll
AppInit_DLLs: eralhq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\gebXQihe.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnoMGxw
============= SERVICES / DRIVERS ===============
R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-2-21 4096]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sAUTODESKVAULT [2008-2-26 29183504]
R2 mxssvr;NI Configuration Manager;"c:\program files\national instruments\max\nimxs.exe" [2007-2-22 12696]
R2 NITaggerService;National Instruments Variable Engine;"c:\program files\national instruments\shared\tagger\tagsrv.exe" [2007-2-6 703264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-28 24652]
R3 cm102u32;C-Media CM6501 Like Sound Interface;c:\windows\system32\drivers\c6501.sys [2007-9-15 1419968]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-8-20 42512]
=============== Created Last 30 ================
2008-12-01 11:43 250 a------- c:\windows\gmer.ini
2008-12-01 10:50 921,554 a--sh--- c:\windows\system32\wxGMonmp.ini2
2008-12-01 10:14 173 a------- c:\windows\wininit.ini
2008-12-01 03:57 <DIR> --d----- c:\program files\Lavasoft
2008-12-01 03:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-12-01 03:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-01 03:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-01 03:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-30 19:14 129,024 -------- c:\windows\system32\eralhq.dll
2008-11-30 19:14 129,024 a------- c:\windows\system32\syerjrpt.dll
2008-11-30 19:10 72,704 a------- c:\windows\system32\gihloesa.dll
2008-11-30 19:05 921,554 a--sh--- c:\windows\system32\wxGMonmp.ini
2008-11-30 19:05 318,464 a------- c:\windows\system32\pmnoMGxw.dll
2008-11-30 18:59 <DIR> --d----- c:\docume~1\10011\applic~1\GetModule
2008-11-30 18:59 25,600 a------- c:\windows\system32\jkKawTjJ.dll
2008-11-30 18:59 25,600 a------- c:\windows\system32\gebXQihe.dll
2008-11-30 18:59 198,760 a------- c:\windows\system32\wpv431228088626.cpx
2008-11-30 18:59 38,476 a------- c:\windows\system32\wpv131227968766.cpx
2008-11-30 18:59 34,816 a------- c:\windows\system32\wpv651228079860.cpx
2008-11-22 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATI
2008-11-22 13:02 0 a------- c:\windows\ativpsrm.bin
2008-11-22 12:59 <DIR> --d----- c:\program files\ATI
2008-11-22 12:46 <DIR> --d----- C:\ATI
2008-11-22 11:31 <DIR> --d----- c:\program files\Steam
2008-11-20 12:44 42,320 a------- c:\windows\system32\xfcodec.dll
2008-11-17 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-11 12:26 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:25 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-01 17:09 <DIR> --d----- c:\docume~1\10011\applic~1\Red Alert 3
==================== Find3M ====================
2008-12-01 11:21 8,142 ac------ c:\windows\system32\ealregsnapshot1.reg
2008-12-01 10:19 <DIR> --d----- c:\program files\Xfire
2008-12-01 04:40 <DIR> --d----- c:\docume~1\10011\applic~1\Azureus
2008-12-01 03:20 <DIR> --d----- c:\docume~1\10011\applic~1\Xfire
2008-11-23 10:14 <DIR> --d----- c:\program files\Folding@Home
2008-11-22 12:58 <DIR> --d----- c:\program files\ATI Technologies
2008-11-21 11:42 <DIR> --d----- c:\program files\Azureus
2008-11-19 20:10 <DIR> --d----- c:\program files\Trend Micro
2008-11-17 14:23 <DIR> --d----- c:\program files\AIM6
2008-11-17 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-10-31 17:20 <DIR> --d----- c:\program files\Bethesda Softworks
2008-10-31 16:52 <DIR> --d----- c:\program files\Messenger
2008-10-31 16:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-31 16:38 <DIR> --d----- c:\program files\Windows NT
2008-10-28 21:05 593,920 a------- c:\windows\system32\ati2sgag.exe
2008-10-28 18:23 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-10-28 18:22 314,880 a------- c:\windows\system32\ati2dvag.dll
2008-10-28 18:11 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-10-28 18:11 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-10-28 18:11 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-10-28 18:11 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-10-28 18:10 10,973,184 a------- c:\windows\system32\atioglxx.dll
2008-10-28 18:10 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-10-28 18:09 585,728 a------- c:\windows\system32\ati2evxx.exe
2008-10-28 18:07 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-10-28 17:57 4,041,472 a------- c:\windows\system32\ati3duag.dll
2008-10-28 17:49 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-10-28 17:41 2,472,832 a------- c:\windows\system32\ativvaxx.dll
2008-10-28 17:40 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-10-28 17:40 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-10-28 17:40 887,724 a------- c:\windows\system32\ativva6x.dat
2008-10-28 17:25 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-10-28 17:21 389,120 a------- c:\windows\system32\atikvmag.dll
2008-10-28 17:19 44,032 a------- c:\windows\system32\atiadlxx.dll
2008-10-28 17:19 17,408 a------- c:\windows\system32\atitvo32.dll
2008-10-28 17:18 253,952 a------- c:\windows\system32\atiok3x2.dll
2008-10-28 17:12 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-10-28 09:54 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-22 15:15 <DIR> --d----- c:\program files\Starcraft
2008-10-21 09:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-16 12:56 <DIR> --d----- c:\docume~1\10011\applic~1\Sites
2008-10-16 12:56 <DIR> --d----- c:\docume~1\10011\applic~1\SiteClasses
2008-10-11 08:57 <DIR> --d----- c:\program files\SanrioTown
2008-10-04 10:44 <DIR> --d----- c:\docume~1\10011\applic~1\SPORE
2008-10-02 16:40 <DIR> --d----- c:\docume~1\10011\applic~1\Bioshock
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-14 01:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2008-09-14 00:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-09-11 08:27 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-09 20:38 <DIR> --d----- c:\docume~1\10011\applic~1\SPORE Creature Creator
2008-09-09 17:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-04 09:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-24 01:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SimCity Societies
2008-08-18 16:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Autodesk
2008-06-17 12:27 <DIR> --d----- c:\docume~1\10011\applic~1\Autodesk
2008-06-06 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MGTEK
2008-05-20 19:55 <DIR> --d----- c:\docume~1\10011\applic~1\LimeWire
2008-05-18 17:36 <DIR> --d----- c:\docume~1\10011\applic~1\Armagetron
2008-05-18 17:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Armagetron
2008-04-30 15:30 <DIR> --d----- c:\docume~1\10011\applic~1\Ansys
2008-03-12 03:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\National Instruments
2007-12-11 16:16 <DIR> --d----- c:\docume~1\10011\applic~1\Command & Conquer 3 Tiberium Wars
2007-12-01 00:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2007-10-25 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Mathematica
2007-10-25 18:43 <DIR> --d----- c:\docume~1\10011\applic~1\Mathematica
2007-09-29 21:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2007-09-17 11:35 <DIR> --d----- c:\docume~1\10011\applic~1\Dynamic
2007-09-16 21:03 <DIR> --d----- c:\docume~1\10011\applic~1\Viewpoint
2007-09-16 10:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
============= FINISH: 12:20:35.07 ===============
Thank you for your time.