Trojans, Malware, pop-up ads in IE and Firefox

Pepe Silvia · 12-04-2008, 09:49 PM

For the past few days I've been getting pop-up ads on IE and Firefox, and my computer is running slower. I have done full scans with AVG and Spybot 3 times so far, and they turn up problems each time. Last S&D scan came up with 14 problems, Virtumonde and Virtumonde.generic having the most entries.

Also, Windows updates have been disabled. The Windows Security Alert is indicating that Automatic Updates is turned off, though when I check the actual settings, it still shows as on. System Restore is also not functioning.

DDS (Version 1.0) - NTFSx86
Run by Mia at 19:56:38.59 on Thu 12/04/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.884 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Mia\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dellnet.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {1f5a768f-3d15-4b5c-8989-a1b3f1a8897a} - c:\windows\system32\beoxzy.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\khfFXQGW.dll
BHO: {B4FF83D7-4299-4939-8574-847CBBCA71B4} - c:\windows\system32\awtRiiIX.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\program files\microsoft money\system\mnyviewer.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Dell|Alert] c:\program files\dell\support\alert\bin\DAMon.exe
mRun: [Athan] c:\program files\athan\Athan.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zoneal~1.lnk - c:\program files\zone labs\zonealarm\zapro.exe
uPolicies-explorer: NoSMMyPictures = 01000000
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: khfFXQGW - khfFXQGW.dll
Notify: WB - c:\progra~1\stardock\object~1\window~1\fastload.dll
AppInit_DLLs: wbsys.dll beoxzy.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\khfFXQGW.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtRiiIX

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-5-29 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2004-5-29 5504]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-26 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-10-23 4224]
R1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2006-3-15 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-7 10760]
R2 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2003-5-23 177280]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [1979-12-31 142336]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [1979-12-31 524288]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-3-7 418816]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-3-7 49664]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]

=============== Created Last 30 ================

2008-12-04 11:25 250 a------- c:\windows\gmer.ini
2008-12-04 11:22 592 a--sh--- c:\windows\system32\XIiiRtwa.ini2
2008-12-04 11:22 592 a--sh--- c:\windows\system32\XIiiRtwa.ini
2008-12-04 08:44 143 a------- c:\windows\system32\mcrh.tmp
2008-12-03 22:18 129,024 a------- c:\windows\system32\beoxzy.dll
2008-12-03 22:18 129,024 a------- c:\windows\system32\unpqygup.dll
2008-12-03 19:18 129,024 a------- c:\windows\system32\mkrytb.dll
2008-12-03 19:18 129,024 a------- c:\windows\system32\myxedsgh.dll
2008-12-03 13:56 1,426,531 a--sh--- c:\windows\system32\syqqnfnr.tmp
2008-12-03 13:56 129,024 a------- c:\windows\system32\tofzjg.dll
2008-12-03 13:56 129,024 a------- c:\windows\system32\ukaneyhl.dll
2008-12-03 13:31 72,704 -------- c:\windows\system32\tftkfndj.dll
2008-12-03 13:31 129,024 a------- c:\windows\system32\mslfdowh.dll
2008-12-03 13:31 129,024 a------- c:\windows\system32\lirfkb.dll
2008-12-03 13:28 72,704 -------- c:\windows\system32\ypqwugqh.dll
2008-12-03 13:28 129,024 a------- c:\windows\system32\dqwbtd.dll
2008-12-03 13:28 129,024 a------- c:\windows\system32\ldrfisrk.dll
2008-12-03 07:32 129,024 a------- c:\windows\system32\iilzlt.dll
2008-12-03 07:31 129,024 a------- c:\windows\system32\lcffwblq.dll
2008-12-03 07:29 72,704 -------- c:\windows\system32\tasaywek.dll
2008-12-03 07:24 302,592 a------- c:\windows\system32\awtRiiIX.dll
2008-12-01 10:18 260 a------- c:\windows\_delis32.ini
2008-11-30 20:28 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 20:28 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 20:28 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 20:15 32,768 a------- c:\windows\system32\ddcBRhhI.dll
2008-11-30 20:15 <DIR> --d----- c:\docume~1\mia\applic~1\NI.GSCNS
2008-11-30 20:06 32,768 a------- c:\windows\system32\khfFXQGW.dll
2008-11-12 05:31 <DIR> --d----- C:\5f582f17051f5fba323323d66b427188
2008-11-11 12:56 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:55 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-04 08:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-03 22:11 <DIR> --d----- c:\program files\LimeWire
2008-12-03 22:11 <DIR> --d----- c:\docume~1\mia\applic~1\uTorrent
2008-12-03 22:09 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-03 08:59 <DIR> --d----- c:\docume~1\mia\applic~1\AVG7
2008-12-03 08:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-12-03 08:40 <DIR> --d----- c:\program files\Viewpoint
2008-12-01 12:17 306,688 a------- c:\windows\IsUninst.exe
2008-12-01 09:36 <DIR> --d----- c:\program files\BroadJump
2008-11-26 08:49 <DIR> --d----- c:\program files\AIM6
2008-11-01 08:07 <DIR> --d----- c:\program files\Skype
2008-10-31 11:54 <DIR> --d----- c:\program files\Lavalys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 09:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 04:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-09 17:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2008-09-08 02:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-09-07 09:17 <DIR> --d----- c:\docume~1\mia\applic~1\Unity
2008-06-22 22:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2007-06-21 16:10 <DIR> --d----- c:\docume~1\mia\applic~1\DelinvFile
2007-06-05 17:26 <DIR> --d----- c:\docume~1\mia\applic~1\Finding Nemo Communicator(2)
2007-02-23 02:11 <DIR> --d----- c:\docume~1\mia\applic~1\My Games
2006-09-30 18:31 <DIR> --d----- c:\docume~1\mia\applic~1\AOL
2006-09-27 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2006-03-28 18:57 <DIR> --d----- c:\docume~1\mia\applic~1\ICQLite
2004-12-18 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2004-11-21 01:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2004-09-05 10:08 <DIR> --d----- c:\docume~1\mia\applic~1\The Learning Company
2004-06-04 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2004-06-04 17:36 <DIR> --d----- c:\docume~1\mia\applic~1\You've Got Pictures Screensaver
2004-02-22 15:29 <DIR> --d----- c:\docume~1\mia\applic~1\Steganos Internet Anonym Pro 6
2004-01-07 13:58 <DIR> --d----- c:\docume~1\mia\applic~1\Jasc
2003-11-22 23:49 <DIR> --d----- c:\docume~1\mia\applic~1\Phoenix
2003-11-06 21:21 <DIR> --d----- c:\docume~1\mia\applic~1\Kazaa Lite
2003-05-24 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2002-08-06 10:17 <DIR> --d----- c:\docume~1\mia\applic~1\ACD Systems
2002-06-04 06:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\JASC
2002-06-04 06:09 <DIR> --d----- c:\docume~1\mia\applic~1\Symantec
2002-06-04 06:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2001-08-18 03:00 94,784 ---sh--- c:\windows\TWAIN.DLL
2008-04-13 16:12 50,688 ---sh--- c:\windows\twain_32.dll
2004-06-06 13:45 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-04-13 16:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll
2008-04-13 16:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 16:12 551,936 a--sh--- c:\windows\system32\oleaut32.dll
2008-04-13 16:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-13 16:12 11,776 a--sh--- c:\windows\system32\regsvr32.exe
2008-08-29 20:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 20:00:46.37 ===============

Pepe Silvia · 12-05-2008, 09:00 PM

Sorry I don't mean to bump this thread but I can't find an edit option for my previous post.

I scanned my computer using Malwarebytes' Anti-Malware this morning and over 60 threats were found. They were deleted and all seems well again; Automatic Updates are back on and I haven't had any pop-up ads.

ndmmxiaomayi · 12-06-2008, 01:04 AM

Hi Pepe Silvia,

Welcome to Tech Support Forum.

Please post the following the logs again:

1. DDS.txt
2. Attach.txt
3. Gmer.txt

In addition, please post the Malwarebytes Anti-Malware log.

Open Malwarebytes Anti-Malware.
Select the Logs tab.
Select the first log and click on Open.

There are a couple of things which we need to check.

tetonbob · 12-29-2008, 10:06 AM

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

12-05-2008, 09:00 PM	#2 (permalink)
Pepe Silvia Registered User Join Date: Dec 2008 Posts: 2 OS: Windows XP Home, SP3	Re: Trojans, Malware, pop-up ads in IE and Firefox Sorry I don't mean to bump this thread but I can't find an edit option for my previous post. I scanned my computer using Malwarebytes' Anti-Malware this morning and over 60 threats were found. They were deleted and all seems well again; Automatic Updates are back on and I haven't had any pop-up ads.

12-06-2008, 01:04 AM	#3 (permalink)
ndmmxiaomayi Analyst, Security Team Join Date: Jun 2006 Posts: 714 OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti	Re: Trojans, Malware, pop-up ads in IE and Firefox Hi Pepe Silvia, Welcome to Tech Support Forum. Please post the following the logs again: 1. DDS.txt 2. Attach.txt 3. Gmer.txt In addition, please post the Malwarebytes Anti-Malware log. Open Malwarebytes Anti-Malware. Select the Logs tab. Select the first log and click on Open. There are a couple of things which we need to check. __________________ Done your best? Really?

12-29-2008, 10:06 AM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,254 OS: 2000 Pro; XP Pro; XP Home	Re: Trojans, Malware, pop-up ads in IE and Firefox Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009