tlo06

I have had this problem for months now and have tried every anti-virus program known to man to remove the virus. I think it might be virtumonde but i'm not so sure anymore. I ran Spybot Search and Destroy and Virtumonde was on there a couple times but now when I scan it, it doesn't show up. Instead, other Ad-Type stuff show up..and they keep coming back.
Things such as Double Click, Fast CLick, etc.

I open up IE and a bunch of windows keep popping up and I'm unable to close them therefore I have to end it through task manager. I've been using Firefox but I still get a bunch of pop ups, just not continuously. If anyone can help me fix this problem, I would be very grateful!

Here's the DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Tina at 16:58:18.35 on Mon 06/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.266 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\bcmntray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tina\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.html.com/
uInternet Settings,ProxyOverride = *.local
BHO: {0A92387D-E9BE-491F-9FBE-8D28073E1963} - No File
BHO: {36f05721-f6f1-4883-bac0-4f9bde7fd917} - c:\windows\system32\byXOhIyY.dll
BHO: {1006ea03-e0bd-6469-c1b4-5c8b3fdb2b83}: {38b2bdf3-b8c5-4b1c-9646-db0e30ae6001} - c:\windows\system32\hcwoqe.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D3EFB66-AD1F-4B0F-BF5D-DDCAE2E55211} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EF331C97-39F4-4776-AEDF-9672C979D088} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\bcmntray
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\tina\startm~1\programs\startup\bhodem~1.lnk - c:\program files\bhodemon 2\BHODemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228403100984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {D6F3A017-8FF4-4342-B666-4B9CEF28F84C} = 71.252.0.12,71.242.0.12
TCP: {E884C94A-A8A6-4D8D-9216-8133BA0F6C4E} = 71.252.0.12,71.242.0.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: cbXNGxyw - cbXNGxyw.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: hcwoqe.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXOhIyY

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tina\applic~1\mozilla\firefox\profiles\ek1a2kkc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-24 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-24 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-24 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-24 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-24 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-24 298776]
S0 daqyuacf;daqyuacf;c:\windows\system32\drivers\fpqpijmh.sys --> c:\windows\system32\drivers\fpqpijmh.sys [?]
S1 edasrokn;edasrokn;\??\c:\windows\system32\drivers\edasrokn.sys --> c:\windows\system32\drivers\edasrokn.sys [?]

=============== Created Last 30 ================

2009-06-28 17:21 <DIR> --d----- c:\program files\BHODemon 2
2009-06-28 17:04 <DIR> --d----- C:\VundoFix Backups
2009-06-28 11:54 <DIR> --d----- c:\windows\system32\LogFiles
2009-05-31 19:09 <DIR> --d----- c:\program files\CCleaner
2009-05-31 18:11 95 a------- c:\windows\wininit.ini

==================== Find3M ====================

2009-06-11 08:58 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-30 09:34 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-01-26 02:29 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-01-26 02:19 88 ---shr-- c:\docume~1\alluse~1\applic~1\2E98638424.sys

============= FINISH: 16:59:29.89 ===============

Attached Files

Attach.zip (3.0 KB, 2 views)

KB.

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

tlo06

Alright :) Thank you very much!

KB.

We'll need to disable SpyBot's Tea Timer 'feature' before proceeding.

How to disable Spybot Tea Timer:

• Open Spybot Search & Destroy.
• In the Mode menu, click Advanced mode if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident TeaTimer box.
• Click File > Exit to close.
  
  
• You must reboot for these changes to take effect.

Also see this step-by-step tutorial: http://www.malwarehelp.org/how-to-en...-teatimer.html

If you don't completely understand what Tea Timer does and how it does it, leave it permanently disabled.

ComboFix cleanup
Download ComboFix from any of the links below. You must rename it to Combo-Fix before saving it. Save it to your Desktop.

If you are using Firefox, go to Tools > Options > Main and select 'Always ask me where to save files' and click OK.

Link 1
Link 2
Link 3





* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

------------------------------------------------------

• Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  
• Help with disabling your antivirus application can be found here => here
  
• Double-click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Good Luck

tlo06

I had an issue with this...I couldn't disable AVG and tried uninstalling it but apparently there's files that are still present. I open Combofix and it still detects that AVG is still there..Not really sure what to do

KB.

That's unfortunate and I'm unsure if you've re-installed AVG or not.

I wouldn't recommend re-installing it with your current infection as it's questionable whether or not you'd get a clean installation.

I would rather you ran the AVG cleanup utility found on this site => http://www.avg.com/download-tools


Once you've finished cleaning up AVG, go ahead and run ComboFix per my prior instructions. You can re-install AVG after running ComboFix.

Post back with the information I requested in my first post when you're finished, please.

Good Luck

KB.

Are you still having problems and need help?

Please let me know, otherwise we can close this thread.

Thanks and Good Luck

tlo06

Yeah, I ran the AVG remover and it's still saying that I have it installed when I try to run Combofix. I'm not really sure why it won't.

KB.

Ok, since AVG is still getting in the way I'd like to have you re-run DDS as described in our pre-cleaning instructions here => Pre-Cleaning Instructions so that we can isolate and remove items that are alerting ComboFix. Once we remove them we should be able to run CF and help you solve your problem.

Post back with your new DDS report, please.

Good Luck

tetonbob

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help