
AHH HELP! I have a TROJAN called Virtumonde?!

Former Member
And it's slowly taking over my computer! :(

It's stopping me from EVEN typing properly, I've tried every scan on Spybot, AVG Center, AdAware all online and offline, too and I keep getting shite like this in the pics I attached.

OH MY SHITTING CHRIST, IT WOULDN'T EVEN LET ME UPLOAD THE SECOND PIC UNTIL I TOOK OUT THE WORD 'VIRUS'

I brought this poxy virus on myself, AVG Center told me not to go into a website for a crack I was trying to get for Music Rescue and I downloaded a virus instead. :(

WOE.

Please please help my beautiful PC!! It's been completely reformatted not even two days ago by a kind gentleman for £25, but I don't have another £25 at the moment! Can you help? oh please say y'caaan!

I need some tech-savvy chaps' advice.

I am sort of intermediate(ish) in computer literacy! Be gentle! :blush:

Comments

  • Former Member
    Download and install Hijack-This. Run it then post the log onto here. I'll tell you which ones to take out.

    In future, don't visit 'warez' sites. I learnt the hard way back in 1999. If you want to do illegal stuff, then I hear good things about "torrents". Dunno which torrent programs are highly rated though.
  • Former Member
    Try this if you're able to download it.

    Haven't tried it myself, but I saw it mentioned in a few usually reliable places. Scroll down for instructions.
  • Former Member
    Monserrat wrote: »
    Download and install Hijack-This. Run it then post the log onto here. I'll tell you which ones to take out.

    In future, don't visit 'warez' sites. I learnt the hard way back in 1999. If you want to do illegal stuff, then I hear good things about "torrents". Dunno which torrent programs are highly rated though.

    Thanks so much for attempting a bash! :) I know, I tried to cut a major corner. Lesson well and truly learnt, let me tell you. I can't type, my wireless keyboard is missing so many letters out despite new batteries! Friggin hell.

    I'm still waiting for that Major Geeks website to load, it's currently at a white screen with the green blocks letting me know it's slowly loading.

    To keep me company waiting, I am getting a plethora of full screen popups such as Viral Videos, PaddyPower, Live Sex Cam in Stevenage with a Latina Lady and 4 Free O2 Sim Cards from Free Exchange.

    Sigh.
  • Former Member
    Scott. wrote: »
    Try this if you're able to download it.

    Haven't tried it myself, but I saw it mentioned in a few usually reliable places. Scroll down for instructions.

    Yeah I tried that, it says it can't find any errors. Spybot found 5 of them and deleted them after I 'healed' them whilst disconnected from the internet and I rebooted.
  • Former Member
    Hijack file

    Bit of a long one! This means nothing to me, BTW :nervous:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:18:51, on 28/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\Program Files\AVG\AVG8\avgscanx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: {28dce750-e66b-d61a-e184-ff3a7d2ddc84} - {48cdd2d7-a3ff-481e-a16d-b66e057ecd82} - C:\WINDOWS\system32\aqpsky.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: (no name) - {DE6EBD0B-49EF-4B79-A57F-2E96FBDC8CA3} - C:\WINDOWS\system32\fccyaARi.dll (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [24ccd607] rundll32.exe "C:\WINDOWS\system32\iijtdvvp.dll",b
    O4 - HKLM\..\Run: [BM27ffe59b] Rundll32.exe "C:\WINDOWS\system32\jvwwcqst.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1217169536990&h=4bec2b95a97360e5dc293b2820ac7c1c/&filename=jinstall-6u7-windows-i586-jc.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6570 bytes
  • Former Member
    Looks clean to me, unsure as to what these are though:
    O4 - HKLM\..\Run: [24ccd607] rundll32.exe "C:\WINDOWS\system32\iijtdvvp.dll",b
    O4 - HKLM\..\Run: [BM27ffe59b] Rundll32.exe "C:\WINDOWS\system32\jvwwcqst.dll",s

    Have you tried the second tool on here - VirtumondoBegone?
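A small triage script, added here as an example and not posted by anyone in the thread, that parses O4 (Run-key) lines in the HijackThis log format and flags the two entries queried above. The heuristics (a value name that is only hex digits, rundll32 loading an eight-letter DLL from system32, a single-letter export) are drawn from those two entries and are my own assumptions, not anything HijackThis itself does.

```python
import re

# Constructed sample input: Run-key (O4) lines copied from the HijackThis log posted in this thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [24ccd607] rundll32.exe "C:\WINDOWS\system32\iijtdvvp.dll",b
O4 - HKLM\..\Run: [BM27ffe59b] Rundll32.exe "C:\WINDOWS\system32\jvwwcqst.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# One O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32 invoked on a (possibly quoted) DLL path followed by ",<export>"
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)$', re.I)
HEX_NAME_RE = re.compile(r'^(BM)?[0-9a-f]{8,}$')   # value name that is only hex digits (assumed heuristic)
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')     # eight lowercase letters, no product name (assumed heuristic)

def parse_o4(line):
    """Split an O4 log line into hive, value name and command; None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicion_reasons(entry):
    """Heuristic reasons an autorun entry resembles the two Virtumonde entries from the thread."""
    reasons = []
    if HEX_NAME_RE.match(entry['name']):
        reasons.append('value name is an opaque hex string')
    r = RUNDLL_RE.match(entry['cmd'])
    if r:
        dll = r.group('dll')
        if 'system32' in dll.lower() and RANDOM_DLL_RE.match(dll.rsplit('\\', 1)[-1].lower()):
            reasons.append('rundll32 loads a random-named DLL from system32')
        if len(r.group('export')) == 1:
            reasons.append('single-letter export name')
    return reasons

def triage(log_text):
    """Return {value name: reasons} for every O4 entry that trips at least one heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = suspicion_reasons(entry)
            if reasons:
                flagged[entry['name']] = reasons
    return flagged
```

Calling `triage(SAMPLE_LOG)` returns only the `24ccd607` and `BM27ffe59b` entries, each with all three reasons; the legitimate Nero, AVG, Java and ctfmon entries pass untouched.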
  • Former Member
    Have you tried system restore? Since you know when the problem started you should be able to find an earlier restore point and roll your computer back to that.

    programs>accessories>system tools>system restore
  • Former Member
    If all else fails, good old system restore!
  • Former Member
    Hellooo!

    I tried so much! I tried SDFix, VirtumondeBeGone, VirtuFix and nothing worked!

    Spybot kept saying it was trying to delete the few files it found of Virtumonde, but my net was slow and the typing was still out of control.

    I went here http://forums.afterdawn.com/thread_view.cfm/521858 and tried the SUPERAntiSpyware which FINALLY got rid of it.

    I have lost a few .dll files: when I reboot, two popup windows show saying that they can't run. I looked at the thread from where I got the idea to get the SuperAntiSpyware, and the user said he lost a .dll file too? I think it's related to whatever was on my PC.

    I did a System Restore there, but the .dll popups after a reboot still appear. I will take a screenshot of it later but apart from that no popups, nor slow internet, nor threats showing on AVG!

    Cheers for the replies so far, chaps.

    Post a screenshot soon! :)
  • Former Member
    CoolMe wrote: »
    If all else fails, good old system restore!

    Yup - always served me well, especially when drunk at 3 am I actually clicked on some bullshit 'click here to protect your computer from spyware' pop-up... or as it should have been called 'click here to brainfuck your computer with a million bloody trojans...'
  • Former Member
    Howdoo! Okay, here's what the popups at the start look like.

    I had AVG tell me a Trojan EQ? was still on my PC, earlier with a 'threat detected' popup but my SuperAntiSpyware thingy couldn't find it. :(

    Help?
  • Former Member
    There is a way to check that all the Windows files, such as the .dll files, are there:

    Go to start... run... type in "CMD" and press enter.

    In the command prompt (black window) type in "sfc /scannow" (without the quotes). Press enter.

  • Former Member
    I just had the same problem, thank god for safe mode!
  • Former Member
    Thank god for not using IE.
  • Former Member
    It was most likely down to user input, not the browser's fault.

    If the user wants to navigate to a nasty website, the browser must do as it is instructed!
  • Former Member
    CoolMe wrote: »
    It was most likely down to user input, not the browser's fault.

    If the user wants to navigate to a nasty website, the browser must do as it is instructed!
    If security settings are done right, the website shouldn't be able to run scripts anyway. I stick with Firefox and NoScript.
  • Former Member
    Jim V wrote: »
    Have you tried system restore? Since you know when the problem started you should be able to find an earlier restore point and roll your computer back to that.

    programs>accessories>system tools>system restore

    That doesn't work with this particular virus.

    Run antivirus in safe mode and disconnected from the net.
    Being disconnected is important.
    Do an in-depth scan.
    Also run any anti-spyware (Spybot etc.) kind of stuff you have.
    When you restart the comp make sure you cannot connect to the net.
    Being disconnected is all important.
  • Former Member
    I had a lot of trouble with Virtumonde not long back.
    I got it again a few weeks ago and got rid of it a lot easier this time.
    Virtumonde replicates itself and will be all over the place ...including in your system restore.
    It connects constantly to malicious sites in the background...inviting all manner of other bad stuff in.
    This is why it is essential you disconnect and don't auto-reconnect when you restart.
    When you restart ...it is worth doing the scans again ...and then restarting again and connecting manually.
    It took me about four hours ...........
  • Former Member
    If security settings are done right, the website shouldn't be able to run scripts anyway. I stick with Firefox and NoScript.

    But then their antivirus and firewall should fall into place. :yum:
  • Former Member
    CoolMe wrote: »
    But then their antivirus and firewall should fall into place. :yum:

    It's pretty simple to knock up some undetectable malware and hook into a program the firewall is configured to allow access to.
  • Former Member
    CoolMe wrote: »
    But then their antivirus and firewall should fall into place. :yum:

    I too have now moved over to Firefox.
    Much safer.
    I have discovered a thing called UBUNTU.
    Google it.
    Download to your desktop. Copy to disc.
    BIOS set to boot from disc.
    You can physically remove the hard drive ...and still come on here or anywhere else.
    You can play the games that come with it.
    Chess, card games, that Chinese tile thing and more.
    When on the net without a hard drive you're limited in what you can do of course, but
    you can copy and paste as normal, send and receive emails. And it's fast.
    It's handy to have on disc
    should your puter be knackered and you still wanna come here or whatever.
  • Former Member
    You lot are a bit fab! I'll do more tomorrow for it and keep you posted you lacky feengs.