
Possible Virtumonde Infection

Q: Possible Virtumonde Infection

I have run Malwarebytes, SuperAntiSpyware, Dr. Web CureIt, Ad-Aware and Spybot, all in safe mode. A few non-critical items were found and removed. But during the last Spybot scan I noticed a lot of scanning of files with the Virtumonde file name, even though none were found or reported by any of the aforementioned tools. Makes me a little nervous. Just wondering what my next step should be. Dell laptop, Windows XP, Service Pack 2.

thanks

tj

A: Possible Virtumonde Infection

Hi,

I still think our best shot is to see a log so...

Rerun MBAM
Open MBAM in normal mode and click the Update tab, select Check for Updates; when done, click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


I clicked on an .exe I shouldn't have and now WinPatrol pops up with .dlls from the system32 folder for addition of these IE helpers. My homepage wants to change to slobstyle.com and other times I can't get online because of a rundll32 in processes. I have run Adaware, AVG, Spybot, VundoFix, VirtumundoBeGone, and others with no luck. I have deleted registry keys but they reappear after a refresh of regedit.

Deckard's System Scanner v20071014.68
Run by Daddio on 2008-06-09 10:51:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-06-09 15:51:33 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Daddio.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:59 AM, on 6/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG... Read more

A:Virtumonde Infection?popups And .dll Infection

Hello Plato12 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will pop up asking what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed... Read more


I have attached log files from SpySweeper and HijackThis run this afternoon. Thanks very much for the help!

A:Virtumonde Infection

Hello and Welcome to Bleeping Computer. My name is SpySentinel and I will be assisting you with your malware problem today. You may wish to Subscribe to this thread (Options --> Track this topic) so that you are notified when you receive a reply.Please give me some time to analyze your log, and I will post back with instructions ASAP.


Random popups. Random DLLs running. Random startup entries. I have been deleting them manually. I have also used various tools to remove them. I have the Spybot Search and Destroy program running, and it is able to interfere with the registry change that the virus is making. I am also able to scan the virus and remove them by using Spybot, but when I restart the PC it all comes back. Need serious help on this one.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:03 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\VM_STI.EXE
C:... Read more

A:Virtumonde Infection

Hello Ec2recol!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.


Greetings TSF,

I was online earlier today, on World of Warcraft to be specific, and I had an enormous surge of lag. I minimized the game and I had several instances of Firefox running with many tabs open to the same search sites and anti-virus sites. I found it odd that my Windows Update was turned off also, noted by the red X'd Windows Security icon. I ran AVG and it was detected and removed; however, it sprouted up again in minutes. I then downloaded Spybot and it found something called "Virtumonde" on my computer. I did not attempt to use Spybot to act on it; I decided to come here.


DDS (Version 1.0) - NTFSx86
Run by Thad at 0:02:08.28 on Sun 12/07/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1464 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
... Read more

A:Virtumonde Infection.

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order in which they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.

Please DO NOT Attach logs to your posts unless you are advised to do so.

==========

P2P

P2P - I see you have P2P software BitTorrent 5.0.7 installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here,
Here and Here.

=========

Download Combofix from any of the links below, and save it to your desktop.
... Read more


I've been trying to get rid of the Virtumonde virus for days now; any help would be much appreciated, thanks guys.

Logfile of random's system information tool 1.04 (written by random/random)
Run by LaFranco at 2008-12-03 09:09:39

Microsoft® Windows Vista® Home Premium Service Pack 1
System drive C: has 31 GB (41%) free of 76 GB
Total RAM: 3070 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:51 AM, on 03/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\LaFranco\Downloads\RSIT.exe
C:\Program Files\trend micro\LaFranco.exe

R1 - HKCU\Software\Microsoft\Inte... Read more

A:Virtumonde infection

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following....

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please reboot into Safe Mode
In Safe Mode, right click the SDFix.zip folder and choose Extract All. A new folder will be extracted to your %systemdrive%, typically C:\SDFix
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.

NEXT

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..
Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow t... Read more


I have been infected with the Virtumonde virus on my Acer laptop. I'm running Windows XP Pro. I have followed all of the instructions provided in the preparation guide. I am running GData AntiVirusKit as my antivirus; however, when the virus was contracted I was running Avast antivirus. I had 600+ infected files prior to finally getting it down to a few of these bugs hanging around. Just when I think I'm clean, the stupid virus comes back. It deleted all of my restore points, and won't let me load my ePower management on my laptop. My HijackThis log is posted below... I'm about ready to reformat. Please help me!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:35 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\... Read more

A:Virtumonde Infection Help Me!

Welcome to the BleepingComputer HijackThis Logs and Analysis forum hozzi19

My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you have previously downloaded ComboFix, please delete that version now.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the e... Read more


I have run the following:
- Latest version of Ad-Aware. Found Virtumonde, clicked to delete, yet problem persists.
- VundoFix. I ran it after Ad-Aware. The program didn't find anything.
- VirtumundoBeGone. Followed the different steps. Didn't fix anything.

I downloaded HijackThis as a last resort and here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20: VIRUS ALERT!, on 8/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program File... Read more

A:Virtumonde Infection

Hello Macaco_224,

Welcome to Bleeping Computer

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


Hi everyone. So this is a quick one, I hope. Virtumonde just won't come out. And since I've invested a day or so trying, and checking the calendar, I'm due for my clean wipe in a month or so, so I'm gonna do it early.

So the question isn't how to eradicate Virtumonde, it's in terms of what it can do. I want to back up a few folders on the infected machine, just random movies, jpgs, and computer files, nothing in the system registry or dlls or the like. The folders are: the documents folder, my pictures folder, the desktop folder, and a projects folder. Nothing in the system, nothing in the programs folder. Before I back up to the server and accidentally infect it, I wanted to bounce this off the forum. Does Virtumonde attack anything other than the system registry and internet browsers? We'll probably lose 2 weeks of work if we don't back up, but it's better than losing the years' worth of stuff. And um... no, we can't back up the backup. That's just silly :-)

-Rallyfanche

A:Virtumonde Infection: Not What You Think

bump?


help.

The log:

ComboFix 08-05-25.5 - Owner 2008-05-27 17:36:49.1 - NTFSx86
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.1034 [GMT 8:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\setup.exe
C:\Windows\system32\ACER.exe
C:\Windows\system32\efcDSJBu.dll
C:\Windows\system32\fcccbxxu.dll
C:\Windows\system32\lccfxbpf.exe
C:\Windows\system32\pmnnMdaa.dll
C:\Windows\System32\uBJSDcfe.ini
C:\Windows\System32\uBJSDcfe.ini2
C:\Windows\system32\uhfyrcgx.exe
C:\Windows\System32\uxxbcccf.ini
C:\Windows\System32\uxxbcccf.ini2
C:\Windows\System32\yxxwayxx.ini
C:\Windows\System32\yxxwayxx.ini2

----- BITS: Possible infected sites -----

hxxp://downloads.networkmagic.com
.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.
2008-05-27 17:27 . 2008-05-27 17:32 <DIR> d-------- C:\327882R2FWJFW
2008-05-27 06:25 . 2008-05-27 06:25 124,928 --a------ C:\Windows\System32\rhxefvbj.dll
2008-05-26 21:47 . 2008-05-26 21:47 124,928 --a------ C:\... Read more

A:Infection: Virtumonde

Hello annon

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post.

Download Trend Micro's HijackThis to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
Open HJT, Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit > Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Ken


Hello all and thanks in advance.

A link on Facebook has led to a pretty heinous Virtumonde.dle infection. Multiple scans and repairs later, including Spybot - Search and Destroy tells me the virus is still there and unharmed, as well as my Windows Firewall being compromised (I'm downloading Comodo right now). If you guys could help out, that would be unbelievably helpful.

Many thanks and have a great day.
----
DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 15:46:22.01 on Wed 10/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2731 [GMT -5:00]

AV: avast! antivirus 4.8.1351 [VPS 091007-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\... Read more

A:Virtumonde.prx Infection

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No inp... Read more


I have been having issues with malware for over a week. I have attempted to detect and remove it using Spybot S&D and Ad-Aware 2007. I have even run a registry repair program and virus scan. If I log in safe mode w/ networking I get much improved speed and fewer problems (obviously) and my spyware programs claim they have removed the problems. Something also keeps installing Deewoo Network Manager, Enhancement Browser Tools Gooochi, getPlus®_ocx, MySidesearh Assistant Adzgalore, and a Twain program (recently showed up and I don't have a scanner device installed). I believe, but I am not 100% certain, that all of those additional programs are a result of the Virtumonde.

Please see logs below:
_______________________________________________________________________________________

Deckard's System Scanner v20071014.68
Run by Rontai on 2008-04-25 19:26:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-04-25 23:27:57 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 239 MiB (512 MiB recommended).

-- HijackThis (run as Rontai.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:00 PM, on 4/25/20... Read more

A:Virtumonde Infection

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


I ran Spybot and removed 900 items. One of them was virtumonde so I wanted to make sure I have no other remaining issues on the machine. Also spybot seems to have uninstalled itself after restart. Not sure if that was affected by an infection or not. Thanks in advance! I appreciate the help with these computers, I am the nominated tech guy in my house.



DDS (Ver_09-06-26.01) - NTFSx86
Run by Leanna at 20:19:56.62 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2349 [GMT -7:00]

AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-652 Xtreme N Notebook Adapter\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
... Read more

A:Possible Virtumonde Infection

72 hour bump


I am having problems with the internet. At first, as long as the computer is on but the internet is not activated, nothing happens. As soon as the internet is activated there is an advertisement pop-up every 2-3 mins, every time. The advertisement varies sometimes, but usually it has something to do with which website I'm on. I have run Norton and fixed some viruses but it's still active. I then ran Lavasoft Ad-Aware and it detected 5 Virtumonde and deleted 3. I run Windows XP. I also ran VundoFix after using Ad-Aware and found nothing; I have tried running VirtumundoBeGone in safe mode and it's still active. Please, I would really appreciate you guys' help as soon as you can, big project coming up.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Andrew Chiang at 2002-01-01 00:27:04

Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (8%) free of 114 GB
Total RAM: 2047 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:33 AM, on 1/1/2002
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Progr... Read more

A:Virtumonde Infection

Part 2 of 2
info.txt logfile of random's system information tool 1.04 2002-01-01 00:27:45

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E47302B-8081-46D3-9FEA-BEB2E5F5C3EC}\setup.exe" -l0x9 anything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Add or Remove Adobe Creative Suite 3 Master Collection-->C:\Program Files\Common Files\Adobe\Installers\5ac697db6c6103f6f8b5198d25f73f7\Setup.exe
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe After Effects 7.0-->ms... Read more


Symantec Antivirus is telling me I'm infected with Virtumonde...
DDS (Ver_09-10-13.01) - NTFSx86
Run by dan at 20:39:20.76 on Thu 10/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.385 [GMT -4:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.... Read more

A:Virtumonde infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

I'm having a hell of a time with a Virtumonde infection. I've run SpyBot and Trend Micro Housecall a couple of times each and they always find Virtumonde and say they delete it, but they never really do. I'm getting popup windows, usually from "url.adtrgt.com", and my SpyBot keeps asking me if I want to approve changes to my registry. It's freaking me out. I'm also unable to connect to Windows Security Alerts (I can't get the setting to be "automatic" and I can't do a manual check for updates either). I'm worried that's some sort of registry thing as well.

Anyhow, I'm waaaaaaaaaaay out of my league, so I would be eternally grateful for any help you could provide. Thanks!!

Here are the log and info texts you requested. I was unable to do a Kaspersky scan because I got an error when it was trying to update the database saying I had an "invalid signature" or something like that.

LOG:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Pete at 2008-12-07 20:01:27
Microsoft Windows XP Professional Service Pack 3
System drive C: has 25 GB (35%) free of 71 GB
Total RAM: 1022 MB (37% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:21 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:&... Read more

A:Virtumonde Infection

Please download FileAssassin and unzip it to your Desktop.
Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
Make sure ALL four options are selected (including "Delete file")
Copy/paste below file to the box
C:\WINDOWS\system32\Bdcddccf.ini2
Press Execute button.
Repeat this step with these files...
C:\WINDOWS\system32\Bdcddccf.ini
C:\WINDOWS\system32\fccddcdB.dll
Tell me whether FileAssassin succeeded in deleting all files or not.

NEXT

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asks you to install Recovery Console, please do so. It will be in your best interest.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.
Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall

I ran Spybot and have some spyware named Virtumonde.
The warnings that the PC is at risk and to download Antivirus 2008 are boring.
Spybot doesn't clean it, and I have run ComboFix and I think the problem is eliminated.
I have the results from the ComboFix analysis if someone wants to see whether it is the correct way or I didn't
do the right thing.
Thanks.
I don't know if this is the right place for this question, and I'm sorry, my English is not very good.

A:I Have An Infection By Virtumonde

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list ... Read more

I am working on a friend's computer with a pretty persistent Virtumonde infection. He is running Win XP Home Edition. Tried Ad Aware, SpyBot, etc. with no help.

Also tried VUNDOFIX and that did not work either. I installed HiJackThis and ran a scan. Here is the scan.

Thanks in Advance,

Paul Hastings

A:Virtumonde Infection

Hello Paul Hastings, and welcome to BC.

My apologies for the delay. We're all volunteers, and we've been swamped.

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

My laptop's recently contracted the Virtumonde trojan, and everything I've tried so far hasn't worked. Spybot - Search & Destroy detects the trojan, but no matter how many times I run "Fix selected problems" it keeps coming back (along with Tinybar.C and Smitfraud-C; those won't go away either). I tried the Wikihow topic on how to remove Virtumonde, but the programs the directions tell you to use (VundoFix, Trojan.Vundo Removal Tool by Symantec, VirtumundoBeGone) didn't detect the trojan at all. I tried to manually delete the malicious files that Spybot mentioned in its report, but the infections popped up again when I repeated the scan (although the number of entries for Tinybar.C went down from 4 to 1! This is progress, I hope).

Oh, and also, every time I click on something (specifically when I clicked "Upload" to clip on the Attach file to this post) it goes "The information you have entered is to be sent over an unencrypted connection and could easily be read by a third party." This message hasn't occurred as much before this dilemma, so it sounds alarming.

Please help! As soon as anyone can, to the best of their ability, and with godspeed.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:02:46.07 on Sat 02/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.445.25 [GMT -8:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning ena... Read more

A:Virtumonde infection

Hi delutedpsyche,

Sorry for the delay. We have many logs backed up.

If you still need help, then please post a fresh DSS log and we will take it from there.

I have started to get many popups while using Firefox 3, and many times Firefox will just lock up when attempting to visit http://www.google.com. The sites that the popups go to are 89.188.16.*, cativern.com, www.registrydefender.com, roia.biz, www.quizrocket.com, plus many others. I have run Search & Destroy a few times, Ad-Aware a few times, SDFix in Safe Mode and followed all the instructions. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:26 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Co... Read more

A:Possible Virtumonde Infection

Hello

Apologize for the delay in response; we get overwhelmed at times but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine. Thanks and again sorry for the delay.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Next

Please do a scan with Kaspersky Online Scanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Hi,

It looks like I might have another Virtumonde outbreak. The owner of this system doesn't really use the spyware removal tools on it, so there hasn't been much prevention going on. Anyway, the system's apparently seemed a lot slower recently, and Eset turned up a Virtumonde.dll, which was deleted. I can't imagine the virus being stupid enough to telegraph itself like that, but I get the feeling there's probably another infection. Can someone take a look? Thanks.

My Log:
Deckard's System Scanner v20071014.68
Run by Glendora Wooding on 2008-06-22 02:46:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 224 MiB (512 MiB recommended).

-- HijackThis (run as Glendora Wooding.exe) ------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:48, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\... Read more

A:Virtumonde Infection?

Hello Cunnysmythe,

Welcome to BC!

Sorry for the delay. If you are still out there and needing help, I would like you to do a few things for me:

Please download Malwarebytes' Anti-Malware from http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next, please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomp... Read more

A friend of mine was watching movies on a website and he got a lot of AV alerts. I scanned with Spybot Search & Destroy and there's 3 Virtumonde infections that keep coming back after deletion; help me please.

DDS (Version 1.0) - NTFSx86
Run by Andrew at 18:47:55.18 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2431 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Andrew\Desktop\remover\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC... Read more

A:Virtumonde infection, need help please.

Delete your existing copy of ComboFix.exe. Then visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop but don't run it yet
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
File::
C:\windows\system32\wpv521228549885.cpx
C:\windows\system32\mlJCSLee.dll
C:\windows\system32\~.exe
C:\windows\system32\tmpC923.tmp
C:\docume~1\andrew\applic~1\22.cmd
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.

I have run Adaware (unable to fix) and Spybot (sometimes bluescreens the PC) to no avail. The red circle with white X is still there. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:18 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C... Read more

A:What I Believe To Be A Virtumonde Infection

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

My first clue of infection was a pop-up ad in an Internet Explorer window; I use Firefox exclusively. I disconnected my computer from the internet immediately, switched to Safe Mode, and I've run Spybot S&D. Have gone in and manually deleted all offending registry items; hopefully that didn't cause too much extra damage. Then rebooted back into Safe Mode and Spybot scan shows clean--no immediate threat. When I then reboot into Windows Normal Mode and open any Windows Explorer folder, the following two registry items are added:

Hkey local machine\software\Microsoft\windows\Current version\run\guvajekefe
Hkey local machine\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\C:\WINDOWS\system32\explorer.exe

Rebooting back into Safe Mode and Spybot picks up these two registry entries again. The trojan appears to be latent until I try to open a Windows Explorer window in Normal Mode. I haven't done anything else to my computer.

EDIT: I did do one other thing that I remember now. I got three of what appear to be adware programs in my system32 folder: infmgr, axmgr, and onbar. They would run immediately upon startup and show up on the Task Manager applications window. I renamed these with a .old suffix so I could work on the computer without those programs running. Again, I hope that didn't cause too much additional damage.
------... Read more

A:Help with Virtumonde Infection

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow... Read more

Okay, I'm having some major problems. My brother's PC was infected with Virtumonde (I believe) not too long ago. I used a system restore point, and everything was gone, but I forgot to delete the older/newer restore points, so I guess this infection was still slumbering somewhere inside the system. The symptoms are quite severe: when starting up normally, almost three quarters of the usual icons have vanished, and two or three new icons apparently belonging to some virus/malware removal tools have popped up. They're not icons but URLs however, which I haven't clicked on, of course. I'm afraid I'm not sure exactly what they were called, seeing as I deleted them asap. Next to that, it is (almost) impossible to open either the Explorer or the Task Manager, as it gives a prompt saying something like: "the administrator has locked the task manager/explorer". Furthermore, in the right bottom corner it says in capitals VIRUS WARNING, and every once in a while a pop-up comes up saying I'm infected blablaba.

So, here's what I tried myself:

First of all, my brother ran both Ad-Aware, AVG and Spybot S&D. They found something, but I wasn't there, so my brother clicked Fix, which it obviously didn't do very adequately. Then I got home and tried some things. I booted up into safe mode and ran HJT. I know a little about reading these logs, so I researched all the entries and deleted the files that were obviously malware-related and fixed their entries. However, on restarting the ... Read more

A:Virtumonde Infection

Okay, never mind. The infection had gotten so bad that even safe mode wasn't safe any more, so my bro's decided to do a total clean install. No more help needed, but thanks anyways.

I posted this yesterday, but am not sure if I did it right. Spybot runs a huge amount of files named virtumundo. I ran VundoFix and VirtumundoBeGone and found nothing on both. They reported clean.

A:Virtumonde infection

Hello DottieR,

You forgot to post the log.txt.

Double click on RSIT.exe to run RSIT.
Select Files and Folders created in last 1 month
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of log.txt (<<will be maximized). You don't have to post the info.txt file, as that is already posted.

This is a repost with additional information (the original post with actions/symptoms did not go "live" due to an old HJT format).

I apparently still have a Virtumonde infection. I have completed the pre suggestions. Ran AntiVir Scan which quarantined several issues. Ran Vundofix. Ran Vundobegone in the safe mode with Networking. All clean now. Ran Adware scan. Removed issues. Spybot still shows a Virtumonde instance that has not been removed (c:\WINNT\sytem32\kbdave.dll). Ran Housecall 6.5 which cleaned all but: (WINNT\system32\tmp47.tmp.dll). Ran Stinger. Loaded Firewall.

Still receiving unwanted pop-ups, and the wild thing is the speed metal music that sometimes comes on while online when there is no application running in the Task Manager.

Here is my HJT log; any assistance is appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:41 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Syman... Read more

A:Virtumonde Infection

Hello,

I notice from the log that there is more than one Anti-Virus program running with Auto-protect enabled: Norton and Avira. Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously! The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time. Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown. So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.

Then reboot after uninstalling.

Then,
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt. Post the contents of this log in your next reply together with a new hijackthis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

My operating system is Windows XP Service Pack 2, and my anti-virus program is Norton Antivirus.

I can't open any folders on my desktop, or change my display settings. I also can't add or remove programs. Whenever I open Internet Explorer or Mozilla Firefox, I get bombarded with pop-up ads (I'm using Opera at this time). Based on some of the other threads, I think that this is the Virtumonde virus.

I know that this problem has been posted in the "Users Self Help Malware Removal Guide" thread, but I'm not particularly computer savvy and I don't want to accidentally mess something up. Also, I read the "five steps before you post a log" thread, but couldn't complete most of the steps. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:46 PM, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\... Read more

A:Virtumonde infection

Hi Christian Nack

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only, it should not be used on any other computer. Each fix is tailor made for the specific task in hand. If for some reason you have system restore disabled, then please re-enable it before proceeding, an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.

If this is a business machine then please make sure that you have both the authority and full administration rights to the computer system.

Please follow these directions in the order they are set out for you.

On with the fix.....

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure that combofix is saved to (and run from) your desktop

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Hello! I'm having a bit of trouble with my PC. Started off with several "about:blank" pop-ups after closing AOL email in the last week. Pop-ups started going haywire today. Several pop-ups come up whenever I try to navigate to a site.

Tried running Norton AntiVirus, Spybot and Ad Aware in normal and safe modes--pc froze several times. Got a blue screen message three times: once indicating that there was a "fatal error" and that Windows had to shut down, and two times with "Driver_irql_not_less_than_or_equal" at the top, and a note about the "physical memory" being dumped at the bottom.

Finally got the computer to start, ran Norton and Ad Aware to completion this time--both programs found Virtumonde. (Ran Spybot again. It also registered virtumonde and other programs, but froze when it was 75% done and crashed the system.) When I restarted the computer, a window popped up saying the "system recovered from a fatal error." Clicked "ok" to report the error to Microsoft, but the error report would freeze, and pop ups would surface (even though I didn't click on internet explorer).

I'm new to the forum and a novice pc user, so if you need more specific info to assess my problem please let me know. Thanks in advance.

Ran DDS. The log is as follows:
DDS (Ver_09-02-01.01) - NTFSx86
Run by RCouncil at 16:50:26.45 on Fri 02/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.... Read more

A:Possible Virtumonde infection?

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.

Hi,

I'm having a serious Virtumonde infection. I have tried various programs to remove it, including Spybot Search and Destroy, Ad Aware, Vundofix, VirtumondeBeGone, and FixVundo. None of these have managed to get rid of it from my computer. I am experiencing all the symptoms of a typical Virtumonde infection, including (but not confined to): internet connection issues, slow internet, continual pop-ups, inability to navigate to certain sites, and occasionally after a restart, my icons and/or menu bar do not appear.

I have reason to believe the trojan has been in my computer now for several months and I am desperate to get it out. Please help! Thanks!
DDS (Ver_09-02-01.01) - NTFSx86
Run by Bethany Boulden at 9:55:35.00 on Fri 02/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.919 [GMT -8:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG... Read more

A:Virtumonde Infection

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

First of all, uninstall the outdated version of AVG and install the latest version AVG8.
Let it update and then perform a full scan and quarantine everything it is finding.
Reboot afterwards.

After reboot, rescan with DDS and post a new DDS log in your next reply. Then we'll start from there.

Read other 2 answers
RELEVANCY SCORE 44.8

I was doing maintenance on a customer's PC, and found a Virtumonde infection. I followed the directions at the top of the Forum, and also ran VundoFix and VirtumondeBegone. It seems to be gone, but I want to make sure. Here's the HiJackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:01 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system... Read more

A:Virtumonde Infection; Is It Gone?

Hello Daimeion,

Welcome back to Bleeping Computer

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

Read other 3 answers
RELEVANCY SCORE 44.8

This infection started out with spyheal, which I thought I removed thanks to online guides, but there are still files on my computer (vtstq.dll, and pretty sure a file called byxyxvw.dll has got something to do with it too) which I just can't seem to remove. I've tried following the instructions of guides on here and other sites, and they all want me to use either VundoFix or virtumondebegone. Now, this would all be fine and dandy, if it wasn't for those programs not working for me. They just kill all other processes, and then nothing happens (can't open up task manager or anything after that)! So... I need all the help I can get. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 16:35:57, on 2006-11-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\CACHEM~1\CachemanXP.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program... Read more

A:Virtumonde Infection

Hello Bradega, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks

Read other 6 answers
RELEVANCY SCORE 44.8

Greetings!
As you can see I have a problem. According to my other anti-malware programs I have somehow contracted the virtumonde program. SpyBot, AVG and AdAware would detect the problem and supposedly delete it, yet it was back within seconds. VundoFix 7.0.6 simply did not detect it; however I am fairly confident that I am infected as my Laptop is running very slowly, and unsolicited pop-ups have begun to appear. As per your request I am including the DDS information. Apologies if this is in the wrong forum.
TSU
DDS (Ver_09-02-01.01) - NTFSx86
Run by Jamie McLoughlin at 21:27:54.10 on Sat 02/14/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.284 [GMT -7:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin ... Read more

A:Help! Virtumonde Infection

Hello The Squirrel Unit,

How many antivirus programs are running on this computer? Is Norton Internet Security outdated?

We need to disable Spybot S&D's "TeaTimer". TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running. In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
If prompted with a legal dialog, accept the warning.
Click and then on "Advanced Mode"
You may be presented with a warning dialog. If so, press Click on Click on Uncheck this checkbox:
Close/Exit Spybot Search and Destroy

Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log ... Read more

Read other 4 answers
RELEVANCY SCORE 44.8

Hi! This is my first post here, so I'm sorry if I fail to properly conform with protocol as a result of my ignorance. I'm no Windows expert, and especially not when it comes to removing Malware, so please also excuse any misinformed newbie mistakes I make.

I've recently been infected with a virus. Upon scanning with SpyBot, Ad-Aware, and MBAM, twice, and disabling System Restore, I've discovered that the virus is Virtumonde, and I believe I've done all I can on my own to stop its trespasses, having deleted all of the infected items these scans have produced. I've restarted my machine more times tonight than I probably have in a year.

I've managed to stop the popups from appearing, and the performance of my machine is back up to where it was (perhaps even a little better), but one problem persists: My Google results are being redirected to other webpages, be they search engines, or offers for anti-virus software, or job search websites, or what have you. I am sure this is a familiar symptom of Virtumonde, or maybe even a worse problem.

Anyway, having scanned and re-scanned my hard drive with no results, I decided to download HJT in my frustration and post a log here, as per a friend's suggestion. This is the data produced by said log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:58 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:... Read more

A:Virtumonde (?) Infection Help

Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan"
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
Double click on RSIT.exe to run RSIT
Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
Click Continue at the disclaimer screen.
Once it has finished, two lo... Read more

Read other 23 answers
RELEVANCY SCORE 44.8

Hello again,

I was having trouble with our new most common friend, Virtumonde. Spybot found it and said it was deleted, but I was still having problems. AdAware didn't find anything, Malwarebytes did find other things but not Virtumonde. I would like somebody to check my HJT log to see if I am clean of Virtumonde as well as anything else that may be hiding that the above programs may have missed.

As always, thanks for your time. You guys are incredible and always helpful.

HJT log
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:49 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Progra... Read more

A:Virtumonde Infection

Hi The Grog,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Tell me if you have done anything since previous post. Or you have run any other tools. Also tell me how is the current condition of your computer.

To get an idea about the current condition of your computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Set the scan files/folders to 3 months.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

Note 2: The tool takes not more than one minute to scan the system. You might want to save this page on your favorites, so you can find it again when you return.

Read other 29 answers
RELEVANCY SCORE 44.8

Hi. I'm a poor slob running Vista 64. It's got Spybot S&D Tea Timer. My UAC is off since it was constantly asking me to okay things; I use an RME Fireface audio app amongst other things and so with UAC on every time I start my system it needs to be told 2 dozen programs are okay to run - maybe it was worth it, but Tea Timer does a pretty good job and at least Tea Timer is tailorable - it remembers what you've chosen to okay. It actually does this for you!! (Bill Gates try and keep up - this is amazing, unfathomable technology that you could have never thought of - yeah, right Mr. Back Door Bill). As from the Title of this post I've been exposed to a Virtumonde infection as of last night. I have seen a few load fail errors pop up (without me loading anything) since nod32 found and quarantined (and I deleted) the virtumonde.nax (gotten from an old install file I had on CD) along with about six files it had created. I have rebooted, and just got another error, which indicated a message did not go through, and since I'm not sure what that is I thought I would post a log here for the first time.

I should note that this kinda thing happened to me before (Virtumonde but a different one maybe - on a different computer, that didn't get exposed to the same file), and I realized Spybot was being prevented from functioning. I uninstalled Spybot and to my amazement a new version of Spybot appeared.

I could not believe my senses, so I made a test where I created a ... Read more

A:Virtumonde infection.

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No inp... Read more

Read other 2 answers
RELEVANCY SCORE 44.8

I am having problems with the internet. At first as the computer is on as long as the internet is not activated nothing happens. As soon as the internet is activated there is an advertisement pop up every 2-3 mins every time. The advertisement varies sometimes, but usually it has something to do with which website I'm on. I have run norton and fixed some viruses but still active. I then ran ad-ware lavasoft and it detected 5 virtumonde and deleted 3. I run windows xp. I also ran vundofix after using the ad ware and found nothing, I have tried running virtumundobegone in safe mode and still active. Please, I would really appreciate you guys' help as soon as you can, big project coming up.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Andrew Chiang at 2008-12-08 18:53:31

Microsoft Windows XP Professional Service Pack 3
System drive C: has 12 GB (10%) free of 114 GB
Total RAM: 2047 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:45 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Pro... Read more

A:Virtumonde Infection really need help

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..
Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall

NEXT

Please download GMER and unzip it to your Desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on Scan.
When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

Post these logs in your next reply..
1. ComboFix
2. A fresh HijackThis log
3. Attach GMER report

Regards
fenzodahl512

Read other 2 answers
RELEVANCY SCORE 44.8

Hi there. Hope you can help me out. A friend asked to look at their PC as it was really slow as of late and suffered from multiple pop ups in I.E. 6. Ran Ad Aware and Spybot and both cleaned up a pile of items but can't get rid of a Virtumonde infection. After some research on the web, figured I was out of my league so here I am. :)

Anyway, read through the 5 steps and think I got it all covered. Note that previously, I was unable to go to the Windows Update site at all. I now go but it only says I have two driver updates and nothing more which makes no sense - don't think this HP Home version is that up to date.

As well, I did disable an Internet Add On in I.E. - vtUkhiHw.dll - just before posting this and it seems to have stopped things. Just really not sure.

My Panda log is attached and my HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:14 PM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Sym... Read more

A:Virtumonde (sp.?) Infection

Bump :)

Read other 12 answers
RELEVANCY SCORE 44.8

I had NOD32 to start out (and I didn't realize my firewall was switched off). IE started popping up on its own and going to strange sites. NOD32 scans found some stuff associated with Virtumonde and deleted those files, but the problem continued. I downloaded Windows Defender and SpySweeper. They also found some Virtumonde files, but the problem continued.

Ad-aware found nothing but cookies. Spybot found and cleaned Virtumonde and Virtumonde.ddc, but the problems continued.

Housecall Antivirus found and removed a threat called Freeloader/... (I don't remember the full name). Still no change overall.

Currently, my NOD32 antivirus program picks up a threat file immediately and continuously after I start my computer (c:\WINDOWS\system32\opnlllk.dll). I delete it but it says it will be cleaned after the next restart. NOD32 then immediately pops back up with the same threat.

Ok, that's all I can think of right now. My HijackThis log is below. I really appreciate the help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:40 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDO... Read more

A:Virtumonde, Etc. Infection

Hello DawnTreader,

Welcome to Bleeping Computer

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
Download the latest version of Java Runtime Environment (JRE) 6u3.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.ex... Read more

Read other 6 answers
RELEVANCY SCORE 44.8

Hi,

Windows defender keeps trying to fix a Trojan:Win32/Vundo.gen!R error and every time I reboot it keeps appearing again.
Spybot is constantly reporting BootExecute change attempts - which I currently have on auto-deny...

Here are my logs

Deckard's System Scanner v20071014.68
Run by Alun on 2008-07-16 10:58:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
8: 2008-07-16 09:37:17 UTC - RP52 - Windows Defender Checkpoint
7: 2008-07-16 08:19:03 UTC - RP50 - Removed Ad-Aware
6: 2008-07-16 06:53:16 UTC - RP49 - Removed Norton Save and Restore
5: 2008-07-16 06:38:24 UTC - RP48 - Removed Norton Save and Restore
4: 2008-07-15 21:14:59 UTC - RP47 - Installed Ad-Aware

-- First Restore Point --
1: 2008-07-15 19:47:53 UTC - RP43 - Windows Defender Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 1022 MiB (1024 MiB recommended).

-- HijackThis (run as Alun.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:58, on 16/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.ex... Read more

A:Virtumonde Infection

Hello Alun and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete. Click Delete Files, Delete cookies and Delete history
Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window
* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a... Read more

Read other 3 answers
RELEVANCY SCORE 44.8

Internet explorer keeps opening on its own and going to ad sites. I've run SpyBot in safemode and it found a bunch of stuff including Virtumonde. I fixed everything in spybot, but then I tried restarting and the problem just started happening again immediately. Here's my HijackThis Log. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:11 PM, on 12/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Sepialine\Argos Print Monitor\WorkstationMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files ... Read more

A:Virtumonde infection

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log

Read other 4 answers
RELEVANCY SCORE 44.8

Virtumonde infection in wvuvs.exe
Ran VundoFix and VirtumundoBeGone, now ran ComboFix -- ComboFix log and HijackThis log attached. Thanx much

ComboFix
ComboFix 08-03-05.1 - Rob 2008-03-05 21:03:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.162 [GMT -8:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BMff4443bc.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS ... Read more

A:Virtumonde Infection

Hello robsha

Welcome to the Bleeping Computer Malware Removal Forum

The variant of Vundo that you're infected with includes a File Infector. All the files and folders inside the Blue Code Box have been infected by this Trojan. We are going to attempt to clean those files; the ones that cannot be cleaned I am afraid you're going to have to uninstall and reinstall.

First go to your Add Remove Programs in the Control Panel and uninstall Viewpoint
C:\Program Files\Viewpoint <-- Delete this folder.

Drag the copy of Combofix to the trash and download a fresh copy as it's updated on a regular basis. Make sure you save it to your desktop
Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Open Notepad: Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Killall::

Killall::

RenV::
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe&... Read more

Read other 2 answers
RELEVANCY SCORE 44.8

Hello,

Two days ago I noticed I have a Virtumonde Infection on my PC. I have scanned the PC with McAfee 8.0 and with Spywareblaster which removes the infection, but after a while it gets back. With OneCare I have removed the infections (Vundo gen! I and VundoGen H), but OneCare says that there was also an infection in a backup file of HiJackThis.

I have run ATF cleaner and OTScanIt and made a Hijack Log. If you want I can also make a ComboFix Log. Any Help would be appreciated! Thanks a lot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:07:32, on 23/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Protexis... Read more

A:Virtumonde Infection

Hello JanValgaeren,

"I have run ATF cleaner and OTScanIt and made a Hijack Log. If you want I can also make a ComboFix Log."

You should not be running either OTScanIt or ComboFix unless a malware expert asks you to run them. We will start out with Malwarebytes' Anti-Malware.

Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Hello, new to this site and so far it's helped me out a lot. But now I'm having some trouble removing this Virtumonde infection that I got just the other day.

I went through the how-to guide posted on here to remove the virus but it's still there. Spybot says that the problem has been fixed but then I scan it again and it pops back up. Also I think this virus has disabled my realtime protection with NAV as it won't start up any more; I'm getting "Realtime protection failed to load". Well here's my log if anyone could take the time to look at it and make a suggestion that would be GREAT! Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:57 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NavNT...

A: Virtumonde Infection

It's getting worse lol (I dunno why I'm laughing either). But I keep getting notifications from XP that my computer's internet connection and computer are being slowed down significantly due to spyware/adware. So I looked at my processes and a new one popped up, iexplorer.exe; did a search and found out that it's another spyware problem that needs to be dealt with. So here's my updated HijackThis log, hopefully someone could help me out with this as I hate seeing my PC being crippled. Also Windows says I have [email protected]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:32 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PowerISO\PWR...


Hello,
I hope I am posting in the right area, if not I'm sorry. Anyway, I'm pretty sure I am infected with Virtumonde in the last couple of days. I ran SpybotSD and have five entries under Virtumonde when I expand it. I've run VundoFix with no luck and have noticed that when I check my startup programs I have two suspicious ones, one that if I uncheck comes back after a restart ( 50f55450 ), and then the other ( MSServer ). If someone could give me instructions on how to remove this it would be much appreciated. Thank you.

A: Virtumonde infection need

Hello franticopic and welcome to BC,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/183765/virtumonde-infection/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult. This leaves you with a choice:

1) Have this thread reopened and the HiJack This log topic deleted
OR
2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon a...


Long story short, I have a Virtumonde infection that has been detected by Spy-Bot, AdAware and McAfee. McAfee has been all but useless and the other two have detected and removed it only for Virtumonde to immediately reappear. (Probably irrelevant but my thoughts...I think it was time delayed activation in being hit with it. McAfee quarantined the adaware file back on 12/7/08 but it must have made its way into my computer as it suddenly activated around Midnight -Christmas Evening/Day after Christmas.) Anyway I need help.

Two other notes: Windows Security Alerts has been disabled and is unable to be re-enabled. Mozilla Firefox no longer adds a tab when I open a link from a program but instead opens a new Firefox window. Both side effects I assume from Virtumonde.

Edit: Forgot to attach the Attach.txt file. Sorry

I did a DDS scan and here is the log:

DDS (Version 1.1.0) - NTFSx86
Run by emryn at 22:53:30.18 on Sat 12/27/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2634 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Security\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system3...

A: VirtuMonde Infection

Hi,

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

jedi
