
Possible Virtumonde Infection

Q: Possible Virtumonde Infection

I have run Malwarebytes, SuperAntiSpyware, Dr. Web CureIt, Ad-Aware and Spybot, all in safe mode. A few non-critical items were found and removed. But during the last Spybot scan I noticed a lot of scanning of files with the Virtumonde file name, even though none were found or reported by any of the aforementioned tools. Makes me a little nervous. Just wondering what my next step should be. Dell laptop, Windows XP, Service Pack 2.

thanks

tj


A: Possible Virtumonde Infection

Hi,

I still think our best shot is to see a log, so...

Rerun MBAM: open MBAM in normal mode and click the Update tab, then select Check for Updates. When done, click the Scanner tab, select Quick scan and scan. After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


I clicked on an .exe I shouldn't have and now WinPatrol pops up with .dlls from the system32 folder for addition of these IE helpers. My homepage wants to change to slobstyle.com and other times I can't get online because of a rundll32 in processes. I have run Ad-Aware, AVG, Spybot, VundoFix, VirtumundoBeGone, and others with no luck. I have deleted registry keys but they reappear after a refresh of regedit.

Deckard's System Scanner v20071014.68
Run by Daddio on 2008-06-09 10:51:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-06-09 15:51:33 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Daddio.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:59 AM, on 6/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes: ...

A: Virtumonde Infection? Popups and .dll Infection

Hello Plato12 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer. Go to Control Panel > Internet Options > General tab. Under Browsing History, click Delete. Click Delete Files, Delete cookies and Delete history. Click Close below.

* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
Go to Tools > Options. Click Privacy in the menu. Click the Clear now button below. A new window will pop up asking what to clear. Select all and click the Clear button again. Click OK to close the Options window.

* Clean other Temporary files + Recycle bin:
Go to Start > Run and type: cleanmgr and click OK. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed...


I'm getting random popups, and when my computer boots it gets an error loading pawovuda.dll or something similar. Problems with my hotmail account.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Jack at 23:19:45.45 on Fri 04/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1436 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*


A: virtumonde infection?

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.


Hi, I have a virtumonde infection and I am having trouble removing it. I've tried Malwarebytes and Ad-Aware with no success. HJT log is below. Thanks!

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:58 PM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal



Hopefully I got the correct place to post this this time. Sorry to the person who had to correct me the first time. I have been struggling with getting rid of the virtumonde issues on my PC. I have used several tools that I have read about on this site, and some report that I am infected and some report that I am not. I ran through several tools and included information below about the results of each of them. I appreciate any feedback that might be able to help me clean this up. Thank you in advance.

Ad-Aware SE
build 1.06r1
latest definitions
results: MRU List (3 Object Total). These objects do not pose a threat. I removed the objects.

Spybot S&D
release 1.4
latest definitions
results: It showed a virtumonde infection that I allowed it to fix. The log is below:

Spybot log:
Virtumonde: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
...

A: Virtumonde Infection That Won't Go Away

Hello btah,

Let's see what we can do about this.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


Symantec Antivirus is telling me I'm infected with Virtumonde...
DDS (Ver_09-10-13.01) - NTFSx86
Run by dan at 20:39:20.76 on Thu 10/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.385 [GMT -4:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}


A: Virtumonde infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll...


I have had problems with the PC simply stopping dead, no blue screen even, just stops. Eventually I found it had a Virtumonde infection and have used all tools available on the internet to kill it. Although I am supposed to be cleaned, I'm still having problems, so could someone look at my HJT or combofix logs please.

---------------------------------------------------------------------
BEFORE CLEANED

--- Report generated: 2009-06-17 22:43 ---

Virtumonde.sdn: [SBI $2CF65D3D] Library (File, fixed)
C:\WINDOWS\system32\_000006_.tmp.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde.sdn: [SBI $2CF65D3D] Library (File, fixed)
C:\WINDOWS\system32\_000007_.tmp.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

--- Spybot - Search & Destroy version: 1.6.1 (build: 20090120) ---
...

A: I have virtumonde infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll...


Below is the logfile after 'HijackThis' was run:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:23 PM, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes: ...

A: Virtumonde Infection

Hello, kwarten. Welcome to BC.

Before we get into the fixes, please disable Spybot's TeaTimer, as it may interfere with the process.
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the list.
Uncheck the "TeaTimer" box and "OK" any prompts.
If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done.
(When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Download ATF Cleaner to your Desktop.
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please c...


Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes: ...

A: Virtumonde Infection

Hi

I'm sorry it took so long to get a reply. Forums have been very busy.

If you still need help with this, post a fresh HJT log, please.


Hello, I have Virtumonde; I need help removing it. I tried multiple scanners and VundoFix, not working. Halp pl0x. I will attach the logs.

Thanks in Advance, Moody
DDS (Ver_09-05-14.01) - NTFSx86
Run by pat at 20:49:35.62 on Tue 06/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.538 [GMT -7:00]

A: Virtumonde infection

Bump

Hello Moody550,

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the ...


This is on my work laptop, so it is kind of important that I get this cleaned up and taken care of. One other side note: Whatever is infecting this laptop turned off Windows Update.

DDS.txt:
DDS (Ver_09-01-19.01) - NTFSx86
Run by redant at 0:28:28.75 on Wed 01/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.74 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)


A: Possible Virtumonde infection

I apologize for bumping my post. I left my computer running on a dial-up connection. I left the computer running for about three hours. Sure enough, after coming back I saw that McAfee had caught three trojan files that were deletable and one that wasn't:

file:brihdn.dll
in folder: c:\windows\system32
detected as: generic.dx
detection type: trojan
status: no action taken (delete failed)
application: **\sbtraymanager.e**
username: [removed]
client id: 0 ()


I made a post a few weeks ago on these forums, but I forgot about it and it was subsequently closed. This is the link to that post: http://www.bleepingcomputer.com/forums/ind...view=getnewpost. Anyhow, I'm still keen to remove Virtumonde from my computer, so I'd really appreciate any help. AVG anti-virus seems to have removed the 'nadusajo.dll' file since my first post and so the 'Bad Image' errors have stopped. However, I'm still having trouble removing some parts of the trojan from my computer. One of the registry keys seems to keep coming back after I remove it. I've used Malwarebytes' Anti-Malware, SuperAntiSpyware and AVG anti-virus, but the key keeps returning upon the next scan.

Here is my DSS.txt log:

DDS (Version 1.1.0) - NTFSx86
Run by Patrick's at 17:23:11.28 on Sat 01/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.180 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============
...

A: Virtumonde Infection

Hello Pat and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer. Go to Control Panel > Internet Options > General tab. Under Browsing History, click Delete. Click Delete Files, Delete cookies and Delete history. Click Close below.

* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
Go to Tools > Options. Click Privacy in the menu. Click the Clear now button below. A new window will pop up asking what to clear. Select all and click the Clear button again. Click OK to close the Options window.

* Clean other Temporary files + Recycle bin:
Go to Start > Run and type: cleanmgr and click OK. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.
Link
Link
Link
Double click the ComboFix icon to run it. If ComboFix asks you to install the Recovery Console, please do so. The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C: ...


Last night, I started receiving pop ups in Firefox (running Windows Vista Home Premium). Most of them were of the "work from home!" variety, though a few were anti-spyware and anti-virus ads. I ran Ad-Aware, which located a dabuloje.dll file it said was a Virtumonde infection. I had Ad-Aware quarantine and then remove the file. I also attempted to use Malwarebytes Anti-Malware to root out further infection, but the application would automatically close before I could run a scan. I rebooted into safe mode and ran both applications. Ad-Aware discovered the dabuloje.dll file again, and I had it remove the file again. Malware discovered nothing. I thought I had solved the issue. But this morning, I've received pop ups again, and Ad-Aware identified a different .dll file. So I'm here, hoping to get things cleaned up.

Below is the content of the DDS.txt file, and the Attach.txt and Ark.txt files are attached:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Campbell at 11:49:08.19 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3325.1861 [GMT -6:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============
...

A: Possible Virtumonde Infection

Hello kharybdis, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
Link 1
Link 2
Link 3
Link 4
Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed. If ...


Hi everyone. So this is a quick one, I hope. Virtumonde just won't come out. And since I've invested a day or so trying, and checking the calendar, I'm due for my clean wipe in a month or so, so I'm gonna do it early.

So the question isn't how to eradicate virtumonde, it's in terms of what it can do. I want to back up a few folders on the infected machine, just random movies, jpgs, and computer files, nothing in the system registry or dlls or the like. The folders are: the documents folder, my pictures folder, the desktop folder, and a projects folder. Nothing in the system, nothing in the programs folder. Before I back up to the server and accidentally infect it, I wanted to bounce this off the forum. Does virtumonde attack anything other than the system registry and internet browsers? We'll probably lose 2 weeks of work if we don't back up, but it's better than losing the years' worth of stuff. And um...no, we can't back up the backup. That's just silly :-)

-Rallyfanche

A: Virtumonde Infection: Not What You Think

bump?


I used Ad-Aware, Spybot-S&D, ...basically everything that was in the "Preparation Guide for use before posting a HijackThis Log". When I do scan and remove any threats it looks like everything goes back to normal, but then when I reboot my comp the threats will come back. When I'm online I get pop-up ads and redirected to other sites. Every 10 minutes I get a Windows Security Alert that says "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unauthorized access to your files! Click here to download spyware remover..." (Obviously it's an ad.) How do I PERMANENTLY remove Virtumonde and any other adware, malware, spyware,....whatever off my comp? Thanks ahead of time for the help.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:04 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes: ...

A:Virtumonde Infection, Pop Up Ads

Hi wfgchris!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in HijackThis school and teachers will check my posts.
Sorry that it took us so long to get back to you, but as you can see we're stumped with the amount of logs.

Before we can start, please post a fresh hijackthis log back here.

Read other 6 answers
RELEVANCY SCORE 45.2

XP 2002 Home, Service Pack 3. Norton Anti-Virus and firewall package. Loads of P2P file sharing, which is possibly the culprit, but it could be the massive amount of surfing dodgy sites that I do.

Internet Explorer is not performing correctly: loads of pop-ups and hanging of the program. If I go into Processes and stop iexplorer and explorer, I can manually open Opera and any other software through CTRL+ALT+DEL > Applications > New Task and they perform perfectly, but the minute I start up Internet Explorer I have the problems again. The keyboard seems to perform slowly at times or miss keys at times. I have tested with other keyboards and have the same result. This has only been happening as long as I have had the infection. That's the infection on the PC, not the other one that just itches all night and smells funny.

By the way, Spybot finds problems, but they don't seem to get fixed, as after a rescan they are back again. Norton has the same issues: it finds Virtumonde, but when it is removed it comes straight back. VirtumundoBegone and VundoFix don't find any problems at all, so I'm not sure that it is a Virtumonde problem. Here is the HijackThis log... I really hope this is an easy one for you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:12:47, on 9/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS... Read more

A:Possible Virtumonde Infection. Not Too Sure. Help

Hello pyrosian,

Can you please disable TeaTimer:
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose Yes at the Warning prompt.
Expand the Tools menu.
Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
In the File menu click Exit to exit Spybot Search & Destroy.

Next please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Please post a new HijackThis log and the MalwareBytes results.

Read other 20 answers
RELEVANCY SCORE 45.2

Hi all,

When my system started getting incredibly sluggish I started by running Spybot S&D and AdAware 2008, which located Virtumonde and IRC.crt infections. I had caught a quick display of AntiVirusXP 2008 or 2009 from one website recently, but the page didn't get a chance to fully load before I quickly closed the tab in Firefox and closed the AntiVirus XP 2008/2009 window. I figured it made its way onto the system anyway, so I had AdAware fix the issues. IRC.crt keeps popping up, but it claims that Virtumonde is gone. Avira AVG also flagged a file in the C:\Windows\system32\EV19 folder which I did a web search on and deleted manually.

I ran VundoFix and VirtumundoBegone as per http://www.bleepingcomputer.com/forums/lof...php/t18610.html without successful detection. I had found this forum by googling to the http://www.bleepingcomputer.com/forums/lof...hp/t173231.html solution page but wanted to make sure I got a personalized solution for my problem. I do have some of the files that are indicated in the posted fix I found, such as %systemroot%\system32\drivers\ksecddd.sys, but I won't do anything until I hear from someone about a proper fix.

I've run the DDS tool and here is the DDS.txt log:

DDS (Version 1.1.0) - NTFSx86
Run by Jeff two at 16:39:33.48 on Fri 12/26/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.509 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-a... Read more

A:Possible Virtumonde infection?

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable ... Read more

Read other 3 answers
RELEVANCY SCORE 45.2

I ran Spybot and it found spyware named Virtumonde.
The warnings that the PC is at risk and to download Antivirus 2008 are boring.
Spybot doesn't clean it, and I have run ComboFix and I think the problem is eliminated.
I have the results from the ComboFix analysis if someone wants to see whether it is the correct way or whether I didn't do the right thing.
Thanks.
I don't know if this is the right place for this question, and I'm sorry, my English is not very good.

A:I Have an Infection by Virtumonde

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list ... Read more

Read other 1 answers
RELEVANCY SCORE 45.2

I have been infected with virtumonde. Following instructions from other posts, I downloaded and ran Malwarebytes.
Here is a copy of the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 2

1/7/2009 5:39:08 PM
mbam-log-2009-01-07 (17-39-08).txt

Scan type: Quick Scan
Objects scanned: 54425
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ljJCvSjj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yadzkw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMcdCsq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f87738b-2a9a-4def-9e4e-d4030fa69770} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f87738b-2a9a-4def-9e4e-d4030fa69770} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b81125f-4497-4eb1-aa8c-4928c6330873} (Trojan.Vundo.H) -> Delete on reboot.
H... Read more

A:Virtumonde infection

I rebooted and ran malwarebytes again. Here is the log

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 2

1/7/2009 6:06:31 PM
mbam-log-2009-01-07 (18-06-31).txt

Scan type: Quick Scan
Objects scanned: 54146
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fyikekuv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkowiwakec (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks, Vinny

Read other 10 answers
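The two logs above differ in an instructive way: nothing from the first scan survived under the same name, but a fresh BHO CLSID and two fresh Run values showed up after the reboot. An added example, not part of the thread (Python, written for this page): it parses MBAM 1.x-style log text and compares two consecutive scans, separating entries that persisted (removal simply failed) from entries that are new (something still running re-created persistence under new random names, the usual reading of that pattern). The two sample logs are constructed excerpts that mirror the ones posted above; the regular expressions assume the "item (Threat) -> action." layout shown there.

```python
"""Compare two consecutive Malwarebytes (MBAM 1.x) logs.

Added example for this page, not code from the thread. Assumes the log layout
the thread shows: a header such as 'Registry Keys Infected:' followed by lines
of the form '<item> (<Threat.Name>) -> <action>.' The sample logs below are
constructed excerpts that mirror the two scans posted above.
"""
import re
from collections import defaultdict

# Summary lines ('Registry Keys Infected: 15') carry a count and so do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> dict:
    """Return {section: {item: (threat, action)}} for the detection sections."""
    found = defaultdict(dict)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if item:
            found[section][item.group("item")] = (item.group("threat"), item.group("action"))
    return dict(found)


def compare_scans(before: str, after: str) -> dict:
    """Bucket every detection by what happened to it between two scans.

    persisted     : same section and same path/key in both scans (removal failed)
    new           : only in the second scan (persistence was re-created, usually
                    under fresh random names, so something is still running)
    cleared       : only in the first scan
    needed_reboot : first-scan items MBAM could only schedule for deletion
    """
    b, a = parse_mbam_log(before), parse_mbam_log(after)
    b_items = {(sec, itm) for sec, d in b.items() for itm in d}
    a_items = {(sec, itm) for sec, d in a.items() for itm in d}
    return {
        "persisted": sorted(b_items & a_items),
        "new": sorted(a_items - b_items),
        "cleared": sorted(b_items - a_items),
        "needed_reboot": sorted(
            (sec, itm) for (sec, itm) in b_items if b[sec][itm][1] == "Delete on reboot"
        ),
    }


def verdict(diff: dict) -> str:
    """One-line reading of the comparison for the person doing the cleanup."""
    if diff["persisted"]:
        return "removal failed: the same items are still present after the reboot"
    if diff["new"]:
        return "active re-infection: fresh persistence entries appeared after the reboot"
    return "clean on rescan: nothing from the first scan and nothing new"


# Constructed excerpts mirroring the thread's two logs (not the full logs).
SCAN_BEFORE = r"""
Memory Modules Infected: 2
Registry Keys Infected: 1

Memory Modules Infected:
C:\WINDOWS\system32\ljJCvSjj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yadzkw.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f87738b-2a9a-4def-9e4e-d4030fa69770} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

SCAN_AFTER = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fyikekuv (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    result = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for sec, itm in items:
            print(f"  [{sec}] {itm}")
    print(verdict(result))
```

Feed it the full saved logs (open(path).read()) rather than the excerpts; the "new" bucket is the list of keys and files to hand to whoever is reviewing the thread, because those are the ones written after the supposedly clean reboot.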
RELEVANCY SCORE 45.2

Thanks in advance for any help. I have long used these forums to discover how to remove malware on others' PCs, but tonight I am stumped on my wife's. A Spybot scan continually results in finding a Virtumonde infection; however, I am skeptical that I am actually infected by Virtumonde. I have run the VundoFix.exe program, but nothing was found. I have also scanned with Ad-Aware 2007, but it only found ClickSpring. Other items I have found were outerInfo and Internet Speed Monitor, both of which I have removed using Add/Remove Programs. AVG Antivirus has removed the Lop virus as well as trojans including Win32.Banker, Win32.Small and others that my wife removed without getting the name of.

After all of the above steps, most of which I have performed in Safe Mode, popups still occur in Windows. Here is a HJT log. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:21 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HiJa... Read more

A:Virtumonde Infection?

Hello theMike,

Welcome to Bleeping Computer

Can you please post a log made in normal mode? HijackThis can't see everything it needs to when in safe mode, which means I can't either.

Thanks,
tea

Read other 2 answers
RELEVANCY SCORE 45.2

Hello all and thanks in advance.

A link on Facebook has led to a pretty heinous Virtumonde.dle infection. Multiple scans and repairs later, including Spybot - Search and Destroy tells me the virus is still there and unharmed, as well as my Windows Firewall being compromised (I'm downloading Comodo right now). If you guys could help out, that would be unbelievably helpful.

Many thanks and have a great day.
----
DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 15:46:22.01 on Wed 10/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2731 [GMT -5:00]

AV: avast! antivirus 4.8.1351 [VPS 091007-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\... Read more

A:Virtumonde.prx Infection

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No inp... Read more

Read other 2 answers
RELEVANCY SCORE 45.2

G'day

I have recently downloaded a file which infected my computer with the virtumonde virus.

I use Kaspersky Internet Security and Spybot S&D on Vista 64 with SP1.

Kaspersky reports the file as containing Win32.Monderc.gen (although it didn't until after I had run the file), and every 2nd or 3rd scan reports the virtumonde or Win32.Monderc.gen in \users\...\AppData\Local\Temp\ which i don't seem to be able to permanently remove.

Spybot S&D says that i have the virtumonde virus.

I do not really get any other symptoms except the occasional kaspersky popup asking me to allow a windows rundll to access the internet. Unfortunately i didn't write down which files they were, but i think they were located in the WOW64 folder.

Any help removing would be much appreciated.

Below is the Deckard's System Scanner log, and i've attached extra.txt document.

Cheers
Phil

Deckard's System Scanner v20071014.68
Run by PHildO on 2008-06-30 16:38:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as PHildO.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:58 PM, on 30/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe ... Read more

A:Virtumonde Infection

BUMP, please

Read other 1 answers
RELEVANCY SCORE 45.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:20 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPS... Read more

A:Virtumonde Infection

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed. Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply with a fresh HijackThis log.

Read other 27 answers
RELEVANCY SCORE 45.2

Hello:

I have been pestered with "popup" ads for scamware for various antivirus products. A SpySweeper scan revealed "virtumonde" but it is proving difficult to remove. I have tried: SpySweeper, ZoneAlarm, Kaspersky, ThreatFire, VundoFix, and Symantec Virtumonde Removal Tool without success. These programs seem to detect it, but do not remove it. Kaspersky identified:
G:\WINDOWS\SYSTEM32\gqxjrinv.dll
but will not allow me to remove it after performing a search function. I assume I have some sort of pervasive variant of this trojan. Any help is greatly appreciated!

Results of HijackThis:

Deckard's System Scanner v20071014.68
Run by Tom and Carol on 2008-08-02 16:37:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Tom and Carol.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:30 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32... Read more

A:Virtumonde Infection

Hello KMS and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a ... Read more

Read other 7 answers
RELEVANCY SCORE 45.2

Hello All:

I am very new to all of this posting thing. Sorry if I do something incorrectly. Not my intention. I had a problem with Virtumonde. To start, I have Avast anti-virus, Webroot Spysweeper and ZoneAlarm running on my system. Don't know why they didn't pick up on the virus. By the way, are these good anti-virus/spyware and firewall programs? Anyway, I performed the steps in a post I found on this forum, and below I'm including the logs from the RSIT scan and also the results from the Kaspersky scan. Hope I didn't forget anything. With all this info, is it possible to get this thing completely out of my computer, and will it 'pop up' in a couple days from now? Also, will it be safe to do any secure transactions via internet or no? Thanks in advance to all who contribute to my post. Here's my info:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2008-12-20 08:03:02
Microsoft Windows XP Professional Service Pack 3
System drive C: has 16 GB (11%) free of 146 GB
Total RAM: 1023 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:23 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Prog... Read more

A:Virtumonde Infection

Hello! My name is Sam and I will be helping you. I would not feel safe doing any secure transactions on this computer right now.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The sc... Read more

Read other 17 answers
RELEVANCY SCORE 45.2

My machine was idle and I started to get one of those fake anti virus scan windows. I have had problems with Virtumonde and Vundo, but have cleaned it up, but never sure if it was complete.

This last time, I scanned using Malwarebytes, found some Trojans, let it do its thing and rebooted, which is when I started getting the message about monigula.dll.

I tried running Combofix and Malwarebytes, but it doesn't let me, though the Task Manager shows that they are running. Curiously, I can run IE but not Firefox. I can't run HijakThis, so I am unsure what to do next.

Thanks for any assistance you can give me.

A:Virtumonde Infection

I posted yesterday, but had no responses. I suspect the topic title was not clear enough. Ad-Aware scanned and found Virtumonde. Malwarebytes had found the same thing. After cleaning up most of the problems, it said that I needed to reboot to remove the remaining items. On reboot, I get the window that says "Bad Image - The application or DLL c:\windows\system32\monigula.dll is not a valid Windows image." It does this for almost any application that I open.

If I try to start in Safe Mode, it just keeps taking me back to the regular boot screen. I can't run Malwarebytes or Combofix. I can't run Firefox, yet here I am using IE and Ad-Aware, which identifies the Virtumonde/C and then asks me to reboot.

I would appreciate some assistance in next steps to rid my machine of this pesky thing.

Read other 15 answers
RELEVANCY SCORE 45.2

Hello, I've run adaware and it seems that I've got the Virtumonde, but if I try to remove it, it comes back immediately. It also does things like get rid of my quicktray (bottom left launch buttons) at startup, and it turns off my automatic updates, and other typical popup and browser issues. I've included the DDS logs below. Thanks so much in advance!
DDS (Version 1.0.1) - NTFSx86
Run by Eliot at 19:45:09.21 on Mon 12/15/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2201 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:... Read more

A:Virtumonde Infection

Hello dr_udders,Sorry about the delay. If you still need help, please post a new log to make sure nothing has changed, and I'll be happy to look at it for you.Thanks,tea

Read other 11 answers
RELEVANCY SCORE 45.2

Spybot finds Virtumonde and Win32.BHO.je. I have gone through the recommended five steps. Here are my HJT and ActiveScan logs. Note that ActiveScan did not help with disinfection.
PLEASE HELP


HJT
----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:20 PM, on 15/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Sony\VAIO Center Access Bar\VCAB.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Java\jre1.6.0\bin\juche... Read more

Read other answers
RELEVANCY SCORE 45.2

Ugh, can't get rid of "virtumonde" malware which causes popups. Tried adaware + spybot, both can't permanently get rid of it. Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:06 AM, on 12/3/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\WINDOWS\System32\IoctlSvc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\AIM6\aim6.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
H:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
H:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
H:\Program Files\AIM6\aolsoftware.exe
H:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\System32\HPZipm12.exe
H:\Program Files\AIM... Read more

A:Virtumonde infection, HJT log.

bump!

I'm dying here, tried a lot of stuff that ain't working.
 

Read other 2 answers
RELEVANCY SCORE 45.2

I've been trying to remove a Virtumonde infection for a week or so, ever since I accidentally ran an executable that was masked as a video file. I've been running scans with Ad-Aware, which finds nothing, and with Spybot S&D as well as Malwarebytes Anti-Malware, which find multiple Virtumonde entries and (apparently) successfully remove them, only to see them reappear on further scans. Both VundoFix and VirtumondeBeGone failed to find any infection. Any help would be greatly appreciated.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:44 PM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system\wcdvtray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Lo... Read more

A: Virtumonde Infection

Hi, I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first. I notice that you never scanned with an Antivirus previously before starting this thread, because you don't even have an Antivirus installed! This is somewhat suicidal in today's digital world. That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/ This is a free Antivirus.
Perform a full scan with Avira and let it delete everything it is finding. Then reboot.
After reboot, open your Avira and select "reports". There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

Also, I see you have Viewpoint installed... Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
Viewpoint
Viewpoint Manager
View...

Ok, I have tried quite a few things to no avail. Then I found you guys. I have been infected with Virtumonde and probably quite a few other things because of it. My little brother came over and wanted to go to Myspace and did.... almost immediately I began having pop ups and fake warnings. My Cox cable spyware catcher went nuts, then Virtumonde captured it. That is the background info.

Upon reading your answers to people, I downloaded "combofix" and ran it. It helped a lot. Then I turned the computer off, awaiting your help from there. Below is the combofix log.

Thanks for your help.

ComboFix 08-01-31.1 - main 2008-01-30 21:39:26.1 - NTFSx86
Running from: E:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

A: Virtumonde Infection

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems. Apologies for the late response; as I'm sure you can appreciate, we are extremely busy.
If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.
If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
If you still require help, please post a new HijackThis log into this topic in your next reply. Also post a detailed description of the issues you're experiencing.
*Note* Post all reports/logs directly into this topic, not as attachments, thanks.

Spybot and Ad-Aware recognize it as Virtumonde but neither cleans it completely. Even cleaned out the boot startup stuff in Sysinternals Autoruns and deleted suspect DLL files running in Linux but they still came back. The pop ups are so bad I'm entering this from another computer. Ran RSS and then HJT. Here are the logs. Thanks in advance...

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:53 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

A: Virtumonde Infection

Hi, Welcome to Bleeping Computer Forums! My name is Renato Mejias, and I will help you to solve your problems. You might want to save this page on your favorites, so you can find it again when you return.
Please take note of the following:
I will be handling your log and helping you, please do not make any system changes yet.
The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
The fixes are specific to your problem and should only be used for this issue on this machine.
If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
Please reply to this thread. Do not start a new topic.

Spybot and Ad-Aware both detected Virtumonde in my system. But when I downloaded VundoFix, it doesn't detect the infection. So what I did was to download VirtumundoBeGone, but the same thing happened. It doesn't detect anything. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:07 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

A: Virtumonde Infection

Welcome to the BleepingComputer HijackThis Logs and Analysis forum gian0819. My name is Richie and I'll be helping you to fix your problems.
You have Avast4 and AVG7 installed. It's definitely not a good idea to have more than one antivirus program installed on your computer. Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities. It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other. You should uninstall one of them now, then restart your pc.
With you having Service Pack 2 installed I'm presuming you're using the Windows Firewall. You may be behind a hardware firewall (router), but it wouldn't hurt to install a third party software firewall to enhance protection.
A word of warning regarding the Windows Firewall in Service Pack 2: it only filters INCOMING traffic. That means if malware happens to compromise your PC, it will be able to SEND OUT your credit card data, and any other personal information. I suggest you install a more robust third party firewall that filters both INCOMING and OUTGOING traffic.
Download\install one of the following freeware firewalls from below:
Sygate Personal Firewall Free Edition: http://www.filehippo.com/download_sygate_personal_firewall/
Zone Alarm Free: http://download.zonelabs.com/bin/free/1001..._737_000_en.exe
Comodo Personal Firewall: http://www.personalfirewall.comodo.com/
Outpost Firewall Free: htt...

Happy New Year (but not for my computer)

I appear to have a virtumonde infection and from perusing the web, it sounds like one needs special help to get rid of it. I would greatly appreciate the help. I've tried to do my homework, but I'm a newbie with some of this stuff. Per the instructions on this site I tried to run the DDS script, but it wanted to open in Internet Explorer, and it didn't seem to do anything from that point? If you have further instructions for me, please let me know.
Instead I've attached a HJT log file to get started.

Thanks for any help

A: Virtumonde infection

OK, I finally got the DDS to run, don't know what finally worked. The results are attached.
Some more details (my last post was a little short because I suddenly started getting IE popups like mad; I use Firefox). I suspected something was up with my computer about Dec. 22 and started taking some actions like updating and running Spybot and AdAware. My computer is on a network at work, and is set up with McAfee VirusScan. Whenever I've opened it to check to see if it is functioning properly it always said that it checks for updates daily and runs full scans at 5am (I don't always leave my computer on, but occasionally I do to let the scans happen). However, at this point I was getting suspicious because of the behavior of my computer. It turns out that it hadn't been updated in about a year, which is why I'm guessing I got the trojan in the first place. I was used to using AVG, previous to working here, and appreciated the reminders when things weren't current (but that's another story). McAfee, Spybot and AdAware have all been detecting and deleting Virtumonde entries since then. I've been getting some random popups, and usually they seem to go to dead links. Today has been bad as the IE popups come so fast that I can barely keep up.

From browsing other posts, the stuff you all do is incredible, wish I could contribute.

Hi,

I had tried to clean the Virtumonde infections a few times with Ad-Aware, Spybot and Kaspersky. However, whenever I restart the computer the infections would just come back. Please advise how to get rid of such infections.

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:38, on 2008-1-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

A: Virtumonde Infection... Please Help

Can anyone help? Prevx also detected some malware.
Hi People

Have typed this twice now as must have been kicked last time?

I am having the same problem as "turbinestress" with constant pop ups and strange leaps to other websites?
Panda found Virtumonde but did not remove it? I have not been able to set up antivirus on the machine due to VERY slow and STOP browser?
Unable to use the update service either and have used Services.msc to start but get error 1058 even when activating BITS?

Will install antivirus later tonight if possible!!!

Have just been able to install IE7 also but that's it really.

I pasted both reports as could not attach?

Thanks in advance
Peter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:24:28, on 19/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Hello BleepingComputer Team. This is my first post and I hope you can help me. My PC is infected with Virtumonde and I am having a hard time getting rid of it. (Go figure, right?) Upon startup I am getting two error messages:
1) Windows cannot find "logon.exe"
2) Error loading C:/windows/system32/(some random .dll file)
Adaware keeps picking up Virtumonde running in the background, but every time it is deleted it comes back and Adaware picks it up and tries to delete it again. I've tried Malwarebytes, but can't get it to run after installation. It says it can't find mbam.exe. I think this is because of Virtumonde, or so I've read. I have enclosed my HijackThis log. I know you guys can help. Thanks a lot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:08 PM, on 11/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

A: Virtumonde Infection!!!

Hello

Install Recovery Console and Run ComboFix
Download ComboFix from any of the links below, and save it to your desktop. Link 1, Link 2, Link 3
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Close any open windows, including this one.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If you did not have it installed, you will see the prompt below. Choose YES.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that wi...

I had an infection on one of my computers and I used Spybot and SUPERAntiSpyware to scan and it showed me Virtumonde and several other malware infections that I promptly removed. I did this while I had all internet devices disabled, and kept scanning until it found nothing else. My problem is now the computer is going very slow, and so are webpages under IE and Firefox. Also I'm unable to install some programs like ZoneAlarm and JavaRE.

Here is the HijackThis log, now updated now that I have gotten Zone Alarm to install and disabled TeaTimer and uninstalled Uniblu.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:50 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

A: Virtumonde Infection

Just to clarify, I got Zone Alarm to install but the computer is still running way slower than it used to and the internet is barely responsive, and every once in a while when I scan it comes up with something new, so obviously there must be remnants on my computer.

I've tried everything I can think of, thanks for your help. I've attached my DDS and Kaspersky scans.

DDS (Version 1.1.0) - NTFSx86
Run by bob at 20:06:25.40 on Wed 12/24/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.536 [GMT -8:00]
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

A: another Virtumonde infection

Hello flyinmonky, I apologise for the delay, the forum is extremely busy. I will be assisting you with your malware issues.
Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck in there please reply to me. I will try my best to help you!
Please bookmark or favourite this page, in case you need it as reference or etc.
If you fail to reply in a 5 day period from now, this thread will close, and you will have to open another topic, and wait for another helper.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop. Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted. Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

I've run Spybot several times and it always finds this Virtumonde infection, even if it was removed before. Thanks a lot.
DDS (Ver_09-05-14.01) - NTFSx86
Run by Igor at 19:28:21.12 on Mon 05/18/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.125 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

A: Virtumonde infection

Hello iggi916,

Uninstall Spybot - Search & Destroy 1.4 as it is ancient. Do not install Spybot TeaTimer when you download Spybot, as that will interfere with our fixes. Please download, update and run Spybot 1.6.2.

I see Viewpoint installed. Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
Viewpoint
Viewpoint Manager
Viewpoint Media Player
If you uninstalled, please navigate to and delete the following folder: C:\Program Files\Viewpoint

*****************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13. Click the "Download" button to the right. At the Select Platform and Language for your download drop down box select Windows and Multi-Language. Check the box that says: "Accept License Agreement" then press Continue (Selecting Windows will give you the 32 bit version.) The page will refresh. Click on the link to download Win...

Hi guys,

Yesterday McAfee suddenly detected the virtumonde.sdn trojan on my computer, amongst other things and my browser was intermittently hijacked, so I downloaded spybot and removed whatever it found in a routine scan (in addition to what McAfee immediately removed following a full scan).

There were no more hijacking problems, although the internet seemed to be running a bit slower than usual.

I wanted to check if the problem would be resolved on restart, but after initially booting up in normal mode, the comp powers off due to overheating. I have a Dell Inspiron 6400 notebook (2GHz processor, 2GB RAM, running XP SP2) and it has overheated a handful of times over the last 2 years.

Alternatively, once McAfee has loaded, it gives an error message and the blue Windows error screen came up following boot up:

A few different error messages, including: page fault in nonpaged area

Instructions to disable BIOS memory options such as caching and shadowing

Stop: 0x00000050(0xC0000005, 0xB08CD92D, 0xAD43CFB4, 0x00000000) amongst other similar errors

I attempted to boot in safe mode with networking for internet access, but that caused a shutdown too, and I wasn't able to access the internet in any case.

A boot in safe mode offered a little more time and I was able to run HijackThis, and SpyBot, but I have no way of getting the HijackThis log from here.

I also ran the onboard diagnostics utility, which showed no problems with memory etc.

I'm suspecting this is still v...

A: Virtumonde Infection

This has happened to me when trying to clean clients' computers with McAfee installed; in normal mode the infection and McAfee render the computer unusable. You will need to work from safe mode and use a clean computer to download files and fixes and then transfer to the infected computer.
This program will protect the clean computer and a usb drive.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder... it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

I believe that I may be infected with Virtumonde. I am running Windows XP and I'm constantly getting tons of pop ups. Initially when it happened my homepage and desktop were hijacked. I installed Webroot Spysweeper with anti-virus, and while it has helped a lot it has not completely removed it. The desktop still occasionally gets hijacked (red background, biohazard symbol, saying I'm infected) and still lots of pop ups. When I run a scan with Spysweeper, it detects Virtumonde every time and says that it is quarantining it, it still seems like it is working. I've tried running the Kaspersky online scan a couple of times but it keeps saying that the scan has failed. Below is my DSS report. Thanks in advance for your help.

Deckard's System Scanner v20071014.68
Run by Doug on 2008-05-24 22:57:57
Computer is in Normal Mode.

A: Possible Virtumonde Infection

Hi, I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first. I notice that you never scanned with an Antivirus previously before starting this thread, because you don't even have an Antivirus installed! This is somewhat suicidal in today's digital world. That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/ This is a free Antivirus.
Perform a full scan with Avira and let it delete everything it is finding. Then reboot.
After reboot, open your Avira and select "reports". There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

I tried BeGone and VundoFix without help. I discovered it with Ad-Aware, but I could not clean it. I run NOD32. Here is my HJT log, please help.

Logfile of HijackThis v1.99.1
Scan saved at 7:43:53 AM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

A: Virtumonde Infection

Hi sendero

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.
Please read the instructions you'll get. It will ask you to shutdown your system using the power button instead of the normal shut down procedure.

* Open HijackThis, click 'config' (bottom right). Choose the tab 'Misc Tools' on top. Choose 'delete a file on reboot'. In the field, copy and paste next:
C:\WINDOWS\SYSTEM32\winuqw32.dll
Click open. HijackThis will tell you that this file will be deleted on next reboot and if you want to reboot now. When asked if you want to reboot now, say No.

* Open notepad and copy and paste next in it:
sc delete IUWAKKBS
sc delete PrevxAgent
Save this as fix.bat. Choose to save as all files. This is how the batch must look afterwards:
Doubleclick fix.bat and copy the contents of the text file that opens back here.

Please download VundoFix.exe to your desktop.
Double-click VundoFix...

Hi Chaps,

I'm doing my best to help my Dad out with his PC which seems to be infected with the Virtumonde trojan. I've run a whole variety of removal tools all of which were unsuccessful (including the removal advice on this forum). Please find below my HJT log run whilst on a regular boot:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:42, on 03/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

A: Another Virtumonde Infection....

Hello Adam PV and welcome to BC. My name is SNOWHITE and I will be helping you with your Malware problem. Please follow the steps below exactly in the order they are written:

Step #1
Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {FDED1C12-AD76-613C-344C-A3BD5C6415B2} - C:\PROGRA~1\COMMON~1\System\D_4362.dll
O2 - BHO: (no name) - {FDED2C12-A476-A13C-3B4C-A3BD546415C2} - C:\PROGRA~1\COMMON~1\System\D_4362.dll
Now close all windows other than HiJackThis, then click Fix Checked.

Step #2
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links: Link1 Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note: Combofix should never take more than 20 minutes including the reboot if malware is detected. If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of find... Read more
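As an added illustration (not part of SNOWHITE's reply, and not a feature of HijackThis itself), the following Python script parses the O2 (Browser Helper Object) lines of a HijackThis log and flags the pattern visible in the two entries above: a BHO registered with no name, and one DLL registered under more than one CLSID, so that fixing only one of the entries leaves the other alive. The sample log is constructed for the example; the third O2 line and its CLSID are invented for contrast, and the "shared directory" check is an assumed heuristic rather than a rule from the tool.

```python
import re
from collections import defaultdict

# Constructed sample. The first two O2 lines reproduce the entries SNOWHITE
# asked to fix; the third is an invented benign-looking entry (made-up CLSID)
# so the heuristics have something to leave alone.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {FDED1C12-AD76-613C-344C-A3BD5C6415B2} - C:\\PROGRA~1\\COMMON~1\\System\\D_4362.dll
O2 - BHO: (no name) - {FDED2C12-A476-A13C-3B4C-A3BD546415C2} - C:\\PROGRA~1\\COMMON~1\\System\\D_4362.dll
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
"""

# O2 line shape: "O2 - BHO: <name> - {<CLSID>} - <path to DLL>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)

# Shared directories where a BHO DLL with no product folder of its own is
# worth a second look (assumed heuristic, not a HijackThis rule).
SHARED_DIRS = ("\\common~1\\system\\", "\\common files\\system\\", "\\system32\\")


def parse_bho_entries(log_text):
    """Return (name, clsid, path) for every O2 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(
                (m.group("name").strip(), m.group("clsid").upper(), m.group("path").strip())
            )
    return entries


def flag_suspicious_bhos(entries):
    """Map CLSID -> list of reasons for every entry that trips a heuristic."""
    reasons = defaultdict(list)
    clsids_by_dll = defaultdict(list)
    for name, clsid, path in entries:
        lower = path.lower()
        clsids_by_dll[lower].append(clsid)
        if name.lower() == "(no name)":
            reasons[clsid].append("BHO registered without a name")
        if any(d in lower for d in SHARED_DIRS):
            reasons[clsid].append("DLL lives in a shared system directory: " + path)
    # One DLL behind several CLSIDs: the add-on survives if only one is fixed.
    for dll, clsids in clsids_by_dll.items():
        if len(clsids) > 1:
            for clsid in clsids:
                reasons[clsid].append(f"same DLL registered under {len(clsids)} CLSIDs")
    return dict(reasons)


def hjt_fix_lines(log_text):
    """Return the original O2 lines to tick in 'Do a system scan only'."""
    flagged = flag_suspicious_bhos(parse_bho_entries(log_text))
    return [
        line
        for line in log_text.splitlines()
        if (m := O2_RE.match(line.strip())) and m.group("clsid").upper() in flagged
    ]


if __name__ == "__main__":
    for clsid, why in flag_suspicious_bhos(parse_bho_entries(SAMPLE_LOG)).items():
        print(clsid, "->", "; ".join(why))
    print("\nLines to fix:")
    print("\n".join(hjt_fix_lines(SAMPLE_LOG)))
```

Run it against a saved HijackThis log by passing the file contents to hjt_fix_lines; the returned lines are exactly the ones to tick before clicking Fix Checked. Because the DLL itself is still on disk after the registry entries are removed, the file-level steps in the reply (ComboFix, or a delete-on-reboot) remain necessary.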


I ran vundofix also and it cleaned some files.. however i believe this pc is still infected.

any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:21:19 PM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\yair zur\Desktop\VundoFix(2).exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\puppy.exe

R1 - HKCU\Software\Microsoft\Internet Explore... Read more

A: Virtumonde infection


Hello, I have followed all of the steps requested in the "Read this Post first" section. I have an infection that I believe is called Virtumonde. I have run Windows Defender, Microsoft Safety Scan, VundoFix and MalwareBytes all to no avail. I have a basic working knowledge of computers but this is far beyond my scope. Any help you can offer would be greatly appreciated.

Here are the results of the DDS scan requested:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Michelle Grimes at 18:47:11.23 on Mon 04/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.239 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGR... Read more

A:Virtumonde infection

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1 Link 2 Link 3
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.
