
View Full Version : Deleting .dll's from Tools-System Start Up



Twonk
2007-02-19, 22:29
Hi, I have the remnants of some dodgy .dlls in System Start Up that were associated with a Virtumonde virus I had a while ago; they are still there in bold despite seemingly having been cleaned off everywhere else on the system (I hope).

I have tried deleting them from within S&D tools - system start up but they won't go away!

Please advise how to delete them, or whether I should just ignore them. I have daily anti-virus and anti-spyware scans set up (AVG), updated S&D last week and did a full scan, and no problems are detected.

Thanks,

spybotsandra
2007-02-20, 11:06
Hello,

Please download the latest detection update (2007/02/14):
http://www.safer-networking.org/en/download/index.html
This should fix it.
Or choose the direct installation file:
http://www.safer-networking.org/updates/files/spybotsd_includes.exe

If this doesn't solve the problem, please send us your *complete* Spybot bug report: run Spybot - Search & Destroy and switch to Advanced Mode via the menu item Mode, let it scan, try to fix the problems (!) and then go to "Tools --> View Report". Tick all 10 checkboxes you can find there (leave "Do not report disabled or known legitimate items" unchecked) and click on "View Report". Now choose "Export" and save the file to your desktop. Please attach this file to your email and send it to detections(at)spybot.info.

Best regards
Sandra
Team Spybot

Twonk
2007-02-20, 11:59
Hi Sandra,

Thanks for replying; perhaps I haven't explained myself very well.

I have already removed the .exe that was reproducing the .dlls and deleted the .dlls from my system, and the virus no longer appears to be present; MS Process Explorer and the AVG anti-virus/spyware software show no traces of the .exe or the .dlls.

My query is why the .dlls still appear ONLY in Spybot's Tools/System Start Up and can't be deleted from there. Having said that, they don't seem to be doing any harm; they are unchecked and nowhere else to be found on my machine, which is strange.

Hope that explains it better,

PS. I updated and ran a Spybot scan a couple of days ago; no threats found.

Twonk
2007-02-20, 22:26
Bump anyone?

Twonk
2007-02-22, 10:19
Bump again :-)

spybotsandra
2007-02-22, 11:31
Hello,

It seems like there is still something left.
Perhaps you have just deleted the startup .dlls and there are still some active processes. A report would help.

Best regards
Sandra
Team Spybot

Twonk
2007-02-22, 12:01
Hello,

Thank you,
I can see no active processes anywhere. MS Process Explorer shows none of these .dlls; it did when the Lop.AH pop-up warning was happening, but now it all seems gone, except that the .dlls are still showing in Spybot's Tools/System Start Up (NOWHERE ELSE!). That's what confuses me (they are bold and unchecked).

What report would help you understand this better?

spybotsandra
2007-02-22, 13:34
Hello,

Please download HijackThis: http://www.downloads.subratam.org/hijackthis.zip
Double click HijackThis.exe.
Just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Please mail that log to our detectives at detections(at)spybot.info.

Best regards
Sandra
Team Spybot

Twonk
2007-02-22, 14:40
Hello,

My HJT log is clean; that is why I am asking why the .dlls are still showing in Spybot's 'Tools' > 'System Start Up' even though the Trojan Lop.AH .exe program and the .dlls it produced have been killed.

PS. I have also cleared volume information to make sure nothing is hidden in there. As far as I can tell my PC is clean apart from these 'dead' .dlls in Spybot's System Start Up; as I say, they are absolutely nowhere else to be seen. Does the snapshot need refreshing or something?

md usa spybot fan
2007-02-22, 19:12
Twonk:

If you would like an answer to your question, I fail to understand why you are refusing to provide any of the reports that spybotsandra (http://forums.spybot.info/member.php?u=5) requested or even name the .dll file(s) that you are unable to delete from Spybot's System Startup listing.

In the first response to your post, spybotsandra (http://forums.spybot.info/member.php?u=5) asked for a SpybotSD.Report that would have shown the System Startup entries that you are trying to delete as well as other information about your system. You dismissed her request with:

  "... perhaps I haven't expained (sic) myself very well."

  "... I updated & ran spybot scan couple of days ago no threats found."

The fact that you ran Spybot and found no threats has nothing to do with providing the information required to trace the source of your problem.

If you would like to get to the bottom of the problem that you are having, I strongly suggest that you follow the instructions that spybotsandra (http://forums.spybot.info/member.php?u=5) posted here:
http://forums.spybot.info/showpost.php?p=70713&postcount=2
As an alternative, you can trace the source of the startup entry in Spybot's System Startup listing by looking at the following guide, which indicates where startup entries can be located, and trying to figure out why the entry cannot be deleted or is re-establishing itself:
A Collection Of Autostart Locations, by Tony Kleinkramer
http://forums.subratam.org/index.php?act=ST&f=29&t=1063

A printable version of the same topic:

A Collection Of Autostart Locations, by Tony Kleinkramer
http://forums.subratam.org/index.php?act=Print&client=printer&f=29&t=1063

Twonk
2007-02-23, 00:21
I am not refusing or dismissing anything. What I am aiming at is a quick response as to why Spybot is STILL showing 6 system.ini files that no longer exist. My HJT log is clean, my PC is clean; further, 74 pages of a Spybot report is not funny, least of all helpful, when I learnt nothing new from it. I doubt you would either; that's why I thought I would save you the trouble :-)

For your information, the 'system.ini's' Spybot lists in bold as disabled in start up are:

awtqqro.dll
fccdayy.dll
hggefc.dll
khfdaxv.dll
ssqpqqo.dll
vtuttuv.dll
WRLogonNTF.dll

Again, these files are NOwhere else on my machine other than in Spybot, and they are located in system.ini; is that even a valid location in XP?

md usa spybot fan
2007-02-23, 06:30
  "Again these files are NOwhere else on my machine other than spybot, and located in system.ini is that even a valid location in XP?"

Look in the subkeys of the following registry key for DLLName:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Note: WRLogonNTF.dll is used by Webroot Spy Sweeper 4.5.

From the reference I provided:
A Collection Of Autostart Locations, by Tony Kleinkramer
http://forums.subratam.org/index.php?act=ST&f=29&t=1063

3. System.ini

Windows 95/98/Millennium:

[boot]
Shell=Explorer.exe file.exe


Windows XP/NT/2000

During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, to determine the name of the executable that should be loaded as the Shell.

By default, this value specifies Explorer.exe.

This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER).

Example of malware using this startup method:

http://www.symantec.com/avcenter/venc/data...or.nithsys.html
http://www.symantec.com/avcenter/venc/data...oor.nibu.h.html
http://www.trendmicro.com/vinfo/virusencyc...L%2EBDD&VSect=T
http://securityresponse.symantec.com/avcen...dss.trojan.html


Additionally, Explorer.exe is searched by the system at boot, starting from the root C:\ and finishing at C:\windows\explorer.exe

If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without any notice from the user.

27. Winlogon\Notify (Win XP/2000/NT)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Another well-known registry key that is added to in order to communicate with Winlogon.exe and let it know which procedures to run during an event notification; examples of malware using this technique:

http://vil.nai.com/vil/content/v_100441.htm
http://sarc.com/avcenter/venc/data/pf/adware.look2me.html
http://www.sophos.com/virusinfo/analyses/trojhaxdooru.html
http://www.symantec.com/avcenter/venc/data/w32.naras.html
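The two autostart points quoted above (the Winlogon "Shell" value, section 3, and the Winlogon\Notify subkeys, section 27) can be checked from a PowerShell prompt without a third-party tool. The script below is an added example written for this thread, not code from Spybot or from the guide; it reads the Shell value in both HKLM and HKCU, then walks every subkey under Winlogon\Notify, reads its DLLName value and reports whether the DLL actually exists on disk. A Notify DLL given as a bare file name is loaded from System32, so that is where a bare name is resolved here. The script also looks at any sibling key whose name starts with "Notify" (such as a "Notify Disabled" key where a tool may have parked disabled entries); that sibling-key check is an assumption made for this example, not documented Windows behaviour. Run it elevated on XP/2000/2003 (later Windows versions no longer use Winlogon Notify packages).

```powershell
# Added example (not from the original post): audit the Winlogon autostart
# points discussed above and flag DLL registrations whose file is missing.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32    = Join-Path $env:SystemRoot 'System32'

# 1. The Shell value (section 3). Only explorer.exe is expected here; anything
#    else, or an extra program appended after explorer.exe, deserves a look.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key   = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) {
        $flag = if ($shell.Trim() -ieq 'explorer.exe') { '' } else { '   <-- not the default' }
        '{0} Shell = {1}{2}' -f $hive, $shell, $flag
    }
}

# 2. Winlogon\Notify subkeys (section 27), plus sibling keys named "Notify*"
#    (assumed location for entries a tool has disabled rather than deleted).
$report = Get-ChildItem -Path $winlogonKey |
    Where-Object { $_.PSChildName -like 'Notify*' } |
    ForEach-Object {
        $parent = $_
        Get-ChildItem -Path $parent.PSPath | ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
            if (-not $dll) { return }   # subkey without a DLLName value: nothing is loaded from it

            # A bare file name is loaded from System32; a full path is used as given.
            $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }

            [pscustomobject]@{
                Key      = '{0}\{1}' -f $parent.PSChildName, $_.PSChildName
                DLLName  = $dll
                Resolved = $resolved
                OnDisk   = Test-Path -LiteralPath $resolved
            }
        }
    }

$report | Format-Table -AutoSize

# Orphaned registrations: the key still points Winlogon at a DLL that is gone.
# These are the entries a startup-list tool keeps showing after the file itself
# was deleted; remove the subkey (after exporting the key with reg.exe) e.g.:
#   Remove-Item -Path "HKLM:\...\Winlogon\Notify\<subkey>" -Recurse
$report | Where-Object { -not $_.OnDisk } | ForEach-Object {
    'Orphaned Notify entry: {0} -> {1}' -f $_.Key, $_.DLLName
}
```

Back up the Winlogon key first (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon-backup.reg`), because deleting a Notify subkey that belongs to a legitimate product (such as the WRLogonNTF.dll entry from Webroot Spy Sweeper mentioned above) only breaks that product's logon hook, but deleting the wrong thing under Winlogon can stop the desktop from loading.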

Twonk
2007-02-23, 09:21
Look in the subkeys of following registry key for DLLName:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Note: WRLogonNTF.dll is used by Webroot Spy Sweeper 4.5.


Hmmm, Spy Sweeper was uninstalled weeks ago?

And NONE of the .dlls I listed above, nor Webroot, are anywhere in the registry either?

I am beginning to think what we have is a problem with the Spybot application itself. I have uninstalled it, as it is past being useful for me. Thank you for all your help.

md usa spybot fan
2007-02-23, 20:49
I was going to suggest that you refresh/create the Spybot's snapshot of the startup list by going into Spybot > Mode > Advanced mode > Tools > System startup > then right clicking on the listing and selecting "Create snapshot" as you asked about in the following post:
http://forums.spybot.info/showpost.php?p=71127&postcount=9
But since you indicated that you have uninstalled Spybot because "... it is past being useful for me.", I guess that suggestion comes too late.

Twonk
2007-02-23, 21:54
:oops: I owe you guys an apology; the .dlls were there after all, but in the folder 'Notify Disabled' just under 'Notify' (Durr).

Suffice to say I reinstalled Spybot to check that the registry edit had worked, and it has; all the .dlls are vanquished once and for all *cheers*

This virus has frustrated yet intrigued me at the same time, and in hindsight, without Spybot I couldn't have won this battle. I have made a small donation via PayPal to show my gratitude and best intentions.

Keep up the good work folks, must go the humble pie is getting cold :)