cannot remove virtumonde with spybot, very frustrated--now on 2 computers



prairiegirl
2009-06-07, 07:04
I have this on my desktop and laptop now; on the laptop, a search box kept on reopening spontaneously & kept flashing, would not close down; I ran Sophos, malaware and Spybot (version 1.5.2.20) - only Spybot found the Virtumonde at <c:\windows\system32\zipfld.dll> file; I followed instructions to fix problem after disconnecting the internet but as soon as Spybot finishes scanning, it again points to the same file that Virtumonde is apparently inserted; the initial instructions said to reboot the computer after scanning with Spybot, and when I did, a repetitive beep sounds after rebooting the laptop;
Unfortunately I have the same problem on my desktop, and there the user profiles for 2 users in the family have been deleted. Previously a different user profile was deleted but it has shown up again- probably after one of the reboots.

I backed up files from the desktop on an external hard drive (although one wonders if they are contaminated as well) but haven't yet backed up the laptop.

I read the instructions about downloading ERUNT on this forum to backup the registry but it makes me nervous as the site one is directed to has many potential downloads on the page and they are at a url that I am not familiar with-- when I tried to download from the first page no download appeared but I was directed to try to download from the next page --is this a safe place to go to and which one to choose--ERUNT1.1j --big red free download box or a smaller red box-- will I simply be picking up another trojan???

don't feel very trusting now and have killed 2 work days

also don't see how to get to files of spybot scan activity reports into this forum either

what to do????

prairiegirl
2009-06-07, 08:01
I figured out how to get my last Spybot scan analysis in here

Is my problem posted in the correct place?


--- Search result list ---
Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-05-28 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-10-22 Tools.dll (2.1.6.8)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-02 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-06-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-06-02 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-02 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-06-02 Includes\Trojans.sbi (*)
2009-06-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft

pskelley
2009-06-08, 12:54
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions.

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.

I have this on my desktop and laptop now
I really can say since it appears you have yet to read the directions. I can only work on one computer per thread and if the computers were networked it's possible they are both infected? I don't know if I would have asked for a Spybot report or not, but as you can see in the directions, we start with a HijackThis log.

I am wondering, when you ran Spybot S&D, why did you do nothing with the junk it found?
--- Search result list ---
Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll

I am also wondering why you are running an out of date version?
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---


If you want me to try and help, start like this.

1) Read the directions

2) Make sure TeaTimer is not running.

3) Post the HJT log required.

4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

pskelley
2009-06-14, 14:20
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.