Virtumonde.dll and .sdn can't be removed



ma02shi
2010-11-30, 16:45
Hello,

I ran Spybot and it found the Virtumonde.dll infection.
A window appears suggesting to run Spybot also when booting.
In both cases the infection is not removed and still appears when running
Spybot. Until this morning I didn't see anything wrong with my computer.

This morning, any document that I tried to see, or any site that I tried to connect to, I saw only a mess of letters on the screen, and I could barely do anything on the computer. Everything was stuck.

I rebooted the computer, and ran Spybot during reboot. Still, receiving Virtumonde.sdn.
So far, I can't see a problem. Maybe it's because I didn't run IE yet?

Any help will be appreciated,
Thanks.

P.S. I attach a .rar file instead of .zip file because I don't have zip.
I hope this is ok.


Here is the spybot log:
----------------------
Virtumonde.dll: [SBI $DB0322C4] Library (File, fixed)
C:\WINDOWS\system32\mfc40.dll
Properties.size=924432
Properties.md5=8F4CE043F4F6401EB05D21E8EC16D566
Properties.filedate=998568000
Properties.filedatetext=2001-08-23 14:00:00

Virtumonde.dll: [SBI $4792FFB9] Library (File, fixed)
C:\WINDOWS\system32\mfc40.dll_tobe_deleted
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

DoubleClick: Tracking cookie (Firefox: xxxx yyyy (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: xxxx yyyy (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: xxxx yyyy (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: xxxx yyyy (default)) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-06-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-10-12 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-09-22 Includes\Dialer.sbi (*)
2010-10-12 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-16 Includes\Hijackers.sbi (*)
2010-11-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-10-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-09-13 Includes\Malware.sbi (*)
2010-11-23 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-10-12 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-10-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-10-26 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-11-02 Includes\Trojans.sbi (*)
2010-10-12 Includes\TrojansC-02.sbi (*)
2010-10-12 Includes\TrojansC-03.sbi (*)
2010-10-12 Includes\TrojansC-04.sbi (*)
2010-11-24 Includes\TrojansC-05.sbi (*)
2010-11-23 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

====================================================

Here is the DDS:
----------------
DDS (Ver_10-11-27.01) - NTFSx86
Run by xxxx yyyy at 16:27:30.20 on Tue 11/30/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.1790.896 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\xxxx yyyy\Local Settings\Temporary Internet Files\Content.IE5\NL8LMIN0\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ynet.co.il/home/0,7340,L-8,00.html
uURLSearchHooks: Radio Israel Toolbar: {889eb3f6-f16b-4bc0-bc81-9c407c8a3240} - c:\program files\radio_israel\tbRad2.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Radio Israel Toolbar: {889eb3f6-f16b-4bc0-bc81-9c407c8a3240} - c:\program files\radio_israel\tbRad2.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Radio Israel Toolbar: {889eb3f6-f16b-4bc0-bc81-9c407c8a3240} - c:\program files\radio_israel\tbRad2.dll
uRun: [MP4 Player] "c:\program files\mp4 player\mp4Player.exe" hmw
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [%FP%012-L2TP fts.exe] "c:\program files\012net\012net-cable dialer\fts.exe"
mRun: [%FP%012-L2TP FWPortal.exe] "c:\program files\012net\012net-cable dialer\FWPortal.exe" -no_dialog
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [sysgif32] c:\windows\temp\~TM37.tmp
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: {8CADDAA8-8F50-443B-A036-A64CB328DC3D} = 80.179.52.100 80.179.55.100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xxxxyy~1\applic~1\mozilla\firefox\profiles\ts9ex8x9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.il/
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-21 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-20 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-20 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-20 61960]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\system32\drivers\USR1806.SYS [2009-6-16 793598]
S2 gupdate1c9e6154bdb26c8;שירות Google Update (gupdate1c9e6154bdb26c8);c:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [2005-9-7 17230]

=============== Created Last 30 ================


==================== Find3M ====================

2010-10-10 14:39:45 1200 ----a-w- c:\windows\system32\ressfsee.dat

============= FINISH: 16:27:47.18 ===============
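
As an added triage aid (not part of the original post, and not a Spybot or DDS tool), the script below parses the Spybot log entries shown above into records and checks two things a practitioner would look at before deciding what to do with such a detection: whether a flagged file is actually a zero-byte leftover (the second entry's MD5 is the digest of empty input, so there is nothing in it to analyse), and whether the epoch `Properties.filedate` agrees with `Properties.filedatetext` under the GMT+2 offset the DDS header reports. The sample log text is constructed from the entries in this post; the function and variable names are my own.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two file entries from the Spybot log in this post.
SAMPLE_LOG = r"""Virtumonde.dll: [SBI $DB0322C4] Library (File, fixed)
C:\WINDOWS\system32\mfc40.dll
Properties.size=924432
Properties.md5=8F4CE043F4F6401EB05D21E8EC16D566
Properties.filedate=998568000
Properties.filedatetext=2001-08-23 14:00:00

Virtumonde.dll: [SBI $4792FFB9] Library (File, fixed)
C:\WINDOWS\system32\mfc40.dll_tobe_deleted
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
"""

# MD5 of zero bytes; any zero-length file hashes to this value.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

# "<detection>: [SBI $<id>] <kind>"; the SBI tag is absent on cookie entries.
HEADER = re.compile(r"^(?P<name>[^:]+): (?:\[SBI \$(?P<sbi>[0-9A-F]+)\] )?(?P<kind>.+)$")


def parse_spybot_log(text):
    """Split a Spybot 1.6 results log into one dict per detection."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Properties."):
            if current is not None:
                key, _, value = line[len("Properties."):].partition("=")
                current["props"][key] = value
            continue
        m = HEADER.match(line)
        if m:
            current = {"detection": m["name"], "sbi": m["sbi"],
                       "kind": m["kind"], "props": {}}
            records.append(current)
        elif current is not None and "path" not in current:
            # The line after a "(File, ...)" header is the file path.
            current["path"] = line
    return records


def triage(records, utc_offset_hours):
    """Return {path: [notes]} for file entries: flag empty leftovers and
    check that the epoch timestamp matches the human-readable one."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    findings = {}
    for rec in records:
        if "path" not in rec:
            continue  # cookies and registry entries carry no file path
        props = rec["props"]
        notes = []
        if props.get("size") == "0" and props.get("md5", "").lower() == EMPTY_MD5:
            notes.append("empty file: MD5 is the digest of zero bytes, nothing to analyse")
        if "filedate" in props and "filedatetext" in props:
            local = datetime.fromtimestamp(int(props["filedate"]), tz)
            text = local.strftime("%Y-%m-%d %H:%M:%S")
            if text == props["filedatetext"]:
                notes.append("timestamp consistent")
            else:
                notes.append(f"timestamp mismatch: {text} vs {props['filedatetext']}")
        findings[rec["path"]] = notes
    return findings


if __name__ == "__main__":
    for path, notes in triage(parse_spybot_log(SAMPLE_LOG), 2).items():
        print(path)
        for note in notes:
            print("   ", note)
```

The `_tobe_deleted` entry is the rename Spybot leaves behind after a failed fix; because it is zero bytes, re-scanning it tells you nothing about the original file, and the md5 in the log is the same value you get from any empty file. Comparing the MD5 of the live `mfc40.dll` against a known-good copy of the runtime is the useful next step, but that reference hash is not in this thread, so the script does not assume one.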

tashi
2010-11-30, 18:20
Hello ma02shi,



I ran Spybot and it found the Virtumonde.dll infection.
A window appears suggesting to run Spybot also when booting.
In both cases the infection is not removed and still appears when running Spybot.
Please see the following topics.

Fixed: mfc40.dll
http://forums.spybot.info/showpost.php?p=389557&postcount=9
http://forums.spybot.info/showpost.php?p=389842&postcount=15

out of schedule update?
http://forums.spybot.info/showthread.php?p=389854#post389854



This morning, any document that I tried to see, or any site that I tried to connect to, I saw only a mess of letters on the screen, and I could barely do anything on the computer. Everything was stuck.

That may be a separate Windows issue.

Best regards.

ma02shi
2010-11-30, 20:10
Hello tashi,

I've read all the links you put in your message.
I downloaded a new version of spybot and ran it.
This time the Virtumonde did not appear.
My documents seem to be fine.

Thanks for your quick response.

tashi
2010-11-30, 20:34
Hi ma02shi,

Thank you for letting us know, I will close this thread.

Best regards. :)