Seeking help removing Virtumonde.dll



magentaplacenta
2010-12-02, 05:34
Hello, updated my Spybot detections last night (I do weekly) and did a scan of my PC (Windows XP). Came back showing the virtumonde.dll. Spybot is unable to fully remove it as a subsequent scan showed virtumonde.dll again.

Here is the contents of my DDS.txt file:

DDS (Ver_10-11-27.01) - NTFSx86
Run by Admin at 20:16:30.46 on Wed 12/01/2010
Internet Explorer: 6.0.2600.0000
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.1535.898 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = sasr.r1.attbi.com:8000
uInternet Settings,ProxyOverride = *r1.attbi.com;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IE DevToolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
EB: IE DOM Explorer: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229550956375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38023.8717361111
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\9ycr2qbq.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\9ycr2qbq.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\firebug@software.joehewitt.com
FF - Extension: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Extension: Live HTTP Headers: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\moveplayer@movenetworks.com
FF - Extension: Prism for Firefox: refractor@developer.mozilla.org - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\refractor@developer.mozilla.org
FF - Extension: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Extension: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\9ycr2qbq.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-2-9 75904]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-11-27 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-3-14 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-12-10 10760]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2006-7-18 284184]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2006-7-18 91672]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2005-12-6 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2005-11-27 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2005-12-6 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2005-11-27 4960]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
S3 2242w39a;2242w39a;\??\c:\docume~1\admin\locals~1\temp\et29gitz --> c:\docume~1\admin\locals~1\temp\ET29gItZ [?]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-6-16 23296]
S3 QCAbsee;Logitech QuickCam Web(PID_0801);c:\windows\system32\drivers\lvca.sys [2004-7-27 31232]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-6-16 225375]
S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-3-30 245760]
S4 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2004-8-23 106496]

=============== Created Last 30 ================

2067-02-24 23:21:18 79947 ----a-w- c:\windows\fw20.vxd
2010-12-01 04:18:22 -------- d-----w- c:\program files\TweetDeck

==================== Find3M ====================

2010-10-23 19:13:39 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2007-02-17 16:56:40 1035271 ----a-w- c:\program files\wrar362.exe
1998-12-08 19:53:00 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-08 19:53:00 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 19:53:00 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-08 19:53:00 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 19:53:00 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-08 19:53:00 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 20:18:29.35 ===============

Here's what Spybot reports after a 3rd scan:

--- Search result list ---
Virtumonde.dll: [SBI $ECC83F1C] Library (File, nothing done)
C:\WINDOWS\system32\docprop2.dll
Properties.size=45056
Properties.md5=942E252CFD3A9976ADCB404D4C06938E
Properties.filedate=998568000
Properties.filedatetext=2001-08-23 04:00:0

Blade81
2010-12-08, 10:03
Hi,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitComet
Soulseek

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Please read this: http://forums.spybot.info/showthread.php?t=425 and install service pack 1a.



Post fresh dds logs when done.

magentaplacenta
2010-12-08, 21:06
I can't install service pack 1a, I get a dialog "the product key used to install windows is invalid."

Blade81
2010-12-09, 07:33
Then I have to ask you to contact Microsoft (http://www.microsoft.com/genuine/) if your operating system license is a legit one.

magentaplacenta
2010-12-09, 19:17
Would a re-install of the OS work? I might have the OS on CD, but I don't know the details of the OS. I had the PC "custom built" (and I use that term loosely) by a guy advertising on Craigslist. Custom in that I chose the hard drive/RAM capacity. This was perhaps 6 or 7 years ago, so the computer is a bit old. He had a side business building/selling PCs.

I don't think I became infected by using BitComet or Soulseek because I used BitComet once and never got the hang of it, haven't used it in years. It's been quite some time since I used Soulseek as well.

Also, Spybot just reported the problem at the beginning of the month and I update/run it every week. So I either picked up virtumonde recently or I got Spybot updates that finally detected it.

Blade81
2010-12-10, 15:00
Hi,

Reinstall should work if you have a valid license for your OS. The main point is that we won't support cases where an illegal OS is involved.

Blade81
2010-12-16, 19:17
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.