
Thread: Virtumonde infection

  1. #1
    sandravopop (Junior Member)

    Virtumonde infection

    Hello,

    My computer is infected with Virtumonde.dll and Virtumonde.prx, and Spybot S&D cannot clean it. Can you please help me?

  2. #2
    pskelley (In Memoriam - Always in our heart)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I don't know if we can help or not, but you need to start with the directions. They are pinned (sticky) to the top of this forum and posted above. Once you have followed the directions, post the required HijackThis log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    sandravopop (Junior Member)

    HJT log

    Thanks for the reply; below is the HJT log requested.

    Logfile of HijackThis v1.99.1
    Scan saved at 15:23:40, on 31.08.2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    d:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\System32\rundll32.exe
    D:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\rundll32.exe
    D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    E:\KITURI\2\Antivirusi\ANTI TROJAN si ANTI SPY\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [diagnostics] "d:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
    O4 - HKLM\..\Run: [BMcf0db949] Rundll32.exe "C:\WINDOWS\System32\smvwkhwt.dll",s
    O4 - HKLM\..\Run: [cc3e8ad5] rundll32.exe "C:\WINDOWS\System32\vtryxmjj.dll",b
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189081624015
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D8A54AF-B841-4845-A580-AB9262D3520C}: NameServer = 193.231.100.130 193.231.100.134
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - d:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
    O23 - Service: V2i Protector - PowerQuest Corporation - D:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

  4. #4
    pskelley (In Memoriam - Always in our heart)

    How about reading those directions again and following them this time. The HJT log is out of date and located unsafely.

    Thanks

  5. #5
    sandravopop (Junior Member)

    New HJT log

    I apologize for the inconvenience, here is the new HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:36:24, on 01.09.2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    d:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [diagnostics] "d:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
    O4 - HKLM\..\Run: [cc3e8ad5] rundll32.exe "C:\WINDOWS\System32\vtryxmjj.dll",b
    O4 - HKLM\..\Run: [BMcf0db949] Rundll32.exe "C:\WINDOWS\System32\smvwkhwt.dll",s
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\scrcons32.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189081624015
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D8A54AF-B841-4845-A580-AB9262D3520C}: NameServer = 193.231.100.130 193.231.100.134
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - d:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
    O23 - Service: V2i Protector - PowerQuest Corporation - D:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

    --
    End of file - 3591 bytes
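The O4 lines in the log above lend themselves to a small triage script. The following is an added example, not code from this thread, from Spybot or from HijackThis; the two heuristics it applies (a rundll32 entry whose DLL is called through a single-letter entry point, and a Run value name that is a bare hex string) are assumptions I chose to pick out the unusual entries, not rules stated by anyone in the thread.

```python
import re

# Constructed sample: O4 lines in HijackThis format, taken from the log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [diagnostics] "d:\\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\\..\\Run: [cc3e8ad5] rundll32.exe "C:\\WINDOWS\\System32\\vtryxmjj.dll",b
O4 - HKLM\\..\\Run: [BMcf0db949] Rundll32.exe "C:\\WINDOWS\\System32\\smvwkhwt.dll",s
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] d:\\Program Files\\Spybot - Search & Destroy2\\TeaTimer.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [WMI Standard Event Consumer - Scripting] C:\\WINDOWS\\System32\\scrcons32.exe (User 'SYSTEM')
"""

# O4 line layout: "O4 - <key>: [<value name>] <command> (User '<user>')?"
O4_RE = re.compile(
    r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32 invocation: rundll32[.exe] "<dll path>",<entry point>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)$', re.I)
# Value names that are a hex run, optionally prefixed by up to two letters (hypothetical heuristic).
HEXISH_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8,}$")


def parse_o4(line):
    """Parse one O4 line into a dict with a 'flags' list; None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = []
    r = RUNDLL_RE.match(entry["cmd"])
    if r and len(r.group("export")) == 1:
        entry["flags"].append("rundll32 loads DLL via single-letter entry point: " + r.group("dll"))
    if HEXISH_RE.match(entry["name"]):
        entry["flags"].append("hex-looking Run value name")
    return entry


def flagged_entries(log_text):
    """Return the parsed O4 entries that triggered at least one heuristic."""
    parsed = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["flags"]]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(e["key"], e["name"], "->", "; ".join(e["flags"]))
```

Run against the constructed sample it reports only the two rundll32 entries; every other line, including the SYSTEM-account entry, parses cleanly but carries no flag.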

  6. #6
    pskelley (In Memoriam - Always in our heart)

    Please follow all directions carefully.

    1) We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    2) Remove any old copies of combofix before you proceed.

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop.

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Post the combofix log and a new HJT log.

    Tutorial
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks

  7. #7
    sandravopop (Junior Member)

    I tried to run ComboFix but I encountered a problem. The program starts, but at the point where it says that the clock settings will be changed it reboots. I tried this 3 times and the result was the same.

  8. #8
    pskelley (In Memoriam - Always in our heart)

    We are using a tool here that is downloaded around one million times a month. Click on some of the other members' topics and look; in most topics you will see combofix being run. I suggest you delete whatever you downloaded and start by reading the tutorial I posted carefully so you will know what you are doing. Then, before you start, make sure your clock is set to the correct time. If not, right click the clock, then click adjust time/date and set it to the correct time. When this is all done, follow these very basic directions:

    Download ComboFix from Here to your Desktop
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Save that file to your DESKTOP
    Double click combofix.exe and follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Post the combofix log and a new HJT log.
    Thanks

  9. #9
    sandravopop (Junior Member)

    I read carefully and followed your instructions exactly. ComboFix starts, but when it initiates the scan the computer reboots. I tried several times cancelling and reinstalling ComboFix, but the result is still the same. I do not know what could be the problem. I can only send you a new HJT log.

  10. #10
    pskelley (In Memoriam - Always in our heart)

    Delete combofix from your computer. You may want to start reviewing this information in case it comes to that?
    http://spyware-free.us/tutorials/reformat/
    http://www.cyberwalker.net/faqs/how-...stall-faq.html
    http://helpdesk.its.uiowa.edu/window...s/reformat.htm

    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.

    Thanks
