
[solved]VirtuMonde

Thank you. Print these instructions out. Most Virtumonde is installed without user knowledge.

EXPLORER.EXE

Antivirus    Version     Last Update   Result
a-squared    4.0.0.101   2009.04.10    Trojan.Win32.Patched!IK
AhnLab-V3    5.0.0.2     2009.04.10    Win32/Virut.F
AntiVir      7.9.0.138   2009.04.10    W32/Virut.Gen
Antiy-AVL    2.0.3.1     2009.04.10    -
Authentium   5.1.2.4     2009.04.10    W32/Patched.E.gen!Eldorado
Avast        4.8.1335.0  2009.04.10    Win32:Vitro
AVG

Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo!

Win32/Virtumonde is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.

Most of them were Virtumonde.

Mozilla Firefox: Open Firefox. Go to Help > Troubleshooting Information in the menu.

DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 22:02:52.67 on Tue 04/07/2009
Internet Explorer: 7.0.5730.13
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

============== Pseudo HJT Report

Support the fight against Virtumonde by getting our Virtumonde removal tool and perfecting the Virtumonde removal operation. We recommend that you use the free "Reset Browsers" option under "Tools" in Stronghold AntiMalware to reset all the browsers at once.

If there is no internet connection after running Combofix, then restart your computer to restore your connection.

My web page. My help doesn't cost a penny, but if you'd like to consider a donation to WindowsBBS, click HERE.
broni, #8, 2009/07/15

one278 (Thread Starter), Joined: 2008/08/12

Popey

Zllio, Members, 1,107 posts. Posted 17 November 2008, #2:

- Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo!

Post HijackThis log.

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to

Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Security center information======
AV: Symantec AntiVirus Corporate Edition

System event log
Computer Name: L-GREVDIGM
Event Code: 26
Message: Application popup: Low Battery : You should change your battery or switch to outlet power immediately to keep

Avoid downloading pirated software.

broni, #12, 2009/07/16

For example:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AEFF965-B1A9-4675-966A-26C2E812AD51}

In some variants, several data files are also created in the same location, using the same name but with the following file extensions (as opposed to

IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{672B204D-AE8B-465A-9FB1-84090E33025B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-26 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{836A209D-8D5B-42B9-BDDF-A4BABE9605E1}]
C:\WINDOWS\system32\awtrQIYO.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A2ABE3A-5806-44D9-8527-6EFAC5B5B361}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program

I've found also that sometimes when I scan w/AVG8 or w/Spybot, the computer will automatically shut itself off before finishing.

RESTART COMPUTER

STEP 4.

https://www.securitystronghold.com/gates/virtumonde.html

Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected.

scanning hidden autostart entries ...

Contents of the 'Scheduled Tasks' folder
"2007-10-05 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2007-10-06 00:54:20 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job" - C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-09-27 16:45:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

First, try renaming it using this method...

Keep your system up to date and run Adaware & Spybot (once a week works), and hopefully you will be ok from here on.

I am not on 24x7 and have a life!

PC Safety and Security--What Do I Need?

Installation
Members of the Virtumonde family may compromise an affected system in a number of different ways.

A strong password is one that has at least 8 characters and combines letters, numbers, and symbols.

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - -

The last Hijackthis scan showed this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:38 PM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot

STEP 2.

Removes all registry entries created by Virtumonde.

Post that log. Note: Do not mouse-click ComboFix's window while it's running. Keep your eyes open for any returning symptoms of Virtumonde, as it's a virus which generates random files and can come back. Use caution when clicking on links to Web pages. Click the Reset Firefox button.

I ran hijackthis and this is what I got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:45 PM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer

Your system is infected with a polymorphic file infector called Virut.

We recommend that you use the Virtumonde Removal Tool for a safe solution to the problem.

4. If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
*

Download - ATF Cleaner. This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program.

broni, #10, 2009/07/16

NOTE. SpywareBlaster helps prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions.

In some variants, the trojan may utilize an executable component that may be copied to any of the following locations:

%windir%\addins
%windir%\AppPatch
%windir%\assembly
%windir%\Config
%windir%\Cursors
%windir%\Driver Cache
%windir%\Drivers
%windir%\Fonts
%windir%\Help
%windir%\inf
%windir%\java
%windir%\Microsoft.NET
%windir%\msagent
%windir%\Registration
%windir%\repair
%windir%\security
%windir%\ServicePackFiles
%windir%\Speech
%windir%\system
%windir%\system32
%windir%\Tasks
%windir%\Web
%windir%\Windows Update Setup Files
%windir%\Microsoft\

Virtumonde may make

Here is my HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:52 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program

Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. Download Host.zip to your desktop.

Warning: This option will also clear all your saved account passwords for all websites. DO NOT back up any executable files (software) or screensavers (*.scr).

Here you can also learn: Technical details of the Virtumonde threat.

All of them will pull up some form of Virtumonde or Vundo and get rid of it, but every time I reboot and run another scan it comes back.

Features of SpyHunter 4: Removes all files created by Virtumonde.

Delete the following malicious registry entries and/or values:

Key: software\microsoft\windowsupd
Key: software\targetsoft
Key: CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Value: @
Key: CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32 Value: @
Key: Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Value: @
Key: Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore Value: @
Key: Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Value: @
Key: Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32 Value: @
Key:

They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Fixes browser redirection and hijack if needed. The "Toolbar Remover" tool will help you get rid of unwanted browser extensions. Can fix browser problems and protect browser settings.

How to turn on Automatic Updates in Windows 7
How to turn on Automatic Updates in Windows Vista
How to turn on Automatic Updates in Windows XP
Use up-to-date antivirus software