How can I remove the Virtumonde virus when I cant find it?

Discussion in 'Computer Security' started by audiobahn1000, Mar 5, 2007.

  1. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    Please read the ENTIRE post before replying.


    I have a very nasty virus I can't find that I need to remove. It’s the infamous pop-up generator called Virtumonde. I have done scans with AVG Anti-Virus, AVG Anti-Spyware, Ad-Aware SE Personal, Spyware Terminator and Spybot Search and Destroy. Although they did find a bunch of trojans that I have removed, none of them can remove Virtumonde. Spybot S&D found one instance of it and allegedly removed it, but it still exists. I know it still exists because even though all programs say I am clean, I still get pop-ups that are clearly from a pop-up generator. Furthermore, Spyware Doctor detected the virus. However, I have to pay to remove it with that program. The part that troubles me is that I can't find the virus. Spyware Doctor gives me a specific address where it is, but the address it gives me does not exist. It says the virus is located at C:\WINDOWS\system32\ddaby.ddl. Well, I typed that into the search function in Windows and it came back as an invalid address. Furthermore, I went to the s32 folder and arranged the files by name, and there is no ddaby.ddl in there. In the image below it shows where a file named ddaby.ddl would have to be if it existed in the s32 folder.

    I have one other problem. I installed Actual Spy (a keystroke logger) on my computer to see if my anti-spyware software could detect it. Well, the software did detect it and I manually uninstalled the program. Furthermore, I did a search for “Actual Spy” and I deleted every file with that name in it. But Spyware Doctor still says it’s on my computer. Once again it gives me the alleged address where it's supposed to be, but the address is not valid, and when I did a search for Actual Spy, I came back with nothing.

    I did all virus scans in and out of safe mode. I have deleted every file that has come up as a virus / spyware.

    [IMG]

    I also ran VundoFix. It came back clean (in a way). The only two files it found are the two files it always finds. There are two files on my computer that come up as soon as I run VundoFix, and they cannot be removed. I have tried many times to have VundoFix remove them, and the program is never able to, even if I restart the computer.

    Here is my HJT log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:12:51 PM, on 3/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\Me!\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.realmofexcursion.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
     
    Last edited: Mar 5, 2007
  2. PC eye

    PC eye banned

    Messages:
    21,116
    First of all, the reason Spyware Doctor tells you that there are (ha!) bugs on your system and you NEED TO buy the full version to see them removed is just that. YOU NEED TO BUY! Bunk! That's the typical scam-type selling gimmick! And you can post a hundred logs and never find out "just where" any actual "bug" is located. The only thing done there is to remove some values in the system registry. A few days later and "They're back!" again. You need a specialized remover like the one found at http://www.spywareremove.com/removeVirtuMonde.html

    The following registry values are the ones specific to this type of malware.

    HKEY_CLASSES_ROOT\atlevents.atlevents
    13589181-4f0d-4553-b9f8-b4b72172c139

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\*winlogon

    HKEY_CURRENT_USER\software\microsoft\windowsupd

    HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\catw

    HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\psdrv

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windowsupd

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\*catw

    HKEY_LOCAL_MACHINE\software\targetsoft
    1B34D3EC-4AC7-41EC-ACC8-C9A2C0CBA2E5

    Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnno
    68616403-4FFB-4B19-B360-0B0B1F55D5EC
    22B271AB-3D0A-4CCB-8AD9-DD08183C356A

    Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttr
    D714A94F-123A-45CC-8F03-040BCAF82AD6

    Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0
    83B28A74-640D-48F4-9F51-E80EED7CC7E0
    2FCAB754-0535-470E-8F80-BACB6CA1ACC1

    Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnlk
     
  3. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    I didn’t understand 3/4ths of what you wrote. Mainly due to improper grammar / spelling and incomplete sentences. Can you retype what you said in a legible format please?
     
  4. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    Also I ran the scanner you gave a link to and it did not find it. It found one Trojan in the registry that I went and manually deleted. I went through the registry and could not find any of the registry entries you listed above.

    However in the last four registry entries you listed there is no main group. I looked under the HKEY_LOCAL_MACHINE group for the last four entries. Should I have looked somewhere else?
     
  5. Kazoon

    Kazoon New Member

    Messages:
    297
    Turn off system restore!

    Then clean your registry download regcleaner http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm
    Go to the very top of the program and select tools> registry cleanup> do them all.

    Download superantispyware http://www.superantispyware.com/ update the definitions and then boot into safemode by holding down the f8 key while your pc reboots. Run a complete system scan.

    Have hijackthis fix this entry O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing).
     
    Last edited: Mar 5, 2007
  6. PC eye

    PC eye banned

    Messages:
    21,116
    The last few groups are actually two different values seen under the same reg key by number. Besides the download of the removal tool they weren't too good at providing much else there.
    The "Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0
    83B28A74-640D-48F4-9F51-E80EED7CC7E0
    2FCAB754-0535-470E-8F80-BACB6CA1ACC1
    should be seen as
    Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0-83B28A74-640D-48F4-9F51-E80EED7CC7E0
    and
    Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0-2FCAB754-0535-470E-8F80-BACB6CA1ACC1
    if those precise values can be found.

    Symantec itself lists several registry keys that are made by the adware. These can be compared at http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-120914-4108-99

    The file or files to look for are WindowsUpd1.exe, WindowsUpd2.exe, and WindowsUpd4.exe with a search of the drive, and more than always in the "C:\Windows\" or "C:\WINNT" directory for NT or 2K. Another set of instructions involves removing the problem manually.
    Manual removal


    Please follow the instructions below if you would like to remove VirtuMonde manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If VirtuMonde remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
    1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
    2. Browse to the key:
      'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
    3. In the right pane, delete the values called 'WindowsUpd', 'WindowsUpd1', 'WindowsUpd2' and 'WindowsUpd4', if they exist.
    4. Exit the registry editor.
    5. Restart your computer.
    6. Start Windows Explorer and delete:
      %WinDir%\WindowsUpd1.exe
      %WinDir%\WindowsUpd2.exe
      %WinDir%\WindowsUpd4.exe
      Note: %WinDir% is a variable (?). By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
    Problems uninstalling? Click here. http://www.kephyr.com/spywarescanner/uninstallproblems.phtml
     
  7. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    I tried to have HJT fix it but it won't. Every time I check it and click fix, it comes back when I do a new scan. Should I just find and delete the file manually?
     
  8. PC eye

    PC eye banned

    Messages:
    21,116
    First you have to ID the process if running and end that with the Task Manager. Rushing into the system registry blindly is a fool's game. The "(file missing)" is commonly seen on a number of items when using HJT. I would ignore that one since that can point at a service available while nothing has been installed for it. Do you have a printer installed?
     
  9. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    No, I don't have a printer installed. I have used a plug and play one on this computer before, but it's not currently connected. I searched the processes running and I could not find any listed as psmchs.exe. I did a search of the entire C drive for WindowsUpd1, WindowsUpd2, and WindowsUpd4 and the search came back empty.
     
  10. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    I ran the registry cleaner and removed every listing it gave me. The pop-up generator still exists.
     
  11. Buzz1927

    Buzz1927 Digaredd Staff Member

    Messages:
    7,890
    Rename Hijackthis.exe to something else (ending in .exe) then post a new log.
     
  12. PC eye

    PC eye banned

    Messages:
    21,116
    This is one little bug that, like I suspected, poses as a system file. It mainly hides itself as a normal Winlogon notification package in the "C:\Windows\system32" folder. It has a random sequencer to avoid removal.
    Detailed Description
    Virtumonde is adware that displays pop-up advertisements. Some advertisements are for rogue antispyware applications such as Winfixer. Pop-ups are not marked as having originated from Virtumonde.

    Virtumonde runs hidden from the user. It installs itself as a Winlogon notification package and locks its own module. The module has a random 5 character name and is installed to the windows\system32 folder.

    Virtumonde infects Windows XP and 2000.
    A specialized removal tool is available for this at http://www.f-secure.com/sw-desc/virtumonde.shtml
     
  13. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    I renamed HJT and here is the log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:38 PM, on 3/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\Me!\Desktop\blah.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.realmofexcursion.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ljjgecd.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - (no file)
    O2 - BHO: (no name) - {FA87CDCE-767E-4495-A0F2-D88B13281B0C} - C:\WINDOWS\system32\jkhhg.dll
    O2 - BHO: (no name) - {FC77FBEE-BF70-45F4-83B6-9ED10B5C6A09} - (no file)
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: vtstt - C:\WINDOWS\
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    Ok, some things have changed. As of yesterday every single one of my anti-virus / spyware programs said I was clear. I found the Virtumonde file that Spyware Doctor listed and I removed it. However, the pop-up generator is not gone, so either it was not Virtumonde causing the problem, or it is and the program is still there and I can't find it. I left my computer on overnight and today when I rescanned stuff after surfing the net for an hour I had many trojans again. So this pop-up generator is constantly downloading new threats to my computer and I am having trouble removing them as fast as they are coming in. I find that it constantly downloads the CWS virus. I keep deleting the folder but it keeps redownloading. So at the moment none of my anti-virus programs can detect the pop-up generator...

    Also I noticed almost all the pop-ups were trying to get me to buy an antivirus program or something else. They are not spam pop-ups, they are advertisements trying to get me to buy something.
     
    Last edited: Mar 7, 2007
  14. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    Also, if the pop-up generator is running in the background in Windows it would have to show up in the Processes tab of Ctrl-Alt-Del, right? If so, can I start shutting down every process not needed until the pop-ups stop?
     
  15. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    I ran the tool and it said it found and removed Virtumonde. But the problem still exists. Also I notice that every time I run Spybot Search and Destroy it lists Smitfraud toolbar as being a virus. It's a registry entry. I always choose to remove it but it seems like it also redownloads all the time. It's seeming like my only option is to reformat my drive again... for the 6th time in like one year.... Is there a way I can reinstall all the Windows files without causing any problems with my current programs I have installed?
     
  16. PC eye

    PC eye banned

    Messages:
    21,116
    You can easily perform a repair install of Windows if the option is available when starting the XP installer, when you reach the "press Enter to install now" option. A repair install or deletion of the current one without a wipe will still see the same "uninvited guest" hanging around. Or Spyware Doctor simply wants you to believe that something is remaining or indicating it's still there while the remover saw it at least partially removed. Need a different remover?

    Gee? Why didn't I think of Lavasoft? They also have their own removal tool for the same problem found at http://www.lavasoft.com/support/securitycenter/virtumonde_remover.php
     
  17. audiobahn1000

    audiobahn1000 New Member

    Messages:
    461
    That scanner said it didn't find anything. But I know it's there. Almost every 10 min AVG says a new threat is detected via the real-time protection. So there is still something downloading new viruses. And I am still getting pop-ups from a generator.
     
  18. PC eye

    PC eye banned

    Messages:
    21,116
    You can post 100 logs but the real thing needed there is a good drive sweep. Did AVG point out any specifics like location? You would seem to have a trojan downloader buried on your hard drive that you need to locate and remove. I think you will end up having to have PC-cillin perform a "House Call". http://housecall.trendmicro.com/
     
  19. Buzz1927

    Buzz1927 Digaredd Staff Member

    Messages:
    7,890
    Make sure you have the latest version of Vundofix.
    http://www.atribune.org/ccount/click.php?id=4

    Open Vundofix and right-click in the white box to add more files. Paste these into the first 2 boxes, then close the window and run the program.

    C:\WINDOWS\system32\jkhhg.dll
    C:\WINDOWS\system32\ljjgecd.dll


    After the reboot post a new Hijackthis log.
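The two DLLs Buzz1927 picks out above are exactly the ones a reader could have flagged from the second HijackThis log by applying the clues given earlier in the thread: post 6 names the WindowsUpd Run values, post 8 says "(file missing)" services are often harmless leftovers, and post 12 says the adware installs as a Winlogon notification package in system32 under a random 5-character name. The script below is an added example written for this page, not a tool from the thread or from any of the products it mentions. It parses HijackThis O2, O4, O20 and O23 lines and applies those heuristics; the sample lines are copied from the log in post 13, except for one constructed O4 line of the WindowsUpd form from post 6. The function and class names (analyze_hjt, Finding) are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: HijackThis entries copied from the second log in this thread, plus one
# constructed O4 line ([WindowsUpd2]) of the form described in post 6. Kept as a raw
# string so the Windows backslashes survive untouched.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ljjgecd.dll
O2 - BHO: (no name) - {FA87CDCE-767E-4495-A0F2-D88B13281B0C} - C:\WINDOWS\system32\jkhhg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsUpd2] C:\WINDOWS\WindowsUpd2.exe
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

@dataclass
class Finding:
    level: str     # "suspect" (worth removing / investigating) or "info" (often benign)
    section: str   # HijackThis section tag: O2, O4, O20, O23
    subject: str   # DLL path, Run value name, package name or service short name
    reason: str

# Post 6: Run values used by the WindowsUpd variant.
RUN_NAMES = {"windowsupd", "windowsupd1", "windowsupd2", "windowsupd4"}
# Post 12: Winlogon notification package with a random 5-character name.
RANDOM_NAME = re.compile(r"^[a-z]{5}$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \(([^)]+)\) - (.*?) - (.*)$")

def analyze_hjt(log_text: str) -> list[Finding]:
    """Apply the thread's heuristics to HijackThis log lines and return findings."""
    findings: list[Finding] = []
    bho_dlls: set[str] = set()          # DLLs loaded into Internet Explorer as BHOs
    notify: list[tuple[str, str]] = []  # (package name, path) from O20 lines
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, path = m.groups()
            if path != "(no file)":
                bho_dlls.add(path.lower())
            if name == "(no name)" and SYSTEM32.search(path):
                findings.append(Finding("suspect", "O2", path,
                                        "unnamed BHO loading a DLL from system32"))
        elif m := O4_RE.match(line):
            hive, value_name, _command = m.groups()
            if value_name.lower() in RUN_NAMES:
                findings.append(Finding("suspect", "O4", value_name,
                                        f"{hive} Run value named like the WindowsUpd variant"))
        elif m := O20_RE.match(line):
            notify.append(m.groups())
        elif m := O23_RE.match(line):
            _display, short, _owner, path = m.groups()
            if path.endswith("(file missing)"):
                # Post 8: usually a leftover service registration, not the infection.
                findings.append(Finding("info", "O23", short,
                                        "service binary missing on disk; often a leftover"))
    # Winlogon Notify packages are judged after the pass so BHO overlap can be checked:
    # Vundo-style adware registers the same DLL as both a BHO and a Notify package.
    for name, path in notify:
        random_name = bool(RANDOM_NAME.match(name))
        truncated = path.endswith("\\")            # no file name, e.g. "C:\WINDOWS\"
        also_bho = path.lower() in bho_dlls
        if random_name or truncated or also_bho:
            reasons = []
            if random_name:
                reasons.append("5-character random-looking package name")
            if truncated:
                reasons.append("package path has no file name")
            if also_bho:
                reasons.append("same DLL also registered as a BHO")
            if SYSTEM32.search(path):
                reasons.append("DLL lives in system32")
            findings.append(Finding("suspect", "O20", name, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f"[{f.level:7}] {f.section:<3} {f.subject}: {f.reason}")
```

Run as-is it reports jkhhg.dll and ljjgecd.dll (the two files Buzz1927 lists), the truncated vtstt Notify entry, the constructed WindowsUpd2 value, and the PrntCSh service as info only. The Stardock MCPClient package is left alone: it has a descriptive name and a path outside system32, which is the point of combining signals rather than flagging every Winlogon Notify entry.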
     
  20. Buzz1927

    Buzz1927 Digaredd Staff Member

    Messages:
    7,890
    If you're looking at them, he'd probably need to :p
     
