# How can I remove the Virtumonde virus when I cant find it?



## audiobahn1000 (Mar 5, 2007)

Please read the ENTIRE post before replying.


I have a very nasty virus I cant find that I need to remove.  It’s the infamous pop up generator called Virtumonde.  I have done scans with AVG anti-virus, AVG Anti-Spyware, Ad-Aware SE personal, Spyware Terminator and Spybot Search and Destroy.  Although they did find a bunch of trojens that I have removed, none of them can remove Virtumonde.  Spybot S&D found one instance of it and allegedly removed it, but it still exists.  I know it still exists because even though all programs say I am clean, I still get pop-ups that are clearly from a pop-up generator.  Further more Spyware Doctor detected the virus.  However I have to pay to remove it with that program.  The part that troubles me is that I cant find the virus.  Spyware Doctor gives me a specific address where it is but the address it gives me does not exist.  It says the virus is located at C:\WINDOWS\system32\ddaby.ddl   Well I typed that into the search function in Windows and it came back as a invalid address.  Further more I went to the s32 folder and arranged the files by name, and there is no ddaby.ddl in there.  In the image below it shows where a file named ddaby.ddl would have to be if it existed in the s32 folder.

I have one other problem.  I installed Actual Spy (a keystroke logger) on my computer to see if my anti sypware software could detect it.  Well the software did detect it and I manually uninstalled the program.  Further more I did a search for “Actual Spy” and I deleted every file with that name in it.  But Spyware Doctor still says it’s on my computer.  Once again it gives me the alleged address where its suppose to be, but the address is not valid and when I did a search for Actual Spy, I came back with nothing.

I did all virus scans in and out of safe mode.  I have deleted every file that has come up as a virus / spyware.






I also ran VundoFix.  It came back clean (in a way).  The only two files it found are the two files it always finds.  There are two files on my computer that come up as soon as I run VundoFix, and they cannot be removed.  I have tried many time to have VundoFix remove them, and the program is never able to, even if I restart the computer.

Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:12:51 PM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Me!\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.realmofexcursion.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


----------



## PC eye (Mar 5, 2007)

First pf all the reason Spyware Doctor tells you that there are?(ha!) bugs on your system and NEED TO buy the full version to see them? removed is just that. YOU NEED TO BUY! bunk! That's the typical scam type selling gimic! And you can post a hundred logs and never find out "just where" any actual "bug" is located. The only done there is remove some values in the system registry. A few days later and "They're back"! again. You need a spcialized remover like the one found at http://www.spywareremove.com/removeVirtuMonde.html

 The following registry values are the ones specific to this type of malware.

HKEY_CLASSES_ROOT\atlevents.atlevents
13589181-4f0d-4553-b9f8-b4b72172c139

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\*winlogon

HKEY_CURRENT_USER\software\microsoft\windowsupd

HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\catw

HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\psdrv

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windowsupd

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\*catw

HKEY_LOCAL_MACHINE\software\targetsoft
1B34D3EC-4AC7-41EC-ACC8-C9A2C0CBA2E5

Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnno
68616403-4FFB-4B19-B360-0B0B1F55D5EC
22B271AB-3D0A-4CCB-8AD9-DD08183C356A

Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttr
D714A94F-123A-45CC-8F03-040BCAF82AD6

Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0
83B28A74-640D-48F4-9F51-E80EED7CC7E0
2FCAB754-0535-470E-8F80-BACB6CA1ACC1

Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnlk


----------



## audiobahn1000 (Mar 5, 2007)

PC eye said:


> First pf all the reason Spyware Doctor tells you that there are?(ha!) bugs on your system and NEED TO buy the full version to see them? removed is just that. YOU NEED TO BUY! bunk! That's the typical scam type selling gimic! And you can post a hundred logs and never find out "just where" any actual "bug" is located. The only done there is remove some values in the system registry. A few days later and "They're back"! again. You need a spcialized remover like the one found at http://www.spywareremove.com/removeVirtuMonde.html
> 
> The following registry values are the ones specific to this type of malware.
> 
> ...


I didn’t understand 3/4ths of what you wrote.  Mainly due to improper grammar / spelling and incomplete sentences.  Can you retype what you said in a legible format please?


----------



## audiobahn1000 (Mar 5, 2007)

Also I ran the scanner you gave a link to and it did not find it.  It found one Trojan in the registry that I went and manually deleted.  I went through the registry and could not find any of the registry entries you listed above.

However in the last four registry entries you listed there is no main group.  I looked under the HKEY_LOCAL_MACHINE group for the last four entries.  Should I have looked somewhere else?


----------



## Kazoon (Mar 5, 2007)

Turn off system restore! 

Then clean your registry download regcleaner http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm
Go to the very top of the program and select tools> registry cleanup> do them all.

Download superantispyware http://www.superantispyware.com/ update the definitions and then boot into safemode by holding down the f8 key while your pc reboots. Run a complete system scan. 

Have hijackthis fix this entry O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing).


----------



## PC eye (Mar 5, 2007)

The last few groups are acually two different values seen under the same reg key by number. Besides the download of the removal tool they weren't too good at providing much else there.
 The "Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0
83B28A74-640D-48F4-9F51-E80EED7CC7E0
2FCAB754-0535-470E-8F80-BACB6CA1ACC1
should be seen as
Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0-83B28A74-640D-48F4-9F51-E80EED7CC7E0
and
Software\Microsoft\Internet Explorer\Explorer Bars\83B28A74-640D-48F4-9F51-E80EED7CC7E0-2FCAB754-0535-470E-8F80-BACB6CA1ACC1
if those precise values can be found.

 Symantec itself lists several registry keys that are made by the adware. These can be compared at http://www.symantec.com/security_response/print_writeup.jsp?docid=2003-120914-4108-99

 The file or files to look for are the WindowsUpd1.exe, WindowsUpd2.exe, and WindowsUpd4.exe with a search of the drive and more then always in the "C:\Windows\" or "C:\WIN NT" directory for NTor 2K. Another set of instructions involves removing the problem manually.
*Manual removal*


Please follow the instructions below if you would like to remove VirtuMonde manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If VirtuMonde remains on your system after stepping through the removal instructions, please double-check by stepping through them again. 

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, delete the values called 'WindowsUpd', 'WindowsUpd1', 'WindowsUpd2' and 'WindowsUpd4', if they exists.
Exit the registry editor.
Restart your computer.
Start Windows Explorer and delete:
%WinDir%\WindowsUpd1.exe
%WinDir%\WindowsUpd2.exe
%WinDir%\WindowsUpd4.exe
*Note:* %WinDir% is a variable (?). By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
Problems uninstalling? Click here. http://www.kephyr.com/spywarescanner/uninstallproblems.phtml


----------



## audiobahn1000 (Mar 5, 2007)

Kazoon said:


> Have hijackthis fix this entry O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing).



I tried to have HJT fix it but it wont.  Everytime I check it and click fix, it comes back when I do a new scan.  Should I just find and delete the file manually?


----------



## PC eye (Mar 6, 2007)

First you have id the process if running and end that with the taskmanager. Rushing into the system registry blindly is a fool's game. The "(file missing)" is commonly seen on a number of items when using HT. I would ignore that one since that can point at a service available while nothing has been installed for it. Do you have a printer installed?


----------



## audiobahn1000 (Mar 6, 2007)

No I dont have a printer installed.  I have used a plug and play on this computer before, but its not currently connected.  I searched the processes running and I could not find any listed as psmchs.exe.  I did a search of the entire C drive for WindowsUpd1, WindowsUpd2, and WindowsUpd4 and the search came back empty.


----------



## audiobahn1000 (Mar 6, 2007)

Kazoon said:


> Turn off system restore!
> 
> Then clean your registry download regcleaner http://www.worldstart.com/weekly-download/archives/reg-cleaner4.3.htm
> Go to the very top of the program and select tools> registry cleanup> do them all.
> ...


I ran the registery cleaner and removed every listing it gave me.  The pop up generator still exists.


----------



## Buzz1927 (Mar 6, 2007)

Rename Hijackthis.exe to something else (ending in .exe) then post a new log.


----------



## PC eye (Mar 6, 2007)

This is one little bug like I suspected poses as a system file. It mainly hides itself as a normal Winlogon notification package in the "C:\Windows\system32" folder. It has a random sequencer to avoid removal.
*Detailed Description* 
Virtumonde is adware that displays pop-up advertisements. Some advertisements are for rogue antispyware applications such as Winfixer. Pop-ups are not marked as having originated from Virtumonde.

Virtumonde runs hidden from the user. It installs itself as a Winlogon notification package and locks its own module. The module has a random 5 character name and is installed to the windows\system32 folder.

Virtumonde infects Windows XP and 2000.
A specialized removal tool is available for this at http://www.f-secure.com/sw-desc/virtumonde.shtml


----------



## audiobahn1000 (Mar 7, 2007)

I renamed HJT and here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 10:46:38 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Me!\Desktop\blah.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.realmofexcursion.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ljjgecd.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - (no file)
O2 - BHO: (no name) - {FA87CDCE-767E-4495-A0F2-D88B13281B0C} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {FC77FBEE-BF70-45F4-83B6-9ED10B5C6A09} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe






Ok some things have changed.  As of yesterday every single one of my anti virus / spyware programs said I was clear.  I found the Virtumonde file that Sypware Doctor listed and I removed it.  However the pop up generator is not gone so either it was not Virtumonde causing the problem, or it is and the program is still there and I cant find it.  I left my computer on over night and today when I rescaned stuff after surfing the net for an hour I had many trogens again.  So this pop up generator is constantly downloading new threats to my computer and I am having trouble removing them as fast as they are coming in.  I find that it constantly downloads the CWS virus.  I keep deleting the folder but it keeps redownloading.  So at the moment none of my anti virus programs can detect the pop up generator...

Also I noticed almost all the pop ups were trying to get me to buy an antivirus program or something else.  They are not spam pop ups, they are advertisements trying to get me to buy something.


----------



## audiobahn1000 (Mar 7, 2007)

Also if the pop up generator is running in the background in Windows it would have to show up in the processes window in the ctrl alt delt tab right?  If so can I start shutting down every processes not needed until the pop ups stop?


----------



## audiobahn1000 (Mar 7, 2007)

PC eye said:


> This is one little bug like I suspected poses as a system file. It mainly hides itself as a normal Winlogon notification package in the "C:\Windows\system32" folder. It has a random sequencer to avoid removal.
> *Detailed Description*
> Virtumonde is adware that displays pop-up advertisements. Some advertisements are for rogue antispyware applications such as Winfixer. Pop-ups are not marked as having originated from Virtumonde.
> 
> ...



I ran tool and it said it found and removed Virtumonde.  But the problem still exists.  Also I notice hat everytime I run Spybot Search and Destroy it lists Smitfraud toolbar as being a virus.  Its a registry entry.  I always choose to remove it but it seems like it also redownloads all the time.   Its seeming like my only option is to reformat my drive again... for the 6th time in like one year....  Is there a way I cah reintall all the Windows files without causeing any problems with my current programs I have installed?


----------



## PC eye (Mar 7, 2007)

You can easily perform a repair install of Windows if the option is available when starting the XP installer when you reach the press enter to install now option. A repair install or deletion of the current wihout a wipe will still see the same "univited guest" hanging around. Or Spyware Doctor simply wants you to believe that something is remaining or indicating it's still there while the remover saw it at least partitially removed. Need a different remover?

 Gee? Why didn't I think of Lavasoft? They also have their own removal tool for the dame problem found at http://www.lavasoft.com/support/securitycenter/virtumonde_remover.php


----------



## audiobahn1000 (Mar 9, 2007)

That scaner said it dident find anything.  But I know its there.  Almost every 10 min AVG says a new threat is detected via the real time protection.  So there is still something downloading new viruses.  And I am still getting pop ups from a generator.


----------



## PC eye (Mar 9, 2007)

You can post 100 logs but the real thing needed there is a good drive sweep. Did AVG point out any specifics like location? You would seem to have a trojan downloader buried on your hard drive you need to locate and remove. I think you will end up having to have PC-cillin perform a "House Call". http://housecall.trendmicro.com/


----------



## Buzz1927 (Mar 10, 2007)

Make sure you have the latest version of Vundofix.
http://www.atribune.org/ccount/click.php?id=4

Open Vundofix and right-click in the white box to add more files. Paste these into the first 2 boxes, then close the window and run the program.

*C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ljjgecd.dll*

After the reboot post a new Hijackthis log.


----------



## Buzz1927 (Mar 10, 2007)

PC eye said:


> You can post 100 logs but the real thing needed there


If you're looking at them, he'd probably need to


----------



## PC eye (Mar 11, 2007)

He's got little bug on there that's hiding itself good. Hopefully Vundofix will get rid of it. The descriptions found on this one are like the one seen at the f-secure.com link where it will create new entries and change file names to keep itself hidden. After you see the host file removed post a few followup logs after a few days to see what else comes up. You'll probably hear: "Not this crap again... come on!  ggrrrr... ". It works like a self duplicating I-Worm.


----------



## audiobahn1000 (Mar 16, 2007)

PC eye said:


> You can post 100 logs but the real thing needed there is a good drive sweep. Did AVG point out any specifics like location? You would seem to have a trojan downloader buried on your hard drive you need to locate and remove. I think you will end up having to have PC-cillin perform a "House Call". http://housecall.trendmicro.com/



I tried house call and got nowhere.  After 1 hour it was only 3% done.  It seems it requires me to submit the entire contants of my harddrive over the net to their server.  Well on a 512 kbps upload cable connection that would take weeks to do.  I ran Vundo and the same thing happens that always happens.  It finds two problems ad try  remove them and cant so it restarts. Ten when it restarts it tries again and still cant and the lets it go.

It seems anti spyware programs are as useful at removing viruses as randomly deleting files is….  Maybe I should try randomly deleting files?    I am pretty sure its Vurtimonde doing all this bull shit because 100% of the pop up add are adds for antivirus software and Virtumonde displays those types of adds.

Also AVG is constantly detecting viruses.  About 3 - 8 per hour.  Sometime three in a row.  I found almost all the viruses it finds are in the IE7 temp internet files folder.  I have deleted the files in there over and over and it still finds viruses in there so something is downloading them.

I think my only option is to reformat.


----------



## audiobahn1000 (Mar 16, 2007)

Also I read that Virtumonde hijacks IE7 to display adds.  Well if so would reinstalling IE7 fix te problem?  Or is it not part of IE7; it just hijacks it?


----------



## PC eye (Mar 16, 2007)

Once you reinstall IE even with 6.0 it cuts the connection between that and any hijacker due to  the new set of registry values created. But seeing AVG constantly flagging new items clearly shows that something you put on probably came with something else like a trojan downloader. You still want to kill off that once you find it. 

Once you have a location simply boot up in safe mode if you need to just to get rid of it. The description seen at pctools points right at what I've been saying all along on this.
*Spyware Research > Infections > Virtumonde*

Details of the selected infection are shown below. This infection can be detected and cleaned using Spyware Doctor.
*Name:**Virtumonde**Risk Level:*



*Description:*Virtumonde modifies the Windows Internet connection mechanism and display various pop-up advertisements.*Type:*Adware, Trojan*Also known as:*Trojan-Downloader.Win32.Agent.br [Kaspersky] Trojan.Win32.Agent*Removal:*This infection can be removed using Spyware Doctor.
http://www.pctools.com/mrc/infections/id/Virtumonde/

 Some additional instructions for manual removal as well as other variations of this type of adware/hijacker/downloader show how involved this one gets. It's another set of registry values also shown to look for. http://411-spyware.com/remove-virtumonde


----------

