How do I remove the Virtumonde virus when I can't find it? - Computers



To view the actual forum discussion, please visit our website at http://www.tech-forums.net




How do I remove the Virtumonde virus when I can't find it?




Posted by: SPL Tech

Please read the ENTIRE post before replying.


I have a very nasty virus I can't find that I need to remove. It's the infamous pop-up generator called Virtumonde. I have done scans with AVG Anti-Virus, AVG Anti-Spyware, Ad-Aware SE Personal, Spyware Terminator and Spybot Search and Destroy. Although they did find a bunch of trojans that I have removed, none of them can remove Virtumonde. Spybot S&D found one instance of it and allegedly removed it, but it still exists. I know it still exists because even though all programs say I am clean, I still get pop-ups that are clearly from a pop-up generator. Furthermore, Spyware Doctor detected the virus. However, I have to pay to remove it with that program. The part that troubles me is that I can't find the virus. Spyware Doctor gives me a specific address where it is, but the address it gives me does not exist. It says the virus is located at C:\WINDOWS\system32\ddaby.ddl. Well, I typed that into the search function in Windows and it came back as an invalid address. Furthermore, I went to the s32 folder and arranged the files by name, and there is no ddaby.ddl in there. In the image below it shows where a file named ddaby.ddl would have to be if it existed in the s32 folder.

I have one other problem. I installed Actual Spy (a keystroke logger) on my computer to see if my anti-spyware software could detect it. Well, the software did detect it and I manually uninstalled the program. Furthermore, I did a search for "Actual Spy" and I deleted every file with that name in it. But Spyware Doctor still says it's on my computer. Once again it gives me the alleged address where it's supposed to be, but the address is not valid, and when I did a search for Actual Spy, I came back with nothing.

I did all virus scans in and out of safe mode. I have deleted every file that has come up as a virus / spyware.

(image: http://img88.imageshack.us/img88/5633/untitleddb2.jpg)

I also ran VundoFix. It came back clean (in a way). The only two files it found are the two files it always finds. There are two files on my computer that come up as soon as I run VundoFix, and they cannot be removed. I have tried many times to have VundoFix remove them, and the program is never able to, even if I restart the computer.

Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:12:51 PM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Me!\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.realmofexcursion.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe



Posted by: Warez Monster

Download this program by clicking on the link: VirtumundoBeGone.exe [94.7 KB]
Run the program and follow the directions. Make sure you save all your work beforehand!
If the virus is detected it will force you to restart your computer right away.


http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe



Posted by: SPL Tech

I ran the program. As soon as I ran it, the program asked me to restart. I don't know if it fixed anything or not. Here is the log it gave me:

[03/06/2007, 23:56:42] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Me!\Local Settings\Temporary Internet Files\Content.IE5\K9RGL6CQ\VirtumundoBeGone[1].exe" )
[03/06/2007, 23:56:47] - Detected System Information:
[03/06/2007, 23:56:47] - Windows Version: 5.1.2600, Service Pack 2
[03/06/2007, 23:56:47] - Current Username: Me! (Admin)
[03/06/2007, 23:56:47] - Windows is in NORMAL mode.
[03/06/2007, 23:56:47] - Searching for Browser Helper Objects:
[03/06/2007, 23:56:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/06/2007, 23:56:47] - BHO 2: {0A87E45F-537A-40B4-B812-E2544C21A09F} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[03/06/2007, 23:56:47] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/06/2007, 23:56:47] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 6: {7F5A2699-38CD-4B98-B193-5916D6566B01} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - Checking for HKLM\...\Winlogon\Notify\ljjgecd
[03/06/2007, 23:56:47] - Key not found: HKLM\...\Winlogon\Notify\ljjgecd, continuing.
[03/06/2007, 23:56:47] - BHO 7: {937C1209-D27D-4992-82CF-BDB50EB390D9} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - Checking for HKLM\...\Winlogon\Notify\geedd
[03/06/2007, 23:56:47] - Found: HKLM\...\Winlogon\Notify\geedd - This is probably Virtumundo.
[03/06/2007, 23:56:47] - Assigning {937C1209-D27D-4992-82CF-BDB50EB390D9} MSEvents Object
[03/06/2007, 23:56:47] - BHO list has been changed! Starting over...
[03/06/2007, 23:56:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/06/2007, 23:56:47] - BHO 2: {0A87E45F-537A-40B4-B812-E2544C21A09F} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[03/06/2007, 23:56:47] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/06/2007, 23:56:47] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 6: {7F5A2699-38CD-4B98-B193-5916D6566B01} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - Checking for HKLM\...\Winlogon\Notify\ljjgecd
[03/06/2007, 23:56:47] - Key not found: HKLM\...\Winlogon\Notify\ljjgecd, continuing.
[03/06/2007, 23:56:47] - BHO 7: {937C1209-D27D-4992-82CF-BDB50EB390D9} (MSEvents Object)
[03/06/2007, 23:56:47] - ALERT: Found MSEvents Object!
[03/06/2007, 23:56:47] - BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[03/06/2007, 23:56:47] - BHO 9: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 10: {FA87CDCE-767E-4495-A0F2-D88B13281B0C} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - Checking for HKLM\...\Winlogon\Notify\jkhhg
[03/06/2007, 23:56:47] - Found: HKLM\...\Winlogon\Notify\jkhhg - This is probably Virtumundo.
[03/06/2007, 23:56:47] - Assigning {FA87CDCE-767E-4495-A0F2-D88B13281B0C} MSEvents Object
[03/06/2007, 23:56:47] - BHO list has been changed! Starting over...
[03/06/2007, 23:56:47] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/06/2007, 23:56:47] - BHO 2: {0A87E45F-537A-40B4-B812-E2544C21A09F} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[03/06/2007, 23:56:47] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/06/2007, 23:56:47] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 6: {7F5A2699-38CD-4B98-B193-5916D6566B01} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - Checking for HKLM\...\Winlogon\Notify\ljjgecd
[03/06/2007, 23:56:47] - Key not found: HKLM\...\Winlogon\Notify\ljjgecd, continuing.
[03/06/2007, 23:56:47] - BHO 7: {937C1209-D27D-4992-82CF-BDB50EB390D9} (MSEvents Object)
[03/06/2007, 23:56:47] - ALERT: Found MSEvents Object!
[03/06/2007, 23:56:47] - BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[03/06/2007, 23:56:47] - BHO 9: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - BHO 10: {FA87CDCE-767E-4495-A0F2-D88B13281B0C} (MSEvents Object)
[03/06/2007, 23:56:47] - ALERT: Found MSEvents Object!
[03/06/2007, 23:56:47] - BHO 11: {FC77FBEE-BF70-45F4-83B6-9ED10B5C6A09} ()
[03/06/2007, 23:56:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:47] - No filename found. Continuing.
[03/06/2007, 23:56:47] - Finished Searching Browser Helper Objects
[03/06/2007, 23:56:47] - *** Detected MSEvents Object
[03/06/2007, 23:56:47] - Trying to remove MSEvents Object...
[03/06/2007, 23:56:48] - Terminating Process: IEXPLORE.EXE
[03/06/2007, 23:56:49] - Terminating Process: RUNDLL32.EXE
[03/06/2007, 23:56:49] - Disabling Automatic Shell Restart
[03/06/2007, 23:56:49] - Terminating Process: EXPLORER.EXE
[03/06/2007, 23:56:49] - Suspending the NT Session Manager System Service
[03/06/2007, 23:56:50] - Terminating Windows NT Logon/Logoff Manager
[03/06/2007, 23:56:50] - Re-enabling Automatic Shell Restart
[03/06/2007, 23:56:50] - File to disable: C:\WINDOWS\system32\geedd.dll
[03/06/2007, 23:56:50] - Renaming C:\WINDOWS\system32\geedd.dll -> C:\WINDOWS\system32\geedd.dll.vir
[03/06/2007, 23:56:50] - File successfully renamed!
[03/06/2007, 23:56:50] - Removing HKLM\...\Browser Helper Objects\{937C1209-D27D-4992-82CF-BDB50EB390D9}
[03/06/2007, 23:56:50] - Removing HKCR\CLSID\{937C1209-D27D-4992-82CF-BDB50EB390D9}
[03/06/2007, 23:56:50] - Adding Kill Bit for ActiveX for GUID: {937C1209-D27D-4992-82CF-BDB50EB390D9}
[03/06/2007, 23:56:50] - Deleting ATLEvents/MSEvents Registry entries
[03/06/2007, 23:56:50] - Removing HKLM\...\Winlogon\Notify\geedd
[03/06/2007, 23:56:50] - Searching for Browser Helper Objects:
[03/06/2007, 23:56:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/06/2007, 23:56:50] - BHO 2: {0A87E45F-537A-40B4-B812-E2544C21A09F} ()
[03/06/2007, 23:56:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:50] - No filename found. Continuing.
[03/06/2007, 23:56:50] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[03/06/2007, 23:56:50] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/06/2007, 23:56:50] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/06/2007, 23:56:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:50] - No filename found. Continuing.
[03/06/2007, 23:56:50] - BHO 6: {7F5A2699-38CD-4B98-B193-5916D6566B01} ()
[03/06/2007, 23:56:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:50] - Checking for HKLM\...\Winlogon\Notify\ljjgecd
[03/06/2007, 23:56:50] - Key not found: HKLM\...\Winlogon\Notify\ljjgecd, continuing.
[03/06/2007, 23:56:50] - BHO 7: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[03/06/2007, 23:56:50] - BHO 8: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/06/2007, 23:56:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:50] - No filename found. Continuing.
[03/06/2007, 23:56:50] - BHO 9: {FA87CDCE-767E-4495-A0F2-D88B13281B0C} (MSEvents Object)
[03/06/2007, 23:56:50] - ALERT: Found MSEvents Object!
[03/06/2007, 23:56:50] - BHO 10: {FC77FBEE-BF70-45F4-83B6-9ED10B5C6A09} ()
[03/06/2007, 23:56:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:50] - No filename found. Continuing.
[03/06/2007, 23:56:50] - Finished Searching Browser Helper Objects
[03/06/2007, 23:56:50] - *** Detected MSEvents Object
[03/06/2007, 23:56:50] - Trying to remove MSEvents Object...
[03/06/2007, 23:56:51] - Terminating Process: IEXPLORE.EXE
[03/06/2007, 23:56:51] - Terminating Process: RUNDLL32.EXE
[03/06/2007, 23:56:51] - Disabling Automatic Shell Restart
[03/06/2007, 23:56:51] - Terminating Process: EXPLORER.EXE
[03/06/2007, 23:56:51] - Suspending the NT Session Manager System Service
[03/06/2007, 23:56:51] - Terminating Windows NT Logon/Logoff Manager
[03/06/2007, 23:56:51] - Re-enabling Automatic Shell Restart
[03/06/2007, 23:56:51] - File to disable: C:\WINDOWS\system32\jkhhg.dll
[03/06/2007, 23:56:51] - Removing HKLM\...\Browser Helper Objects\{FA87CDCE-767E-4495-A0F2-D88B13281B0C}
[03/06/2007, 23:56:51] - Removing HKCR\CLSID\{FA87CDCE-767E-4495-A0F2-D88B13281B0C}
[03/06/2007, 23:56:51] - Adding Kill Bit for ActiveX for GUID: {FA87CDCE-767E-4495-A0F2-D88B13281B0C}
[03/06/2007, 23:56:51] - Deleting ATLEvents/MSEvents Registry entries
[03/06/2007, 23:56:51] - Removing HKLM\...\Winlogon\Notify\jkhhg
[03/06/2007, 23:56:51] - Searching for Browser Helper Objects:
[03/06/2007, 23:56:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/06/2007, 23:56:51] - BHO 2: {0A87E45F-537A-40B4-B812-E2544C21A09F} ()
[03/06/2007, 23:56:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:51] - No filename found. Continuing.
[03/06/2007, 23:56:51] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[03/06/2007, 23:56:51] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/06/2007, 23:56:51] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/06/2007, 23:56:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:51] - No filename found. Continuing.
[03/06/2007, 23:56:51] - BHO 6: {7F5A2699-38CD-4B98-B193-5916D6566B01} ()
[03/06/2007, 23:56:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:51] - Checking for HKLM\...\Winlogon\Notify\ljjgecd
[03/06/2007, 23:56:51] - Key not found: HKLM\...\Winlogon\Notify\ljjgecd, continuing.
[03/06/2007, 23:56:51] - BHO 7: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[03/06/2007, 23:56:52] - BHO 8: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/06/2007, 23:56:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:52] - No filename found. Continuing.
[03/06/2007, 23:56:52] - BHO 9: {FC77FBEE-BF70-45F4-83B6-9ED10B5C6A09} ()
[03/06/2007, 23:56:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/06/2007, 23:56:52] - No filename found. Continuing.
[03/06/2007, 23:56:52] - Finished Searching Browser Helper Objects
[03/06/2007, 23:56:52] - Finishing up...
[03/06/2007, 23:56:52] - A restart is needed.
[03/06/2007, 23:56:59] - Attempting to Restart via STOP error (Blue Screen!)








Also, I found the instance of Virtumonde that Spyware Doctor found. I deleted it. However, either something else is causing the pop-ups or there is another instance of it, because I keep getting pop-ups from a generator. Furthermore, I found that whatever is causing the pop-ups is also downloading more viruses. I can run all my scans and remove all viruses, and after only a few hours on the net I have a ton more. I found that SmitFraud keeps redownloading. Spybot S&D said it's a registry entry. I keep deleting it but it keeps coming back. Also the CWS virus keeps coming back. I delete the folder that it downloads, but it keeps coming back. AVG is constantly flagging viruses via the real-time protection. I get like 1-2 per hour. Also, I noticed almost all the pop-ups are ads to buy antivirus software. Furthermore, the pop-ups never happen on Firefox, not even if Firefox is the primary browser. It's always IE7.
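
The VirtumundoBeGone log above shows what the tool actually keys on: a BHO registered under HKLM with no default name in HKCR\CLSID, whose DLL is also registered as a Winlogon Notify package ("Found: HKLM\...\Winlogon\Notify\geedd - This is probably Virtumundo"). The Python script below is an added example, not part of this thread and not VirtumundoBeGone's own code, that performs the same cross-check offline against a .reg export of the three keys involved. The export text it runs on is constructed from the CLSIDs and DLL names in the log (the Adobe path is illustrative), and the "ok", "review" and "probably Vundo" verdicts are my own labels.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed .reg export (regedit version 5.00 format) for this example.
# The CLSIDs and DLL names are the ones the VirtumundoBeGone log reports; the
# Adobe path is illustrative. DllName/Asynchronous/Impersonate are the standard
# value names under a Winlogon Notify subkey.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F5A2699-38CD-4B98-B193-5916D6566B01}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{937C1209-D27D-4992-82CF-BDB50EB390D9}]

[HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@="Adobe PDF Reader Link Helper"

[HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32]
@="C:\\Program Files\\Adobe\\Reader\\ActiveX\\AcroIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7F5A2699-38CD-4B98-B193-5916D6566B01}]

[HKEY_CLASSES_ROOT\CLSID\{7F5A2699-38CD-4B98-B193-5916D6566B01}\InprocServer32]
@="C:\\WINDOWS\\system32\\ljjgecd.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{937C1209-D27D-4992-82CF-BDB50EB390D9}]

[HKEY_CLASSES_ROOT\CLSID\{937C1209-D27D-4992-82CF-BDB50EB390D9}\InprocServer32]
@="C:\\WINDOWS\\system32\\geedd.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedd]
"DllName"="geedd.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

OK, REVIEW, VUNDO = "ok", "review", "probably Vundo"


def _decode_value(raw: str):
    """Decode the common .reg value encodings: quoted string or dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw  # hex: and other encodings are kept verbatim


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Map lower-cased key path -> {lower-cased value name: value}; '' is the default value."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})  # a key with no values still exists
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else name.strip('"').lower()
        keys[current][name] = _decode_value(value)
    return keys


@dataclass(frozen=True)
class BhoCheck:
    clsid: str
    name: str
    dll: str
    notify_hit: bool
    verdict: str


def bho_winlogon_crosscheck(reg: dict[str, dict[str, object]]) -> list[BhoCheck]:
    """For every registered BHO, resolve its default name and InprocServer32 DLL,
    then look for a Winlogon Notify subkey named after the DLL: the pairing the
    VirtumundoBeGone log keys on for a nameless BHO."""
    bho_prefix = BHO_KEY.lower() + "\\"
    notify_prefix = NOTIFY_KEY.lower() + "\\"
    results: list[BhoCheck] = []
    for key in reg:
        rest = key[len(bho_prefix):]
        if not key.startswith(bho_prefix) or "\\" in rest:
            continue  # not a BHO entry, or a nested subkey
        name = str(reg.get(f"hkey_classes_root\\clsid\\{rest}", {}).get("", ""))
        dll = str(reg.get(f"hkey_classes_root\\clsid\\{rest}\\inprocserver32", {}).get("", ""))
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        notify_hit = bool(stem) and (notify_prefix + stem) in reg
        if name:
            verdict = OK
        elif notify_hit:
            verdict = VUNDO
        else:
            verdict = REVIEW
        results.append(BhoCheck(rest.upper(), name, dll, notify_hit, verdict))
    return results


if __name__ == "__main__":
    for r in bho_winlogon_crosscheck(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{r.verdict:15} {r.clsid} name={r.name!r} dll={r.dll} notify={r.notify_hit}")
```

On a real machine the input would be regedit exports of HKCR\CLSID, the Browser Helper Objects key and the Winlogon key; version 5.00 .reg files are written as UTF-16 with a BOM, so open them with encoding="utf-16". The log also shows why a Notify DLL resists ordinary deletion: it is loaded into winlogon.exe at logon, which is why the tool terminates the logon manager before renaming geedd.dll to geedd.dll.vir and then forces a restart.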



Posted by: crickmail.cet57

Try the free trial of Prevx1.

They have info on DDABY.DLL:
http://spywarefiles.prevx.com/RRIIFG3473788/ddaby%252Eddl.html

...and although it is listed as part of the malware group "Malware ASDF", if you click the link at the bottom of that page to view "other versions of this file", you will see it is also listed under the Virtumonde infection, as seen here:
http://spywarefiles.prevx.com/ssIIFG3473788/DDABmore.html

They also have other general information on the Virtumonde infection here:
http://virusinfo.prevx.com/viruscenter.asp?returnpage=default&GRP=4830300017

As mentioned, they have a free trial which will remove any infections it finds free of charge, but if you do not wish to keep it after the initial 30-day trial then you can simply uninstall it after cleanup :)




