Computer Hope

Software => Computer viruses and spyware => Topic started by: stumpitron on June 22, 2009, 02:27:56 PM

Title: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: stumpitron on June 22, 2009, 02:27:56 PM
I recently ran Spybot - Search and Destroy, and wound up with some 116 problems. Upon fixing them, I noticed that one was Virtumonde, a problem I've had with on a previous computer. After trying to fix it by Spybot (and failing), I did exactly what I had done in my previous encounter - went to VundoFix and ran it. Came back with nothing.

Thinking that it was a mistake, I looked online and found another. VirtumondeBeGone was also unsuccessful. I've looked around on this website before and saw that there was another individual with a similar problem. I followed the previous advice and used Malwarebytes Anti-Malware's File Assassin to delete the file. I ran Spybot again, and it is still there. The location is unchanged: C:\Windows\System32\rcpnet.dll

Please help!!
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: harry 48 on June 22, 2009, 02:32:32 PM
http://www.computerhope.com/forum/index.php/topic,46313.0.html


go to above post the 3 logs here an expert will see them , harry



you can also read this below

http://www.computerhope.com/search.htm?cx=003411668307610607965%3Ah4yba8pbdco&cof=FORID%3A9%3BNB%3A1&q=virtumonde&sa=Search#1297
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: GTL on June 22, 2009, 02:50:41 PM
Sumptitron,

Malwarebytes was successful in removing it from my system when I ran it in safe mode.

Good luck...
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: stumpitron on June 22, 2009, 04:06:02 PM
Harry48 - Which logs should I post? Spybots/VundoFix/Malwarebytes/VundoBeGone?
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: harry 48 on June 22, 2009, 04:26:43 PM
logs 3,4 ,6 , in evil's post's  but do the rest as well , harry
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: stumpitron on June 23, 2009, 09:47:18 AM
I've posted the SAS, MBAM, HJT and VirtumondeBeGone logs. The first two and the last one all indicate that the virus doesn't exist, but Spybot still says it exists (SBI $75457FE7) Library. C:\Windows\System32\rpcnet.dll. Is Spybot infected/lying? (I don't know how to post Spybot logs).

- Stump

[attachment deleted by admin]
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: harry 48 on June 23, 2009, 01:19:18 PM
i have tried twice to open hjt and it will not download

go to below read and use


http://www.computerhope.com/forum/index.php/topic,81761.0.html
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: stumpitron on June 23, 2009, 01:54:08 PM
Computer Hope HijackThis log overview (created Tuesday Jun 23, 12:51:26 PM MST):
Unique found: 84 - Unknown: 1 - Total: 85
Processes / services not required: 79 (that are not hardware / security: 33) - Potential threats: 5
OS: Windows Vista SP1 (winnt 6.00.1905) - Directory: \windows\ - Detected Antivirus: McAfee - Detected Firewall: McAfee
>> Skip to cleaning steps

Path   Process   Description   Type   Required?   Threat?
[o23 - service: remote procedure call (rpc) net (rpcnet) - absolute software corp. - c:\windows\system32\rpcnet.exe]    rpcnet.exe   Although unknown rpcnet.exe is suspicious since many legitimate unknown files do not run from the Windows path. Click here to open Google search for this file.   Unknown   
Yes
   
Maybe
[o18 - filter: x-sdch - {b1759355-3eec-4c1e-b0f1-b719fe26e377} - c:\program files\google\google toolbar\component\fastsearch_a8904fb862bd9564.dll]    HijackThis   Detected potential protocol hijack (filter: x-sdch - {b1759355-3eec-4c1e-b0f1-b719fe26e377} - c:\program files\google\google toolbar\component\fastsearch_a8904fb862bd9564.dll). Unless you recognize or want this change we suggest it be fixed.   Unknown   
Yes
   
Maybe
[r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername = ]    HijackThis   Blank Internet Explorer value for linksfoldername.   Unknown   
Yes
   
Maybe
[r0 - hklm\software\microsoft\internet explorer\search,customizesearch = ]    HijackThis   Blank Internet Explorer value for customizesearch.   Unknown   
Yes
   
Maybe
[r0 - hklm\software\microsoft\internet explorer\search,searchassistant = ]    HijackThis   Blank Internet Explorer value for searchassistant.   Unknown   
Yes
   
Maybe
[c:\windows\system32\taskeng.exe]    taskeng.exe   Microsoft Windows Task Scheduler file.   Application   
Safe
   
No
[c:\windows\system32\dwm.exe]    dwm.exe   Microsoft Windows Desktop Window Manager file.   Application   
Safe
   
No
[c:\windows\explorer.exe]    explorer.exe   Microsoft Windows Explorer file.   Windows   
Yes
   
No
[c:\program files\dell\delldock\delldock.exe]    delldock.exe   Dell DellDock docking station utility file.   Application   
Safe
   
No
[c:\program files\mcafee.com\agent\mcagent.exe]    mcagent.exe   McAfee Internet security file.   Security   
No
   
No
[c:\program files\windows defender\msascui.exe]    msascui.exe   Microsoft Windows Defender file.   Security   
No
   
No
[c:\program files\delltpad\apoint.exe]    apoint.exe   Alps Electric touchpad driver file.   Hardware   
No
   
No
[c:\windows\oem02mon.exe]    oem02mon.exe   Creative Live! cam console launcher file.   Hardware   
No
   
No
[c:\windows\system32\rundll32.exe]    rundll32.exe   Microsoft Windows process that handles handling.dll files that should be located in the C:\Windows\System32 directory.   Windows   
Yes
   
No
[c:\program files\intel\intel matrix storage manager\iaanotif.exe]    iaanotif.exe   Intel Application Accelerator service. Replaces the pre-installed ATA drivers with Windows with optimized drivers.   Hardware   
No
   
No
[c:\windows\system32\wltray.exe]    wltray.exe   Dell wireless lan card driver file.   Hardware   
No
   
No
[c:\program files\google\google desktop search\googledesktop.exe]    googledesktop.exe   Google Desktop file.   ApplicationNetwork   
Safe
   
No
[c:\program files\dell\mediadirect\pcmservice.exe]    pcmservice.exe   Dell Multimedia Experience applicatino file.   Application   
Safe
   
No
[c:\program files\dell datasafe online\datasafeonline.exe]    datasafeonline.exe   Dell online storage service file.   ApplicationNetwork   
Safe
   
No
[c:\program files\fingerprint reader suite\psqltray.exe]    psqltray.exe   UPEK Protector Suite systray file.   Application   
Safe
   
No
[c:\program files\dell support center\bin\sprtcmd.exe]    sprtcmd.exe   Dell support agent process. Also an agent file used with many different ISP software packages.   Application   
Safe
   
No
[c:\program files\western digital\wd drive manager\wdbtnmgrui.exe]    wdbtnmgrui.exe   Western Digital driver manager file.   Application   
Safe
   
No
[c:\program files\java\jre6\bin\jusched.exe]    jusched.exe   Sun Microsystems Java Update scheduler file.   ApplicationNetwork   
Safe
   
No
[c:\program files\itunes\ituneshelper.exe]    ituneshelper.exe   Apple iTunes helper file.   ApplicationNetwork   
Safe
   
No
[c:\program files\daemon tools lite\daemon.exe]    daemon.exe   Daemon Tools CD/DVD and virtual disc drive file.   Application   
Safe
   
No
[c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe]    googletoolbarnotifie...   Google toolbar file.   ApplicationNetwork   
Safe
   
No
[c:\users\scott\appdata\local\google\update\googleupdate.exe]    googleupdate.exe   Google Toolbar update file.   ApplicationNetwork   
Safe
   
No
[c:\program files\widcomm\bluetooth software\bttray.exe]    bttray.exe   Widcomm Bluetooth systray file.   Hardware   
No
   
No
[c:\program files\dell\quickset\quickset.exe]    quickset.exe   Dell power management file.   Hardware   
No
   
No
[c:\program files\delltpad\apmsgfwd.exe]    apmsgfwd.exe   Alps touchpad driver file.   Hardware   
No
   
No
[c:\program files\delltpad\hidfind.exe]    hidfind.exe   Alps pointing device driver file.   Hardware   
No
   
No
[c:\program files\delltpad\apntex.exe]    apntex.exe   Alps Electric touchpad driver file.   Hardware   
No
   
No
[c:\program files\spybot - search & destroy\spybotsd.exe]    spybotsd.exe   Spybot Search and Destroy (S&D) spyware application file.   Security   
No
   
No
[c:\windows\system32\wbem\unsecapp.exe]    unsecapp.exe   Microsoft Windows Windows Management Instrumentation (WMI) asynchronous callback file.   Application   
Yes
   
No
[c:\program files\widcomm\bluetooth software\btstackserver.exe]    btstackserver.exe   Bluetooth server file.   Hardware   
No
   
No
[c:\windows\system32\wscript.exe]    wscript.exe   Microsoft Windows file that should be located in the C:\Windows\System32 directory.   Windows   
Yes
   
No
[c:\windows\system32\wuauclt.exe]    wuauclt.exe   Microsoft Windows update process that should be located in the C:\Windows\System32 directory.   ApplicationNetworkWindows   
Yes
   
No
[c:\program files\trend micro\hijackthis\sniper.exe.exe]    sniper.exe.exe   Unknown - However, it appears as if this could be the Hijackthis tool renamed.   Application   
Safe
   
No
[o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll]    acroiehelpershim.dll   Adobe Acrobat reader Internet Explorer helper DLL file.   DLL   
Safe
   
No
[o2 - bho: mcafee phishing filter - {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\program files\mcafee\msk\mskapbho.dll]    mskapbho.dll   McAfee phishing filter Browser Helper Object (BHO) DLL file.   DLLSecurity   
No
   
No
[o2 - bho: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\viruss~1\scriptsn.dll]    scriptsn.dll   McAfee Browser Help Object (Browser Helper Object (BHO)) which provides additional security in your Internet browser DLL file.   DLLSecurity   
No
   
No
[o2 - bho: google toolbar helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\googletoolbar.dll]    googletoolbar.dll   Google Toolbar Browser Helper Object (BHO) DLL file.   DLL   
Safe
   
No
[o2 - bho: google toolbar notifier bho - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll]    swg.dll   Google Toolbar browser help module.dll.   DLL   
Safe
   
No
[o2 - bho: google dictionary compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_a8904fb862bd9564.dll]    fastsearch_A8904FB86...   Google fast search DLL file.   DLL   
Safe
   
No
[o2 - bho: browser address error redirector - {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\bae.dll]    bae.dll   Browser help module.dll that is used to redirect you to a different page if you encounter a 404 error in an Internet browser.   DLL   
Safe
   
No
[o2 - bho: java(tm) plug-in 2 ssv helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll]    jp2ssv.dll   Sun Java browser plugin DLL file.   DLL   
Safe
   
No
[o4 - hklm\..\run: [ecenter] c:\dell\e-center\eulalauncher.exe]    eulalauncher.exe   Dell e-center EULA launcher file.   Application   
Safe
   
No
[o4 - hklm\..\run: [nvcpldaemon] rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup]    nvcpl.dll   NVidia video card control panel DLL file.   DLL   
Safe
   
No
[o4 - hklm\..\run: [nvmediacenter] rundll32.exe c:\windows\system32\nvmctray.dll,nvtaskbarinit]    nvmctray.dll   Nvidia video card display driver DLL file.   DLL   
Safe
   
No
[o4 - hklm\..\run: [nvhotkey] rundll32.exe c:\windows\system32\nvhotkey.dll,start]    nvhotkey.dll   NVIDIA hotkey DLL file.   DLL   
Safe
   
No
[o4 - hklm\..\run: [updreg] c:\windows\updreg.exe]    updreg.exe   Creative register reminder file.   Application   
Safe
   
No
[o4 - hklm\..\run: [psqllauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup]    launcher.exe   Hewlett Packard, Toshiba and other OEM computers PCAngel system recovery process and Webshots.   Application   
Safe
   
No
[o4 - hklm\..\run: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"]    dsca.exe   Dell Support Center file.   Application   
Safe
   
No
[o4 - hklm\..\run: [adobe reader speed launcher] "c:\program files\adobe\reader 9.0\reader\reader_sl.exe"]    reader_sl.exe   Adobe Acrobat Reader load time reduction file.   Application   
Safe
   
No
[o4 - hklm\..\run: [quicktime task] "c:\program files\quicktime\qttask.exe" -atboottime]    qttask.exe   Apple QuickTime systray file.   Application   
Safe
   
No
[o4 - hkus\s-1-5-19\..\run: [sidebar] %programfiles%\windows sidebar\sidebar.exe /detectmem (user 'local service')]    sidebar.exe   Microsoft Windows sidebar that should be located in the C:\Program Files\Windows Sidebar directory. If in another directory this process could be the Searchcentrix hijacker.   Application   
Safe
   
No
[o8 - extra context menu item: e&xport to microsoft excel - res://c:\program files\micros~3\office12\excel.exe/3000]    excel.exe   Microsoft Excel file.   Application   
Safe
   
No
[o9 - extra button: blog this - {219c3416-8cb2-491a-a3c7-d9fcddc9d600} - c:\program files\windows live\writer\writerbrowserextension.dll]    writerbrowserextensi...   Windows Live Browser Helper Object (BHO) DLL file.   DLL   
Safe
   
No
[o9 - extra button: send to onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\program files\micros~3\office12\onbttnie.dll]    onbttnie.dll   Microsoft Office Internet Explorer shortcut DLL file.   DLL   
Safe
   
No
[o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\program files\micros~3\office12\refiebar.dll]    refiebar.dll   Microsoft Office research assistant module DLL file.   DLL   
Safe
   
No
[o16 - dpf: {49312e18-aa92-4cc2-bb97-55dea7bcadd6} (wmi class) - http://support.dell.com/systemprofiler/sysproexe.cab]    sysproexe.cab   Dell online system scanner CAB file.   Cab   
Safe
   
No
[o20 - appinit_dlls: c:\program files\google\google~2\goec62~1.dll]    goec62~1.dll   Google desktop DLL file.   DLL   
Safe
   
No
[o20 - winlogon notify: !saswinlogon - c:\program files\superantispyware\saswinlo.dll]    saswinlo.dll   SUPERAntiSpyware DLL file.   DLL   
Safe
   
No
[o20 - winlogon notify: gotoassist - c:\program files\citrix\gotoassist\514\g2awinlogon.dll]    g2awinlogon.dll   Citrix GoToAssist Remote Assistance service DLL file.   DLL   
Safe
   
No
[o23 - service: andrea st filters service (aestfilters) - andrea electronics corporation - c:\windows\system32\aestsrv.exe]    aestsrv.exe   Andrea Electronics ST filters service file.   Hardware   
No
   
No
[o23 - service: apple mobile device - apple inc. - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe]    applemobiledeviceser...   Apple iTunes Mobile Device service file.   Application   
Safe
   
No
[o23 - service: bonjour service - apple inc. - c:\program files\bonjour\mdnsresponder.exe]    mdnsresponder.exe   Apple Bonjour for Windows file.   ApplicationNetwork   
Safe
   
No
[o23 - service: creative labs licensing service - creative labs - c:\program files\common files\creative labs shared\service\creativelicensing.exe]    creativelicensing.ex...   Creative Labs licencing service file.   Application   
Safe
   
No
[o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe]    ctsvccda.exe   Creative disc drive process that should be located in the C:\Windows\System32 directory.   Hardware   
No
   
No
[o23 - service: dock login service (dockloginservice) - stardock corporation - c:\program files\dell\delldock\docklogin.exe]    docklogin.exe   Dell DellDock docking station utility file.   Application   
Safe
   
No
[o23 - service: gotoassist - citrix online, a division of citrix systems, inc. - c:\program files\citrix\gotoassist\514\g2aservice.exe]    g2aservice.exe   Citrix GoToAssist Remote Assistance service file.   ApplicationNetwork   
Safe
   
No
[o23 - service: google software updater (gusvc) - google - c:\program files\google\common\google updater\googleupdaterservice.exe]    googleupdaterservice...   Google Pack updater file.   ApplicationNetwork   
Safe
   
No
[o23 - service: intel(r) matrix storage event monitor (iaantmon) - intel corporation - c:\program files\intel\intel matrix storage manager\iaantmon.exe]    iaantmon.exe   Intel ATA application accelerator file.   Hardware   
No
   
No
[o23 - service: ipod service - apple inc. - c:\program files\ipod\bin\ipodservice.exe]    iPodService.exe   Apple iTunes iPod service monitor file.   ApplicationNetwork   
Safe
   
No
[o23 - service: mcafee services (mcmscsvc) - mcafee, inc. - c:\program files\mcafee\msc\mcmscsvc.exe]    mcmscsvc.exe   McAfee security center file.   Security   
No
   
No
[o23 - service: mcafee network agent (mcnasvc) - mcafee, inc. - c:\program files\common~1\mcafee\mna\mcnasvc.exe]    mcnasvc.exe   McAfee Security file.   Security   
No
   
No
[o23 - service: mcafee scanner (mcods) - mcafee, inc. - c:\program files\mcafee\viruss~1\mcods.exe]    mcods.exe   McAfee VirusScan file.   Security   
No
   
No
[o23 - service: mcafee proxy service (mcproxy) - mcafee, inc. - c:\program files\common~1\mcafee\mcproxy\mcproxy.exe]    mcproxy.exe   McAfee proxy file.   NetworkSecurity   
No
   
No
[o23 - service: mcafee real-time scanner (mcshield) - mcafee, inc. - c:\program files\mcafee\viruss~1\mcshield.exe]    mcshield.exe   McAfee Internet security file.   Security   
No
   
No
[o23 - service: mcafee systemguards (mcsysmon) - mcafee, inc. - c:\program files\mcafee\viruss~1\mcsysmon.exe]    mcsysmon.exe   McAfee VirusScan API file.   Security   
No
   
No
[o23 - service: mcafee personal firewall service (mpfservice) - mcafee, inc. - c:\program files\mcafee\mpf\mpfsrv.exe]    mpfsrv.exe   McAfee personal firewall service file.   NetworkSecurity   
No
   
No
[o23 - service: mcafee anti-spam service (msk80service) - mcafee, inc. - c:\program files\mcafee\msk\msksrver.exe]    msksrver.exe   McAfee SpamKiller file.   Application   
Safe
   
No
[o23 - service: nvidia display driver service (nvsvc) - nvidia corporation - c:\windows\system32\nvvsvc.exe]    nvvsvc.exe   NVIDIA video card service file.   Hardware   
No
   
No
[o23 - service: supportsoft sprocket service (dellsupportcenter) (sprtsvc_dellsupportcenter) - supportsoft, inc. - c:\program files\dell support center\bin\sprtsvc.exe]    sprtsvc.exe   Dell Support Center service file.   Application   
Safe
   
No
[o23 - service: sigmatel audio service (stacsv) - idt, inc. - c:\windows\system32\stacsv.exe]    stacsv.exe   StigmaTel sound card audio service file.   Hardware   
No
   
No
[o23 - service: steam client service - valve corporation - c:\program files\common files\steam\steamservice.exe]    steamservice.exe   Valve Steam service file.   ApplicationNetwork   
Safe
   
No
[o23 - service: stllssvr - microvision development, inc. - c:\program files\common files\surething shared\stllssvr.exe]    stllssvr.exe   MacroVision SureThing CD Labeler file.   Application   
Safe
   
No
[o23 - service: wd drive manager service (wdbtnmgrsvc.exe) - wdc - c:\program files\western digital\wd drive manager\wdbtnmgrsvc.exe]    wdbtnmgrsvc.exe   Western Digital external drive manager service file.   Hardware   
No
   
No
[o23 - service: dell wireless wlan tray service (wltrysvc) - unknown owner - c:\windows\system32\wltrysvc.exe]    wltrysvc.exe   Dell wirless LAN service file.   HardwareNetwork   
No
   
No
[o4 - hkus\s-1-5-19\..\run: [windowswelcomecenter] rundll32.exe oobefldr.dll,showwelcomecenter (user 'local service')]    oobefldr.dll   Microsoft Windows Welcome Center DLL file.   DLL   
Safe
   
No


- Hope this helps. I just pasted my log into the website you gave me. Stump
Title: Re: Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It
Post by: harry 48 on June 23, 2009, 02:31:28 PM
ok stumpitron , thats as far as i can take you , the experts have not signed in yet , and they will take a look ,

 i will keep a look here to see what they say , all the best , harry