
Author Topic: Virtumonde win32 sneaky ****  (Read 4268 times)


wudisc
Virtumonde win32 sneaky ****
« on: December 03, 2007, 05:38:46 PM »
Ok, I've been battling this virus for a couple of weeks now.

It doesn't seem to be producing pop-ups of any sort, and it doesn't seem to be leeching any resources, however it keeps coming back and installing DLL files!
I've run HijackThis, NOD32 and VundoFix in safe mode numerous times, but I haven't stopped it from coming back; every 2 reboots or so my NOD32 pops up saying the DLLs have returned... Obviously there is something I need to remove manually that I'm missing every time, so I've come here for some advice.

wudisc
Re: Virtumonde win32 sneaky ****
« Reply #1 on: December 03, 2007, 05:39:19 PM »
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:35:48, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Lock My PC 4\lockpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [vmc] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\vmc.dll
O4 - HKLM\..\RunOnce: [Falcon] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Falcon.dll
O4 - HKLM\..\RunOnce: [mswm] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\mswm.dll
O4 - HKLM\..\RunOnce: [NetMD] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\NetMD.dll
O4 - HKLM\..\RunOnce: [SPTISRVps] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SPTISR~1.DLL
O4 - HKLM\..\RunOnce: [OMG LP 4.7-07-14-05-01] C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.7-07-14-05-01\HotFixSetup\setup.exe /n /o
O4 - HKLM\..\RunOnce: [AppReg] C:\PROGRA~1\Sony\SONICS~1\AppReg.exe
O4 - HKLM\..\RunOnce: [AudioNorm.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\AUDION~1.DLL
O4 - HKLM\..\RunOnce: [Metallic.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Metallic.dll
O4 - HKLM\..\RunOnce: [OmgApDeliveryManagerComp.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OMGAPD~1.DLL
O4 - HKLM\..\RunOnce: [OmgApPlaybackComp.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OMGAPP~1.DLL
O4 - HKLM\..\RunOnce: [OpcArs.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OpcArs.dll
O4 - HKLM\..\RunOnce: [OpcCDAPlay.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OPCCDA~1.DLL
O4 - HKLM\..\RunOnce: [OpcWAV2.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OpcWAV2.dll
O4 - HKLM\..\RunOnce: [OpcWMA.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OpcWMA.dll
O4 - HKLM\..\RunOnce: [OpdClie.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\OpdClie.dll
O4 - HKLM\..\RunOnce: [SonyMixerControl.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SONYMI~1.DLL
O4 - HKLM\..\RunOnce: [SonyWavWriter.ax] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SONYWA~1.AX
O4 - HKLM\..\RunOnce: [SsAppDbMan.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SSAPPD~1.DLL
O4 - HKLM\..\RunOnce: [SsDbConnection.exe] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SSDBCO~1.EXE
O4 - HKLM\..\RunOnce: [SsDbMan.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SsDbMan.dll
O4 - HKLM\..\RunOnce: [SSScsiSVps.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SSSCSI~1.DLL
O4 - HKLM\..\RunOnce: [SsBeServicePS.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SSBESE~1.DLL
O4 - HKLM\..\RunOnce: [CDDBUISony.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\WINDOWS\system32\CDDBUI~1.DLL
O4 - HKLM\..\RunOnce: [CDDBControlSony.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\WINDOWS\system32\CDDBCO~1.DLL
O4 - HKLM\..\RunOnce: [CddbLinkSony.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\WINDOWS\system32\CDDBLI~1.DLL
O4 - HKLM\..\RunOnce: [CddbMusicIDSony.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\WINDOWS\system32\CDDBMU~1.DLL
O4 - HKLM\..\RunOnce: [CddbPlaylist2Sony.dll] C:\WINDOWS\system32\Regsvr32.exe /s C:\WINDOWS\system32\CDDBPL~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1177238915-527237240-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1177238915-527237240-682003330-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195867402468
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9286 bytes

Broni
Re: Virtumonde win32 sneaky ****
« Reply #2 on: December 03, 2007, 06:15:13 PM »
Download Trojan.Vundo Removal Tool from here:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99
Print and follow the instructions listed there, and after that post your new HJT log.

wudisc
Re: Virtumonde win32 sneaky ****
« Reply #3 on: December 04, 2007, 11:26:11 AM »
Thanks for the quick reply. I've just used VundoFix, and apparently a full scan hasn't detected any viruses.

Here is my "new" hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:45, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Lock My PC 4\lockpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://194.80.38.243:3128/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1177238915-527237240-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1177238915-527237240-682003330-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195867402468
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5990 bytes
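
The two HJT logs in this thread differ in only a few lines, and reading 90-line logs by eye is how those lines get missed. As an added example (not code from the thread, from HijackThis or from Trend Micro), here is a small Python script that parses two HJT logs and reports which entries and running processes appeared or disappeared between them, plus a heuristic of my own that flags R0/R1 browser settings whose URL is a bare IP address, the kind of line a reviewer should look at before calling a log clean. The two log excerpts embedded below are constructed from lines of the first and second logs posted above, shortened to the lines that matter for the diff.

```python
"""Compare two HijackThis (HJT) logs and list what changed between them.

Added example for this thread, not code from HijackThis or from the posters.
The two log excerpts below are constructed from lines of the logs posted
above (first log: Reply #1, second log: Reply #3).
"""
import re

# Generic HJT entry: a section tag (R0, R1, O4, O23, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - .+$")
# Heuristic (mine, not HJT logic): a setting whose URL is a bare IPv4 address.
IP_URL_RE = re.compile(r"=\s*https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")


def parse_hjt(text):
    """Return {"processes": set of lowercased paths, "entries": set of Rx/Ox lines}."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False              # a blank line ends the "Running processes:" block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())   # Windows paths are case-insensitive
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": processes, "entries": entries}


def diff_logs(old_text, new_text):
    """Entries and processes that appeared in, or disappeared from, the newer log."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return {
        "new_entries": sorted(new["entries"] - old["entries"]),
        "removed_entries": sorted(old["entries"] - new["entries"]),
        "new_processes": sorted(new["processes"] - old["processes"]),
        "gone_processes": sorted(old["processes"] - new["processes"]),
    }


def flag_ip_browser_settings(entries):
    """R0/R1 browser-setting lines pointing at a raw IP address; worth a manual look."""
    return sorted(e for e in entries
                  if e.startswith(("R0 - ", "R1 - ")) and IP_URL_RE.search(e))


# Constructed excerpt of the first log (Reply #1).
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:35:48, on 04/12/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [vmc] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\vmc.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed excerpt of the second log (Reply #3): uTorrent is now running, the
# Sony RunOnce entry is gone and an AutoConfigURL line has appeared.
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:45, on 04/12/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://194.80.38.243:3128/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    report = diff_logs(OLD_LOG, NEW_LOG)
    for key, lines in report.items():
        print(key)
        for line in lines:
            print("   ", line)
    print("review these browser settings:")
    for line in flag_ip_browser_settings(parse_hjt(NEW_LOG)["entries"]):
        print("   ", line)
```

The diff is deliberately dumb: it treats every Rx/Ox line as an opaque string, so a path change, a new RunOnce entry or a new proxy setting all surface the same way. Whether a flagged line is benign (a corporate proxy, say) or not is still a human decision; the script only makes sure the line is looked at.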

wudisc
Re: Virtumonde win32 sneaky ****
« Reply #4 on: December 05, 2007, 06:42:16 AM »
So, I woke up this morning, booted up the puter and I got the same warning message saying virtumonde dll files detected...

I am starting to suspect this is a new version of virtumonde, because all of the tools I try can't seem to remove this infection!
NOD32 however isn't giving me the option of sending the dll files to their headquarters for analysis.

Any ideas anyone?

Broni
Re: Virtumonde win32 sneaky ****
« Reply #5 on: December 05, 2007, 09:20:08 AM »
Your HJT log is totally clean.
I suspect false positive.
Do two things.
1. When NOD32 pops up, write down the names of those suspicious ".dll" files and post them back here. Search your computer and see if they exist, and if so, in what location.
2. Go here: http://www.eset.com/onlinescan/index.php for a free online scan.
Quote
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications are both check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Attach the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply

wudisc
Re: Virtumonde win32 sneaky ****
« Reply #6 on: December 05, 2007, 07:31:15 PM »
It's definitely not a false positive.

I have downloaded S&D and Ad-Aware from Lavasoft, and they have both flagged multiple copies of randomly named DLLs, all existing in the system32 path.

The program that is downloading Virtumonde after my "successful" removal is the win32.conhook.trojan.

I successfully removed both of these with both S&D and Ad-Aware. After this I went to the Panda Software website to make sure I got rid of all traces of these two, but while the scan was taking place NOD32 popped up again to tell me 4 new copies of the DLLs had been created in the same system32 folder.

Here are some of the files that were flagged:
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvuv.dll
C:\WINDOWS\system32\jkkkhgd.dll
C:\WINDOWS\system32\khffcbx.dll
C:\WINDOWS\system32\mljgfdd.dll
C:\WINDOWS\system32\silkyeqk.exe
C:\WINDOWS\system32\tzlfe.exe
C:\WINDOWS\system32\wvusrqo.dll
C:\WINDOWS\system32\wvuvvwx.dll

This virus is driving me crazy!!!
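
Broni's earlier request (check whether the reported files exist and where) and the list of randomly named files just posted are the kind of triage that is easier to do with a script than by hand, especially when the files keep being recreated and a sample needs to be submitted to the AV vendor. As an added example (not code from the thread or from any of the scanners mentioned), here is a Python script that, for each reported path, records whether it exists and, if so, its size, modification time and SHA-256, then groups files that are byte-for-byte identical under different names, which is what "multiple copies" of a randomly named DLL look like on disk. Because the real paths belong to a Windows XP machine, the demo writes constructed files into a temporary directory; on the affected system you would call triage() on the REPORTED list directly.

```python
"""Triage files a scanner reported: present or not, size, UTC mtime, SHA-256,
and which differently named files are identical copies of each other.

Added example for this thread, not code from the posters or from any scanner.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Paths exactly as reported in the thread (Reply #6).
REPORTED = [
    r"C:\WINDOWS\system32\awtqnkh.dll",
    r"C:\WINDOWS\system32\awtuvuv.dll",
    r"C:\WINDOWS\system32\jkkkhgd.dll",
    r"C:\WINDOWS\system32\khffcbx.dll",
    r"C:\WINDOWS\system32\mljgfdd.dll",
    r"C:\WINDOWS\system32\silkyeqk.exe",
    r"C:\WINDOWS\system32\tzlfe.exe",
    r"C:\WINDOWS\system32\wvusrqo.dll",
    r"C:\WINDOWS\system32\wvuvvwx.dll",
]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(paths):
    """One record per path: present? and, if so, size, UTC mtime and SHA-256."""
    rows = []
    for p in paths:
        if not os.path.isfile(p):
            rows.append({"path": p, "present": False})
            continue
        st = os.stat(p)
        rows.append({
            "path": p,
            "present": True,
            "size": st.st_size,
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    return rows


def group_copies(rows):
    """Map sha256 -> sorted paths, keeping only hashes shared by two or more files."""
    by_hash = defaultdict(list)
    for r in rows:
        if r["present"]:
            by_hash[r["sha256"]].append(r["path"])
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}


# Constructed stand-in content; it is not a real sample of anything.
DEMO_CONTENT = b"constructed sample, stands in for a dropped DLL"


def demo():
    """Constructed scenario: two identical files under different names, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        names = [os.path.basename(p) for p in REPORTED[:2]] + [os.path.basename(REPORTED[6])]
        paths = [os.path.join(d, n) for n in names]
        for p in paths[:2]:                    # third path is deliberately never created
            with open(p, "wb") as f:
                f.write(DEMO_CONTENT)
        rows = triage(paths)
        return rows, group_copies(rows)


if __name__ == "__main__":
    rows, copies = demo()
    for r in rows:
        print(r)
    for h, ps in copies.items():
        print("identical content", h[:16], "->", ps)
```

Keep the output: the hash and timestamp of a file that reappears after removal tell you whether the dropper writes the same payload every time (same hash, new name) or fetches a fresh one, and the SHA-256 is what a vendor wants alongside a sample.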

Broni
Re: Virtumonde win32 sneaky ****
« Reply #7 on: December 05, 2007, 07:57:29 PM »
1. Download VirtumundoBeGone: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Now reboot into Safe Mode.
   1. This can be done by tapping the F8 key as soon as you start your computer.
   2. You will be brought to a menu where you can choose to boot into safe mode.
   3. Select safe mode with networking using the arrow keys on the keyboard and then press Enter.
   4. When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.

3. Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.

4. Exit when it has finished, and reboot back to normal mode.

wudisc
Re: Virtumonde win32 sneaky ****
« Reply #8 on: December 07, 2007, 03:27:02 PM »
Awesome! That process worked a treat, thank you VERY MUCH!!

:D:D:D:D

Broni
Re: Virtumonde win32 sneaky ****
« Reply #9 on: December 07, 2007, 06:24:28 PM »
I'm glad it did 8) 8) 8)