AnswerPool.com - Computers - Security Issues: Virtumond Trojan Virus . . .
JerseyTomater (Diamond Enthusiast) posted:
I've scanned with Spybot (in safe mode) and the Virtumond de.prx Trojan Virus comes up. I have deleted it, but it keeps coming right back the next time I do a scan. How do I go about getting rid of it for good?

Thanks!
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
bedstor (Diamond Enthusiast) posted:
Why it comes back is that there is a tag left somewhere quite deep, and the best method of locating it is to make up a "HijackThis!" log and put it in the forum. But it is an expert's job to read it, and they'll advise you what should be done.
Delete the wrong file without that advice and you may be in deep trouble.
This is typical of the warning notices on the sites which deal with these problems:
quote:
HijackThis lists the contents of key areas of the Registry and hard drive--areas that are used by both legitimate programmers and hijackers. The program is continually updated to detect and remove new hijacks. It does not target specific programs and URLs, only the methods used by hijackers to force you onto their sites.

As a result, false positives are imminent, and unless you're sure about what you're doing, you always should consult with knowledgeable folks before deleting anything.

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

There is also a video clip on this link. I highly recommend that you view it before you make up a log and submit it.

The program is tiny (793K) but it is the best troubleshooter program there is.
 
Posts: 14539 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
Thanks Bedstor! Here's what came up on my log file . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:26 PM, on 2/7/2009
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM\atiptaxx.exe
C:\Program Files\Creative\News\NewsUpd.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\AOL\1108700882\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*...t/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {31b5a924-a70f-4281-aac7-32dd2afbb7a3} - C:\WINDOWS\system32\wogutopa.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {650EF698-DE92-4978-896D-45EB1BFFAD71} - C:\WINDOWS\system32\dsctlt.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {831E2AC1-64D1-4CC1-9500-34A7EAF19C8F} - c:\windows\system32\dmutild.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\SYSTEM\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108700882\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [setup] D:\setup.exe
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AOLWebutil] "C:\Program Files
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nalotadepo] Rundll32.exe "C:\WINDOWS\system32\zibuyubo.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1606980848-1993962763-839522115-500\..\Run: [ATI Launchpad] (User '?')
O4 - HKUS\S-1-5-21-1606980848-1993962763-839522115-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PowerReg Scheduler V3.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_P...ontrol_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall....ickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...te.cab?1186796357158
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {DFABA77C-F8BB-4AB9-BED7-7D48AE103E24} - http://www.myfreeicons.com/cabs/setup300.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: hadjajr.ini C:\WINDOWS\system32\midirude.dll c:\windows\system32\nurugapu.dll c:\windows\system32\nefuwipi.dll
O20 - Winlogon Notify: cbxwxvs - cbxwxvs.dll (file missing)
O20 - Winlogon Notify: ghccdigo - dmutild.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nefuwipi.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nefuwipi.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7856 bytes
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
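Reading a log like the one above is the "expert's job" bedstor mentions: the tell-tale signs are not any single line but the same DLLs turning up across several load points (a nameless BHO, a Run key that loads a DLL through rundll32, AppInit_DLLs, Winlogon Notify, and the SSODL and SharedTaskScheduler entries that share one CLSID and one file). The following Python triage script is an added example, not part of this thread and not HijackThis's own logic; it parses the O2/O4/O20/O21/O22 entry formats, cross-references every module across those load points, and reports the ones that match these patterns. The sample lines are copied from the log posted above; the flagging rules are this example's assumptions about what an analyst looks for, not a definitive malware test.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not part of the thread. It parses the module-load entries HJT
reports (O2 BHOs, O4 Run keys, O20 AppInit_DLLs and Winlogon Notify, O21 SSODL,
O22 SharedTaskScheduler), cross-references every DLL across those load points
and flags the patterns an analyst looks for when Vundo is suspected. The
flagging rules are this example's assumptions, not HJT's own logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the O2/O4/O20/O21/O22 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {31b5a924-a70f-4281-aac7-32dd2afbb7a3} - C:\WINDOWS\system32\wogutopa.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nalotadepo] Rundll32.exe "C:\WINDOWS\system32\zibuyubo.dll",s
O20 - AppInit_DLLs: hadjajr.ini C:\WINDOWS\system32\midirude.dll c:\windows\system32\nurugapu.dll c:\windows\system32\nefuwipi.dll
O20 - Winlogon Notify: cbxwxvs - cbxwxvs.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nefuwipi.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nefuwipi.dll (file missing)
""".strip()

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A module reference: a drive-letter path (may contain spaces) or a bare file
# name, ending in an extension that a load point can map into a process.
MODULE_RE = re.compile(r"(?:[A-Za-z]:\\[^\"]*?|\S+)\.(?:dll|exe|ocx|ini)\b", re.I)


@dataclass
class Finding:
    module: str                                   # lower-cased file name
    load_points: list = field(default_factory=list)  # HJT sections referencing it
    reasons: list = field(default_factory=list)      # why it was flagged (may be empty)


def parse_entries(text):
    """Return (section, body, clsids, modules) for each HJT entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        clsids = [c.upper() for c in CLSID_RE.findall(body)]
        mods = [re.split(r"[\\/]", p)[-1].lower()
                for p in MODULE_RE.findall(body.replace('"', ""))]
        out.append((section, body, clsids, mods))
    return out


def triage(text):
    """Cross-reference modules over all load points; return {module: Finding}."""
    findings = {}
    clsid_sections = defaultdict(set)   # CLSID -> sections that register it
    clsid_modules = defaultdict(set)    # CLSID -> modules it maps to

    def note(mod, section, reason=None):
        f = findings.setdefault(mod, Finding(mod))
        if section not in f.load_points:
            f.load_points.append(section)
        if reason and reason not in f.reasons:
            f.reasons.append(reason)

    for section, body, clsids, mods in parse_entries(text):
        for c in clsids:
            clsid_sections[c].add(section)
            clsid_modules[c].update(mods)
        if section == "O2" and body.startswith("BHO: (no name)"):
            reason = "BHO registered without a name"
        elif section == "O4" and re.search(r"\brundll32\.exe", body, re.I):
            mods = [m for m in mods if m != "rundll32.exe"]
            reason = "Run key launches a DLL through rundll32"
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "listed in AppInit_DLLs (loaded into every process that uses user32)"
        elif section in ("O20", "O21", "O22"):
            reason = "Winlogon Notify / SSODL / SharedTaskScheduler handler"
        else:
            reason = None                 # benign-looking entry: record the reference only
        for m in mods:
            note(m, section, reason)
            if "(file missing)" in body:
                note(m, section, "load point kept after the file was deleted")

    for clsid, secs in clsid_sections.items():
        if {"O21", "O22"} <= secs:        # one CLSID serving as both SSODL and STS handler
            for m in clsid_modules[clsid]:
                note(m, "O21", "CLSID %s registered as both SSODL and STS" % clsid)
    for f in findings.values():
        if len(f.load_points) > 1:
            f.reasons.append("referenced from %d load points: %s"
                             % (len(f.load_points), ", ".join(f.load_points)))
    return findings


def suspicious(text):
    """Module names with at least one reason, most load points first."""
    fs = [f for f in triage(text).values() if f.reasons]
    return [f.module for f in sorted(fs, key=lambda f: (-len(f.load_points), f.module))]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG).values():
        if f.reasons:
            print("%-14s %-12s %s" % (f.module, ",".join(f.load_points), "; ".join(f.reasons)))
```

On the sample, nefuwipi.dll comes out on top because it is referenced from three load points (AppInit_DLLs, SSODL and SharedTaskScheduler) under one CLSID, which is exactly why deleting a single file by hand brings the detection straight back; SDHelper.dll, ssv.dll and ashDisp.exe are recorded but not flagged. The script only reads the log text, so it is safe to run anywhere; it does not touch the registry, and nothing it flags should be removed without checking the file against the reasons it prints.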
bedstor (Diamond Enthusiast) posted:
Looks a tricky fix.
But here are the full detection/removal instructions (bad layout but readable): http://icrontic.com/forum/showthread.php?p=333265

Think it's best left to a computer shop. I daren't touch it, sorry.
 
Posts: 14539 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
JWooden271 (Gold Enthusiast) posted:
quote:
Virtumond de.prx Trojan Virus comes up. I have deleted it, but it keeps coming right back the next time I do a scan.


"Virtumonde" or "Virtumondo" is more commonly known as "Vundo". Wikipedia has an article about it. You may have noticed that your antivirus, firewall and antispyware software have been behaving strangely. Vundo attempts to disable or alter many security software products.

Symantec, makers of Norton, offer a free tool to remove the Vundo trojan horse. If that doesn't do the trick, VundoFix will probably do it in.

Other notes about your report:
- Windows 2000 is out of date. The latest version is Service Pack 4. Please visit Windows Update ASAP!!!

- You have a few old "Downloaded Program Files" lurking in your cache. I suggest running disk cleanup. It'll free up some disk space.

- If you have not used AOL recently, consider uninstalling it. (AOL email is easily accessible via AOL.com webmail) Removing the AOL software will free up disk space and RAM.

- Your version of Internet Explorer is waaaay out of date. Latest version of IE for Win2k is Internet Explorer 6 SP1, which itself is nearly at end-of-life. (XP/Vista users have IE7, and soon IE8) I strongly suggest switching to Firefox 3 or Opera for your web browsing needs.
 
Posts: 1030 | Location: Fox Valley, Second Life | Registered: 06-03-02
JerseyTomater (Diamond Enthusiast) posted:
Hello J! So it is 'Vundo' who has been playing havoc with my security software!

I'm gonna give the Norton fix a try and do a disk clean.

I've tried to download Service Pack 4 a few times, but it won't download for me.

I don't use AOL; I thought I had uninstalled it.
How do I go about uninstalling it?

Thanks J!


PS: I'll definitely look into Firefox!
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
JWooden271 (Gold Enthusiast) posted:
Manually downloading the Win2k SP4 installer might work for getting Service Pack 4 to install. It will take a while for the installer to download all the bits and pieces to update your OS. Best to get it started, and leave for dinner.

AOL has instructions for uninstalling its software.

Best of luck getting your PC back in shape!
 
Posts: 1030 | Location: Fox Valley, Second Life | Registered: 06-03-02
bedstor (Diamond Enthusiast) posted:
quote:
Originally posted by JWooden271:

AOL has instructions for uninstalling its software.


As an AOL user I agree this is the best way, although slow.
There will be some tags left over in the Registry.
Running a cleaner like CCleaner (on the Registry cleaner) will get rid of these and other oddments. Safe to run, though in regular use certain tick boxes must be unchecked.
This is especially important if you are running the cleaner.
www.ccleaner.com
 
Posts: 14539 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
An outta shape puter! That's putting it mildly J!

Thanks for all your help J & bedstor!
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
bedstor (Diamond Enthusiast) posted:
Just spotted this. Dunno if this is connected?
It is a different signature though.
quote:
O4 - HKLM\..\Run: [nalotadepo] Rundll32.exe "C:\WINDOWS\system32\zibuyubo.dll",s


www.prevx.com/filenames/X892232627532118388-X1/ZIBUYUBO2EDLL.html

Pencil that in for deletion later in HijackThis!

As for Vundo:

You have Windows 2000. Install/run this:
http://fileforum.betanews.com/detail/Symantec_TrojanVun...al_Tool/1101510353/1
Feedback on the page suggests they leave an antispyware ad, but that can be dealt with more easily than the virus if that happens.

For XP users who are looking in, use this link instead (DISREGARD the other link):

XP Vundo removal tool
 
Posts: 14539 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
Gold Enthusiast posted:
quote:
O4 - HKLM\..\Run: [nalotadepo] Rundll32.exe "C:\WINDOWS\system32\zibuyubo.dll",s


quote:
O2 - BHO: (no name) - {31b5a924-a70f-4281-aac7-32dd2afbb7a3} - C:\WINDOWS\system32\wogutopa.dll


Remove the above files.
 
Posts: 554 | Location: Mississauga, Ontario, Canada | Registered: 06-03-02
JerseyTomater (Diamond Enthusiast) posted:
Thanks CS!
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
bedstor (Diamond Enthusiast) posted:
JT
I know this is being nosey, but have you got SpywareBlaster installed? Preferably version 4.1.
This has lots of Vundo "blocks", and has also been populating the IE Restricted sites list often, something MS has not bothered with on an update.
www.javacoolsoftware.com/spywareblaster.html
If you are using version 3.0 there are no or very few updates being issued for that program now, so uninstall that and install 4.1.
Updates are roughly monthly (manual).

Avast! is also worth getting (totally free). It's a very good antivirus detection program; it even looks at email for "visitors".
Updates daily (click on the blue popup).
The only hard thing to do is to find where the activation key goes for 1 year's updates. Shout out if you are lost and we'll show you where it goes.
NOTE: You'll get a month's updates without the "key".
 
Posts: 14539 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
JerseyTomater (Diamond Enthusiast) posted:
Hi bedstor! Spybot is still picking up the Vundo.

I have Avast, and I've run the scan in regular & safe modes and it does not pick up the Vundo.

I ran the Norton Vundo tool a few times and the virus does not come up there either.
Will be running it again ...

I also tried deleting those 2 files that CS recommended, and they're still there.
Updating to Windows Service Pack 4 won't take manually either. This virus isn't letting me do diddly.
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
JerseyTomater (Diamond Enthusiast) posted:
I finally found a tool that was able to delete all the Vundo infections (there were 30!). Malwarebytes did the trick!
 
Posts: 3022 | Location: NJ, USA | Registered: 06-03-02
Gold Enthusiast posted:
Jersey,
That's exactly the program I was about to suggest before I read your last post! Glad you got rid of that pest! You might also want to install and run a scan with SuperAntiSpyware. It's also very thorough.

www.superantispyware.com

Download and install the free version.


chris
 
Posts: 857 | Location: Wytheville, va. USA | Registered: 09-03-02
bedstor (Diamond Enthusiast) posted:
I questioned some people who do virus removals (for cash) and they said the same as yourself: it removes the pest yet goes overboard on finding "false positive" references too.
But they said too it's a good cleaner for all that. Something they'd recommend.
 
Posts: 14539 | Location: 6 miles west of Wigan UK | Registered: 06-05-02
© 2002-2009 AnswerPool.com