Virtumonde.dll [Archive] - FreeConservatives



BarryC
01-28-2008, 10:32 PM
This computer I'm borrowing right now is infected with something called virtumonde.dll. It's terrible, and nearly impossible to get rid of.

This computer has Spyware Blaster, and Spybot- Search & Destroy, which has some prevention, like Spyware Blaster. Very little that's bad ever gets through. But a couple weeks ago a whole bunch of stuff broke through the defenses, all at once, including a bunch of virtumonde stuff. One thing was called Malware Alarm and another I think was called OIC or something. I forget the full name. All of the stuff was easily removed, including all of the virtumonde stuff except one dll file. But with that one file running, all the other stuff kept coming back. (Although now it's all gone except for the one virtumonde file.)

It's called Virtumonde.dll, but the actual file name is different than that, and it renames itself from time to time. Last I checked it was rqonk.dll. It's located in C:\WINNT\system32.

I also have Adaware SE, Hijack This and Registry Mechanic, which really is not the same thing. Only Hijack This, and Spybot- Search & Destroy will find the dll file. The other programs won't find it. But it seems to be undeletable anyway. Besides that, Spybot- Search & Destroy takes 2 hrs., 50 min. to run on this computer! It's terrible.

Okay, now that you know all that, I've tried a few things to get rid of it. First I downloaded a program that's made specifically for getting rid of all virtumonde files. Unfortunately no matter how many times I ran it, it never even found any of the virtumonde files. One time I ran Adaware SE after running that other program (which told me there weren't any virtumonde files on this computer). Adaware found 17 files, although it didn't, and never did, find the virtumonde.dll file. Okay, so I deleted that program since it was useless. I also downloaded Spy Hunter, which purported to get rid of virtumonde infections, but it never found that one dll file. (But it did find other bad stuff that nothing else has found.)

Then I read this page: http://www.safer-networking.com/removeVirtuMonde.php , where I found that you can "un-register" the dll files. But every time I tried, I got an error message that said something about the unregister server is offline, or malfunctioning, or something. Then finally, I discovered that with Hijack This, you can order Windows to delete a file at startup, but even then it wouldn't delete that one file!
Right now the file seems to be doing nothing except slowing the system down. Right now while I've been typing this message everything has frozen a couple of times so far. But I can usually get things to free up again when that happens. When the file is more active I get re-directs, especially after clicking on search results, but sometimes other times too.

So I'm desperate to find a way to get rid of this file. It's driving me up a wall.
Please help.
Thanks,
Barry

Elgalad
01-28-2008, 10:57 PM
Doc will be along soon to save the day I'm sure!

While he's at it though, I notice you listed a lot of spyware software that you run.. do you run all those regularly?

I only use ad-aware, spybot, and Norton (anti-virus, internet security, and system works), and I wonder if maybe I should add some more. I try to run each program (and updates) at least once a week, and Norton's on auto all the time, unless it's REALLY messing with something, like an off-line game and I know it's safe to turn off.

Doc, after you answer Barry's concern, can you suggest any more stuff I might add? I'd hate to get caught like Barry did.


-Elgalad

BarryC
01-28-2008, 11:13 PM
There's another one called Spy Sweeper, which I have not put on this computer, although it is on my own computer.
They say it's good to have multiple spyware removal programs because each one may find different things, which does seem to be the case. My own computer also has Panda running 24/7.

Rhino
01-29-2008, 09:46 AM
Have you done all this?

http://www.411-spyware.com/remove-virtumonde

Simply deleting files will not do it if you don't clean the registry. It would probably be best to do all this in Safe mode.

Rhino
01-29-2008, 09:49 AM
Did you put a space between "regsvr32" and "/u", and then another space right after that?

Rhino
01-29-2008, 09:51 AM
What exactly is the unregister error? Is it one of these?

http://support.microsoft.com/kb/249873

Rhino
01-29-2008, 09:55 AM
Regsvr32.exe loads the file you are trying to register or un-register, along with all of its dependencies. The process may be unsuccessful if a required file is missing or damaged.
http://www.uninet.net/~blaisdel/Regsvr32Info.htm

My guess is you removed one of those other files before doing the unregister.

BarryC
01-30-2008, 09:37 PM
Yes. I realize that. But my spyware removal programs remove all the bad registry keys and values too. Everything has been removed, both from the registry and the rest of the computer, except that one file. I have to check your link though. It doesn't look familiar.
Thanks.
Simply deleting files will not do it if you don't clean the registry. It would probably be best to do all this in Safe mode.

BarryC
01-30-2008, 09:38 PM
Yes.
Did you put a space between "regsvr32" and "/u", and then another space right after that?

BarryC
01-30-2008, 09:51 PM
Below is the complete error message:

C:\WINNT\system32\byvss.dll was loaded, but the DllUnregisterServer entry point was not found.

DllUnregisterServer may not be exported, or a corrupt version of C:\WINNT\system32\byvss.dll may be in memory. Consider using PView to detect and remove it.

I tried the unregister server as a last resort, after everything had been deleted except that one dll file. So I guess I corrupted it. I didn't know about the unregister server until it was too late.
I tried looking up that PView thing, but I need to look some more. But the more I do with this computer the worse things get.

By the way, that dll file has renamed itself yet again. byvss.dll is its latest incarnation.
Barry

What exactly is the unregister error? Is it one of these?

http://support.microsoft.com/kb/249873

Rhino
02-01-2008, 07:08 AM
Not sure what to say now. Unless you can restore the dependencies, or find another path for deletion, you may end up reloading the computer. Really hard to judge this stuff without being there.

BarryC
02-01-2008, 08:04 PM
Update:
I got to thinking, I got an email message a few days ago from Panda, saying that my license was up for renewal. I checked that message and decided that I would install the Panda antivirus on this computer. I went to renew the license and found that I had a license for 3 computers, so that was great. I installed Panda on this computer and it has found tons of stuff, all of which have been neutralized or deleted. I think everything's fine now. If I had any idea that I would be keeping this loaner computer this long, I would have installed Panda ages ago.
Thanks for taking the time to answer anyway.
Barry

BarryC
02-03-2008, 10:25 AM
Update again!
Yesterday I was having a few problems with this computer again, so.....
Last night I got fed up with not being able to update the definitions file of my Adaware. I eventually found out that Adaware SE Personal was no longer supported because it's been replaced by Adaware 2007. So I downloaded that. I updated its definitions file and then ran it. It found 123 tracking cookies and 23 Virtumonde files and registry keys and values. I made it delete all. But two of the Virtumonde files could not be deleted. It said they would be deleted upon a reboot. So I rebooted the computer and then ran Adaware again. It found absolutely nothing. Yay!

Timberwolf
02-03-2008, 03:59 PM
:thumb:

DoctorDoom
02-03-2008, 09:39 PM
But two of the Virtumonde files could not be deleted. It said they would be deleted upon a reboot.

When this message appears with an AV or spyware program, it means that the file is running. Windows won't delete an active file. Adaware deleted the startup calls, and after the reboot it was not running, ergo it could be fragged.

Kudos! Charge the owner for services rendered. $50/hour would be reasonable. :evilgrin:

Re tracking cookies, their "danger" is grossly overrated. They're just little text files that are meaningful only to the site that deposited them. Here's one from ABC News, found in the IE Cookies folder.

CP
null*
abcnews.go.com/
1088
1761935360
30785590
2261933312
29910678
*

That sho 'nuff is perilous, hey?

IMO, adware/spyware programs include them because they grossly inflate the number of items that can be listed in the scan report.
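As an added example (not from anyone in this thread), here is a small parser for the Internet Explorer per-site cookie text format quoted above, using the ABC News record as constructed input; the two pairs of numbers are the low and high 32-bit halves of Windows FILETIME values (expiry, then creation), which is how a forensic reviewer would read them when building a browsing timeline. The field order and the `IECookie` helper names are assumptions of this example.

```python
# Added example: decode an IE cookie text record into readable fields.
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

# Constructed input: the abcnews.go.com record quoted in the post, as it
# would sit in a "user@abcnews.go[1].txt" file in the IE Cookies folder.
# Record layout assumed here: name, value, host/path, flags,
# expiry FILETIME (low, high), creation FILETIME (low, high), lone "*".
SAMPLE_COOKIE_FILE = """CP
null*
abcnews.go.com/
1088
1761935360
30785590
2261933312
29910678
*
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # 100 ns ticks start here


class IECookie(NamedTuple):
    name: str
    value: str
    host_path: str
    flags: int
    expires: datetime
    created: datetime


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Join two 32-bit halves into a 64-bit FILETIME and convert to UTC."""
    ticks = (high << 32) | low          # 100-nanosecond units since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text: str) -> List[IECookie]:
    """Parse every 9-line record; a record not closed by '*' is malformed."""
    lines = text.splitlines()
    cookies: List[IECookie] = []
    for start in range(0, len(lines) - len(lines) % 9, 9):
        rec = lines[start:start + 9]
        if rec[8] != "*":
            raise ValueError(f"record at line {start + 1} lacks '*' terminator")
        expires = filetime_to_datetime(int(rec[4]), int(rec[5]))
        created = filetime_to_datetime(int(rec[6]), int(rec[7]))
        cookies.append(IECookie(rec[0], rec[1], rec[2], int(rec[3]), expires, created))
    return cookies


def is_expired(cookie: IECookie, now: datetime) -> bool:
    """True when the site would no longer receive this cookie at time `now`."""
    return cookie.expires <= now
```

Run on the sample, the record decodes to a cookie set on 2008-02-03 (the day of the post) that expires at the start of 2020, which is all the file ever held: a name, a value, the issuing host and two timestamps.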