Need help w/ pesky Virtumonde...

I went through the very well-written and informative READ-ME to remove most of the viruses I contracted on 12-16-08.

Last year (Jan. 2008), I had a VUNDO infection, and I used the VUNDOFIX this site offered to remove it.

Then on Dec. 16, my wife was browsing the website "SoapCentral.com" (which she had gone to multiple times in the past), and she was hit with a "You have a virus!" pop-up, that probably asked for money to be removed.
My guess is that maybe she ran into a poisoned image or movie advertisement. She said she saw two instances of "Mama Mia" being advertised and that it seemed unusual. I wish I could say more, but I wasn't doing the browsing, so I have no idea what happened. I figure the viruses we got are new instances, and not a remnant of the Vundo from earlier this year (as I received no more bad registry results from either Spybot's scan, Ad-Aware's scan, or AVG's scan - after applying the VundoFix program that was offered on MajorGeeks!).

I ran my AVG 8.0 (free ed.) and removed some of the viruses, and then I ran Spybot to remove the rest. But five infections kept appearing: 2 Virtumonde's, 2 Virtumonde.generic, and 1 Smitfraud-C. These were usually in the form of Registry keys that refused to be removed! Well, rather, they got removed and then reappeared the next time I scanned.

I went through the READ-ME and I got rid of all of those except for one registry entry for Virtumonde. Spybot finds it but cannot delete it. I've also tried running Spybot before loading the operating system (the program offers that option to remove some viruses), but it cannot remove the bad Virtumonde registry entry - it keeps telling me it's in use.

I will attach the results of my scans!

I appreciate the help! Thanks, guys!
(If you need more info, let me know!)

The first SuperAntiSpyware log (20-38-42) is from the first run. During removal of malware, the program crashed and had to be restarted. It removed some spyware but then forcibly closed "winlogin.exe" (I believe), which then crashed the system.
Thus, I included a second SuperAntiSpyware log (20-38-55).

The Spybot log had to be shortened because it exceeded the 250 KB file limit (by 10! ARGGH!). So I cut off some of the stuff on the bottom. I can attach the bottom stuff I cut off, if you guys think it's important. But I thought the important stuff was at the top, so I'm posting it like this for now!

 

The other logs...

 

Originally, my AVG 8.0 (free ed.) found a virus named "GADCOM.EXE".

This was the installing agent, I believe. I'm including an Excel log of what AVG eliminated - in case it's of any help!

 

The other site I visited is called "Cashbackr.com", but I have McAffee's SiteAdvisor, and you would think it would warn me if the site was bad. I have no idea how we got these viruses, but I assume it was from SoapCentral.com, cause that was what she was actively browsing (though we do leave other web pages open). Is there any way to pinpoint where the virus came from???

The other thing I wanted to mention is that the virus quickly disabled my Window XP Pro's FIREWALL when it infected the machine. I had no idea a virus could even do that. I mean, the firewall is there for a reason and BAM! Disabled! Nice.

(Oh, and it looks like I forgot to add the MGlogs.zip attachment! So I'm doing that now!)

 

Thanks for the warm welcome! I've been browsing the site here and there since Jan., but then had to join for some of the software to fix this virus! I love this site and the folks here! I'm definitely recommending it to others (which will, unfortunately, mean more work for you guys! ).

I followed your instructions, and everything... miraculously... looks CLEAN!!!

I'm attaching three logs. The one after it cleaned everything, the second run, and then my third run (after rebooting, since I didn't do that on the second run!). So the pertinent logs are probably the first and third!

I'm not sure if your READ ME is updated with the latest edition of SuperAntiSpyware (the version I downloaded was straight from a link in the READ ME, so that might explain how I got an older version!). Or maybe the new version IS in the READ ME and I somehow downloaded an older one??? I don't know.

But thanks a lot for all the help! It looks like the virus is gone, and I'm now running Spybot to make sure!

As a side note, do you have any idea why I might have a RED "X" as the picture of my C: hard drive? I've had that since I repaired the original VUNDO I had back in January! I can't figure out what the red x means, or how to change the picture back. Should I be concerned about that? Or is it some obscure indication that my HDD is really fragmented or something?

THANKS AGAIN FOR ALL THE HELP!

 

Everything appears to be clean, but while running Lavasoft's Ad-Aware SE Personal, I got this strange virus warning. I think it was trying to access an infected VUNDO file. I took a screen shot, cropped it, and am posting the actual message. I chose "HEAL" out of those options.

Is there some remnant of the virus still lurking in my system?

 

Thanks for all the help! I really appreciate it! I thought we were pretty much done, but it looks like I have some more work...

Sorry for the delay in replying!

I used the Registry edit you made in your first reply and it definitely solved my red "X" icon problem! THANKS!
Any idea why the icon got changed to begin with???? I like having some knowledge about these issues, as I plan on working in I.T. full time soon!

As for the updates on the various softwares, I have updated all of them (as per the instructions), but it looks like they keep updating further and are making me look stupid on purpose! rolleyes I've never seen anti-virus programs update THAT quickly!
So I apologize if it looks like any of my programs are out-of-date, but I have been searching for updates throughout these procedures!

Right now I'm running that SAS scan with the newest update. I'll post the log as soon as it finishes!

Thanks again for all the help! :clap

 

Here's my SAS log! No viruses...

Going to run the other steps (in your second reply) now.

 

Tried running Combofix with the notepad file, but the program hung/froze. So I closed it and tried re-running it (to no avail).

Should I reboot and try again???

Plus, my system clock (in the tray) is now in 24 hour mode... which is weird... (Combofix was supposed to return it to normal).

I'm thinking REBOOT and try again. Sound good?

 

Ran the scans, my man! :-D

Had to reboot since ComboFix kept freezing. Originally, I forgot to turn off my AVG... so that was probably the issue. But then, after turning it off, I still couldn't get ComboFix to run properly. Maybe the original instance of the program was still running (even after reboot)??

Anyway, ran through the steps. Minor error with Avenger.exe (as shown in the log file) - I made an image of the error message.

Everything else seems clean.

I'm not running into any problems with the computer right now... but I'm also not connecting it back to the internet until we're clean of infections (just in case). I know these viruses have a bad habit of rebuilding themselves.

Thanks for helping me clean the Dealio mess! I would have never downloaded it had I known it was spyware/adware. The website doesn't make it seem half as bad as it is - but you know there's a problem when the website is outright telling you that the program is hard/almost-impossible to properly remove. I didn't even want the program, but it came with some other program I downloaded. Last time I accept charges! "No, I won't take the collect call!" Of course, I've been [stupidly] using MSCONFIG to boot my PCs faster... so that could also be some explanation as to why we're finding various remnants of old programs/viruses. I read the guide to NOT using MSCONFIG on MajorGeeks, and I plan on using those tips from now on!

Thanks for all the help! :clap I hope you have a happy New Year! :dancer

Let me know if there's anything else I need to do before I can give my PC a clean bill of health! HAPPY 09!!!

 

A quick question that needs your expertise:

How would you describe Vundo? A virus? A trojan? Simply "malware"?

My uncle runs a Quickbooks training company and knows quite a bit about computers. He argued about a distinction between viruses and spyware/adware (that viruses delete data and do more harm than spyware/adware). I did some research on the net, and I do see a distinction mentioned - however, it seems almost arbitrary. Before the internet, a "virus" spread via manual tools and user activations. I understand that. But "malware" or "spyware/adware" today can have the same effects as one of those "viruses", so I am confused as to why the computer community would limit the term "virus" like that, rather than evolve the term to include the activities of Trojans and spyware/adware. At one point, there was a difference between "worms" and "viruses", but are there any TRUE viruses out there that don't share characteristics with all malware in general???

Or is the simple solution to this query to use the term "malware" as a catch-all description (to depict almost any computer infection)?

What is "Vundo" classified as?

Thanks!

 

Just caught a warning message from AVG about an infected file. I'm posting the image I saved!

Seeing as how it seemed to be a Windows Restore file, I followed your guide for turning off Windows Restore (on my XP Pro PC!), and I ran a Spybot scan.

The scan came out clean, but should I run the other scans like Combofix, SuperAntiSpyware, etc?

Or is turning off Windows Restore and then turning it back on the simple solution?

Right now, Windows Restore is still set to off. I'll await your instructions before I do anything else! I'm running AVG's virus scanner now, but I don't expect it will find anything.

I'll attach the clean Spybot log, in case it's useful.

 

Ha ha... well, believe it or not, I was NOT bumping my thread. I was trying to post new (and relevant) information - well, except for the general question about Vundo's classification! :-D

Most forums have some sort of edit function, and I would have done that (cause I did read the DO NOT BUMP a while ago!), but I couldn't find an edit button anywhere. :confused So, sorry for the "bumps", but I REALLY wasn't trying to bump!
EDIT: Correction... I just found the EDIT button. I don't know why it didn't show in some of the posts. I guess you can only edit your last post? How the heck did I miss that button?!?! :-0

I figured we were about done, by the way! I appreciate all the help with this. It's my opinion that I caught Vundo TWICE because of the same Java vulnerability! rolleyes So I'm updating all the PCs in my house, my parent's house, etc. to make sure they don't catch the same thing!

Thanks again for the help! YOU ARE THE MAN! :major

 

NOT A BUMP!

Apparently, you can only edit your LAST post, ONCE! :confused That's a little weird...

Anyway, I had a quick question about my desktop - you told me to remove all the items and leave only links?

Is there a particular reason for that? Are desktop items more susceptible to spyware or something? Other than the obvious clutter, I don't see the harm.

 

[NOT A BUMP] - Can't edit posts, so...

Did a MalwareBytes scan and found a virus FILE. Deleted, rebooted, and re-scanned. Second scan clean. Posting both logs for you. Let me know if it's anything relevant! Thanks!

 

There's a certain paradox in your bump argument. I can't possibly post some relevant log I catch from another virus scan if I already replied earlier. And if I don't reply quickly, I won't get a quick reply back. I guess there's some sort of middle ground, but every time I reply, I sincerely do not expect to have anything relevant to add later. Murphy's Law: a new log comes up and I feel it's important to bring it to your attention (in the hopes of making your job easier!).

I guess poor human behavior (i.e. the deletion of previous posts) and limited technology put us in a no-win situation here! Do I blame the stupid men before me or the limitations of forums and editing? (Or blame myself? :-D)

All that aside, I appreciate all the help you've given me on this! And especially, the added info on stuff like defining Vundo and cluttered desktops! My hat's off to ya! :clap THANK YOU THANK YOU THANK YOU THANK YOU!!!!:clap

 

Yep, that does make sense, and in hindsight, I would've done just that.

I just got another Vundo infection due to some stupid browsing, but I was able to eradicate it with the guide... luckily! :-D

Only weird thing is that the normal text bubbles from my system tray (lower right corner) don't show up. I'll hear a text bubble sound (i.e. new updates available for my Win XP OS), but the bubble does not appear. Any idea how to fix that? :-/

I appreciate all the help and replies, by the way! Above and beyond!!! :wave

Also, I'm actually going to implement the tips from the "How to Protect Yourself from Malware" thread, this time! I got lazy about it last time... and yeah... got reinfected! ;-0 On the bright side, I'm proud to have removed Vundo THREE times now (thanks to your help!!!!)! CHEERS! :-D