Please Help--Dealing With Virtumonde

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jeff MG, Sep 27, 2008.

  1. Jeff MG

    Jeff MG Private E-2

    I'm at the end of my rope trying to obliterate the hellspawn known as Virtumonde and Virtumonde.prx (?) from my computer. Despite my best efforts, SpyBot continually observes its presence on my computer after it should have been deleted. It occasionally shows up accompanied by Zlob.downloader.bs, but I managed to make that go away for a while by following a series of HijackThis suggestions I found.

    In my desperation, I downloaded ComboFix, but as soon as it started running, ComboFix found a rootkit and rebooted, and when my computer came back online, both ComboFix and HijackThis had disappeared. This happened to me twice (I downloaded HijackThis and ComboFix again.) I don't have the Windows Vista CD on me at the moment, so I can't enter Recovery Mode; the software known as Vundofix resolutely refuses to admit I have Vundo or Virtumonde on my computer even though SpyBot has found it repeatedly.

    Basically at the moment I'm left cowering in Safe Mode, hoping there's some way for me to get rid of this and save my beloved laptop. If you can help, please do and accept my eternal gratitude.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please uninstall HJT as it will be properly installed when you do the following:

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide

    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
     
  3. Jeff MG

    Jeff MG Private E-2

    Thanks, the triple cocktail in the Anti-Malware thread you mentioned seems to have done the trick, at least according to SpyBot. Huge gracias; you've helped save my sanity with that link. (My bad on skipping it before; I was worried ComboFix would flip its bit again and ruin things, but by doing everything else I think I'm in the clear.)
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There may still be traces that we need to remove and the only way for me to know is to see the requested logs. :)
     
  5. Jeff MG

    Jeff MG Private E-2

    Fair enough.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/28/2008 at 09:10 PM

    Application Version : 4.21.1004

    Core Rules Database Version : 3555
    Trace Rules Database Version: 1543

    Scan type : Complete Scan
    Total Scan Time : 00:15:16

    Memory items scanned : 647
    Memory threats detected : 0
    Registry items scanned : 7928
    Registry threats detected : 5
    File items scanned : 0
    File threats detected : 0

    Adware.Vundo Variant/Rel
    HKU\S-1-5-21-221074350-3926372785-2001073628-1000\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\OWNER\AppData\Local\Temp\xxyvwWqn.dll,#1 ]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Windows\system32\ddcYsTMG.dll,#1 ]
    HKU\S-1-5-21-221074350-3926372785-2001073628-1000\Software\Microsoft\Windows\CurrentVersion\Run#cmds [ rundll32.exe C:\Users\OWNER\AppData\Local\Temp\geBtUnom.dll,c ]
    HKLM\SOFTWARE\Microsoft\FCOVM
    HKU\S-1-5-21-221074350-3926372785-2001073628-1000\Software\Microsoft\rdfa


    Malwarebytes' Anti-Malware 1.28
    Database version: 1221
    Windows 6.0.6001 Service Pack 1

    28/09/2008 9:24:13 PM
    mbam-log-2008-09-28 (21-24-13).txt

    Scan type: Quick Scan
    Objects scanned: 44845
    Time elapsed: 4 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 6
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Windows\System32\qnntpfos.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Users\OWNER\AppData\Local\Temp\geBtUnom.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4c9c9caa-fb06-4dfb-9cba-72fdbae8b713} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4c9c9caa-fb06-4dfb-9cba-72fdbae8b713} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d3ccfaf7-df03-4e73-95ec-e5e139cc2bf2} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instbndlkeyldr (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5799e186 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\users\owner\appdata\local\temp\gebtunom -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\users\owner\appdata\local\temp\gebtunom -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\OWNER\AppData\Local\Temp\geBtUnom.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Users\OWNER\AppData\Local\Temp\monUtBeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Users\OWNER\AppData\Local\Temp\monUtBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\qnntpfos.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Windows\System32\sofptnnq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Windows\System32\ (Trojan.Agent) -> Delete on reboot.
    C:\Windows\System32\drivers\ (Trojan.Agent) -> Delete on reboot.
    C:\Windows\rwlfsdmk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\System32\drivers\TDSSserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

    Those are the logs I have at the moment. I removed the other antispyware software because there was so much of it and it was taking up a lot of space and resources :eek:. Also, I'm terrified ComboFix will eat my computer's brains. Anyway, I hope these logs will do. I'll download HijackThis and get a log if that's required.
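    The Malwarebytes log above lists which autostart points Vundo had hooked (a Run value, a Browser Helper Object, LSA Notification/Authentication Packages and Winlogon Userinit) and which files were only marked "Delete on reboot". The following is an added example, not code from MajorGeeks or Malwarebytes: a small Python parser for detection lines in the `<item> (<threat>) -> [Data: <data> ->] <action>` shape shown in that log. It groups registry hits by the persistence mechanism they touch and lists the items that still need checking after the restart. The sample log embedded in it is constructed from the lines posted above, and the persistence categories are my own labels, not Malwarebytes' classification.

```python
"""Triage helper for Malwarebytes-style scan log lines (added example)."""
import re
from collections import defaultdict

# Detection line layout, as seen in Malwarebytes' Anti-Malware 1.28 output:
#   <item> (<threat>) -> [Data: <data> -> ]<action>.
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)

# Autostart locations worth a second look after cleanup (labels are my own).
# Matched case-insensitively against the registry path; first match wins.
PERSISTENCE = [
    ("LSA authentication/notification package",
     r"\\control\\lsa\\(notification|authentication) packages"),
    ("Winlogon Userinit", r"\\winlogon\\userinit"),
    ("Browser Helper Object", r"\\browser helper objects\\"),
    ("Run key", r"\\currentversion\\run\\"),
    ("COM CLSID", r"^hkey_classes_root\\clsid\\"),
]


def classify(reg_path):
    """Map a registry path to the persistence mechanism it belongs to."""
    p = reg_path.lower()
    for label, pattern in PERSISTENCE:
        if re.search(pattern, p):
            return label
    return "other registry"


def parse_line(line):
    """Return a dict for a detection line, or None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Items starting with a drive letter are files; everything else is registry.
    rec["kind"] = "file" if re.match(r"^[a-z]:\\", rec["item"], re.I) else "registry"
    rec["persistence"] = classify(rec["item"]) if rec["kind"] == "registry" else None
    # "Delete on reboot" means the item was still locked (loaded in memory) and
    # must be verified gone after the restart.
    rec["pending_reboot"] = rec["action"].lower().startswith("delete on reboot")
    return rec


def triage(log_text):
    """Group registry hits by mechanism and collect reboot-pending items."""
    by_mech = defaultdict(list)
    pending = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["persistence"]:
            by_mech[rec["persistence"]].append(rec["item"])
        if rec["pending_reboot"]:
            pending.append(rec["item"])
    return dict(by_mech), pending


# Constructed sample, copied from the log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4c9c9caa-fb06-4dfb-9cba-72fdbae8b713} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4c9c9caa-fb06-4dfb-9cba-72fdbae8b713} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5799e186 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\users\owner\appdata\local\temp\gebtunom -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

Files Infected:
C:\Users\OWNER\AppData\Local\Temp\geBtUnom.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\qnntpfos.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\drivers\TDSSserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    mechanisms, still_pending = triage(SAMPLE_LOG)
    for label, items in mechanisms.items():
        print(f"[{label}]")
        for item in items:
            print("   ", item)
    print("\nVerify after reboot:")
    for item in still_pending:
        print("   ", item)
```

Running it against the posted log shows two reboot-pending DLLs (the ones that were still loaded as memory modules) and hits on four distinct autostart mechanisms, which is why a helper would ask for a fresh log after the restart rather than calling the machine clean.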
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

