Virtumundo on PC; Low virtual memory message also appearing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by martiniqueeni, Nov 6, 2004.

  1. martiniqueeni

    martiniqueeni Private E-2

    Hi!

    We started reading majorgeeks.com when my BF's 6-month old PC (with oodles of memory) started giving a warning message that Virtual Memory was too low. We had been noticing that all programs were loading incredibly slowly. The defrag program in systems tools no longer was able to fix the fragments, which were multiplying daily. The Internet Explorer 6.0 browser fails constantly. It has become totally unreliable for Internet access.

    We've been through the contents of READ ME FIRST BEFORE ASKING FOR SUPPORT (which is excellent, well-written and easy to use). Following are the results:

    System Restore is now disabled.

    None of the items listed for deletion in "services.msc" were found. We skipped the step, as instructed.

    Viewing of hidden files and folders and extensions are now enabled.

    All of the Tools listed have been downloaded and run. AOL does not allow us to reach the Internet in safe mode. So, all the on-line scans were run in normal mode.
    Trend Micro's Free Online Virus Scan found one problem Troj Agent.EA in an AOL Spyware Protection backup file. Deleted it.
    Symantec Security Check - nothing found
    McAfee AVERT Stinger - nothing found in safe mode or in normal mode
    CCleaner - run as instructed - plenty of files and issues removed
    AD-Aware and Spybot - ran as instructed -
    Ad-Aware turned up Softomate Toolbar, Virtumundo, IE Cache - deleted
    Spybot found ATLEvents.ATLEvents - deleted
    Other tools - ran as instructed
    CWShredder - CWS.Jksearch and CWS.HiddenDll were removed
    Kill2me - found nothing
    about:Buster - found nothing
    HSRemove - found nothing

    Alternate Scan Options
    Bitdefender - were never able to reach that site
    Ravantivirus - found nothing
    Trojan Scan - found nothing
    a-squared Virus Cleaner tool - setup files corrupted, cannot run this
    Avast! virus Cleaner tool - found nothing
    ADS SPY from Merijn - the instructions intimidated me (that's an accomplishment) into not trying this. But I will if you insist.

    Virtumundo continues to show up in subsequent scans of Ad-Aware, leading me to believe it never really deleted it or it revived somehow. We're still getting the Low Virtual Memory message, the defrag tool is still ineffective, and our programs are still not working quickly and efficiently. For example, it took 4.5 minutes for AOL to load to the sign-on screen.

    BTW, AOL is the ISP of choice for the owner of this PC. It wouldn't be my first choice but my boyfriend has teenagers and AOL has the best parental control program. So, AOL is the ISP.

    Looking to your suggestions regarding the next steps!
    Regards,
    Martiniqueeni
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Wow, you have really impressed me with what you have done and explaining it in such detail. Well done!

    Ok, Virtumundo can screw up your internet connection, so read this page at Pest Patrol's site for removing it: http://www.pestpatrol.com/pestinfo/v/virtumonde.asp

    I wouldn't be surprised if that's causing you some trouble. At the bottom of the Pest Patrol page I linked to are manual removal instructions. At this point, I am confident you can handle this manually and feel this is the best bet. You might want to check to see how much memory windowsupd2.exe is using before you delete it, just to see if that is the source of your memory hogging, in case that remains a secondary, non-related problem.

    Check back with us after that, we might just want to see your Hijack This logfile next.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hey guys,

    Just to be thorough, it might be a good idea to check this out as well:
    StopGuard or WinFirewall Problems?

    The symptoms are often very similar. Especially considering your SpybotSD results.

    Best,
    PP
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Thanks PhilliePhan, was covering the basics, can never have too much info to check into! That and I didn't notice the Spybot result, so totally missed it.
     
  5. PhilliePhan

    PhilliePhan Guest

    I have worked two threads with practically the same title and both turned out to be StopGuard related, so it was an easy catch for this old dog. They are included in the link I posted.

    PP ;)
     
  6. martiniqueeni

    martiniqueeni Private E-2

    Wow! Thanks for the responses! I'll work on the items you suggest and post with the results.

    Regards,
    Martiniqueeni
     
  7. martiniqueeni

    martiniqueeni Private E-2

    Major,
    I went through the diagnostics in the PestPatrol link you suggested. Came up with a big ZERO. Not one of the files or registry items was found. I did notice that there are two processes (in the Task Manager) that seem to be very large: LIBDB.exe and CAT.exe. I left them alone... I have no idea what they are.

    I re-ran Ad-Aware a few minutes ago, in normal mode. It detected Virtumundo in HKEY_CLASSES_ROOT.altevents.altevents and altevents1. Regedit will not allow me to delete these.

    I noticed that pestpatrol.com is affiliated with eTrust (CA). We used to use eTrust until it stopped working immediately following XP SP2 upgrade. Since AOL is planning to give subscribers the McAfee VirusScan program (yes, that's right "give"), we downloaded the evaluation version and uninstalled eTrust. Having said all of that, it occurred to me that McAfee might have a similar virus removal process. Sure enough, they do. Both of them look similar to PestPatrol but neither of them flag the same files or registry values. They call out virtumonde and virtumundo. They provide a DOS command prompt for scanning the system. I couldn't make it work. Kept getting an error message. We have Engine version 4.3.20 and DAT version 4.0.4404. Do you think there is any merit to struggling through the McAfee diagnostics?

    I'm going to start picking my way through the Stopguard links that PhilliePhan posted. It would be real nice to have the solutions distilled into a single closed thread, if that's even possible. The READ ME FIRST thread is awesome...everything you need in one place. The PREVENTING MALWARE thread is also very good. I used that for my own PC!

    Please let me know what you think about pursuing the Virtumundo route.
    Regards,
    Martiniqueeni
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Martiniqueeni,

    Since you have exhausted so many other options, perhaps it is a good idea to send us a HijackThis log. It'll give us a better idea of where you stand.

    Please read this: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting for info on how to properly scan with HJT.

    Note that HJT needs to be in its own folder - C:\Program Files\HijackThis and that the log must be saved as a .txt file and attached via the "Manage Attachments" tool when you post.

    The symptoms you described in your first post are very similar to what we have run into before with StopGuard. Of course, it could be something different altogether. Hopefully, a HijackThis scan will ID the bugger!

    I'll try to check back when I get a chance - Usually in the wee hours.

    Best :)
    PP
     
  9. martiniqueeni

    martiniqueeni Private E-2

    Thanks, PhilliePhan! I'll get going on that now. I did poke around some of the threads you referenced in the below post of yours. I couldn't find a common diagnostic routine and was/am pretty reluctant to just start deleting stuff without some expert advice!!! :-D If I missed it, do feel free to "draw me a picture"! I have no pride... this is getting very frustrating... hope my bad mood isn't creeping into these posts.

    FYI, the Internet connection has slowed down to a crawl again. It takes roughly 5-6 minutes to open a new window or a new program. So, if I seem slow, I'm indeed slow.
     
  10. PhilliePhan

    PhilliePhan Guest

    Hey MQ,

    We understand your frustration! Hang in there ;)

    When you run HijackThis, you'll definitely see the pattern if it is indeed StopGuard that is causing your problems. You'll be able to see the BHOs and their backward-named running processes. This bugger has a survival instinct that is to be admired! It can be a pain to delete, but Chaslang and I are getting better at it ;) I thought about consolidating the steps into a generic removal procedure, but StopGuard doesn't come up often enough to warrant that.

    Of course, as I said before, it may be something different that is responsible for your ill computer. Send us a log - I'll try to check back tonight.

    PP
     
  11. martiniqueeni

    martiniqueeni Private E-2

    Here is the Hijack This! log file you requested. It saved itself as a log file. Then the notepad opened and I was able to save it as a txt file. Both are identical.

    I didn't run "fix" as I saw only 3 or 4 files that meant nothing to me. Maybe you'll see more. Thanks for your help!

    Regards,
    Martiniqueeni
     


  12. PhilliePhan

    PhilliePhan Guest

    Hi MQ,

    Your log doesn't look too bad. I'll run through it when I get some time later tonight and post a fix for you then.

    I will probably have you remove the two R0 items. They are OK, but I would imagine that you'd like to reset them anyway.

    I will remove the O15 Trusted Zone entry. It, too, is OK, but I like to keep things out of there on principle.

    Lastly, are any of the following items ones that you definitely want to keep?

    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab

    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab

    Let me know and I'll adjust the workthrough accordingly.

    Best,
    PP
     
  13. martiniqueeni

    martiniqueeni Private E-2

    Thanks, PhilliePhan. I agree with the removal of the six items you listed. I have no idea what those O16 items are.

    When you post the suggested fix, would you also let me know if we should enable the system restore?

    Thanks so much for your prompt attention; this is most impressive customer-service!!

    Regards,
    Martiniqueeni
     
  14. PhilliePhan

    PhilliePhan Guest

    Most of us who contribute in the forums are unpaid volunteers (except for the site owners, of course ;) ) I am just an occasional visitor who works a log here and there (I do 1 for every 50 Chaslang does!!). I'm not really a tech guy - Just someone who hates Malware.

    Anyhoo, here's your fix:

    Please print this out so that you can operate with all browser windows CLOSED.

    Please make sure System Restore is turned OFF (You should keep this OFF until you are certain your machine is clean!) and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Look in C: > WINDOWS > PREFETCH & Delete libdb.pf (or any libdb or bdbil entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder - It's a good idea to do this every couple of months anyway. (Do Not Delete The Prefetch Folder Itself)

    NEXT:
    Run HijackThis and Check the Boxes for the following entries:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Joyce\LOCALS~1\Temp\bdbil.dat

    O4 - HKLM\..\Run: [*cat] C:\WINDOWS\Driver Cache\cat.exe

    O4 - HKLM\..\Run: [*libdb] C:\WINDOWS\Driver Cache\libdb.exe

    O15 - Trusted Zone: *.javacoolsoftware.com

    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab

    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab


    CLICK “FIX” and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Driver Cache\libdb.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8. You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode, find and DELETE the following if they remain:

    C:\WINDOWS\Driver Cache\libdb.exe
    C:\WINDOWS\Driver Cache\cat.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    libdb
    bdbil


    and DELETE the related files. (We especially want to get rid of libdb.ini & libdb.dat and bdbil.ini & bdbil.dat + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D again.

    Then, go to C:\Documents and Settings\Administrator\Local Settings\Temp and Delete any files or folders that remain. This is important, too.

    Reboot to Normal Windows and Attach a fresh HJT log. Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    BTW – This entry bothers me a bit: O4 - HKLM\..\Run: [nwiz] c:\Backup\Video\NWIZ.EXE /install
    It is probably legit (NVIDIA) but it is in an odd place. Leave it alone for now.

    ~pp
     
  15. martiniqueeni

    martiniqueeni Private E-2

    As luck would have it, AOL crashed as I was printing the first page of your instructions. I didn't realize it would go to more than one page.

    Of course, the only way to finish printing was to reboot and reconnect. Oh goody. I recall instructions to others about not rebooting, so I'm sure this makes you as unhappy as it does me. I ran Hijack This! again and the second log is attached. I am really sorry this happened.

    After the AOL crash but before rebooting, I was able to accomplish the following from the partially printed instructions:

    Deleted the contents of the Prefetch file.

    Ran the HJT fix on the R0, O2, O4 pertaining to libdb.exe, O15 and O16 you listed. The O4, O15, and O16 were from memory which is why I didn't get the other O4 you listed. Couldn't do the "Other stuff" in the paragraph following the listing. And of course, I wasn't able to complete the remainder of the instructions.

    On the positive, I'm noticing a lot more speed in the processes. It isn't taking anywhere near as long to do things as it did before I deleted those few things.

    Again, I apologize for this imposition.

    Regards,
    Martiniqueeni
     


  16. PhilliePhan

    PhilliePhan Guest

    Hey MQ,

    Let's pick it up here:

    Do this again: Look in C: > WINDOWS > PREFETCH & Delete libdb.pf (or any libdb or bdbil entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder - It's a good idea to do this every couple of months anyway. (Do Not Delete The Prefetch Folder Itself)

    Now Run HijackThis and check the box for:

    O4 - HKLM\..\Run: [*cat] C:\WINDOWS\Driver Cache\cat.exe

    Make sure All Browser Windows are Closed when you click FIX.

    Boot into Safe Mode and find and DELETE the following if they remain:

    C:\WINDOWS\Driver Cache\libdb.exe
    C:\WINDOWS\Driver Cache\cat.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    libdb
    bdbil


    and DELETE the related files. (We especially want to get rid of libdb.ini & libdb.dat and bdbil.ini & bdbil.dat + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D again.

    Then, go to C:\Documents and Settings\Administrator\Local Settings\Temp and Delete any files or folders that remain.

    We need to get rid of all traces of this so that it doesn't resurrect itself. We don't want to leave enough of it intact that it can "phone home" and reinstall.
    There wasn't much of it on your log in the first place, so you may be OK.

    Reboot to Normal Windows and Attach a fresh HJT log.
    Let me know how things are working and of any problems that you may have encountered with the above instructions.

    PP
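    The fixes in posts 14 and 16 both work through a HijackThis log entry by entry (R0, O2, O4, O15 and O16 lines). The following is an added example, not part of the thread and not HijackThis' own code: a small Python checker that parses log lines in that format and flags the ones matching the indicators PhilliePhan named (the libdb, cat and bdbil files, a BHO loading from a Temp folder, the Trusted Zone entry, and the ActiveX downloads). The sample lines are copied from the thread's fix list, plus the nwiz line PP said to leave alone; the regular expressions, the severity labels and the "bare IP address" heuristic for O16 entries are this example's own assumptions, not anything HijackThis does itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# File stems named in the thread's removal steps (libdb.exe, cat.exe, bdbil.dat, ...).
INDICATOR_NAMES = {"libdb", "cat", "bdbil"}

# Constructed sample: the HijackThis lines quoted in the thread's fix list,
# plus the nwiz entry that PP said to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Joyce\LOCALS~1\Temp\bdbil.dat
O4 - HKLM\..\Run: [*cat] C:\WINDOWS\Driver Cache\cat.exe
O4 - HKLM\..\Run: [*libdb] C:\WINDOWS\Driver Cache\libdb.exe
O4 - HKLM\..\Run: [nwiz] c:\Backup\Video\NWIZ.EXE /install
O15 - Trusted Zone: *.javacoolsoftware.com
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
"""

# Line shapes as HijackThis prints them (assumed from the lines quoted in the thread).
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Last path component up to a known extension; tolerates trailing arguments such as "/install".
STEM_RE = re.compile(r"([^\\/]+?)\.(?:exe|dll|dat|com|scr|bat)(?=\s|$)", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str   # "high": matches a thread indicator; "review": decide case by case
    reason: str
    line: str


def file_stem(path: str) -> Optional[str]:
    """Return the lower-cased file name without extension, or None if no file is found."""
    m = STEM_RE.search(path)
    return m.group(1).lower() if m else None


def assess_line(raw: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing to report."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        r = RUN_RE.match(body)
        if r:
            name, stem = r.group("name"), file_stem(r.group("cmd"))
            # The thread's two malicious Run values carried a leading '*'; treating that
            # prefix as suspicious is an assumption of this example.
            if stem in INDICATOR_NAMES or name.startswith("*"):
                return Finding(section, "high", f"autorun '{name}' launches indicator file '{stem}'", raw)
    elif section == "O2":
        b = BHO_RE.match(body)
        if b:
            path = b.group("path")
            if file_stem(path) in INDICATOR_NAMES or TEMP_RE.search(path):
                return Finding(section, "high", "BHO loads from a Temp folder or an indicator file", raw)
    elif section == "O15":
        return Finding(section, "review", "Trusted Zone entry; keep that zone empty unless you added it yourself", raw)
    elif section == "O16":
        d = DPF_RE.match(body)
        if d:
            why = "ActiveX download"
            if IP_HOST_RE.match(d.group("url")):
                why += " served from a bare IP address"
            return Finding(section, "review", why + "; remove unless you recognise the control", raw)
    return None


def assess_log(text: str) -> List[Finding]:
    """Run assess_line over every line of a log and keep the findings, in log order."""
    return [f for f in (assess_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in assess_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

    Run against the sample, the checker marks the bdbil BHO and the two starred Run entries as high, lists the Trusted Zone and the DPF download for review, and stays quiet on the R0 and nwiz lines, which matches the split PP made by hand. Real logs have many more sections; the point of the example is the pattern of tying each flag to a stated reason so the person following the fix knows why each box gets checked.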
     
  17. martiniqueeni

    martiniqueeni Private E-2

    PhilliePhan,

    WOW... I just can't believe how quickly that went!!! I worked through all of the instructions, had no trouble with any of them. Found one libdb.bak file and that was it!!! I am amazed and thrilled at how much faster and smoother this machine is now running!!!!

    Attached is the new log file you requested. Hopefully, you'll agree that we're all set. I simply can't thank you enough for hanging in there with me and for your precise and concise instructions. Tomorrow, I'll go back through the PREVENTING MALWARE thread to see if I missed anything that could be used proactively in the future.

    Once again, my heartfelt thanks. It's wonderful that you are willing to dedicate so much of your own time to helping others!

    Regards,
    Martiniqueeni
     


    Last edited: Nov 7, 2004
  18. PhilliePhan

    PhilliePhan Guest

    You're welcome! Happy to help :) Though it only seems like I spend a lot of time here. I'm always popping in and out. I wasn't joking when I said I do 1 thread for every 50 Chas does!

    Your HijackThis log is clean. Hopefully things will continue to run better! Keep an eye on things for at least a couple of reboots to make sure the problems do not come back. Definitely look at Chas' How to protect yourself from Malware thread.

    Let us know if we can be of further assistance.

    Best :)
    PP
     
