Virtumonde pest

I have been having problems w/ virtumonde, virtumonde.generic, and smitfraud.c. I run Symantec and Sybot S&D normally w/ their associated protections running. I had problems w/ the trogen before, but I thought I fixed it w/ Spybot. It started acting up again recently. My wife and I are both careful on the internet and not sure where it came from. We believe the first time was using blogspot and the second time facebook...Neither of which I would assume would pass along vundo w/o running the applications they have. I tried Avast (installed it, ran it, uninstalled it) and it fixed some stuff. I also tried VirtumondeFix from atribune.org and it found nothing. Symantec didn't find anything either. Then I came to this site and followed the READ & RUN ME FIRST thread. I was unable to uninstall Java (I have Java 2 Runtime Environment, SE v 1.4.2_03). I got the message "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is no correctly installed. Contact..." It wasn't in safe mode at the time. Instead of Normal Startup mode in msconfig I used Diagnostic mode dropping to bare bones including not running teatimer (Normal ran way too many services). System Restore was already turned off. I downloaded SUPERAntiSpyware & Malwarebytes, installed them, and updated them. I downloaded the rest of the files and turned off my wireless connection on my laptop. I then ran through the 5 programs suggested and collected their logs. I tried to get back on the net but was unable due to disabling everything. I went to take it to a Normal start, but it was already in a Custom mode. I took it to Normal and back to Custom (getting rid of a bunch of services). I was able to access my wireless connections and it claims everything was back to normal. I was however not able to establish a connection to the net (IE, Mozilla, Outlook, etc.). So I downloaded the logs and am currently using another computer. Attached are my logs. Thanks for your help in advance.

 

more logs

 

First of all, thank you a ton! I believe that all malware is removed. As you asked I changed startup mode to normal. I previously downloaded all files and transferred them w/ a flash drive. I reset my registry and rebooted. I tried to get online to update SUPERAntiSpyware and Malwarebytes, but no luck. Although my wireless connection showed connected as normal, Internet Explorer kept giving me errors. I clicked on the link to have Windows diagnose the problem. It came back w/ the Winsock provider catalog had a problem and that I should reset it. I did and it forced me into a reboot. When complete, it still gave the same errors and so I didn’t get the updates. I ran the scans, which found nothing. I used ccleaner to uninstall Java and then followed the rest of your list. When I was all done I deleted the quarantined files, ran ccleaner, the three scanners and again they found nothing. I have attached my logs (again transferred w/ a flash drive). Thank you again for the help getting rid of Virtumonde!!! Do you know what I need to do to use the internet again?

 

attached log

 

FYI, this is what I get after diagnostic for bad IE (or Mozilla) connection.


Last diagnostic run time: 12/19/08 21:34:02 WinSock Diagnostic
WinSock status

info All base service provider entries are present in the Winsock catalog.
info The Winsock Service provider chains are valid.
error Provider entry MSAFD Tcpip [TCP/IP] could not perform simple loopback communication. Error 10061.
error Provider entry MSAFD Tcpip [UDP/IP] could not perform simple loopback communication. Error -1.
error Provider entry RSVP UDP Service Provider could not perform simple loopback communication. Error -1.
error Provider entry RSVP TCP Service Provider could not perform simple loopback communication. Error 10061.
error A connectivity problem exists with an installed LSP.
action Automated repair: Reset WinSock catalog
action Successfully executed: netsh winsock reset catalog
info System restart required



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection, Device=Realtek RTL8139/810x Family Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=Wireless Network Connection, Device=Broadcom 802.11b/g WLAN, MediaType=LAN, SubMediaType=WIRELESS
info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Network connection: Name=Internet Connection, Device=Internet Connection, MediaType=SHARED ACCESS HOST LAN, SubMediaType=NONE
info Both Ethernet and Wireless connections available, prompting user for selection
action User input required: Select network connection
info Wireless connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established
warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
warn HTTPS: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established
warn FTP (Active): Error 12029 connecting to ftp.microsoft.com: A connection with the server could not be established
warn HTTP: Error 12029 connecting to www.hotmail.com: A connection with the server could not be established
warn HTTPS: Error 12029 connecting to www.passport.net: A connection with the server could not be established
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

 

I thought I had uninstalled ZoneAlarm Firewall....I found out that i hadn't. I uninstalled it and now I can get online. So I believe that I have cleared the virtumonde pest and the connectivity issues. If you double check my logs and verify that I am clean, I believe that I am ready to finish up and remove some of the files installed. Thank you again for your help.

 

I did as you asked and they both came up clean. I've attached them for you. Also, since a few days ago, I have run a number of the scans (Spybot S&D, Malwarebytes, and SuperAntiSpyware) after numerous reboots and haven't found anything. Do you think that I have dormant or hidden vundo files? Or are you just being extra careful? Thank you again.

 

I just ran Spybot S&D and it found a Microsoft Windows Security Center AntiVirus Override registry entry. It fixed it, but unsure what exactly this is, so I don't know if this was an issue or not. Attached log file.

 

Sucess on the registry edit. Also I disabled Windows Messenger as described, but I am pretty sure this is what we use to chat online (w/ MSN messenger)...As this is what it is called in the program files list. Anyways, thanks again!