Cannot kill Virtumonde!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rplieth, Apr 16, 2008.

  1. rplieth

    rplieth Private E-2

    I have searched threads and I see various methods of removal, most just citing removal tools. I have tried Webroot Spy Sweeper, McAfee scans both in normal and safe mode as well as Spybot S&D & Ad-Aware. I had a good amount of spyware that I killed off already, mostly with Spy Sweeper, but every time it detects Virtumonde it quarantines it, but it always comes back. I'm about 2 seconds from just formatting and re-imaging this thing. IE runs super slow and I suspect there are remnants of spyware still lurking about. I will post my HijackThis log and computer specs below. I'm trying one last thing, Symantec's Trojan.Vundo removal tool, but I don't have high hopes. Here's the info, see attached HJT log... please provide some insight on this nasty.


    OS Name Microsoft® Windows Vista™ Home Premium
    Version 6.0.6000 Build 6000
    Other OS Description Not Available
    OS Manufacturer Microsoft Corporation
    System Name RYANS-PC
    System Manufacturer Dell Inc
    System Model Dimension E521
    System Type X86-based PC
    Processor AMD Athlon(tm) 64 X2 Dual Core Processor 5000+, 2600 Mhz, 2 Core(s), 2 Logical Processor(s)
    BIOS Version/Date Dell Inc 1.1.4, 12/9/2006
    SMBIOS Version 2.4
    Windows Directory C:\Windows
    System Directory C:\Windows\system32
    Boot Device \Device\HarddiskVolume3
    Locale United States
    Hardware Abstraction Layer Version = "6.0.6000.20500"
    User Name Ryans-PC\Ryan
    Time Zone Pacific Daylight Time
    Total Physical Memory 2,045.88 MB
    Available Physical Memory 1.09 GB
    Total Virtual Memory 4.20 GB
    Available Virtual Memory 3.04 GB
    Page File Space 2.29 GB
    Page File C:\pagefile.sys
     


  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!


    As you likely already know, malware is a massive pest these days and does its level best to hide itself in any number of places, so just a HijackThis log will not show all the malware that can be on your PC. The full guide of our steps below has a few other logs that show a lot of the malware on your PC and where it is located.


    Try this first Virtumonde aka Trojan Vundo Removal - some people also refer to this as WinFixer

    Then progress to the below

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide plus a guide on how to attach the logs HOW TO: Attach Items To Your Post
     
  3. rplieth

    rplieth Private E-2

    I have done all as expected and had already tried the VundoFix. I have done the lengthy process as described and now have the log files for your review. Things seem to be running a bit better after a few finishing touches. If everything is looking good, is it OK to remove all the applications? I have a registered version of Spy Sweeper as well as McAfee running if needed. Also I'm seeing a lot of error msgs at startup for missing DLLs etc., as it likely killed those as well. They were the ones that looked suspicious anyhow. I'm assuming there is a system file or folder where I can remove these startup or run commands for these DLLs?

    I have maxed out the attachments at 3. I will post the MGtools zip file in a subsequent reply.
     


  4. rplieth

    rplieth Private E-2

    Here is the ZIP file with the 4-5 MGtools txt logs.
     


  5. abri

    abri MajorGeek

    Hi rplieth,
    Please don't remove the applications until we've had a chance to look at your logs. The Vundo variants generally like to keep a few files in hiding so they can get started back up again. It takes a while to go through the logs, so thanks for being patient.
    abri
     
  6. abri

    abri MajorGeek

    Hi rplieth,

    Please do the following. If anything doesn't work, just go on, but let me know when you finish.


    1) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) SE Runtime Environment 6


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {4BC0D0EC-591F-458F-B508-3BDF19B99CD5} - (no file)
    O2 - BHO: (no name) - {513E60AD-10C5-43CF-BBF0-E3A1E30E5E76} - (no file)
    O2 - BHO: (no name) - {590E1A71-88F0-4371-BEA0-CBADB2551968} - (no file)
    O2 - BHO: (no name) - {FB6CE4C4-6893-4988-8687-428050C0BD28} - (no file)
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [4aa9de6f] "rundll32.exe" "C:\Windows\system32\ygimvryr.dll",b
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


    After you click fix, just close hijackthis.


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
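The entries abri singles out above follow two patterns a defender can check for mechanically: O2/O3 BHO and toolbar registrations whose CLSID points at no file on disk, and an O4 Run value with a random-looking name that launches rundll32 on a DLL in system32. This is an added triage script, not part of the thread or of HijackThis itself; the sample log lines are constructed to mirror the ones quoted above (the Adobe BHO line and its CLSID are placeholders), and the heuristics are assumptions that should be reviewed by a person, as the helpers do here, before anything is fixed.

```python
import re

# Constructed sample lines modelled on the HijackThis output quoted in this thread.
# The Adobe line and its all-zero CLSID are placeholders for a legitimate BHO.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [4aa9de6f] "rundll32.exe" "C:\Windows\system32\ygimvryr.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"""

# O2/O3 entry whose registered CLSID has no backing file: a cleanup candidate,
# either a leftover from an uninstall or a removed malware component.
ORPHAN_RE = re.compile(r"^O[23] - .* - \{[0-9A-Fa-f-]+\} - \(no file\)$")
# O4 Run value: hive, value name in brackets, then the command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 followed by the DLL it is asked to load (quoted or not).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^"]+\.dll)"?', re.IGNORECASE)
# Heuristic (assumption): an 8-hex-digit value name like [4aa9de6f] is not how
# legitimate software names its autostart entries.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def triage_hjt(log_text):
    """Return (line, reason) pairs for HijackThis lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ORPHAN_RE.match(line):
            findings.append((line, "orphaned BHO/toolbar entry (CLSID with no file on disk)"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        reasons = []
        dll = RUNDLL_RE.search(m.group("cmd"))
        if dll and "\\system32\\" in dll.group("dll").lower():
            reasons.append("rundll32 loads a DLL from system32 at logon")
        if HEX_NAME_RE.match(m.group("name")):
            reasons.append("Run value name is a random-looking hex string")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```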
