Virtumundo, Again

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dld, Nov 23, 2004.

  1. dld

    dld Private E-2

    What is the deal with Virtumundo that everyone seems to be having a problem lately? I have a Win2k Pro system that is infected. I followed the steps in the "Read Me First Before asking for support", skipping steps 1 and 2 (no about:blank or home search hijack) in "Getting Prepared", and skipping optional step 5 in "Scanning and Cleaning". As with everyone else, Ad-Aware continually picks up 4 instances of Virtumundo but never truly cleans it. Spybot detects ALTevents, and again never truly cleans it. I ran Hijack This (after reading "No Hijack This Log Files Before Reading This") and tried to compare my results to some of the other posts that were successful in removing Virtumundo. The only items I selected to be removed were O2 - BHO:CATLEvents (4 of them), as everything else seemed to be ok. After doing this, I restarted back in Safe Mode (with Network Support) and ran Ad-Aware again and it's back! Could someone PLEASE help me get rid of this nasty program!

    Also, I have tried from different threads to access the link to "Stopguard or WinFirewall Problems" and I get an error that no thread is specified. Could you point me in the right direction to this article?

    Thanks.
     
  2. Tribulattifather

    Tribulattifather Private E-2

    Go ahead and send me your log file with the Attachment Manager below
     
  3. Tribulattifather

    Tribulattifather Private E-2

After you send me the log file, we will begin to work on your problems as soon as possible, but be patient... The removal of a worm like this is easily removed with the help and support from the one with the problem as well, since each instance the problem is unique every time...
     
  4. dld

    dld Private E-2

    Attached is the Hijack This log. Thanks for your help.
     

  5. Tribulattifather

    Tribulattifather Private E-2

Would you email me at Tribulattifather@yahoo.com (<<don't click this link, just copy and paste it into your email client) I would like to help you via email because it is much more efficient for me....I am sorry for the inconvenience....
     
  6. dld

    dld Private E-2

    Ok. E-mail has been sent.
     
  7. dld

    dld Private E-2

In addition to the problems I listed below, the system is running INCREDIBLY slow, and Task Manager is showing WMS.exe as taking most of the CPU resources. The system has now completely frozen. Just before the system locks up, the display goes completely crazy. When I restart it, the monitor does not receive a signal from the PC and the PC beeps about 8 times, then two times, then 1 time. This happened a week ago, and after letting it sit for several hours, I was able to reboot the system without any problems. Are these problems all related, or do I need a separate post in a different forum?
     
  8. PhilliePhan

    PhilliePhan Guest

    Please attach a fresh log and I'll take a look when I get a chance.

    You guys should note that, when you do things via email, you eliminate any constructive suggestions from the rest of the forum. :)

    PP
     
  9. dld

    dld Private E-2

    Here's the latest. I saw Steve54's post about the Symantec removal tool and gave that a shot (before I saw his response this morning). I ran the tool in Safe Mode with Network Support (with the network cable disconnected). It found a problem and said it would delete the file on reboot. I let it reboot and went back in to Safe Mode with Network Support (cable still disconnected). I ran the tool again and it came back clean. I checked Task Manager and wms.exe was no longer running (good sign!). I ran Hijack This to make sure everything was good and I still had one entry for O2 BHO CATLEvents and one O4 entry for WMS, but no longer had the O4 RunOnce entry for WMS. I had Hijack This remove the O2 BHO CATLEvents entry and then ran HJT again. Attached is the log file after the second run of HJT.

    The computer is still running in Safe Mode with Network Support (cable disconnected). Let me know how to proceed, or when it is safe to reconnect it and boot normally.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As PP said, fixing via email is not very constructive. It leaves no history and provides no reference for others who may have similar problems. You should be posting HJT logs from normal boot mode unless someone specifically requests one from safe mode.

    I would suspect all of the lines below to be a problem (and the files/folders they refer to), but I would prefer to see a HJT log from normal boot.

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [*imgsvr] C:\WINNT\AppPatch\imgsvr.exe
    O4 - HKLM\..\Run: [*basdos] C:\WINNT\Tasks\basdos.exe
    O4 - HKLM\..\Run: [*mfcweb] C:\WINNT\Registration\mfcweb.exe
    O4 - HKLM\..\Run: [*avkey] C:\WINNT\system32\ie_de\avkey.exe
    O4 - HKLM\..\Run: [*nutxml] C:\WINNT\Windows Update Setup Files\nutxml.exe
    O4 - HKLM\..\Run: [*wms] C:\WINNT\Windows Update Setup Files\wms.exe
     
  11. dld

    dld Private E-2

    Apparently I can't do anything right on this forum. I'm just trying my best to get the system clean before I leave work at 5 today (which is REALLY a lot to ask, I know). Leaving the forum led me nowhere, except for providing Tribulattifather a chance to complain about this site. I learned my lesson. Now, attached is the HJT log from Normal Mode. I feel like the problem is VERY close to being resolved. Any help is greatly appreciated.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what these are for:
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kelsonfla.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kelsonfla.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kelsonfla.local

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [*imgsvr] C:\WINNT\AppPatch\imgsvr.exe
    O4 - HKLM\..\Run: [*basdos] C:\WINNT\Tasks\basdos.exe
    O4 - HKLM\..\Run: [*mfcweb] C:\WINNT\Registration\mfcweb.exe
    O4 - HKLM\..\Run: [*avkey] C:\WINNT\system32\ie_de\avkey.exe
    O4 - HKLM\..\Run: [*nutxml] C:\WINNT\Windows Update Setup Files\nutxml.exe
    O4 - HKLM\..\Run: [*wms] C:\WINNT\Windows Update Setup Files\wms.exe

    Normally I would delete all those files/folders at this point. But first I want to make sure everything works okay before removing them.
    So just reboot your PC now in normal mode and post a new HJT log. And tell us how things are working.
     
  13. dld

    dld Private E-2

    The O17 lines are legit. Thank you for the prompt reply. Attached is the updated log. I have not plugged the network cable back in for this PC. Could Virtumundo 'reappear' when it has a chance to reconnect to the internet? (I am using a second system to access the internet.)
     

  14. PhilliePhan

    PhilliePhan Guest

    Hi DLD,

    Those HJT entries are likely remnants from previous incarnations of StopGuard/Virtumundo. It mutates on reboot and leaves a trail when it does that.
    If you looked at my generic removal procedure, one of the reasons that I harped on people tracking down every last vestige of this baddie is that it likes to resurrect itself. One user that I helped told me that his firewall notified him that StopGuard was trying to call home - So that might be part of the equation.

    At any rate, it looks like the removal tool worked for you. Hang in there for the last word from Chas, though.

    PP :)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is currently clean. If everything is working okay after fixing those lines with HJT, I would now boot in safe mode and delete:
    C:\WINNT\AppPatch\imgsvr.exe
    C:\WINNT\Tasks\basdos.exe
    C:\WINNT\Registration\mfcweb.exe
    C:\WINNT\system32\ie_de\avkey.exe
    C:\WINNT\Windows Update Setup Files\nutxml.exe
    C:\WINNT\Windows Update Setup Files\wms.exe

    Then reconnect to the internet and reboot your PC. Now let us know how things are working. If you have any problems, post a new log from normal boot (make sure no IE or other browsers are running).
     
  16. dld

    dld Private E-2

    THANK YOU! THANK YOU! THANK YOU!!!

    The files, as they were listed in the last post, did not exist. All the directories except the Tasks\basdos.exe had the files spelled backwards with a .bak or .bak1 or .bak2 extension. I deleted all the .bak files in those directories, restarted the computer in Normal Mode, and connected it to the internet. It is now working like a charm! No more pop-ups, no more freezing, no more crazy display. I REALLY appreciate all your help, PhilliePhan and Chaslang, and also Steve54 for letting us know about the Symantec removal tool. Hopefully with this tool Virtumundo can be put to rest.
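The two checks that resolved this thread, triaging the O4 Run entries chaslang listed in posts 10 and 12 and then looking for the reversed-name .bak copies dld found in post 16, can be scripted so the log and the directory listing are cross-checked offline. The following is an added example written for this page, not HijackThis code or anything posted in the thread; the log lines are the ones quoted above plus one made-up benign entry, the directory listing is constructed to mirror dld's description, the watched-directory list is an assumption derived from this thread's entries, and the reading of "spelled backwards" as the file stem reversed with .bak/.bak1/.bak2 appended is likewise an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: the O3/O4 lines quoted in this thread plus one
# made-up benign Run entry ("ExampleTray") so the filter has something to pass.
SAMPLE_HJT_LINES = [
    r"O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)",
    r"O4 - HKLM\..\Run: [*imgsvr] C:\WINNT\AppPatch\imgsvr.exe",
    r"O4 - HKLM\..\Run: [*basdos] C:\WINNT\Tasks\basdos.exe",
    r"O4 - HKLM\..\Run: [*mfcweb] C:\WINNT\Registration\mfcweb.exe",
    r"O4 - HKLM\..\Run: [*avkey] C:\WINNT\system32\ie_de\avkey.exe",
    r"O4 - HKLM\..\Run: [*nutxml] C:\WINNT\Windows Update Setup Files\nutxml.exe",
    r"O4 - HKLM\..\Run: [*wms] C:\WINNT\Windows Update Setup Files\wms.exe",
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /minimized',
]

# Constructed directory listing (lower-cased directory -> file names), modelled on
# dld's final post: the .exe files were gone and reversed-name .bak copies remained.
SAMPLE_LISTING = {
    r"c:\winnt\apppatch": ["rvsgmi.bak", "AcGenral.dll"],
    r"c:\winnt\tasks": ["desktop.ini"],
    r"c:\winnt\windows update setup files": ["lmxtun.bak", "smw.bak1"],
}

# Assumed heuristic: the directories this thread's entries launched from, none of
# which is a normal home for an autostart executable.
SUSPICIOUS_DIRS = {"apppatch", "tasks", "registration", "windows update setup files", "ie_de"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CMD_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    path: str
    args: str


def parse_hjt(lines):
    """Return the O4 (Run/RunOnce) entries from HijackThis log lines; other sections are skipped."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        c = CMD_RE.match(m["cmd"].strip())
        if not c:
            continue  # command is not a path to an .exe we can reason about
        entries.append(O4Entry(m["hive"], m["key"], m["name"], c["path"], c["args"] or ""))
    return entries


def flag_suspicious(entries):
    """Keep entries whose executable lives directly in one of the watched directories."""
    return [e for e in entries if PureWindowsPath(e.path).parent.name.lower() in SUSPICIOUS_DIRS]


def remnant_candidates(exe_name):
    """Names a left-behind copy would carry if the stem is reversed and .bak/.bak1/.bak2 appended.
    Assumption: 'spelled backwards' in the thread means the stem only, not the extension."""
    rev = PureWindowsPath(exe_name).stem[::-1]
    return [f"{rev}.bak", f"{rev}.bak1", f"{rev}.bak2"]


def find_remnants(listing, flagged):
    """Cross-check each flagged entry's directory for reversed-name .bak copies."""
    hits = []
    for e in flagged:
        p = PureWindowsPath(e.path)
        present = {n.lower() for n in listing.get(str(p.parent).lower(), [])}
        for cand in remnant_candidates(p.name):
            if cand.lower() in present:
                hits.append(str(p.parent / cand))
    return hits


if __name__ == "__main__":
    flagged = flag_suspicious(parse_hjt(SAMPLE_HJT_LINES))
    for e in flagged:
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.path}")
    for h in find_remnants(SAMPLE_LISTING, flagged):
        print("remnant:", h)
```

Run as-is it reports the six flagged Run entries and three remnant files (one under AppPatch, two under "Windows Update Setup Files"), while the Tasks and Registration directories come back empty, which matches what dld saw when the listed .exe files no longer existed. The directory list and the reversal rule are the parts to adapt; the parsing and cross-check stay the same for a real log and a real `dir` listing.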
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    dld,

    You're welcome.
    We are happy we could help.
     
