Virtumundo Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Stvbrb, Nov 14, 2004.

  1. Stvbrb

    Stvbrb Private E-2

    I've tried every Spyware removal program and still can't get rid of Virtumundo. It is taking control of my browser. Adaware detects it, but Virtumundo keeps returning. Please help. Here is a copy of my HJT log.

    Attached Files:

    • hjt.txt (8.5 KB)
    Last edited by a moderator: Nov 14, 2004
  2. PhilliePhan

    PhilliePhan Guest

    Hi Stvbrb,

    You are running HijackThis Improperly! You need to extract it to its own folder - C:\Program Files\HijackThis

    Also, please do not post inline logs.

    Please start HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    Note the steps that you can and cannot complete. Please make sure that you are in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back with the results from the above instructions and we’ll go from there. If a HJT log is then called for (and it probably will be ;) ), we'll give you instructions for how to properly scan and post the results.

    You should also take a look at this thread for more info on your malware issue. As you will see, there is a specific removal procedure:

    StopGuard or WinFirewall Problems?

    Best luck :)
    PP

  3. Stvbrb

    Stvbrb Private E-2

    Thanks for the speedy response. Will get to work on this and post back asap
     
  4. PhilliePhan

    PhilliePhan Guest

    Your log doesn't look too bad (other than 5-6 bad entries).

    Run Spybot, Ad-aware, Avert Stinger and do the online scans as per the Tutorial. Also run a-squared in the Alternative scans section.

    Then, go ahead and send us a fresh HijackThis Log.

    Note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance. I don't know when that will be, although I am usually here most evenings.

    Best,
    PP
     
  5. Stvbrb

    Stvbrb Private E-2

    I followed the instructions in the link, did online scans and included my new HijackThis log. Thanks so much for taking the time to help me.

  6. PhilliePhan

    PhilliePhan Guest

    Hi Stvbrb,

    Welcome to the wonderful world of what I like to call StopGuard-Related Malware!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them, if possible:
    vgabak.exe
    hardun.exe


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete hardun.pf (or any hardun or nudrah entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. (Do Not Delete The Prefetch Folder Itself)

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\nudrah.dat

    O4 - HKLM\..\Run: [*acccom] C:\WINDOWS\security\Database\acccom.exe

    O4 - HKLM\..\Run: [*vgabak] C:\WINDOWS\system32\CatRoot2\vgabak.exe

    O4 - HKLM\..\Run: [*hardun] C:\WINDOWS\Driver Cache\hardun.exe

    O4 - HKLM\..\RunOnce: [*hardun] C:\WINDOWS\Driver Cache\hardun.exe rerun

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/063f0fd7da8b59e54f23/netzip/RdxIE601.cab


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Driver Cache\hardun.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINDOWS\Driver Cache\hardun.exe
    C:\WINDOWS\system32\CatRoot2\vgabak.exe
    C:\WINDOWS\security\Database\acccom.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    nudrah
    hardun
    Vgabak
    Acccom


    and DELETE the related files. (We especially want to get rid of nudrah.ini & nudrah.dat & nudrah.bak AND hardun.ini & hardun.dat & hardun.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let us know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
    Last edited by a moderator: Nov 14, 2004
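The removal procedure above is driven entirely by what shows up in a HijackThis log, and PhilliePhan picked the bad O2/O4 entries out by eye. As an added example (not a tool from this thread, and not HijackThis's own logic), here is a small Python parser for the O2, O4 and O16 line formats that flags the same patterns mechanically: a BHO that is not a DLL and loads from a Temp folder, Run entries whose executable sits in a folder that should hold no auto-started programs, a RunOnce entry that re-launches a binary already present under Run (the `rerun` reinstall hook), and two file names that are the reverse of each other (hardun / nudrah). The sample log is constructed from the lines quoted in the post plus one benign entry; the folder watch-list and the heuristics are assumptions made for the example. O16 entries are parsed but left for manual review, as the thread does.

```python
"""Parse HijackThis O2/O4/O16 lines and flag the persistence patterns from the thread.

Added illustration, not a tool from the thread or from HijackThis. The folder
watch-list and the heuristics below are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the lines quoted in post #6 plus one benign Run entry.
SAMPLE_LOG = r"""O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\nudrah.dat
O4 - HKLM\..\Run: [*acccom] C:\WINDOWS\security\Database\acccom.exe
O4 - HKLM\..\Run: [*vgabak] C:\WINDOWS\system32\CatRoot2\vgabak.exe
O4 - HKLM\..\Run: [*hardun] C:\WINDOWS\Driver Cache\hardun.exe
O4 - HKLM\..\RunOnce: [*hardun] C:\WINDOWS\Driver Cache\hardun.exe rerun
O4 - HKLM\..\Run: [Benign] C:\Program Files\Vendor\app.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/063f0fd7da8b59e54f23/netzip/RdxIE601.cab
"""

# Line shapes as HijackThis prints them (O16 may carry an optional "(name)").
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# Split "C:\path\prog.exe args" into the executable and its arguments.
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE)

# Assumed watch-list: folders that legitimately hold no auto-started executables.
WATCH_DIRS = ("\\temp\\", "\\prefetch\\", "\\catroot2\\", "\\driver cache\\",
              "\\security\\database\\")


@dataclass
class Entry:
    section: str               # "O2", "O4" or "O16"
    key: str                   # "BHO", "Run", "RunOnce" or "DPF"
    name: str
    target: str                # file path (O2/O4) or URL (O16)
    raw: str
    findings: List[str] = field(default_factory=list)


def stem(path: str) -> str:
    """'C:\\x\\nudrah.dat' -> 'nudrah' (lowercased file name without extension)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", "BHO", m["name"], m["path"], line))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            target = exe["exe"] if exe else m["cmd"]
            entries.append(Entry("O4", m["key"], m["name"], target, line))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", "DPF", m["name"] or "", m["url"], line))
    return entries


def analyze(text: str) -> List[Entry]:
    entries = parse(text)
    run_exes = {e.target.lower() for e in entries if e.key == "Run"}
    stems = {stem(e.target) for e in entries if e.section != "O16"}
    for e in entries:
        low = e.target.lower()
        if e.section == "O2" and not low.endswith(".dll"):
            e.findings.append("BHO points at a non-DLL file")
        if e.section != "O16" and any(d in low for d in WATCH_DIRS):
            e.findings.append("executable lives in a folder that should hold none")
        if e.key == "RunOnce" and low in run_exes:
            e.findings.append("RunOnce re-launches a binary already in Run (reinstall hook)")
        if e.section != "O16":
            rev = stem(e.target)[::-1]
            if rev != stem(e.target) and rev in stems:
                e.findings.append(f"file name is the reverse of another entry ('{rev}')")
    return entries


def suspicious(text: str) -> List[str]:
    """Raw log lines that picked up at least one finding."""
    return [e.raw for e in analyze(text) if e.findings]


def report(text: str) -> str:
    lines = []
    for e in analyze(text):
        verdict = "; ".join(e.findings) if e.findings else "no finding (review manually)"
        lines.append(f"[{e.section} {e.key}] {e.name or '-'}: {e.target}\n    -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running the block prints one verdict per entry; the five entries PhilliePhan told Stvbrb to fix are the five that pick up findings, the benign Run entry and the O16 line do not. Extend `WATCH_DIRS` or paste a full log in place of the sample to reuse it; the reverse-name check is the cheap trick that ties the BHO's `nudrah.dat` to the `hardun.exe` Run entries without any signature.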
  7. Stvbrb

    Stvbrb Private E-2

    I followed instructions exactly. I have attached my new HJT log. I did not close any programs after rebooting to normal Windows, as I wasn't instructed to do so. Things seem to be running OK so far. Thanks again for your expert help PhilliePhan.

  8. PhilliePhan

    PhilliePhan Guest

    Hi Stvbrb,

    Your HJT log looks good - Happy we could help :)

    Note that I left all of the O16 entries alone - Nothing jumped out at me as being particularly harmful, though.

    You should also take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    I definitely recommend that you use the following tools:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster


    These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall & keeping your Windows up-to-date will do wonders in helping to keep Malware off your computer!

    Best :)
    PP
     
  9. Stvbrb

    Stvbrb Private E-2

    I can't thank you enough. Things seem great now. I've been using Norton Antivirus, Zone Alarm Pro, and Adaware. I update them regularly. It was really frustrating because Adaware kept detecting 4 Virtumundo items, allowed me to delete them, however it kept returning. Internet Explorer was crawling. I will add Spybot and Spyware Blaster to my arsenal.

    Again, much thanks. You are a genius!!
    I have a happy computer again

    regards,
    Stvbrb
     
  10. PhilliePhan

    PhilliePhan Guest

    You're Welcome!

    SpybotSD & Spyware Blaster complement Ad-aware pretty well. You might also want to check out Spyware Guard in Chas' link - if you want a little overkill ;)

    Happy & Safe Computing!

    PP
     
