Virtumundo Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Great_Loser, Nov 16, 2004.

  1. Great_Loser

    Great_Loser Private E-2

    Hello,
    I'm having problems with Virtumundo. Every time I run Ad-Aware, I notice that Virtumundo is always there. My internet speed has also slowed down to a crawl. It takes me 5 minutes just to open Internet Explorer.
    Could you possibly help me?
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    Please take a look at the threads in this link for more info: StopGuard or WinFirewall Problems? They will acquaint you with the removal process.

    If you still need some help, then I would ask that you please take a run through this Cleanup Tutorial. It will remove a lot of crap that would otherwise clog up a HijackThis Log:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    Note the steps that you can and cannot complete. Please make sure that you are in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back with the results from the above instructions and we’ll go from there. Please send us a HijackThis Log with your post.

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there - I'll try to check back when I get a chance. (Usually in the wee hours)

    Best luck :)
    PP
     
  3. Great_Loser

    Great_Loser Private E-2

    Thanks for your help
    I'll just run the programs and post the file
    Thanks
     
  4. PhilliePhan

    PhilliePhan Guest

    All righty then! :)

    I'm usually here in the wee hours.

    PP
     
  5. Great_Loser

    Great_Loser Private E-2

    Hello
    Here are the steps I followed,
    1. Started in Safe Mode
    2. Ran Trend Micro's Online Scan
    - Results - Found Trojansmall.gl (non-cleanable), deleted file
    3. Ran Symantec Security Check
    - Results - Virus Detection: None
    - Security Scan: Alol ticks except for Antivirus Product Check
    4. Ran McAfee AVERT Stinger
    - Results - Only clean files
    5. Ran CCleaner
    - Results - Cleaned 3687.1 MB
    6. Ran AdAware SE with VX2 Plug-in
    - Results - Quarantined/Removed: 2*Virtumundo Regkey, 3*Virtumundo Regvalue, 1*Virtumundo File.
    7. Ran Spybot S & D
    - Results - 4*ATLEvents.ATLEvents, 5*DSO Exploit (All Fixed)
    8. Ran CW Shredder
    - Results - Nothing found
    9. Ran Kill2Me
    - Results - Removed Look2Me infection (if present)
    10. Ran about:Buster
    - Results - Ref List 17, No ADS found on system, Attempted cleanup of Temp folder, Pages Reset: done.
    11. Ran HSRemove
    - Results - 8 items removed (not-known)

    Thanks for reading all this...I hope it's everything.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    WOW! Your log is a prime example of how this baby mutates on reboot!

    If you have rebooted since scanning for that HJT log, I'll need a fresh log.

    I'm tied up right now, but I will try to check back later. We should be able to get you fixed up ;)

    Best,
    PP
     
  7. Great_Loser

    Great_Loser Private E-2

    Ok...Thanks for your help
    Here is my new HJT log, so I can't turn the computer off between the scan and when you reply, is that right?
    Thanks anyway
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    As I mentioned, this particular malware generates a different randomly named .exe upon each reboot. That is why there are so many to fix with HJT. All, except one, are remnants from a previous boot.

    Anyhoo, here is my generic fix for Stopguard-related malware infections. Please follow the instructions carefully. I’m still working out the kinks, but it seems to do the job!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Look in C: > WINDOWS > PREFETCH & Delete msvcas.exe ( or any msvcas or sacvsm entries) - if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O1 - Hosts: .com

    O1 - Hosts: .com

    O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\Andrew\LOCALS~1\Temp\lruger.dat (file missing)

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Andrew\LOCALS~1\Temp\sacvsm.dat

    O4 - HKLM\..\Run: [*vsssrv] C:\WINDOWS\system\vsssrv.exe
    O4 - HKLM\..\Run: [*cabfont] C:\WINDOWS\cabfont.exe
    O4 - HKLM\..\Run: [*mcabr] C:\WINDOWS\mcabr.exe
    O4 - HKLM\..\Run: [*hardftp] C:\WINDOWS\security\Database\hardftp.exe
    O4 - HKLM\..\Run: [*antiras] C:\WINDOWS\addins\antiras.exe
    O4 - HKLM\..\Run: [*wavelog] C:\WINDOWS\Fonts\wavelog.exe
    O4 - HKLM\..\Run: [*winfax] C:\WINDOWS\system\winfax.exe
    O4 - HKLM\..\Run: [*hardacc] C:\WINDOWS\hardacc.exe
    O4 - HKLM\..\Run: [*apvss] C:\WINDOWS\Help\apvss.exe
    O4 - HKLM\..\Run: [*regplay] C:\WINDOWS\addins\regplay.exe
    O4 - HKLM\..\Run: [*expurl] C:\WINDOWS\AppPatch\expurl.exe
    O4 - HKLM\..\Run: [*dbmsvc] C:\WINDOWS\system\dbmsvc.exe
    O4 - HKLM\..\Run: [*regurl] C:\WINDOWS\repair\regurl.exe
    O4 - HKLM\..\Run: [*pcwin] C:\WINDOWS\security\Database\pcwin.exe
    O4 - HKLM\..\Run: [*odbcw] C:\WINDOWS\Tasks\odbcw.exe
    O4 - HKLM\..\Run: [*mcdll] C:\WINDOWS\Fonts\mcdll.exe
    O4 - HKLM\..\Run: [*mcwin] C:\WINDOWS\system\mcwin.exe
    O4 - HKLM\..\Run: [*asdvd] C:\WINDOWS\addins\asdvd.exe

    O4 - HKLM\..\Run: [*msvcas] C:\WINDOWS\Fonts\msvcas.exe

    O4 - HKLM\..\RunOnce: [*msvcas] C:\WINDOWS\Fonts\msvcas.exe rerun

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Fonts\msvcas.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if it should somehow still remain:

    C:\WINDOWS\Fonts\msvcas.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bkinst
    sacvsm
    msvcas


    and DELETE the related files. (We especially want to get rid of msvcas.ini & msvcas.dat & msvcas.bak AND sacvsm.ini & sacvsm.dat & sacvsm.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
  9. Great_Loser

    Great_Loser Private E-2

    Thanks for your help,
    Hopefully it all should be working now.
    When I scanned for 'sacvsm' and 'msvcas' in Windows Explorer, I couldn't find them.
    Anyway here's my log file.
     

    Attached Files:

  10. Great_Loser

    Great_Loser Private E-2

    Hello,
    Bad News, I just ran AdAware SE and it picked up some Virtumundo regkeys and values.
    What should I do?
     
  11. Great_Loser

    Great_Loser Private E-2

    Is it worth mentioning that this computer connects to the internet through another computer? Could that computer have Virtumundo on it?
     
  12. PhilliePhan

    PhilliePhan Guest

    That could be the case! There is still a lot about this malware that I am unsure of. You might need to clean both. Also, are there multiple user accounts on your machine?

    I am advising a lot of threads with this problem right now - My generic solution seems to work for most cases.(you might want to take a look at some of them to see if you or I missed anything) If you followed the instructions to the letter and the problem came back, then we need to look at some outside variables.

    If you look at your HJT log, you can see the new mutation. You could try disconnecting your computer from the other one and running through the previous instructions for the new mutation. Then, save the new HJT log on a floppy and send it to me from the other computer so that they can remain disconnected & we can go from there.

    I am on a different computer right now and probably won't be able to check back until tonight. Keep me posted.

    Best,
    PP
     
  13. Great_Loser

    Great_Loser Private E-2

    Ok, thanks for that
    I'll try disconnecting it from the other computer.
    If I do run the programs again, under what user account should I run them?
    Thanks
     
  14. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    Sad to say that running through the cleanup process is recommended for ALL user accounts. One of the reasons I spend some (actually a lot) of my free time trying to help people here is that I know firsthand how frustrating Malware can be. Hang in there! :)
    Let me know how things shake out.

    PP
     
  15. Great_Loser

    Great_Loser Private E-2

    Hello,
    I'll go through the processes on all users
    Thanks for all your help
    GL
     
  16. Great_Loser

    Great_Loser Private E-2

    Hello again,
    I've managed to run through the process on all users.
    I've attached the HJT log for 2 of the users, I'll post the other two in another post.
    Sorry about wasting your time but could you possibly look through them all?
    Thanks for all your help up to here
    GL
     

    Attached Files:

  17. Great_Loser

    Great_Loser Private E-2

    Hello
    I'm just posting the other two HJT logs
    Thanks for your help
    GL
     

    Attached Files:

  18. PhilliePhan

    PhilliePhan Guest

    I will try to take a look tonight or tomorrow morning :) Hang in there.

    Take a look at this thread:

    Another Virtumundo Problem

    The devil is in the details. You need to follow the instructions word for word!
    Also, try looking in the folders for the hidden files as Steve did and as I advised Tarkin789 to do here:

    virtumundo strikes again...other issues too perhaps

    You are not alone in your frustration, but I am finding that, more often than not, people are missing crucial steps in the removal process. In your case, however, it may be the multiple accounts at fault.

    I'll look those over when I can and check back.

    Best :)
    PP
     
  19. PhilliePhan

    PhilliePhan Guest

    Hi GL – Sorry I couldn't get back to you sooner. :cool: I guess we can try working this for each user account.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    For Each Account:

    Look in C: > WINDOWS > PREFETCH & Delete xmlav.exe ( or any xmlav or valmx entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\Microsoft.NET Folder for any backups (xmlav.bak etc. . . ) or other Virtumundo Files – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm ----> All Logs

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm ----> All Logs

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = ----> Log 1

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ----> Log 1

    R3 - Default URLSearchHook is missing ----> Log 1

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\valmx.dat -----> Log 1

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Andrew\LOCALS~1\Temp\valmx.dat ----> Log 2

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Lee\LOCALS~1\Temp\valmx.dat ----> Log 3

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Kate\LOCALS~1\Temp\valmx.dat ----> Log 4

    O4 - HKLM\..\Run: [*xmlav] C:\WINDOWS\Microsoft.NET\xmlav.exe ----> All Logs

    O4 - HKLM\..\RunOnce: [*xmlav] C:\WINDOWS\Microsoft.NET\xmlav.exe rerun ----> All Logs


    Then, FOR ALL user accounts,
    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Microsoft.NET\xmlav.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    THEN:
    Use Windows Explorer to run a search of your computer for:
    bkinst
    xmlav
    valmx


    and DELETE the related files. (We especially want to get rid of xmlav.ini & xmlav.dat & xmlav.bak AND valmx.ini & valmx.dat & valmx.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. Did we get it? Keep me posted!

    I do not know if much of this will be redundant - Better thorough than sorry!

    ALSO: For user #4 I would suggest Uninstalling Kontiki - People have had trouble with this before.

    Best luck :)
    PP
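    The two fix lists in this thread (this post and the earlier one for the first mutation) follow one pattern: every Virtumundo entry is an O4 Run value whose name starts with `*`, the live copy also has a RunOnce twin ending in `rerun`, and the CATLEvents BHO loads a `.dat` in Temp whose name is the `.exe` name spelled backwards (msvcas/sacvsm, xmlav/valmx, and lruger.dat against the earlier regurl.exe). The Python script below is an added example, not code from the thread or from HijackThis: it parses HJT O2/O4 lines, separates the live executable from the remnants of earlier boots, and derives the names worth searching the disk for. The marker rules are taken only from the logs quoted in this thread, and the sample log is constructed from those quoted lines.

```python
"""Triage a HijackThis log for the Virtumundo pattern seen in this thread.

Added example, not part of the original posts or of HijackThis itself.
Assumptions: the log is plain text as HJT prints it; the marker rules
(leading '*' on the Run value name, a RunOnce twin ending in 'rerun', a
CATLEvents BHO whose .dat in Temp is the .exe name spelled backwards) are
taken only from the logs quoted in this thread.
"""
import re

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Constructed sample: lines quoted from posts 8 and 26 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\Andrew\LOCALS~1\Temp\lruger.dat (file missing)
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Andrew\LOCALS~1\Temp\sacvsm.dat
O4 - HKLM\..\Run: [*vsssrv] C:\WINDOWS\system\vsssrv.exe
O4 - HKLM\..\Run: [*cabfont] C:\WINDOWS\cabfont.exe
O4 - HKLM\..\Run: [*regurl] C:\WINDOWS\repair\regurl.exe
O4 - HKLM\..\Run: [*msvcas] C:\WINDOWS\Fonts\msvcas.exe
O4 - HKLM\..\RunOnce: [*msvcas] C:\WINDOWS\Fonts\msvcas.exe rerun
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
"""


def exe_path(cmd):
    """Drop trailing arguments (e.g. the 'rerun' HJT shows on the RunOnce twin)."""
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.strip()


def stem(path):
    """Bare file name without directory or extension, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_hjt(text):
    """Return the O4 and O2 entries of a log as dicts, keeping the raw line."""
    o4, o2 = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            o4.append({**m.groupdict(), "line": line})
        elif m := O2_RE.match(line):
            o2.append({**m.groupdict(), "line": line})
    return o4, o2


def triage(text):
    """Separate the live Virtumundo executable from stale remnants and
    derive the names worth searching the disk for."""
    o4, o2 = parse_hjt(text)
    starred = [x for x in o4 if x["name"].startswith("*")]
    # The copy that is still alive is the one re-armed through RunOnce ... rerun.
    rerun = {stem(exe_path(x["cmd"])) for x in starred
             if x["key"] == "RunOnce" and x["cmd"].rstrip().endswith(" rerun")}
    live = sorted({exe_path(x["cmd"]) for x in starred if stem(exe_path(x["cmd"])) in rerun})
    remnants = sorted({exe_path(x["cmd"]) for x in starred if stem(exe_path(x["cmd"])) not in rerun})
    bho = [x for x in o2 if x["desc"] == "CATLEvents Object"
           and "\\temp\\" in x["path"].lower() and x["path"].lower().endswith(".dat")]
    # Each name and its reverse: the .dat in Temp is the .exe spelled backwards.
    terms = set()
    for s in [stem(p) for p in live] + [stem(b["path"]) for b in bho]:
        terms.update({s, s[::-1]})
    return {
        "live": live,
        "remnants": remnants,
        "bho_dat": [b["path"] for b in bho],
        "search_terms": sorted(terms),
        "hjt_lines_to_fix": [x["line"] for x in starred] + [b["line"] for b in bho],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(key)
        for item in value:
            print("   ", item)
```

    Running it lists the HJT lines to tick, the one executable to delete on reboot, the stale remnants, and the search terms (for the sample: lruger, msvcas, regurl, sacvsm). `bkinst`, which PP also lists, cannot be derived from a log and has to be added by hand, and the second mutation (xmlav/valmx) fits the same rules without any change to the script.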
     
  20. Great_Loser

    Great_Loser Private E-2

    Hello,
    Thanks for all these things....
    1. Just quickly, after you've run HJT in each account and deleted those things, you said to reboot. After you've rebooted, you say not to reboot again. The problem is I will need to reboot because I need to run it on each account. What should I do?

    2. And also, when I looked in the Microsoft.NET file, I found a xmlav.exe file. When I go to delete it it says 'Unable to delete xmlav:access denied' then something about making sure the disk isn't full or write protected and the file isn't in use.

    3. Finally, in that same folder there is a thing called 'crdrv.exe', should I delete this too?

    I really appreciate all the help you've given me
    GL
     
  21. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    This is a toughie! I'm not sure if you should run through the procedure for each user. I'm leaning toward yes you should.
    Try running through the entire procedure for each account. Go ahead and reboot when you need to switch accounts. You may find that, if you are able to nail the Virtumundo in the first account, all that is left to fix in the subsequent accounts are a few HJT entries (the BHOs, etc...)

    You may have to play it a bit by ear! There is still a lot I don't know about this badguy. It may take a little initiative on your part - trying various things and experimenting. :) I imagine that you are a bit more comfortable now and that you have a good idea what to look for. As always, the key is to try to Delete the baddie before it gets a chance to run! To that end, you might try this tool:
    Pocket KillBox

    When running the procedure:
    When You looked in the Microsoft.NET folder, did it look like a legitimate folder? Do you think it is something that you can try to delete in its entirety with Killbox?
    Look for xmlav.bak and others and see if you can delete them first before running through the entire procedure - They may be hidden files.

    This sounds a little iffy: 'crdrv.exe' It probably should be deleted.

    Try reading some of the many other threads on the subject. You may get a few more ideas.

    Keep me posted.

    PP :)
     
  22. Great_Loser

    Great_Loser Private E-2

    Hello again,
    I tried using that other program to delete the xmlav.exe file, but it still didn't get rid of it. I tried running HJT, and when I restart the computer, the files are still there. Can you possibly suggest any other ways to delete the file? I'm not sure if this is important, but when I get into the Task Manager, one of the processes running is xmlav.
    Thanks for all your help.
    GL
     
  23. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    The key is to Delete that file on Reboot so that it never gets a chance to run in the first place. You then must clean ALL traces of it (backups, etc...) so that it cannot reconstitute itself or phone home and reinstall itself. This is a particularly nasty baddie. I do not know what else to suggest other than dogged perseverance and experimentation. The multiple accounts make things all the more difficult. You must fix that BHO for each account as well as flush all xmlav or valmx occurrences after deleting on reboot.

    I'm sorry I cannot be more help. I know how frustrating this can be. I just do not know what else to recommend other than to read some of the threads in the sticky post at the top of the forum and see if there is something you missed.

    PP :)
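    Deleting the file before it can run is the whole point of HJT's "Delete a file on reboot" and of KillBox. The standard Windows mechanism for that is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records a source path and an empty destination in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the session manager carries the list out early in boot, before any Run or RunOnce value executes. That those two tools use exactly this call is an assumption. The Python below is an added example, not code from either tool or from the thread: it builds and parses that value so you can see what is queued for deletion (the empty destination strings are significant, so the raw bytes are parsed rather than trusting a library's REG_MULTI_SZ splitting), and on Windows it queues a deletion through MoveFileExW. The two paths used are the ones named in this thread.

```python
"""Queue a delete-on-reboot the way Windows records it, and read back what is
queued.  Added example, not code from HijackThis, KillBox or the posts above.

Assumption: those tools use MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT),
which stores each request as a source/destination pair in the REG_MULTI_SZ
value PendingFileRenameOperations under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager.  An empty
destination means delete.  Off Windows this only builds and parses the value
bytes; writing the value needs the registry on the target machine.
"""
import ctypes
import sys

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def nt_path(win_path):
    r"""'C:\WINDOWS\Fonts\msvcas.exe' -> '\??\C:\WINDOWS\Fonts\msvcas.exe'
    (the object-manager form the session manager expects)."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def build_operations(deletes):
    """REG_MULTI_SZ string list: one (source, '') pair per file to delete."""
    ops = []
    for src in deletes:
        ops += [nt_path(src), ""]
    return ops


def encode_multi_sz(strings):
    """Serialise as REG_MULTI_SZ bytes: each string UTF-16LE + NUL,
    then one extra NUL terminating the list."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz that keeps embedded empty strings, which a
    plain 'split on NUL, stop at double NUL' reader would drop."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):          # list terminator
        text = text[:-1]
    items = text.split("\0")         # last element is the final string's NUL
    return items[:-1]


def pending_deletes(data):
    """Files that a stored PendingFileRenameOperations value will delete."""
    items = decode_multi_sz(data)
    out = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            out.append(src[4:] if src.startswith("\\??\\") else src)
    return out


def queue_delete_on_reboot(path):
    """On Windows (run as Administrator), ask the OS to delete `path` at the
    next boot.  Equivalent to what the delete-on-reboot tools are assumed to do."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    # Constructed input: the two executables named in this thread.
    ops = build_operations([r"C:\WINDOWS\Fonts\msvcas.exe",
                            r"C:\WINDOWS\Microsoft.NET\xmlav.exe"])
    blob = encode_multi_sz(ops)
    print("will delete at boot:", pending_deletes(blob))
```

    If a tool's delete-on-reboot seems to have no effect, reading the value back with `pending_deletes` before rebooting tells you whether the request was ever recorded. If it was and the file is back afterwards, the likely explanation is the one PP gives above: a backup (.bak/.ini/.dat) or the other half of the pair re-created it after the session manager ran, so every copy has to go in the same pass.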
     
  24. PhilliePhan

    PhilliePhan Guest

    Hey GL,

    This might be just the ticket. Give it a try and let me know if it does the job. You may need to run it for each account.

    Symantec Virtumundo Eradication Tool

    I'll keep my fingers crossed ;)

    PP
     
  25. Great_Loser

    Great_Loser Private E-2

    Hello,
    I've got some good news. That program you mentioned seemed to do the trick. Thank you very much for all your help and I appreciate all this time you've spent on helping me. Before I connect the recently fixed computer back to the other one (this one), I might check this for viruses. Can you please just check the HJT log for this computer.
    Thanks again
    GL
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install and do you use RedSwoosh and Limewire? I'm referring to these items from your HJT log:

    C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - Global Startup: LimeWire 4.0.5.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5\LimeWire.exe
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm

    I would normally recommend uninstalling and fixing lines as necessary with HJT. Here is some info on them:
    - Red Swoosh - mechanism used by web sites to allow you to download files from those sites quicker and more efficiently. Note from the license agreement that they automatically update the software and share non-personally identifiable information with others in the network
    See this link: http://pestpatrol.com/pestinfo/r/red_swoosh.asp
    - LimeWire - Peer to Peer (P2P) file-sharing client. x.x.x represents the version number. Note - as with all P2P sharing programs they are susceptible to various forms of malware

    Another question: do you use all those toolbars, MSN, SurfSecret, & Telstra?
     
    Last edited: Nov 24, 2004
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below processes and End them (if found):
    winpup32.exe
    mscache.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe
    O4 - HKLM\..\Run: [MS Updates] C:\WINDOWS\mscache.exe
    O8 - Extra context menu item: > Instant Porn Access < - javascript:{document.location='http://www.dialerpayout.com/dialers/acw';}
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\winpup32.exe
    C:\WINDOWS\mscache.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  28. PhilliePhan

    PhilliePhan Guest

    Hi GL,

    You're welcome! I'm happy to see that the tool worked for you :) Just in time, huh?!

    Chaslang has jumped in to reclaim his rightful spot as head of the Spyware Forum foodchain ;) He is more knowledgeable than I, so you are in good hands.

    Best :)
    PP
     
  29. jgessing

    jgessing Private E-2

    I've been able to get rid of this by booting XP (and 2000) into command prompt mode and manually navigating to the suspicious directory. In my case it was C:\WINNT\SPEECH\*Eula..exe.

    The problem is that this does run in safe mode, you cannot end the task, and it keeps adding itself back to the RunOnce key in the registry with the "rerun" option.

    It does not seem to be able to run in command prompt mode, or at least it is not protected as it is in safe mode.

    However, there can be more than one thing that loads and runs. You may eliminate one of these *xxxx.exe programs, only to find another one has taken its place.

    It appears that virtumundo is trying to compete on the sinister side with CWS
     
