Evaluate, posted January 4, 2009

Yesterday, I was playing away on Runescape and suddenly another Firefox browser popped up offering to sell me some sort of credit card. I closed it and thought nothing of it, but it kept happening, like every 5 minutes or so after that. So, after about half an hour I scanned with AVG, and it said I had a Trojan. It had moved it to the virus vault, so I thought I was safe. I wasn't. I then tried Ad-aware, which didn't identify the trojan, but instead found malware, specifically Virtumonde, on my computer. So I hit delete on that, and figured that was all over with. Turns out, it wasn't, again. So, I asked one of my friends and he told me to try Spybot S&D. So I did. After the scan, I ended up with a list that contains the following:

Burstmedia - 3 entries - browser
Casalemedia - 4 entries - browser
Doubleclick - 2 entries - browser
Smitfraud-c. - 1 entry - MalwareC
Virtumonde - 4 entries - trojans
Virtumonde.generic - 2 entries - trojans
Virtumonde.sci - 1 entry - trojansC
Zedo - 7 entries - browser

I tried deleting them, 3 times actually. Every time the scan brings up the same thing. It's really got me annoyed, as I want them off my damn computer. Any ideas?

Edit: Tried Sindarin's idea, didn't work. Any other ideas?

Edit2: Another friend recommended I use Malwarebytes' malware removal tool. Tried it, removed everything except "virtumonde - 1 entry - trojansC".

Edit3: It appears everything is clear from my computer now, but you're free to check my HijackThis log in my last post to see for yourself.
Sindarin00, posted January 4, 2009

Get rid of Ad-Aware and download Spybot Search and Destroy. Scan with Spybot; it will tell you it cannot remove them and ask you to restart. Restart the computer and it will scan before anything loads up. This should get rid of everything. If not.... Virtumonde is insanely difficult to delete...
Evaluate (author), posted January 4, 2009

Thanks, I'll try that. In the meantime, any other advice is still much appreciated.
Evaluate (author), posted January 4, 2009

Sindarin's idea didn't work for me. I don't really know where to go in terms of deleting the stuff from here, so any help is appreciated.
Evaluate (author), posted January 5, 2009

A kind person told me to try Malwarebytes' malware removal system. I did, and it removed nearly everything. I'm still left with "Virtumonde - 1 entry - TrojansC". Any way to get rid of it?
Resonae, posted January 5, 2009

Download SUPERAntiSpyware; if it cannot delete Virtumonde, you can at least put it in the vault where it can cause no further damage. After this, go to Control Panel -> Add or Remove Programs; if you find any suspicious programs, post them here, because what I find with recurring trojans is that something you installed causes them.
Errdoth, posted January 5, 2009

OP: Please download and run VundoFix. After that, you need to run a HijackThis scan and post the logfile here.
Evaluate (author), posted January 5, 2009

@Errdoth: Tried VundoFix, it didn't detect anything, maybe it's gone somehow, lol. Here's the HJT log; hopefully you make more sense of it than me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:24 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll pubczd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5475 bytes
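A small triage script for the HijackThis log format posted above, added here as an example and not part of the thread or of HijackThis itself: it parses the O4 (Run/RunOnce) and O20 (AppInit_DLLs) lines and lists the items a reviewer would check first, namely every AppInit DLL and every Run value whose image has no directory. The sample lines are a constructed subset of the posted log.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the log posted
# in the thread (a subset of lines, with ".exe" restored where the forum
# filter had replaced it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O20 - AppInit_DLLs: avgrsstx.dll pubczd.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def image_path(cmd):
    """Return the executable image from a Run value: quoted path, else first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text):
    """Parse O4 (Run/RunOnce) and O20 (AppInit_DLLs) lines and list review items."""
    run_entries, appinit_dlls, findings = [], [], []
    for line in log_text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            image = image_path(m["cmd"])
            run_entries.append({"hive": m["hive"], "key": m["key"], "name": m["name"], "image": image})
            # An unqualified image name is resolved through the search path at
            # logon, so which file actually runs depends on path order.
            if "\\" not in image:
                findings.append(f"{m['key']} [{m['name']}] uses unqualified image '{image}'")
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that maps user32.dll,
            # so each name here should be tied to a known product.
            appinit_dlls = [d for d in re.split(r"[\s,]+", m["dlls"].strip()) if d]
            findings.extend(f"AppInit_DLLs loads {d}" for d in appinit_dlls)
    return {"run_entries": run_entries, "appinit_dlls": appinit_dlls, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the full posted log, the same script lists both AppInit DLLs and the two path-relative Run values (ALCXMNTR.EXE and the nLite rundll32 entries), which is where a reviewer would start matching names to installed products.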