View Full Version : Trojan.Virtumonde Removal Issues using Spyware Doctor


msi
11-13-2007, 01:45 PM
Hi,

Today when I performed a full scan using Spyware Doctor version 4.1.0.1, it informed me that my PC was infected by the malware Trojan.Virtumonde.

After Spyware Doctor scanned and removed the threat, it popped up a window saying the computer needed to restart. But after I restarted and came back to Windows, it did a scan again, and this time it didn't find anything. I waited and let the scan complete. After the scan had completed, I performed a full system scan again using Spyware Doctor, and again it detected the Trojan.Virtumonde malware. Again it removed it and prompted me to restart.

After many tries, the malware cannot be removed by Spyware Doctor and it keeps coming back.

Please help me to solve this.

mjq424
11-13-2007, 08:28 PM
Hi
Virtumonde or Vundo is reputedly difficult to remove. It needs a special fix.
Download and Run ComboFix

Download this file from either of the two places listed below:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/ComboFix.exe

Then double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

msi
11-14-2007, 12:57 AM
I will download and try this later today. I will post the log once I have run ComboFix.exe.

msi
11-14-2007, 12:33 PM
I have run ComboFix.exe. Below is the log. Let me know if I need to do anything further.

ComboFix 07-11-08.1 - MSI 2007-11-14 20:07:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.322 [GMT 8:00]
Running from: C:\Documents and Settings\MSI\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\MSI\Application Data\macromedia\Flash Player\#SharedObjects\3NNBXC9R\iforex.com
C:\Documents and Settings\MSI\Application Data\macromedia\Flash Player\#SharedObjects\3NNBXC9R\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\MSI\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\MSI\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\fixmfs.dll
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 12:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-14 00:06 80,448 ----a-w C:\WINDOWS\system32\cljoxhph.dll
2007-11-14 00:03 85,056 ----a-w C:\WINDOWS\system32\jtnwvtnr.dll
2007-11-14 00:00 143,522 ----a-w C:\WINDOWS\system32\qvgfrkkp.dll
2007-11-13 23:57 71,232 ----a-w C:\WINDOWS\system32\dvtppndt.exe
2007-11-13 22:15 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-13 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-11-13 02:43 --------- d-----w C:\Program Files\RapidLeecher Ultimate 2007
2007-11-12 23:33 35,328 ----a-w C:\WINDOWS\system32\byxwvsr.dll
2007-11-10 02:56 --------- d-----w C:\Program Files\BitComet
2007-11-09 15:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-09 15:42 --------- d-----w C:\Program Files\Symantec
2007-11-09 15:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-09 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-09 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-09 11:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-07 14:57 --------- d-----w C:\Program Files\Windows Live
2007-11-07 14:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-07 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-04 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\sentinel
2007-11-04 14:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 14:44 --------- d-----w C:\Program Files\Panda Security
2007-11-04 14:25 --------- d-----w C:\Program Files\Super Mutual Video Media Pack
2007-11-04 00:11 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2007-11-04 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-02 23:05 --------- d-----w C:\Documents and Settings\MSI\Application Data\Netscape
2007-10-29 13:13 --------- d-----w C:\Program Files\IBM
2007-10-25 12:32 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks
2007-10-25 12:31 --------- d-----w C:\Program Files\Juniper Networks
2007-10-25 12:31 --------- d-----w C:\Documents and Settings\MSI\Application Data\Juniper Networks
2007-10-20 01:51 --------- d-----w C:\Program Files\JetAudio
2007-10-18 03:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-15 03:10 --------- d-----w C:\Program Files\Common Files\COWON
2007-10-13 03:38 34,312 ----a-w C:\WINDOWS\system32\drivers\blueletaudio.sys
2007-10-13 03:36 --------- d-----w C:\Program Files\IVT Corporation
2007-10-13 03:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-13 02:49 --------- d-----w C:\Documents and Settings\MSI\Application Data\PC Suite
2007-10-13 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-12 00:46 --------- d-----w C:\Documents and Settings\MSI\Application Data\Nokia Multimedia Player
2007-10-12 00:36 --------- d-----w C:\Program Files\ppfilm
2007-10-11 23:31 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-10-11 23:27 --------- d-----w C:\Program Files\Nokia
2007-10-11 23:27 --------- d-----w C:\Program Files\Common Files\Nokia
2007-10-11 23:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2007-10-11 23:01 --------- d-----w C:\Documents and Settings\MSI\Application Data\Nokia
2007-10-11 22:59 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-10-11 22:59 --------- d-----w C:\Program Files\DIFX
2007-10-11 22:59 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-10-11 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-10-11 21:04 --------- d-----w C:\Documents and Settings\MSI\Application Data\Skype
2007-10-07 01:29 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-10-06 23:42 --------- d-----w C:\Program Files\Java
2007-09-30 01:43 --------- d-----w C:\Program Files\DivX
2007-09-25 12:39 --------- d-----w C:\Documents and Settings\MSI\Application Data\Media Player Classic
2007-09-25 01:25 --------- d-----w C:\Program Files\Medieval Software
2007-09-25 01:09 --------- d-----w C:\Program Files\Monkey's Audio
2007-09-25 01:03 --------- d-----w C:\Program Files\Winamp
2007-09-23 00:55 --------- d-----w C:\Program Files\Real Alternative
2007-09-23 00:54 --------- d-----w C:\Program Files\Media Player Classic
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-17 16:42 --------- d-----w C:\Program Files\Skype
2007-09-17 16:42 --------- d-----w C:\Program Files\Common Files\Skype
2007-09-17 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-08 14:30 1,569,280 ----a-w C:\3CRWDR101A-75_v1.10.00.A.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 04:53 28,766 ----a-w C:\WINDOWS\system32\PlayerCtrl.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-17 08:00 18,432 ----a-w C:\WINDOWS\system32\BsMonSvr.dll
2007-08-17 08:00 10,240 ----a-w C:\WINDOWS\system32\BsMonUI.dll
2007-08-17 07:59 57,430 ----a-w C:\WINDOWS\system32\btfunc.dll
2007-08-17 07:59 528,485 ----a-w C:\WINDOWS\system32\BSShell.dll
2007-08-17 07:59 323,670 ----a-w C:\WINDOWS\system32\Bscdlg.dll
2007-08-17 07:59 278,647 ----a-w C:\WINDOWS\system32\outlookAddin.dll
2007-08-17 07:59 114,774 ----a-w C:\WINDOWS\system32\versit.dll
2007-08-17 07:58 90,218 ----a-w C:\WINDOWS\system32\BsHelpCSps.dll
2007-08-17 07:58 360,563 ----a-w C:\WINDOWS\system32\BlueSoleilCSps.dll
2007-08-17 07:58 122,970 ----a-w C:\WINDOWS\system32\BsCommon.dll
2007-08-17 07:58 110,692 ----a-w C:\WINDOWS\system32\BsProfileFunc.dll
2007-08-17 07:57 77,923 ----a-w C:\WINDOWS\system32\Bs2Res.dll
2007-08-17 07:57 28,760 ----a-w C:\WINDOWS\system32\BsTrace.dll
2007-08-17 07:57 159,828 ----a-w C:\WINDOWS\system32\BsSDK.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

msi
11-14-2007, 12:34 PM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
2007-11-13 07:33 35328 --a------ C:\WINDOWS\system32\byxwvsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A36591C-CF2A-4D90-BEF3-862F81FC9F5A}]
C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CB961C2-96ED-452E-97BC-89149218B763}]
C:\WINDOWS\system32\jkkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9907ED63-9584-453D-818B-4C5B53DFB193}]
C:\WINDOWS\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F62AE009-13A2-4762-A80A-14C0F40FF409}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:32]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-09 20:33]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-09 20:50]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-09 20:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2007-10-13 11:38]
"CY_BG"="C:\WINDOWS\CY_BG.EXE" [2003-04-21 11:11]
"YIFR Agent"="C:\WINDOWS\system32\28463\YIFR.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 20:31]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-16 15:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-04-16 11:47]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\byxwvsr.dll [2007-11-13 07:33 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvsr]
byxwvsr.dll 2007-11-13 07:33 35328 C:\WINDOWS\system32\byxwvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MSI^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
"C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Express Welcome]
"C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Help Update]
"C:\Program Files\IBM\Client Access\cwbinhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access PC5250 Sound]
"C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
"C:\Program Files\IBM\Client Access\cwbsvstr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jfproc]
C:\Program Files\ppfilm\jfCacheMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
S3 CY_FX_AT;USB Storage Adapter FX (CY);C:\WINDOWS\system32\DRIVERS\CY_FX_AT.SYS
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 11:13:09 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 20:24:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\pmkhg.dll 317536 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-14 20:28:54 - machine was rebooted
.
--- E O F ---

mjq424
11-14-2007, 07:12 PM
Hi
Well that got some of them! This is a little more complicated though as there are more malware files hiding around :(

What I would like you to do is:
Download and Run HijackThis
Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.

Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log in a NEW TOPIC at http://malwareremoval.com/forum/viewforum.php?f=11 along with the ComboFix report. Someone will help you very shortly with your problem.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

msi
11-15-2007, 01:14 AM
I have posted the log on the malware website... I scanned this morning using Spyware Doctor, and it shows my PC is still infected with Trojan.Virtumonde... :mad:

vecchio
11-15-2007, 01:49 AM
Please follow mjq's suggestions, it usually works.
Hope this helps.

msi
11-15-2007, 02:07 AM
Please follow mjq's suggestions, it usually works.
Hope this helps.

Hi vecchio, I have followed mjq's instructions and the log is shown in the post above. But the strange thing is, yesterday I ran combofix.exe and it removed it, and also rebooted my PC. This morning, I scanned with Spyware Doctor and again it found a Trojan.Virtumonde variant. Probably my PC was heavily infected and the cleaning is not complete.

Not sure what to do.
:confused:

vecchio
11-15-2007, 03:22 AM
Post a new log here

http://malwareremoval.com/forum/viewforum.php?f=11
I am sure mjq can help you.

msi
11-15-2007, 03:26 AM
Post a new log here

http://malwareremoval.com/forum/viewforum.php?f=11
I am sure mjq can help you.

Hi,
Thanks so much. I have posted my problem to the link above. My PC is getting slower every day; now I do scanning every day to clean the Trojan.Virtumonde.

consoleman
11-19-2007, 12:29 AM
These little suckers are hard to remove since they change their files every time they execute automatically on a Windows reboot.

If you have rebooted several times already then you have probably been infected with a newer Vundo. At the moment I have never seen any effective AVs that can deal with Vundo, because they will fix some but leave the other random Vundo at startup.

To disable them, you must disable or delete all Startup items that belong to Vundo. A Safe Mode reboot may be a good option: take out all the random Vundo files manually and remove the run keys.

All Vundo files have funny random file names; they are mostly located in the system32 directory or the %temp% directory, and because they are BHOs they hook into Explorer.exe, and the run keys are hooked into Winlogon.

I had these suckers before, but I managed to end their daring stunts by stopping them from running and removing all of them manually. Then I ran the AVs or antispyware to remove the rest.
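
As an added example (not from this thread, ComboFix or catchme), a Python triage script that parses the persistence section of a ComboFix log like the one posted above and flags the entries consoleman describes: random-named DLLs in system32 hooked through the BHO, ShellExecuteHooks, Winlogon Notify and LSA Authentication Packages keys, plus modules that were already deleted (the key survived) or that catchme reported hidden. The key-fragment list, the name heuristic and the sample lines are my assumptions, built from the log above.

```python
import re

# Persistence locations the ComboFix log in this thread shows Vundo using
# (matched case-insensitively against the [HKEY_...] key path).
PERSISTENCE_KEYS = (
    ("browser helper objects", "BHO"),
    ("shellexecutehooks", "ShellExecuteHook"),
    ("winlogon\\notify", "WinlogonNotify"),
    ("currentcontrolset\\control\\lsa", "LsaAuthPkg"),
)
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n]+?\.(?:dll|exe)', re.I)
RANDOM_RE = re.compile(r"\\system32\\[a-z]{5,8}\.dll$", re.I)  # Vundo-style name
# Constructed sample: a few lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((( Other Deletions )))))))
C:\WINDOWS\system32\awtst.dll

((((((( Reg Loading Points )))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
2007-11-13 07:33 35328 --a------ C:\WINDOWS\system32\byxwvsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\byxwvsr.dll [2007-11-13 07:33 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvsr]
byxwvsr.dll 2007-11-13 07:33 35328 C:\WINDOWS\system32\byxwvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\awtst.dll

scanning hidden files ...
C:\WINDOWS\system32\pmkhg.dll 317536 bytes executable
"""

def parse_combofix(text):
    """Return (loaded, deleted, hidden): (key kind, module) pairs referenced from
    persistence keys, files ComboFix deleted, files catchme reported hidden."""
    loaded, deleted, hidden = [], set(), set()
    section = key_kind = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("(((("):                 # section banner
            section = line.strip("() ").lower()
        elif line.startswith("[HKEY_"):             # registry key header
            key_kind = next((kind for frag, kind in PERSISTENCE_KEYS
                             if frag in line.lower()), None)
        elif not line:                              # blank line closes a key block
            key_kind = None
        elif section == "other deletions" and re.match(r"[a-z]:\\", line, re.I):
            deleted.add(line.lower())
        elif line.endswith("bytes executable") and (m := PATH_RE.search(line)):
            hidden.add(m.group().lower())
        elif key_kind:
            loaded.extend((key_kind, p.lower()) for p in PATH_RE.findall(line))
    return loaded, deleted, hidden

def triage(text):
    """Flag entries that look like Vundo: random system32 name, module already
    deleted but key still present (reinfection point), or module hidden on disk."""
    loaded, deleted, hidden = parse_combofix(text)
    findings = []
    for kind, path in loaded:
        reasons = [tag for tag, hit in (("random-name", RANDOM_RE.search(path)),
                   ("orphaned-key", path in deleted), ("hidden-file", path in hidden)) if hit]
        if reasons:
            findings.append((kind, path, reasons))
    for path in sorted(hidden - {p for _, p in loaded}):   # hidden, not yet hooked in
        findings.append(("HiddenOnly", path, ["hidden-file"]))
    return findings
```

Running `triage(SAMPLE_LOG)` shows that awtst.dll was deleted while the LSA key still names it, which is exactly the kind of leftover hook that brings the infection back on the next reboot.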

msi
11-20-2007, 02:47 PM
Hi consoleman, many thanks for your reply on this, I appreciate it a lot.
I have switched to Linux since my last posting, because it was very difficult for me to run programs (as my PC was slow and infected by this crap Virtumonde or Vundo).

After running Linux, everything was OK. And my PC is now even running faster than it usually did in Windows, and so far it is very stable too and hardly crashes like Windows did. :D


These little suckers are hard to remove since they change their files every time they execute automatically on a Windows reboot.

If you have rebooted several times already then you have probably been infected with a newer Vundo. At the moment I have never seen any effective AVs that can deal with Vundo, because they will fix some but leave the other random Vundo at startup.

To disable them, you must disable or delete all Startup items that belong to Vundo. A Safe Mode reboot may be a good option: take out all the random Vundo files manually and remove the run keys.

All Vundo files have funny random file names; they are mostly located in the system32 directory or the %temp% directory, and because they are BHOs they hook into Explorer.exe, and the run keys are hooked into Winlogon.

I had these suckers before, but I managed to end their daring stunts by stopping them from running and removing all of them manually. Then I ran the AVs or antispyware to remove the rest.