
The Virtumonde Virus

  • Recently I purchased a new Dell Vostro 200 computer. Within two weeks of connecting the computer to the internet it became infected with the Virtumonde virus. I downloaded AVG, ZoneAlarm, Spybot Search & Destroy, and already had McAfee Security Centre installed on the computer. These utilities removed the Virtumonde virus, around 30 Trojan horses, and about 27,000 spyware-related items. Now whenever I log on to the computer the following messages appear: “Error loading C:\WINDOWS\system32\karfwxvw.dll” and “Error loading C:\WINDOWS\system32\feruvijc.dll”. Do these error messages mean that the virus is still installed on the computer, and how can I get rid of the messages? Also, what is your opinion on the security software I am now running on the computer?

    The Virtumonde virus is quite a nasty infection which causes pop-up windows with advertisements to appear on the computer and can also have other adverse consequences, particularly performance degradation. Making things worse, the virus has a habit of hooking into system processes, which makes removal very difficult. While you are probably well versed in the particulars of this virus, other readers may find the Wikipedia article on the nasty nature of this infection interesting: en.wikipedia.org/wiki/Vundo

    Relating to your question about the error messages, I was unable to find any references to these two files when researching your question. This is most likely because the files belonged to either the Virtumonde infection or one of the other (several thousand) infections found on the computer, all of which were removed. Even though the threats were removed, Windows is still referencing those files and attempting to load them on startup. As such, we need to tell Windows not to load these files on startup. Go to the “Start” menu > “Run”, type “msconfig” (without the quotes) and click OK. In the System Configuration Utility window that appears, click the “Startup” tab. This provides a list of all the processes which load on Windows startup. Find the entries which relate to the two DLL files that are attempting to load on startup. Once you have found the relevant entries, untick them and click the OK button. You have now stopped those files from attempting to load on Windows startup. Restart the computer and the messages should no longer appear. However, you may receive a message informing you that your computer is running in “Selective Startup” mode. This simply means that not all processes are loading on Windows startup (as you have just disabled the two entries which were causing the errors). You can safely tick the box not to display that message again and click OK.
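    A way to find which autostart entries still point at files that no longer exist, which is the situation behind “Error loading …dll” messages after a clean-up, as an added PowerShell example that is not part of the original post; it assumes a Windows host with PowerShell and an elevated prompt so the HKLM keys are readable, and it covers only the Run/RunOnce registry keys, not every location msconfig lists (such as the Startup folder).

```powershell
# Added example: report Run/RunOnce values whose referenced .exe or .dll is
# missing from disk (orphaned autostart entries left behind by a removal).
# Assumes Windows + PowerShell; HKLM keys need an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract every drive-letter path ending in .exe or .dll from a command line.
# Quoted paths may contain spaces; unquoted ones end at the next space or comma,
# so 'rundll32.exe C:\WINDOWS\system32\feruvijc.dll,ProcInit' yields the DLL.
function Get-ReferencedFiles([string]$commandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($commandLine)
    $pattern  = '(?i)"([A-Z]:\\[^"]+?\.(?:dll|exe))"|([A-Z]:\\[^\s",]+?\.(?:dll|exe))'
    foreach ($m in [regex]::Matches($expanded, $pattern)) {
        if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        foreach ($file in Get-ReferencedFiles $cmd) {
            if (-not (Test-Path -LiteralPath $file)) {
                # Orphaned entry: the autostart reference survived but the file did not.
                [PSCustomObject]@{ Key = $key; Name = $name; MissingFile = $file; Command = $cmd }
            }
        }
    }
}
```

    Anything the script lists is a candidate for the msconfig step above; an entry whose file still exists is not an orphan and deserves a closer look rather than a blind untick.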

    You can be fairly confident that those messages do not mean your computer is still infected, as they appear to be remnants of the previous infection. However, given the infections present on your computer in the past, combined with the seriousness of the Virtumonde infection, I would still regard your computer as highly suspect. An important point made by security expert Steve Gibson (www.grc.com) is that once your computer has been compromised by a virus or malware you can never trust that computer again. This may seem paranoid, but when you consider that you may be conducting internet banking and credit card transactions on your computer, you can never be 100% certain that you have eliminated every infection (so something could still be running in the background, quietly gathering your personal information and sending it to a third party). As such, whenever I see an infection on a computer, instead of attempting to remove the threat I recommend that you back up any data (e.g. documents) you need to keep, then format the hard drive and complete a fresh reinstallation of Windows.

    You may question the effectiveness of this remedy: if you back up data from the infected installation and later copy it onto your clean installation, could you not also bring across the infection (i.e. you have backed up the infection as well)? This is a valid concern, but in most cases it does not present a major problem. An infection usually attempts to infect system files and requires executable processes to operate. As such, it integrates itself into Windows to ensure it is automatically executed on startup (e.g. by placing itself in the Windows registry). When you back up your data for a Windows reinstallation you generally back up only your data, such as documents, rather than programs. In fact, it is not normally possible to back up programs (by simply copying the program folder) and copy them back onto a new system, as they will be missing all the shared files which the programs install into other directories, such as the Windows system directory. Infections are not normally contained within the folders holding your personal data (such as My Documents), so you should be able to copy these to the new system without risk of re-infection. That said, you should always make sure that antivirus software is the first application you install on your new system before anything else, as this should pick up any infections in the unlikely event that they make it across to your new system.

    This neatly leads into your final question regarding the security software you are running on the computer. You should always avoid running multiple antivirus scanners on your computer, as they have a bad habit of conflicting with one another. This primarily comes about because most antivirus packages (in fact, any antivirus package worth anything) have real-time scanners which are always running. If you have two antivirus packages installed, both with real-time scanners, these can conflict, particularly if they both intercept a virus at the same time. As such, you should choose a single antivirus package. My recommended virus scanners are AVG Free (if you are looking for a free solution) or NOD32 (if you don’t mind paying a yearly subscription). It is an unfortunate fact that most antivirus packages on the market have become so bloated with additional “features” that they completely bog down the computer, with a significant toll on performance. I quite like AVG and NOD32 as neither has yet suffered this fate. If you can afford $59.50 then I would strongly recommend that you purchase and install NOD32.

    Be aware that both AVG and NOD32 are only antivirus scanners. While they may detect some variants of malware, that is not their primary purpose. However, do not let this push you into purchasing a competing product which claims to also perform adware and spyware detection and removal. Another good point about AVG and NOD32 is that they perform their antivirus function very well precisely because it is their primary purpose: they are not spreading themselves thin trying to do everything, but instead focus on one task. For adware and spyware scanning there are a multitude of free utilities available. I recommend that you use Ad-Aware Free (www.lavasoft.de), Spybot Search & Destroy (www.safer-networking.org), and Windows Defender (www.microsoft.com/downloads). I have tested these utilities and, even though Windows Defender does have a real-time scanner, using the other two utilities to scan your computer should not create a conflict while Windows Defender is running.
