various forms of malware: trojans, vundo, virtumonde

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smit6577, Jun 30, 2008.

  1. smit6577

    smit6577 Private E-2

    I am working on my dad's computer so I can't go into detail about what's not working as it should. I am using Windows XP if that makes a difference. I have read the READ AND RUN ME FIRST and went through the cleaning procedures and this computer is/was loaded with malware. To name a few trojans that came up during the SUPERAntiSpyware scan: trojan.downloader-newjuan/vm, win32 tro-gen, adware.vundo variant resident, trojan.downloader-gen/bundle installer, rootkit.tncore/trace, and some form of Virtumonde were among many others. I have read that rootkits can't be removed (?) and presume that with all of these forms of malware it isn't likely that all traces were deleted.
    So, could someone help/review the logs I attached?
    I'll point out that during installation of combofix I overlooked that it was saved to C: instead of my desktop; however, it seemed to work fine, no error messages came up. If this is a problem I can reinstall it and run another scan.
    Thanks in advance
     

    Attached Files:

  2. smit6577

    smit6577 Private E-2

    The mbam log originally was too big to upload on account of mbam having deleted malwarebot. I deleted most of the log that mentions malwarebot, which was the anti-spyware program that was being used on this computer.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi smit6577,
    Welcome to Major Geeks!


    Your computer is infected still and will need some special instructions to remove the remaining malware files. This takes some time, so thanks for being patient!

    Thanks.
    abri
     
  4. abri

    abri MajorGeek

    Hi smit6577,

    1) Please disable your guest account if this hasn't already been done.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: {2de3214c-270b-a51b-f1d4-289b15aac832} - {238caa51-b982-4d1f-b15a-b072c4123ed2} - C:\WINDOWS\system32\vgttafop.dll (file missing)
    O2 - BHO: (no name) - {58F93BFF-95B7-429F-A510-296B1122AC75} - C:\WINDOWS\system32\geBuUMfD.dll (file missing)
    O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\jkkHBUkk.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {D67878F9-3257-4D1D-93CE-05D534C9ED31} - C:\WINDOWS\system32\hgGwUOgD.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O20 - Winlogon Notify: awtspnn - awtspnn.dll (file missing)
    O20 - Winlogon Notify: jkkHBUkk - jkkHBUkk.dll (file missing)
    O20 - Winlogon Notify: wvfnndsb - wvfnndsb.dll (file missing)


    Do you need the following programs to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    94DC889F52
    awtspnn
    jkkHBUkk
    wvfnndsb
    
    FILE::
    C:\WINDOWS\BM53d340a0.txt
    C:\WINDOWS\system32\vgttafop.dll
    C:\WINDOWS\system32\geBuUMfD.dll
    C:\WINDOWS\system32\jkkHBUkk.dll
    C:\WINDOWS\system32\hgGwUOgD.dll
    C:\WINDOWS\system32\94DC889F52.sys
    C:\WINDOWS\system32\fmhwxrsh.tmp
    C:\WINDOWS\system32\ostvihln.tmp
    C:\WINDOWS\system32\icfmgseg.ini
    C:\WINDOWS\system32\lxdvbvll.ini
    C:\Documents and Settings\Tom Smith\Local Settings\temp\DIOB.tmp
    C:\Documents and Settings\Tom Smith\Local Settings\temp\DIOF.tmp
    C:\Documents and Settings\Tom Smith\Local Settings\temp\MAR9.tmp
    C:\Documents and Settings\Tom Smith\Local Settings\temp\MARA.tmp
    C:\Documents and Settings\Tom Smith\Local Settings\temp\STSE.tmp
    
    FOLDER::
    C:\WINDOWS\system32\aqVreo01
    C:\WINDOWS\system32\IDME
    C:\WINDOWS\system32\md2
    C:\WINDOWS\system32\usnv
    C:\WINDOWS\system32\xTmp
    C:\temp\itmp4
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{238caa51-b982-4d1f-b15a-b072c4123ed2}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58F93BFF-95B7-429F-A510-296B1122AC75}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C28EAFB-FF50-4F42-8D39-A006129CC907}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D67878F9-3257-4D1D-93CE-05D534C9ED31}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{9C28EAFB-FF50-4F42-8D39-A006129CC907}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtspnn]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHBUkk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvfnndsb]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now.

    abri
     
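As an added illustration (not part of the thread and not one of the MajorGeeks tools), the Python below parses HijackThis-style O2 (BHO) and O20 (Winlogon Notify) lines like the ones abri listed, flags the entries whose DLL is reported missing, and maps each to the registry key that the CFScript above deletes. The sample lines are copied from the post; the regexes and the key paths are my own assumptions about the HijackThis line format.

```python
import re

# Constructed sample input: a few lines copied from the HijackThis list in the post above.
# "(file missing)" / "(no file)" means the load point survives but the DLL is gone,
# which is the typical leftover of a Vundo/Virtumonde infection after the files are deleted.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {58F93BFF-95B7-429F-A510-296B1122AC75} - C:\WINDOWS\system32\geBuUMfD.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - Winlogon Notify: awtspnn - awtspnn.dll (file missing)
O20 - Winlogon Notify: jkkHBUkk - jkkHBUkk.dll (file missing)
"""

# Registry keys behind the two HijackThis sections (assumed from the CFScript in the post).
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# O2 - BHO: <name> - {CLSID} - <dll path or status>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O20 - Winlogon Notify: <subkey> - <dll or status>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")


def _is_orphan(target: str) -> bool:
    """True when HijackThis reports the DLL behind a load point as absent."""
    t = target.strip().lower()
    return t.endswith("(file missing)") or t == "(no file)"


def orphaned_entries(log_text: str) -> list[tuple[str, str]]:
    """Return (registry key to delete, original log line) for each orphaned O2/O20 entry.

    O4 Run entries are intentionally ignored: they are a separate clean-up decision.
    """
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m and _is_orphan(m.group("path")):
            findings.append((BHO_KEY + "\\" + m.group("clsid"), line))
            continue
        m = O20_RE.match(line)
        if m and _is_orphan(m.group("dll")):
            findings.append((NOTIFY_KEY + "\\" + m.group("name"), line))
    return findings


def to_cfscript_registry(findings: list[tuple[str, str]]) -> str:
    """Render the findings as a ComboFix REGISTRY:: section; [-key] deletes the whole key."""
    return "\n".join(["REGISTRY::"] + [f"[-{key}]" for key, _ in findings])
```

Running it on the sample yields four orphaned load points and none for the Java updater line, matching the entries abri singled out for the CFScript.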
  5. smit6577

    smit6577 Private E-2

    Thanks again, everything is running smoothly. When I tried to run messengerdisabler a dialogue box came up saying that it already has been uninstalled, so that program didn't do anything but I suppose it didn't have to.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi smit6577,

    Your logs look good! Please go through the final clean-up instructions in the box below:

    abri
     
