Trojan:Win32/Vundo.gen!A (how do i remove?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by technique333, Dec 24, 2007.

  1. technique333

    technique333 Private E-2

    My Windows Live OneCare detects that it has found potentially unwanted software "Trojan:Win32/Vundo.gen!A" and wants me to clean it. When finished cleaning, it prompts for a restart, and I am in the same boat again when the computer reboots. If there is anyone that can get me detailed instructions on how to remove this and any other malware, it would greatly help me. Thanks.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Run the below and attach the requested logs, and then one of our malware experts will assist you in mopping up the remaining infection.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. technique333

    technique333 Private E-2

    Re: Trojan:Win32/Vundo.gen!A (how do i remove?) still having problems!

    Here are the things you requested.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Disable Spybot's TeaTimer as requested in the READ & RUN ME
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also, while this is open, in the left column now select IE Tweaks, and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.1_02

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  5. technique333

    technique333 Private E-2

    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

    This isn't showing up in the analyse window that opens; only the first two HKLM's you list are there.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on with the rest of the instructions ignoring that line that is no longer there.
     
  7. technique333

    technique333 Private E-2

    Do I run Sun Java Runtime Environment after the boot-up after Avenger? Then CCleaner, the C:\MGtools\GetLogs.bat file, and attach the new C:\MGlogs.zip and log from Avenger?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you need to complete all steps in the order written.
     
  9. technique333

    technique333 Private E-2

    Here are the logs.
     

    Attached Files:

  10. technique333

    technique333 Private E-2

    After all your magic is done with fixing my computer, what program should I use for virus protection and pop-up blocking? I have Windows Live and StopZilla; are they worth keeping or should I go a different way?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the requested log for Avenger. Not the Avenger program that you downloaded.

    Windows Live and StopZilla are very low on my list of things to use.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have any idea what all the below new files are from? Are they from StopZilla?
    Code:
    "C:\Documents and Settings\Owner\Local Settings\Temp\"
    060835~1      Dec 25 2007       10362  "060835d4-c14d-44f7-bd6d-1aa60310c70e"
    135c28~1      Dec 26 2007       10398  "135c286a-1a8e-4a22-a0d0-8d088497a377"
    207a77~1      Dec 24 2007       10326  "207a77a6-7a60-4694-a6bd-838be3438704"
    22300d~1      Dec 25 2007       10398  "22300de9-aa4b-4fc7-80e8-79fd4360d1d8"
    259d76~1      Dec 25 2007       10398  "259d7654-b9f2-4727-8e58-8b9ca8f48ca6"
    29cebf~1      Dec 25 2007       10326  "29cebfc1-3061-4dcb-9da6-25badf6deef3"
    2b9123~1      Dec 25 2007       10362  "2b9123ac-e72e-4f03-b2f1-55fc1bad708a"
    2dd967~1      Dec 25 2007       10398  "2dd967f7-3b31-4c2d-b25a-e0d8ad844539"
    3f9a1b~1      Dec 26 2007       10398  "3f9a1b78-8f6d-4cea-84ae-04d8717eff1f"
    43090d~1      Dec 26 2007       10398  "43090dd0-aee5-4d23-b03a-ed03d65c64bf"
    6105a4~1      Dec 26 2007       10398  "6105a4fd-1f6a-4c1a-9e93-44506f4c8e3c"
    618f4b~1      Dec 26 2007       10398  "618f4b3c-e62f-4ebb-b183-d2086a3d715e"
    670fec~1      Dec 25 2007       10398  "670fec2a-5cf5-422f-95de-2ef70c87a07e"
    6fc97a~1      Dec 25 2007       10398  "6fc97ae4-19c9-480e-9cd7-a0b9d7a27b77"
    727845~1      Dec 25 2007       10398  "72784538-48ee-4efb-9d39-4a7edf147e11"
    8f015b~1      Dec 25 2007       10398  "8f015b80-b0ee-4377-b44c-5c01fbbbcc4b"
    9cc28f~1      Dec 25 2007       10398  "9cc28fbe-6dfb-49e6-b26a-8287b12b8749"
    9f394c~1      Dec 25 2007       10398  "9f394ce3-7a82-492d-8ce5-3ec4ba028562"
    ada393~1      Dec 26 2007       10398  "ada39359-e1ed-4e41-8ae5-085faeffb202"
    b2992d~1      Dec 25 2007       10398  "b2992d28-40a5-49e0-b875-f75fe5c31661"
    b70e60~1      Dec 26 2007       10398  "b70e6060-0c8e-4393-a1fe-e1683439c1b3"
    b72646~1      Dec 26 2007       10398  "b72646cd-f9c9-45cd-a4f1-051c491a6124"
    c35df0~1      Dec 26 2007       10398  "c35df047-9588-4986-954e-e6d2fd3c059b"
    c7ad85~1      Dec 26 2007       10398  "c7ad8556-0810-40f6-85b8-1323cab83fb5"
    d6e644~1      Dec 26 2007       10398  "d6e6449b-2d61-4a81-a490-8289ca6e2171"
    d8c341~1      Dec 25 2007       10362  "d8c341e1-5b10-4dae-9986-19ec1dffc09e"
    ec6852~1      Dec 25 2007       10398  "ec685289-a554-40a4-95fc-f077ad18a0c0"
    f5ba33~1      Dec 25 2007       10398  "f5ba33cc-b3ef-4ce5-8b05-bc3add5b72bf"
    f8da3c~1      Dec 26 2007       10398  "f8da3c95-e0a0-4f5b-ab3d-c791db4d8140"
    ff3c4f~1      Dec 26 2007       10398  "ff3c4fc7-e846-4d12-a195-63930f0075ec"
    Your logs appear to be clean!

    You said you have Windows Onecare Live! I do not see it installed!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
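The Temp-folder listing in this post is the kind of thing a helper eyeballs for bursts of near-identical, GUID-named files. As an added example (not from the thread or from MajorGeeks' tools), here is a small Python parser for that listing format that groups GUID-named files by date and size; the six embedded rows are copied from the listing above, and the function names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Six rows copied from the Temp-folder listing posted above (the header line
# is kept to show that non-matching lines are skipped).
LISTING = r"""
"C:\Documents and Settings\Owner\Local Settings\Temp\"
060835~1      Dec 25 2007       10362  "060835d4-c14d-44f7-bd6d-1aa60310c70e"
135c28~1      Dec 26 2007       10398  "135c286a-1a8e-4a22-a0d0-8d088497a377"
207a77~1      Dec 24 2007       10326  "207a77a6-7a60-4694-a6bd-838be3438704"
22300d~1      Dec 25 2007       10398  "22300de9-aa4b-4fc7-80e8-79fd4360d1d8"
29cebf~1      Dec 25 2007       10326  "29cebfc1-3061-4dcb-9da6-25badf6deef3"
3f9a1b~1      Dec 26 2007       10398  "3f9a1b78-8f6d-4cea-84ae-04d8717eff1f"
"""

# One row: 8.3 short name, "Mon DD YYYY", size in bytes, quoted long name.
ROW_RE = re.compile(r'^(?P<short>\S+)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\s+'
                    r'(?P<size>\d+)\s+"(?P<name>[^"]+)"\s*$')
GUID_RE = re.compile(r'^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_listing(text):
    """Return one dict per file row; header and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["date"], "%b %d %Y").date().isoformat()
        rows.append({"short": m["short"], "date": when, "size": int(m["size"]),
                     "name": m["name"], "guid_named": bool(GUID_RE.match(m["name"]))})
    return rows


def cluster_guid_files(rows, min_count=2):
    """Count GUID-named files per (date, size); a repeated pair means something
    dropped near-identical files in a burst, which is what makes them worth asking about."""
    counts = Counter((r["date"], r["size"]) for r in rows if r["guid_named"])
    return {key: n for key, n in counts.items() if n >= min_count}


def summarize(rows):
    """Compact view: file count, GUID-named count, distinct sizes, and date span."""
    dates = sorted(r["date"] for r in rows)
    return {"total": len(rows),
            "guid_named": sum(r["guid_named"] for r in rows),
            "distinct_sizes": sorted({r["size"] for r in rows}),
            "first": dates[0] if dates else None, "last": dates[-1] if dates else None}
```

Run `summarize(parse_listing(LISTING))` and `cluster_guid_files(parse_listing(LISTING))` to see the three recurring sizes and the Dec 26 pair that the full listing repeats many times over.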
     
  13. technique333

    technique333 Private E-2

    I uninstalled Windows OneCare Live when I first came on the site because it said not to have more than one virus protection program installed.
    Also, the new files may be from AVG; every time I reboot it says that I am now updated and secure.

    What program should I use for protecting my computer?

    On reboot, StopZilla comes up with detection of trojans in registry key HKLM\system\CurrentControlSet... saying its infection name is "CatchMe".
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you only had one and that was Windows Onecare. You don't have another antivirus installed.

    No I don't believe that they are from AVG Antispyware.

    Did you read the link I gave you in my previous message?


    This is a false indication. It is detecting what ComboFix installed. CatchMe is part of a rootkit detection tool that ComboFix uses. CatchMe is really from the people who created the program named GMER.

    Where do you have the combofix.exe file installed? You can run combofix /u from a command prompt to uninstall it, but you need to have combofix.exe in your path or you need to give the full path in the command. When shown the disclaimer, select "2".
     
  15. technique333

    technique333 Private E-2

    C:\Documents and Settings\All Users\Documents
     
  16. technique333

    technique333 Private E-2

    *STOPzilla! is the only other program that is installed
    *Well, I don't know where they may be from then
    *No, I just shut the computer down; I had work in the morning
    *C:\Documents and Settings\All Users\Documents
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We requested that you download ComboFix to your Desktop. The command I gave you to uninstall it will not work if it is not on your Desktop.
     
  18. technique333

    technique333 Private E-2

    So do I just re-download it to my desktop, or what do I have to do?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can move the file you already have to your Desktop or you can delete the one you have and redownload to your Desktop and then run the command to uninstall it.
     
  20. technique333

    technique333 Private E-2

    Alright, thanks for everything. I will update you on how the computer is running soon; I am just busy with stuff right now. It seems OK, just the page loading is kind of slow for being on a cable modem.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     