Trojan:Win32/Vundo.gen!A (how do i remove?)

[technique333]

My Windows Live OneCare detects that it has found potentially unwanted software "Trojan:Win32/Vundo.gen!A" and wants me to clean it. when finshed cleaning it promts for a restart and I am in the same boat again when the computer reboots. if there is anyone that can get me a detailed instructions on how to remove this and any other malwear would greatly help me thanks.

[DavidGP]

Welcome to Majorgeeks!

Run the below and attach the rewuested logs and then one of our malware experts will assist you in mopping up the remaining infection,

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

[technique333]

here is the things you requested

[chaslang]

Now Disable Spybot's TeaTimer as requested in the READ & RUN ME

• Run Spybot and click Mode
• Select Advanced Mode.
• Then click Tools and select Resident.
• Now in the right window pane, uncheck TeaTimer.
• Also while this is open, in the left column now select IE Tweaks
• and then in the right pane make sure all the Miscellaneous locks are unchecked.
• Now quit Spybot!

Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.1_02

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

Quote:

Files to delete:
C:\WINDOWS\system32\bjywxcwv.ini
C:\WINDOWS\system32\cjjyvmdr.ini
C:\WINDOWS\system32\clrrfmsa.ini
C:\WINDOWS\system32\gcipldgy.ini
C:\WINDOWS\system32\hywakecw.ini
C:\WINDOWS\system32\jffbcjhm.ini
C:\WINDOWS\system32\ndaqkfat.ini
C:\WINDOWS\system32\qoumuicc.ini
C:\WINDOWS\system32\timuywes.ini
C:\WINDOWS\system32\vgedogfw.ini
C:\WINDOWS\system32\ycjdohne.ini
C:\WINDOWS\system32\drivers\1D050F6E-36CD-4B5C-A1EC-B5DBC40FDB25.cxv
C:\WINDOWS\system32\drivers\524A224C-6397-4B78-AF27-EAA782733F1D.cxv
C:\WINDOWS\system32\drivers\CC33E78A-DF49-4BD8-9CC8-6B890A7B6897.cxv
C:\WINDOWS\system32\drivers\E716112B-0053-4D34-A5EA-6E724D9FCF43.cxv
C:\Documents and Settings\Owner\Local Settings\Temp\0f20d5e3-d160-49d0-a168-8fc49f84ff25
C:\Documents and Settings\Owner\Local Settings\Temp\2a863090-d39b-4d93-819f-d39d8c385d67
C:\Documents and Settings\Owner\Local Settings\Temp\5a9cda7d-2fbd-4b36-9be9-4743d628eb7d
C:\Documents and Settings\Owner\Local Settings\Temp\d3b25e05-d313-443d-8a13-22927a10fa64
C:\Documents and Settings\Owner\Local Settings\Temp\d7e50820-bde1-465b-9ae3-2c0029d2c46f
C:\Documents and Settings\Owner\Local Settings\Temp\fffd9661-80f1-4af6-a2e0-70474f644009

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

[technique333]

O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

this isnt showing up on the in the analyize this window that opens only the first two HKLM's you list are there.

[chaslang]

Just continue on with the rest of the instructions ignoring that line that is no longer there.

[technique333]

do i run Sun Java Runtime Environment after the boot up after avenger? then Ccleaner,C:\MGtools\GetLogs.bat file and attach the new C:\MGlogs.zip and log from Avenger?

[chaslang]

Yes you need to complete all steps in the order written.

[technique333]

here are the logs

[technique333]

after all you magic is done with fixing my computer what progam should i use for virus protection and pop up blocking? I have windows live and stopzilla are they worth keeping or should i go a different way?

[chaslang]

Quote:

Originally Posted by technique333

here are the logs

Please attach the requested log for Avenger. Not the Avenger program that you downloaded.

Windows Live and StopZilla are very low on my list of things to use.

[chaslang]

Do you have any idea what all the below new files are from? Are they from StopZilla

Code:

"C:\Documents and Settings\Owner\Local Settings\Temp\"
060835~1      Dec 25 2007       10362  "060835d4-c14d-44f7-bd6d-1aa60310c70e"
135c28~1      Dec 26 2007       10398  "135c286a-1a8e-4a22-a0d0-8d088497a377"
207a77~1      Dec 24 2007       10326  "207a77a6-7a60-4694-a6bd-838be3438704"
22300d~1      Dec 25 2007       10398  "22300de9-aa4b-4fc7-80e8-79fd4360d1d8"
259d76~1      Dec 25 2007       10398  "259d7654-b9f2-4727-8e58-8b9ca8f48ca6"
29cebf~1      Dec 25 2007       10326  "29cebfc1-3061-4dcb-9da6-25badf6deef3"
2b9123~1      Dec 25 2007       10362  "2b9123ac-e72e-4f03-b2f1-55fc1bad708a"
2dd967~1      Dec 25 2007       10398  "2dd967f7-3b31-4c2d-b25a-e0d8ad844539"
3f9a1b~1      Dec 26 2007       10398  "3f9a1b78-8f6d-4cea-84ae-04d8717eff1f"
43090d~1      Dec 26 2007       10398  "43090dd0-aee5-4d23-b03a-ed03d65c64bf"
6105a4~1      Dec 26 2007       10398  "6105a4fd-1f6a-4c1a-9e93-44506f4c8e3c"
618f4b~1      Dec 26 2007       10398  "618f4b3c-e62f-4ebb-b183-d2086a3d715e"
670fec~1      Dec 25 2007       10398  "670fec2a-5cf5-422f-95de-2ef70c87a07e"
6fc97a~1      Dec 25 2007       10398  "6fc97ae4-19c9-480e-9cd7-a0b9d7a27b77"
727845~1      Dec 25 2007       10398  "72784538-48ee-4efb-9d39-4a7edf147e11"
8f015b~1      Dec 25 2007       10398  "8f015b80-b0ee-4377-b44c-5c01fbbbcc4b"
9cc28f~1      Dec 25 2007       10398  "9cc28fbe-6dfb-49e6-b26a-8287b12b8749"
9f394c~1      Dec 25 2007       10398  "9f394ce3-7a82-492d-8ce5-3ec4ba028562"
ada393~1      Dec 26 2007       10398  "ada39359-e1ed-4e41-8ae5-085faeffb202"
b2992d~1      Dec 25 2007       10398  "b2992d28-40a5-49e0-b875-f75fe5c31661"
b70e60~1      Dec 26 2007       10398  "b70e6060-0c8e-4393-a1fe-e1683439c1b3"
b72646~1      Dec 26 2007       10398  "b72646cd-f9c9-45cd-a4f1-051c491a6124"
c35df0~1      Dec 26 2007       10398  "c35df047-9588-4986-954e-e6d2fd3c059b"
c7ad85~1      Dec 26 2007       10398  "c7ad8556-0810-40f6-85b8-1323cab83fb5"
d6e644~1      Dec 26 2007       10398  "d6e6449b-2d61-4a81-a490-8289ca6e2171"
d8c341~1      Dec 25 2007       10362  "d8c341e1-5b10-4dae-9986-19ec1dffc09e"
ec6852~1      Dec 25 2007       10398  "ec685289-a554-40a4-95fc-f077ad18a0c0"
f5ba33~1      Dec 25 2007       10398  "f5ba33cc-b3ef-4ce5-8b05-bc3add5b72bf"
f8da3c~1      Dec 26 2007       10398  "f8da3c95-e0a0-4f5b-ab3d-c791db4d8140"
ff3c4f~1      Dec 26 2007       10398  "ff3c4fc7-e846-4d12-a195-63930f0075ec"

Your logs appear to be clean!

You said you have Windows Onecare Live! I do not see it installed!

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[technique333]

i uninstalled windows onelive care when i first came on the site cuz it said not to have more than one virus protection program installed.
Also the new files maybe from avg everytime i reboot it says that i am now updated and secure.

what program should i use for protecting my computer?

on reboot stopzilla comes up with detection of trojans in register key HKLM\system\CurrentControlSet... saying it infection name is "CatchMe"

[chaslang]

Quote:

Originally Posted by technique333

i uninstalled windows onelive care when i first came on the site cuz it said not to have more than one virus protection program installed.

But you only had one and that was Windows Onecare. You don't have another antivirus installed.

Quote:

Originally Posted by technique333

Also the new files maybe from avg everytime i reboot it says that i am now updated and secure.

No I don't believe that they are from AVG Antispyware.

Quote:

Originally Posted by technique333

what program should i use for protecting my computer?

Did you read the link I gave you in my previous message?

Quote:

Originally Posted by technique333

on reboot stopzilla comes up with detection of trojans in register key HKLM\system\CurrentControlSet... saying it infection name is "CatchMe"

This is a false indication. It is detecting what ComboFix installed. CatchMe is part of a rootkit detection tool that ComboFix uses. CatchMe is really from the people who created the program named GMER.

Where do you have the combofix.exe file installed? You can run combofix /u from a command prompt to uninstall it but you need to have combofix.exe in your path or you need to give the fullpath in the command. When shown the disclaimer, Select "2"

[technique333]

Quote:

Originally Posted by chaslang

But you only had one and that was Windows Onecare. You don't have another antivirus installed.
STOPzilla! is the only other program that is installed
No I don't believe that they are from AVG Antispyware.
well i dont know where they may be from then
Did you read the link I gave you in my previous message?
no i just shut the computer down i had work in the morning

This is a false indication. It is detecting what ComboFix installed. CatchMe is part of a rootkit detection tool that ComboFix uses. CatchMe is really from the people who created the program named GMER.

Where do you have the combofix.exe file installed? You can run combofix /u from a command prompt to uninstall it but you need to have combofix.exe in your path or you need to give the fullpath in the command. When shown the disclaimer, Select "2"

C:\Documents and settings\All Users\Doucuments

[technique333]

Quote:

Originally Posted by chaslang

But you only had one and that was Windows Onecare. You don't have another antivirus installed.

No I don't believe that they are from AVG Antispyware.
well i dont know where they may be from then
Did you read the link I gave you in my previous message?


This is a false indication. It is detecting what ComboFix installed. CatchMe is part of a rootkit detection tool that ComboFix uses. CatchMe is really from the people who created the program named GMER.

Where do you have the combofix.exe file installed? You can run combofix /u from a command prompt to uninstall it but you need to have combofix.exe in your path or you need to give the fullpath in the command. When shown the disclaimer, Select "2"

*STOPzilla! is the only other program that is installed
*well i dont know where they may be from then
*no i just shut the computer down i had work in the morning
*C:\Documents and settings\All Users\Doucuments

[chaslang]

Quote:

Originally Posted by technique333

C:\Documents and settings\All Users\Doucuments

We requested that you download ComboFix to your Desktop. The command I gave you to uninstall it it will not work if it is not on your Desktop.

[technique333]

so do i just re download it to my desktop or what do i have to do?

[chaslang]

You can move the file you already have to your Desktop or you can delete the one you have and redownload to your Desktop and then run the command to uninstall it.

[technique333]

alright thanks for everything. I will update you on how the computer is running soon, i am just busy with stuff right now. It seems ok just the page loading is kinda slow for being on a cable modem.