Another unstoppable Vundo Trojan infection!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Giggity, Aug 11, 2006.

  1. Giggity

    Giggity Private E-2

    Hi folks. You all must be getting sick of the requests for help with Vundo, but seeing as I'm at a loss, I'll see whether someone here can help. I've been having IE popups about every 20 minutes for various websites (usually 123topsearch.com and Passion.com lately), even though I use Firefox almost exclusively. It happens even when I haven't used IE since reboot. I understand that these are symptoms of Vundo, and I'm hoping to eradicate it fully before it gets as bad as it has on other machines. It just seems like this one won't go away using the numerous automatic tools.

    This particular case seems to be unstoppable. VundoFix.exe will detect the infection, but then detects it again after I reboot. Ewido antispyware will not detect it. AdAware will not detect it. Spybot will not detect it. Only one program, SpyNoMore, *has* detected it, but it detects it every time I reboot after completing VundoFix.exe.

    It seems that making my $180 WinXP work properly requires over $200 in third-party anti-malware programs. Is it time to switch to Linux? Help me find out! Thanks in advance! Oh, and the "letsgo.exe" in the log is actually a renamed "HijackThis.exe", hope it doesn't confuse anyone.
    --------------------------
    ~ INLINE LOG REMOVED ~ SPD
    ------------------------
    End of HiJackThis! Log

    I really hope that someone can help me out, because there are a couple of programs I love that require Windows (MS Streets/Trips and Encarta), so I'm a little reluctant to make the Linux switch. Of course, there's always WinE. Thanks so much for your help!
     
    Last edited by a moderator: Aug 12, 2006
  2. Giggity

    Giggity Private E-2

    I think I've got it fixed. Time will be the judge!

    So the files in question were:

    c:\windows\system32\pmkhf.dll
    c:\windows\system32\fhkmp.bak1
    c:\windows\system32\fhkmp.ini

    It just dawned on me that if the dll was undeletable due to its being in use by Windows, I should just find a way to access the file system without loading Windows at all. So I found NTFS4DOS, which is freeware. It created a boot disk with the program on it, and I was able to delete the offending file without a hitch. **Make sure that the disk is fully formatted and BLANK before creating the bootdisk.**

    Afterward, I rebooted and the files were not visible in the directory in question. SpyNoMore Trial found a residual registry key, which I deleted manually.

    Keep in mind that the above description of how I solved this is only for those of you who are familiar with DOS and its commands, and don't make typos when entering critical information!

    Thanks to anyone who was about to help out with this, and good luck to the rest of you!
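The three file names in the post above are the recognisable part of this infection: "fhkmp" is "pmkhf" spelled backwards, so the companion .ini/.bak1 files point straight at the DLL that owns them. As an added example (not from the thread, and not code from VundoFix, SpyNoMore or any other tool named here), the Python below scans a directory listing for that reversed-name pattern and builds the list of paths to delete. The assumption that every variant uses the reversed basename for its companion files is mine, drawn only from the three names on this page; the directory listing in the block is constructed.

```python
"""Flag Vundo-style file triplets in a system32 directory listing.

Added example, not part of the original thread. In the thread the infection
left three files behind:

    pmkhf.dll    the locked DLL that could only be deleted from a DOS boot disk
    fhkmp.bak1   companion data file
    fhkmp.ini    companion data file

"fhkmp" is "pmkhf" spelled backwards. This check ASSUMES that pairing
generalises: a DLL accompanied by .ini/.bak* files whose basename is the
DLL's basename reversed. The directory listing is constructed for the example.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed stand-in for `dir C:\WINDOWS\system32 /b`; includes the three
# names from the thread, an extra companion, and some legitimate files.
SAMPLE_LISTING = [
    "kernel32.dll",
    "user32.dll",
    "pmkhf.dll",
    "fhkmp.bak1",
    "fhkmp.ini",
    "fhkmp.bak2",
    "shell32.dll",
    "ntoskrnl.exe",
]

# Companion extensions seen on the page; .bak may carry a digit suffix.
COMPANION_RE = re.compile(r"^\.(ini|bak\d*)$", re.IGNORECASE)


def find_vundo_triplets(names):
    """Return {dll: [companions]} for each DLL whose reversed basename has
    at least one .ini/.bak* companion in the same listing.

    Palindromic stems are skipped: foo.dll next to foo.ini is an ordinary
    config pattern, not the reversed-name trick.
    """
    companions_by_stem = defaultdict(list)
    for name in names:
        path = PureWindowsPath(name)
        if COMPANION_RE.match(path.suffix):
            companions_by_stem[path.stem.lower()].append(name)

    hits = {}
    for name in names:
        path = PureWindowsPath(name)
        if path.suffix.lower() != ".dll":
            continue
        stem = path.stem.lower()
        reversed_stem = stem[::-1]
        if reversed_stem == stem:
            continue
        companions = companions_by_stem.get(reversed_stem)
        if companions:
            hits[name] = sorted(companions)
    return hits


def deletion_targets(hits, directory=r"C:\WINDOWS\system32"):
    """Full paths to remove, DLL first, for the triplets found by
    find_vundo_triplets: the list to hand to a delete-on-reboot tool, or to
    delete by hand from an offline boot disk as the post describes."""
    targets = []
    for dll, companions in sorted(hits.items()):
        targets.append(str(PureWindowsPath(directory, dll)))
        targets.extend(str(PureWindowsPath(directory, c)) for c in companions)
    return targets


if __name__ == "__main__":
    found = find_vundo_triplets(SAMPLE_LISTING)
    for dll, companions in found.items():
        print(f"{dll}: reversed-name companions {companions}")
    for target in deletion_targets(found):
        print("del", target)
```

Run it against a real listing by replacing SAMPLE_LISTING with the output of `dir C:\WINDOWS\system32 /b`. A hit is a lead, not a verdict: check the DLL's registration (BHO CLSID, Winlogon Notify entries) before deleting anything, because the same reversed-name pattern is the only evidence this check uses.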
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There's more to a Vundo infection than just those files.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • HijackThis
     
  4. Giggity

    Giggity Private E-2

    Okay, so I couldn't run Windows Defender. Here are the first three files you requested. Thanks for your patience... the last two scans (BD and Panda) took over 2 hours each!
     

    Attached Files:

  5. Giggity

    Giggity Private E-2

    Now, the HijackThis! log I'm including was taken after rebooting in Normal Mode. I hope that's what you wanted! Every RAR/Zip file caught by BD and Panda was manually deleted afterward. I hope this helps!
     

    Attached Files:

  6. Giggity

    Giggity Private E-2

    Now, this screenshot shows that SpyNoMore (the only program that kept on noticing the Vundo infection) is no longer catching it. It does, however, continue to notice a couple of registry keys for other malware (one key for SpyAxe and a few for WinAntivirus).

    I'm not sure what the deal is with the Active Desktop Enabled "Exploit" or the Smitfraud.c entries. They seem innocuous. I believe you're more qualified to make that decision, however!

    Spybot in Normal Mode returns nothing of terrible concern, just a few pesky tracking cookies. If you want the log, let me know.

    Thank you so much for your help!
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    << The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.

    Post a log from SpyNoMore, so I can see what it is reporting related to Smitfraud.c. All your other logs don't show a Smit infection.
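The "Delete on Reboot" step and the PendingFileRenameOperations prompt in the post above both concern the same thing: a registry value that the Session Manager processes early in the next boot, before a DLL like the one in this thread can be loaded and locked again. As an added example (not from the thread, and not Pocket Killbox's own code), here is a Python decoder for that value, so you can see exactly what is queued before you reboot. The REG_MULTI_SZ layout, the source/destination pairing, the empty-destination-means-delete rule and the leading "!" are Windows conventions; the queue bytes in the block are constructed.

```python
r"""Decode and audit a PendingFileRenameOperations queue.

Added example, not part of the original thread. Pocket Killbox's
"Delete on Reboot" option queues the file in the REG_MULTI_SZ value

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

which the Session Manager processes early in the next boot, before the DLL
can be loaded and locked again. The strings are read in pairs: source path,
then destination. An empty destination means delete; a destination that
begins with "!" means replace an existing file. Paths are in NT form
("\??\C:\..."). The queue bytes below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None means the source is deleted
    overwrite: bool = False     # destination carried the leading "!"

    @property
    def is_delete(self) -> bool:
        return self.destination is None


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ: each string NUL-terminated, then one extra NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Unlike a naive split-and-strip it keeps
    embedded empty strings, which this value depends on (empty = delete)."""
    text = raw.decode("utf-16-le")
    if not text:
        return []
    if text.endswith("\0"):
        text = text[:-1]        # the list terminator
    parts = text.split("\0")
    return parts[:-1]           # artifact of the last string's own NUL


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(strings: List[str]) -> List[PendingOp]:
    """Pair the flat string list into operations; odd length is malformed."""
    if len(strings) % 2:
        raise ValueError("odd number of entries: a source has no destination")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp(strip_nt_prefix(src), None))
        else:
            overwrite = dst.startswith("!")
            target = strip_nt_prefix(dst[1:] if overwrite else dst)
            ops.append(PendingOp(strip_nt_prefix(src), target, overwrite))
    return ops


def queued_deletes(ops: List[PendingOp]) -> List[str]:
    return [op.source for op in ops if op.is_delete]


def is_queued_for_delete(ops: List[PendingOp], path: str) -> bool:
    """Case-insensitive, as NTFS paths are: confirms the file you asked
    Killbox to remove really is in the queue before you reboot."""
    wanted = path.lower()
    return any(op.is_delete and op.source.lower() == wanted for op in ops)


# Constructed queue: the thread's two files marked for deletion, plus one
# ordinary replace-on-boot entry to show the "!" form.
SAMPLE_RAW = encode_multi_sz([
    r"\??\C:\WINDOWS\system32\pmkhf.dll", "",
    r"\??\C:\WINDOWS\system32\fhkmp.ini", "",
    r"\??\C:\WINDOWS\Temp\setup.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for op in parse_pending_ops(decode_multi_sz(SAMPLE_RAW)):
        action = "DELETE" if op.is_delete else ("REPLACE" if op.overwrite else "RENAME")
        tail = "" if op.is_delete else f" -> {op.destination}"
        print(f"{action:8}{op.source}{tail}")
```

Two practical caveats. First, anything already in this queue that you did not put there deserves a look before rebooting: the prompt Killbox raises means the value was not empty. Second, if you read the live value with winreg.QueryValueEx, CPython's REG_MULTI_SZ conversion stops at the first empty string (see countStrings in PC/winreg.c for your version), so a queue containing delete entries comes back truncated; feed decode_multi_sz the raw bytes instead, for example via RegQueryValueExW through ctypes or from an offline copy of the SYSTEM hive.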
     
  8. Giggity

    Giggity Private E-2

    I've updated Java to 5.0.08, and I have also a new HJT log for you. The keys you asked me to remove with HJT earlier are now gone after rebooting.

    Also, I'm rid of the Smitfraud.c that showed up in SpyNoMore -- see post #6 in this thread for a screenshot. Another friend referred me to Smitfraudfix.zip by S!ri, and running the enclosed cmd file with option #2 in Safe Mode appears to have eradicated it.

    SpyNoMore no longer shows any trace of any infections. Down from 12 a few days ago.

    One last question... your instructions in the last post never ended up explicitly telling me to run the FixReg.reg you directed me to create. Should I return to Safe Mode and run it this time?
     
  9. Giggity

    Giggity Private E-2

    Forgot to attach the HJT log... this time it says it's "In Progress". I guess it'll show up in a few minutes.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Smitfraudfix is a decent tool. However, it is not one used by this site. We may have to reevaluate that position.

    Yes, run the reg patch, minus the last line, which is no longer necessary. As I cut & paste from several templates to formulate a response, I forgot to paste that instruction in my reply.

    HijackThis did not attach.
     
  11. Giggity

    Giggity Private E-2

    I think it's working this time...
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  13. Giggity

    Giggity Private E-2

    Wonderful! Thank you very much for your input and patience!
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
