Can't Seem to Get Rid of Vundo

Hi,

I've been scanning my computer for the last 48 hours, going step by step using the guide here for removal of the crap I seem to have been infested with.

I'm Running Windows XP SP2 with Avast AV and ZoneAlarm. I also have Windows Defender, Lavasoft Adaware SE and WinPatrol (WinPatrol caught the Vundo things and I denied them access to be launched at startup, but the popups started...). I thought I was safe and secure, but apparently not!

Of course, now I have a ton of new things installed since using the guide here. I've listed all that I have installed below.

I can't get rid of Vundo it seems. I have tried using Vundo Fix and another app called VirtumundoBegone.

I am still getting a notice that says this virus is on my system (when I ran Ewido).

Can anyone find what I am missing? I've been pouring over this stuff and scanning and doing whatever I can for nearly 2 days now and I am in a state of numbness!

I am attaching the following files:
hijackthis0207.log (9.4 KB)
txt.gif newfiles.txt (48.4 KB)
txt.gif runkeys.txt (16.1 KB)

I will reply to this and attach my other logs from the other scans I did.

I'm SO tired from all this!!!


Thank you to anyone who is kind enough to help me.

Also, does anyone know if I should now unistall Ewido and CounterSpy... or should I leave them?

I currently have the following security apps installed:

Avast Anti Virus (Free)
ZoneAlarm (Personal)
CounterSpy (unactivated)
Ewido Anti Spyware (Trial)
WinPatrol
SmitRem
LavaSoft Ad-Aware SE Personal
SpyBot Search and Destroy
Microsoft Windows Defender

Other helpful apps installed:
MSConfig Cleanup
CCleaner
Hijack This 1.99.1
Webroot Window Washer

Thanks so much!

 

More Log Files

More Log Files..


Activescan.txt (1.1 KB)
bdscan.txt (21.9 KB)
CounterSpy.txt (2.3 KB)

 

And one more

This is the VirtumundoBeGone file.

For some reason it says I am clean.

So why is Ewido showing this virus?

 

New Logfiles

Hi,

I have done as you suggested. I am posting my logfiles.

ComboFix.txt (15.9 KB)
newfiles.txt (46.9 KB)
runkeys.txt (18.3 KB)

 

Hijack This Logfile (NEW)

Hijack This log file posted.

 

Combofix.exe nuked some things on my system...

OK before I go on I wanted to let you know that after I ran Combofix.exe and tried to shut down, my computer hung at "Windows is shutting down" and I had to manually shut off the power to turn of the system.

Also, when I came back all of my program icons were gone or showing up as generic icons.

Is this normal?

See screenshots...
http://img231.imageshack.us/img231/9600/icon1ky0.th.jpg

http://img394.imageshack.us/img394/6486/icon2rj6.th.jpg


Should I just continue with what you said.

Also, what about making registry backups. Should I do that before I do any of this other stuff and if so, how do I do it?

 

2 Questions... icons back

Tim,

I just wanted you to know that I shut down again and it shut down normally. When I re-booted the icons came back. Not sure what that was all about, but it's OK now.

I am going ahead with the procedure you outlined above.

Just 3 questions:

1.) After my last 'clean', I went to MSConfig and turned off some programs from starting up on boot. Should I go to NORMAL boot mode and have everything start up before I run Pocket KillBox and VundoFix.exe and then doing the Hijack This run again?

2.) Should I be in regular boot mode as opposed to one of the Safe Modes?

3.) I am sure that in one of my other sweeps I saved a registry entry (can't remember which program prompted me for this tho). Should I search for old registry backups and delete them? If so, how do I find the registry backups that are to be deleted?

Thank you so very much for your help!

 

Ok I will do the Pocket KillBox first in Safe mode, then reboot (or do what it says) and then come back with Normal start up in regular mode to do the VundoFix.

I will return with new logs.

Thanks so much!

 

Latest Logs

Hello again,

Just ran everything as you specified and here are the results.

vundofix.txt log:

VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:53:19 PM 2/7/2007

Listing files found while scanning....

C:\WINDOWS\system32\wgbbhtrl.dll

Beginning removal...

Performing Repairs to the registry.
Done!


GRK
SN
HJT
are posted as attachments.

The Hijack This log is from before I ran any of these other things you told me. I was a bit confused about if I should run it again after I ran the Killbox and VundoFix.

Let me know if I should post a fresh HJT log as for the system as it stands now.

Thanks!

 

Hjt

You know what, I figure it doesn't hurt to show you the very latest HJT log. So it is attached. This is after running all the steps you told me to go through.

Thanks!

 

Yes I installed Avvenu knowingly. I use it all the time to access my system remotely.

OK so you want me to just run Killbox and restore the following?:
C:\WINDOWS\system32\pndx5016.dll
C:\WINDOWS\system32\pndx5032.dll
C:\WINDOWS\system32\rmoc3260.dll

Do I do this in safe mode or regular boot mode?

Also do I fix the Registry before I run Killbox? Or after?
Thanks!

 

How do I restore these files using Killbox?

Sorry I am not clear on how to do it and I don't want to mess it up. I went to Killbox and selected
File > Open Killbox Backups
Then it popped open a folder and I double clicked the first one "pndx5016.dll" and it said I had to find something to open it with.

How do I do this and what do I use?

Thanks

 

Restoring DLL

I know I sound stupid... but do I just copy those DLLs back to the system32 folder?

I just don't want to mess something up, but I am anxious to continue with your steps.

Thanks!

 

Latest Logs

Ok I took a chance and just copied those DLL files to the System32 Folder. I left a copy in the Killbox folder though.

Then I went and updated the Registry as you suggested.

Then I ran ShowNew and HJT.

Logs are attached.

Am I clean yet?