Did WinXP Cleaning, not sure if removed Vundo

Dear MG's,

Two weeks ago, 4/16, I became infected with Vundo/Virtumonde. I've been trying to shake it ever since, but my NOD32 scans were still showing problems. In particular, the following two items would show up in quarantine, but could not be deleted.

H:\I386\apps\APP15968\src\CompaqPresario_Spring06.exe
H:\I386\apps\APP15968\src\HPPavillion_Spring06.exe

NOD32 was describing it as an Adware.Virtumonde variant. Anyway, after several other scans with AVG 7.5, AVG Anti-Spyware, Spybot, I was still not coming completely clean.

I found your READ ME FIRST Malware guide last night and am very grateful. I did everything you suggested, in order listed. The only thing that went wrong was, this morning, when I got to ComboFix step, when I was supposed to click Start/Run/"%userprofile%\desktop\cf.exe" /killall, I inadvertently clicked on the cf.exe desktop icon and started ComboFix autoscan. It stalled after 1/2 hour or so (Not Responding) and I had to reboot computer by holding down the power button.

I then restored my registry (with ERUNT) to what it was this morning, before running ComboFix.

Assuming that restoring the old registry, it would be reinfected, I repeated the Windows XP Cleaning Procedure again, all the way through. It went well, except for a couple of error messages when I ran MGTools.

My question is, I'm not sure if I'm clean or not, as your guide says not to run the READ ME again. I'm not sure Vundo is gone, or that my registry is ok, or that it's ok to Toggle SysRestore yet. What should I do at this point?

I'm attaching the logs from the latest cleaning run. Do you need the logs from the first cleaning run too?
This is my first post. Thank you for your patience with me.
Thanks so much for your malware guide. You're lifesavers!

 

Here's the MGlogs.zip file

 

Thanks a lot, Tim.

During reboot, the avenger log came up, and on top of it, the following error box:
_______________________________________________________________
ERROR: WINDOWS - NO DISK (red circle with x in it)
Exception Processing Message c0000013Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

Cancel Try Again Continue
_________________________________________________________________

At the same time, the computer repeatedly made that dinging sound it makes when you insert or remove a usb device.

I clicked Continue about 5 times and the error box went away.

Is this a problem? It made me nervous :confused

This was the same kind of error box I got when I ran MGTools.

Avenger log says everything is ok.

Also, how can I confirm Virtumonde/Vundo is gone for good? Should I toggle SysRestore yet? Do I need to enable it if I already have ERUNT?

Should I keep SAS Free and ditch AVG Anti-Spyware (free)? Sorry for all the questions. Thanks again for your help.

 

No, not at all.

I downloaded MGTools.exe to the C drive, where windows folder is. It's in
C:\MGtools.exe

I downloaded avenger.zip to desktop and extracted avenger.exe to desktop. I ran avenger.exe from the desktop. It's in C:\Documents and Settings\Compaq_Administrator\Desktop

There are no external drives in my usb slots.

 

Hi Tim,

After your last post, I did a complete scan with SuperAntiSpyware again. Again, it showed Adware.Vundo Variant. Log is attached. It quarantined the items. I went into Quarantine and deleted the entries. Why does it keep reappearing? I thought I'd be clean by now.

Log is attached.

Also, the Windows-No Disk error came up twice during the SAS scan. It is not on a thumb or usb drive. What does this error mean?
Thanks again for all your help.

I rebooted and am scanning again with SAS. Same infection is appearing.

 

I'm sorry, it's only my 2nd day on MajorGeeks. I don't mean to bump or double post, but I don't want to keep a thread open if there's no hope for my problem either.

It looks like I'm still infected, maybe even more so.
My Virtumonde/Vundo infection keeps coming up on subsequent SAS scans this a.m. Can't delete them on reboot. Keep showing up.

Got 2 new NOD32 threats detected today: Win32/PrcView viruses detected in Docs&Settings folder and System Volume restore file. Nod32 can't remove.

Is there any way to clean my system at this point, or should I seriously consider totally reformatting and restoring my computer to factory condition (ugh) and thus closing this thread ?
Sorry to bother you. Thanks again for your help.

 

Please forgive delay. Attached MGlogs.zip file.

When I scanned with SAS last night and today, the same XXYYRHFC.dll file in win/sys32 and the same 5 CLSID's keep returning, even though after previous scans, SAS was supposed to remove them upon reboot. I've also tried removing them in quarantine, to no avail. Also got the same "No disk - error" twice during SAS scan today.

I can't remove the two spring06.exe files in H:\I386, since it's a recovery partition and locked. NOD32 keeps saying they're variant of Win32/Adinstaller application. Don't know if these are infected or false positives. They never came up before the Virtumonde infection.

Thanks again.

 

OK, here's the combofix.txt log.

When Combofix finished and notepad opened with it, on top of it was an error box:
______________________________
Windows-Fatal Application Exit

Kerio Personal Firewall Driver: AppendFragmentToLongPath: GetLongFilename error: C000000F, File: CF45.exe
__________________________________
I clicked on "OK" and it disappeared.

Also, AIGNES is a folder apparently left over from when I installed/uninstalled AM Deadlink. Aignes is the software company.

 

The registry entries and dll I mentioned are all listed in the attached SAS logfiles. They keep reappearing. Only 1 item from 4/30/08 (attached for comparison) is gone.

I tried fixing/removing the C:\windows\system32\XXYYRHFC.dll file with NOD32's UNDLL tool, but I can't even find the file in the system32 folder.

I just ran a second SAS scan and they still showed up, even after SAS said it will remove them upon reboot. They keep reappearing scan after scan. Same thing with a similar CLSID in MBAM scans (log posted earlier in thread).

That is my main problem;I can't get clean scans. Vundo/Virtumonde stuff keeps coming up. I'm just worried that if I leave it there, it could get worse, especially with every reboot.

I really appreciate your help with this.

 

Ok, here's combofix log.

I'll run another set of scans from the READ ME FIRST-WinXP cleaning procedure tonight and tomorrow and see what happens. Is that ok? Any other suggestions for verifying my machine is clean?

Thanks a mil!

 

I ran the combofix script from yesterday. Logs attached here and in next message.

I then ran the following scans this a.m.
NOD32 - OK
SAS - same 6 threats as yesterday's logs
AVG7 - OK
AVG-AntiSpy - OK
Spybot - OK
MbAM - Vundo (same registry item as listed in SAS log)
ComboFix - see log
MGTools - see log

I don't get it. Are these things reinstalling themselves on reboot? Why would they keep reappearing? Nasty little things! I could just kick myself for not being more careful. Trusted my cousin in Europe who urged me to try BitTorrent and try a new program. I had no idea what I was getting into. Honestly, never heard of torrents and P2P sharing until after I got infected. Let your guard down, get sucker-punched!

Anyway, I really appreciate whatever you can do to help. Is it time to (gasp) dust off the HP Recovery disks? Say it ain't so!

 

C:\MGlogs.zip attached.

 

BitDefender log attached.

It found and deleted some other Vundo stuff.

Good old SAS still shows the same 6 Vundo items, though.

 

Vundofix found nothing. Log attached.

 

Before the infection, all I ever had was NOD32, Spybot S&D, and Kerio PF. Never had a problem.

After this infection 2 weeks ago, I downloaded AVG and AVG-AS to try and get rid of this Vundo/Virtumonde thing that NOD32 caught. I added SAS & MbAM from the READ ME FIRST cleaning procedures.

I'd love to get rid of everything, once I know I've got a clean machine. I don't understand why Vundo keeps showing up in my SAS & Mbam scans. I even tried a free Spyware Doctor scan and it found stuff the others didn't, including some high risk Trojan.FakeAlert in a couple of screensavers I've had for years. Are these all false positives? How do I know my machine is clean when these scans are showing infections?

I really do appreciate everyone's help here. I don't want to prolong the agony much longer for everyone. You've got plenty of others to help and I don't want to take any more of your time up. Thanks so much for taking the time to help me. Could you tell me how to uninstall combofix and if there's anything else I can do to wind this down?

Again, many thanks.

 

Thanks, Tim.

One quick question. My combofix.exe file is still renamed cf.exe. Do I need to rename it to the original combofix.exe name for the uninstall \u command to work?

Also, should I uninstall all the other antivirus/antispyware stuff and only keep my original NOD32, SpybotS&D, and KerioPF?

 

Well, that will teach me not to react so fast. I followed Tim's command line and just manually deleted the rest. I hope that was ok.

One last question. Can I somehow manually remove the registry key that shows up as infected with Vundo in both SAS and MbAM scans:

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c14e6230-757d-4246-81ce-b34e2940c722} (Trojan.Vundo) -> Delete on reboot.

Neither program seems to remove it upon reboot. I'm leery of messing with the registry, but I'd love to get rid of it, if it's ok.

What do you think?

Again, many thanks.