Help!! My PC has Trojan:win32/Vundo.gen!A

Discussion in 'Malware Help (A Specialist Will Reply)' started by pwncastle, Dec 25, 2007.

  1. pwncastle

    pwncastle Private E-2

    Hi!

    I'm new to this forum and quite a newbie with PCs; I hope somebody can help me with my problem. My PC, running XP, has been infected with Trojan:win32/Vundo.gen!A, which I could have gotten from key generators(?) 2 days ago.

    It first damaged Virgin Media Broadband's PC Guard: when I looked at the Task Manager, some annoying filenames appeared which replaced the original files, e.g. from Broadbandadvisor.exe to Boardbandadvisor .exe --> with extra space(s) before the .exe.

    Other programs that automatically start on boot (e.g. mmtask.exe, qttask.exe, jusched.exe) have the same issue, and I found the annoying files residing in the same folders as the original files. I've tried deleting them, but after a restart they just come back to life again.

    I've tried using Spybot Search & Destroy, AVG Anti-Spyware, AVG Anti-Rootkit, & Trend Micro Housecall but they seem to fail to detect the problem.

    I want to install AVG Anti-Virus to try to remove the trojan, but I couldn't proceed as there is a conflict with Virgin's PC Guard, which I couldn't uninstall. It said something like it needed rebooting for the uninstallation to take place, but when I did, it still couldn't be removed... I don't know why.

    I tried Windows Live Onecare Scan and it detected the problem but couldn't remove the trojan. I have disabled System Restore before doing the scan.

    I did VundoFix and HijackThis scans. Sorry if I did repetitive VundoFix runs. Below are the logs.

    Edit: removed inline logs for guide to be run.

    I would greatly appreciate any help you can give.

    Thanks in advance,
    Pawn (Paul)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

  3. pwncastle

    pwncastle Private E-2

    Hi, HALO. Thanks for the quick attention. I have the documents attached as needed. Thanks in advance for your help.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi pwncastle!

    The following programs were all installed on your computer on the 22nd of December. Do you know what they belong to?


    C:\Documents and Settings\All Users\Application Data\ActivationInfo.dat
    C:\Documents and Settings\All Users\Application Data\AdBlocker.dat
    C:\Documents and Settings\All Users\Application Data\AntiFraud.dat
    C:\Documents and Settings\All Users\Application Data\Firewall.dat
    C:\Documents and Settings\All Users\Application Data\Freedom.dat
    C:\Documents and Settings\All Users\Application Data\Parental.dat
    C:\Documents and Settings\All Users\Application Data\Spyware.dat
    C:\Documents and Settings\All Users\Application Data\Virus.dat


    Please do the following:

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - - (no file)
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhg.exe
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll (file missing)
    O2 - BHO: (no name) - {48E7D976-9B43-4A54-B27C-735815021A39} - C:\WINDOWS\system32\pmnlj.dll (file missing)
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll (file missing)
    O2 - BHO: (no name) - {8EFB0D59-46DB-411C-80BB-586B0009F285} - C:\WINDOWS\system32\awvtr.dll (file missing)
    O2 - BHO: (no name) - {A9C83FD6-721C-4F3C-BAD9-91E6C3E2E03A} - C:\WINDOWS\system32\jkhhg.dll
    O2 - BHO: (no name) - {CC22CAA7-5A18-428A-B0E7-47153AD5E101} - C:\WINDOWS\system32\mllmn.dll (file missing)
    O8 - Extra context menu item: &Search - ?p=ZCxdm341YYGB
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab


    Does the following belong to a program you know or want to keep? If not, please fix it as well.

    O4 - HKLM\..\Run: [TimeSRTemp] "C:\Program Files\TimeSupportReg\TimeSRTemp.exe"

    After you click fix, just close hijackthis.

    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now?

    abri
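The HijackThis lines abri lists in this post are the part worth studying if you ever have to triage a similar log by hand: the "(file missing)" and "(no file)" entries are dead references left behind by things already removed, the nameless O2 BHOs loading five-letter DLLs from system32 are the Vundo pattern, the F3 win.ini load= line is legacy logon persistence, and the O16 DPF is an ActiveX control pulled from a remote .cab. The Python script below is an added example, not a tool used in this thread or anything from MajorGeeks or HijackThis: it encodes those checks and runs them over the entries quoted above (plus the O4 autorun line). The five-lowercase-letter rule, the finding categories and the sample log are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis entries quoted in post #4 above (plus the O4
# autorun line abri asked about), not a real exported log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhg.exe
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll (file missing)
O2 - BHO: (no name) - {48E7D976-9B43-4A54-B27C-735815021A39} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll (file missing)
O2 - BHO: (no name) - {8EFB0D59-46DB-411C-80BB-586B0009F285} - C:\WINDOWS\system32\awvtr.dll (file missing)
O2 - BHO: (no name) - {A9C83FD6-721C-4F3C-BAD9-91E6C3E2E03A} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {CC22CAA7-5A18-428A-B0E7-47153AD5E101} - C:\WINDOWS\system32\mllmn.dll (file missing)
O8 - Extra context menu item: &Search - ?p=ZCxdm341YYGB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O4 - HKLM\..\Run: [TimeSRTemp] "C:\Program Files\TimeSupportReg\TimeSRTemp.exe"
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# First Windows path ending in .dll/.exe on the line (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
# Heuristic of this example: the Vundo-style names seen in the thread are five
# lowercase letters (jkhhg, pmnlj, awvtr, mllmn). Not a HijackThis feature.
RANDOM_STEM = re.compile(r"^[a-z]{5}$")

REASONS = {
    "orphan": "dead reference: the file or target no longer exists; safe to fix",
    "random_bho": "nameless BHO loading a random-named DLL from system32 (Vundo-style)",
    "winini": "legacy win.ini load=/run= persistence; normally empty on XP",
    "dpf_cab": "ActiveX Downloaded Program File fetched from a remote .cab",
    "menu_nofile": "context-menu item that points at no local file",
    "autorun": "autorun entry: confirm the program is known and wanted",
}


@dataclass
class Finding:
    section: str
    kind: str
    path: Optional[str]
    line: str

    def reason(self) -> str:
        return REASONS[self.kind]


def triage_line(line: str) -> List[Finding]:
    """Apply the checks to one HijackThis entry; returns [] for unknown lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() if path else ""
    found: List[Finding] = []

    def add(kind: str) -> None:
        found.append(Finding(section, kind, path, line.strip()))

    if "(file missing)" in body or "(no file)" in body:
        add("orphan")
    if (section == "O2" and body.startswith("BHO: (no name)") and path
            and "\\system32\\" in path.lower() and RANDOM_STEM.match(stem)):
        add("random_bho")
    if section == "F3" and "win.ini" in body and re.search(r"\b(load|run)=\S", body):
        add("winini")
    if section == "O16" and re.search(r"https?://\S+\.cab\b", body, re.IGNORECASE):
        add("dpf_cab")
    if section == "O8" and path is None:
        add("menu_nofile")
    if section == "O4":
        add("autorun")
    return found


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a pasted log."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4}{f.kind:<12}{f.path or '-'}\n      {f.reason()}")
```

Run it as-is and it prints one finding per matching rule; a line can produce two (an orphaned entry that also has a random-named DLL). The "orphan" entries are safe to fix in HijackThis because nothing is on disk any more, whereas the live jkhhg.dll BHO and the win.ini load= line need the file deleted at boot as well, which is why abri follows the HijackThis step with Avenger.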
     
  5. pwncastle

    pwncastle Private E-2

    Hi, Abri.

    I really appreciate your reply and for aiding me for all this.

    I don't know where I got those .dat files. I followed all the steps you gave and I even included the TimeSRTemp.exe to be fixed. I'm still figuring out symptoms of relief after following your advice. I'll let you know if there's anything. Anyway, here are the current logs you needed.

    Thanks again; I'm awaiting your follow-up.
    Pawn
     

    Attached Files:

  6. pwncastle

    pwncastle Private E-2

    Hi again, Abri.

    Just to give you an update, I've scanned the system through HijackThis again, and F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhg.exe is still there.

    I've also run Vundofix and found the following:
    C:\WINDOWS\system32\ghhkj.ini
    C:\WINDOWS\system32\ghhkj.ini2
    C:\WINDOWS\system32\jkhhg.exe
    C:\WINDOWS\system32\jkhhg.dll

    VundoFix tried removing them, and on reboot (they seemed gone, but) two windows containing the same message would pop up saying something like C:\WINDOWS\system32\jkhhg.exe could not be found. It seems there's still a program that tries to activate and later restore these files; well, perhaps it is F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhg.exe?

    I could try scanning and fixing through VundoFix (I did it thrice), but it would end up in the same situation again.


    Awaiting your response soon, thanks.
    Pawn
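Post #6 is worth reading closely: VundoFix lists jkhhg.dll and jkhhg.exe next to ghhkj.ini and ghhkj.ini2, and the second name is the first spelled backwards. Vundo variants of that period typically kept their settings in an .ini named as the reverse of the DLL, and the win.ini load= entry relaunches the .exe at logon, which is why deleting the files one at a time does not stick: whichever component survives the reboot recreates the rest. The Python below is an added example, not part of this thread, VundoFix or Avenger: it groups a directory listing into these reversed-name families, reads the [windows] load=/run= lines of a win.ini, and reports which autoload entries point into a family so the whole set can be removed in one boot-time pass. The listing and the win.ini text are constructed sample data, and the grouping heuristic is the example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample listing of C:\WINDOWS\system32: a few legitimate files plus
# the four names VundoFix reported in post #6 and one orphan random-named DLL.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\system32\shell32.dll",
    r"C:\WINDOWS\system32\desktop.ini",
    r"C:\WINDOWS\system32\jkhhg.dll",
    r"C:\WINDOWS\system32\jkhhg.exe",
    r"C:\WINDOWS\system32\ghhkj.ini",
    r"C:\WINDOWS\system32\ghhkj.ini2",
    r"C:\WINDOWS\system32\pmnlj.dll",
]

# Constructed win.ini carrying the load= line that kept showing up as the F3 entry.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\system32\jkhhg.exe
run=
NullPort=None

[fonts]
"""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem_of(name: str) -> str:
    return name.rsplit(".", 1)[0].lower()


def vundo_families(paths: List[str]) -> Dict[str, List[str]]:
    """Group <stem>.dll/.exe with <reversed stem>.ini/.ini2 (this example's heuristic)."""
    by_name = {basename(p).lower(): p for p in paths}
    families: Dict[str, List[str]] = {}
    for name in by_name:
        if not name.endswith(".dll"):
            continue
        stem = name[:-4]
        twin = stem[::-1]
        if twin == stem:          # foo.dll beside foo.ini is ordinary; skip palindromes
            continue
        if not any(n.startswith(twin + ".ini") for n in by_name):
            continue
        families[stem] = sorted(p for n, p in by_name.items() if stem_of(n) in (stem, twin))
    return families


def winini_autoloads(text: str) -> List[Tuple[str, str]]:
    """Return the non-empty load=/run= values from the [windows] section of a win.ini."""
    section = None
    hits: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run") and value.strip():
                hits.append((key.strip().lower(), value.strip()))
    return hits


def removal_plan(paths: List[str], winini_text: str) -> Dict[str, list]:
    """Everything that must go in the same pass: the files and the win.ini keys that relaunch them."""
    families = vundo_families(paths)
    loads = winini_autoloads(winini_text)
    linked = [(k, v) for k, v in loads
              if stem_of(basename(v)) in families or stem_of(basename(v))[::-1] in families]
    return {
        "files": [p for members in families.values() for p in members],
        "winini": linked,
    }


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_LISTING, SAMPLE_WIN_INI)
    print("delete at boot:", *plan["files"], sep="\n  ")
    print("clear in win.ini [windows]:", *[f"{k}={v}" for k, v in plan["winini"]], sep="\n  ")
```

On a live XP box you would feed vundo_families the real listing of system32 and winini_autoloads the contents of C:\WINDOWS\win.ini; the returned plan is the list to hand to a boot-time deleter such as Avenger, because the DLL is loaded into every Explorer and Internet Explorer process and cannot be removed while Windows is up. The orphan pmnlj.dll in the sample is deliberately not grouped: with no reversed-name .ini beside it, the heuristic has no evidence, and a human still has to look at it.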
     
  7. abri

    abri MajorGeek

    Hi pwncastle,
    There are more files that need to be removed, but please first see post #4 and answer my very first question which is before the instructions.
    Thanks.
    abri
     
  8. pwncastle

    pwncastle Private E-2

    Hi, Abri.

    Sorry, but I thought I had answered your question about the .dat files in post #5, where I simply said I didn't know where I got them. I didn't realize there was more that you would want to know.

    Computer-wise, I don't have great knowledge of how to figure out which program(s) those .dat files belong to. But now, looking at them again, I think they could be part of Virgin Media Broadband PC Guard, since I remember them from the features of the program (although I hadn't seen the actual .dat files before). This is just a very close hunch, though.

    I believe I don't need those .dat files, since you said they were just installed on the 22nd (the virus attack date). Do you want me to find and delete them? Remember, in post #1 I said I had already tried to uninstall the infected Virgin Media Broadband PC Guard but couldn't proceed. I also want this program removed.

    Thanks for your incessant support, Abri; I'm awaiting your follow-up.
    Pawn
     
  9. abri

    abri MajorGeek

    Hi pwncastle!

    You have signs of a new form of Vundo that's very dangerous for your computer. It is best to use your computer as little as possible until we can finish! Please continue as follows:


    1)
    Did you put the following on your desktop?

    C:\Documents and Settings\Jake L. Matus III\Desktopmessengerdisable

    Note:
    I added the above file to the list of things to be removed in the Avenger quotes box below. If it should not be removed, please remove it and also remove the words "Folders to delete:" just above it. Otherwise leave it as it is.


    2) Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    3) Next I would like for you to run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now!!

    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhg.exe
    O2 - BHO: (no name) - {611AD792-77F0-438B-87CB-D239D48FE272} - C:\WINDOWS\system32\jkhhg.dll

    Do you know what the following is? If not, please fix this entry as well.

    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com

    After you click fix, just close hijackthis.


    4) And now, please do the following:
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Now download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now?

    abri
     
  10. pwncastle

    pwncastle Private E-2

    Hi Abri,

    That C:\Documents and Settings\Jake L. Matus III\Desktopmessengerdisable could have been the Windows Messenger remover you told me to install and run. I just wonder why it's showing a directory like that. Anyway, I just removed it manually from the desktop since it wasn't removed through Avenger... I thought I didn't need it anyway, right?

    I also merged the fixME.reg with the registry, but when I read through the log, it seemed Avenger couldn't locate it.

    I also included O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com to be fixed by HijackThis.

    Anyway, here are the logs you needed.

    I'll try running VundoFix and a Windows OneCare scan to check for any improvements; I'll keep you posted.

    Thanks.
    Pawn
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You look pretty good ...let's do a few more things:

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now tell me how things are running. :)
     
  12. pwncastle

    pwncastle Private E-2

    Hi TimW,

    After following the steps you gave me, I think my PC is running well now. VundoFix and the Windows OneCare scan don't detect any malware anymore. I also successfully re-installed AVG Anti-Spyware; however, I couldn't do the same for Virgin Media Broadband PC Guard. It said I had to reboot the system before I could proceed with the installation; well, I did reboot, but still I couldn't install it. Any suggestions?

    Anyway, I have attached the latest MGlogs for you to check whether there's more to be done.

    Thank you for your help, and that includes Abri.

    Regards,
    Pawn
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean... though I am confused as to what you mean about Virgin Broadband PC Guard. It is in your Add/Remove list and is also here:
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe

    This is provided by your ISP, correct?

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, the C:\ComboFix folder, the C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file, the C:\VundoFix Backups folder and the C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip.
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
  14. pwncastle

    pwncastle Private E-2

    Hi TimW,

    Seems everything's working pretty well now. Thanks very much for your help. MajorGeeks indeed rocks!!! Keep moving forward!

    All the best,
    Pawn
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome...safe surfing. :)
     
