Is the SpyWare/Trojan/Virus eliminated?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ivinho, Nov 3, 2007.

  1. Ivinho

    Ivinho Private E-2

    Hello there!

So recently I somehow got a bloody virus on my Notebook, OS: Windows XP. According to my Symantec AntiVirus program I had the "Trojan.Vundo" on my PC, which Symantec could not Quarantine, Clear or Delete..

    So I checked the Internet and googled myself to the point where I found some crazy Trojan.Vundo Removal Tool which I downloaded. At first I (after disabling the System Recovery) tried to run the tool in normal mode with the Admin. It said that it didn't find the Virus.

I went on doing the same operation in Safe Mode and it didn't find it there either. Though when I rebooted into Admin Normal Mode Symantec said that it found the file in System32 and that it was neither Quarantined nor Cleared but Deleted, even though it said "Access denied".

    I thought it was enough, but then when I got into Internet Explorer some Pop-Ups still showed up from time to time..
So I googled and found SpyHunter Free Scan which I then downloaded and ran a few times. It showed me three Cookies with ad.yieldmanager.com and some other stuff plus two Registry hits: Trojan.Downloader and a Smitfraud thingie. Both of which were in the file called runner1.

I deleted the cookies from my user and then I deleted the runner1 in the Registry thinking this would solve everything. Now SpyHunter doesn't show anything in the scans. Though some Pop-Ups still occur and I don't know what to do - so I came running to you guys hoping you could help me figure out what's happening..

    I don't know but will this Log from HijackThis help? Should I give more information?

    Anyway, hope you can help me. Thanks and keep fighting the good fight!
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Sadly Hijackthis on its own will NOT highlight all malware potentially on your PC, so

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Ivinho

    Ivinho Private E-2

    Hello again!

    Sorry for not replying sooner. So, I think I did pretty well in the procedures..

    Started with Spybot - Search and Destroy which showed me 7 problems that were fixed:
    1. Smitfraud-C. (1 entry -> Directory [C:\Program Files\InetGet2\])
    2. Microsoft.WindowsSecurityCenter.FirewallDisable Notify (1 entry -> Registry change)
    3. Microsoft.Windows.Security.InternetExplorer (1 entry -> Registry change)
    4. Microsoft.WindowsSecurityCenter.AntivirusDisable Notify (1 entry -> Registry change)
    5. Virtumonde (1 entry -> File [C:\Documents and Settings\Users\Admin\Local Settings\Temp\removalfile.bat])
    6. Win32.Small.azl (2 entries -> Registry Value [runner1] and Directory [C:\Program Files\WinAble\])

    I immunized everything after that.

    --

    Then CounterSPY (v2)
    Found some problems and quarantined them all and then deleted some cookies.
    1. Backdoor.IRC.Small.g Backdoor (2 objects) [1 file and 1 registry]
    2. Backdoor.Genlot.DX Backdoor [File]
    3. Trojan-Downloader.Small.IG Trojan Downloader [File]
    4. Maxfiles Adware (General) [File]
    5. CoolOnline Offers.Screensaver Adware Bundler [File]
    6. Trojan.Vxgame Trojan [File]

    --

    And then BitDefender Online Scanner
    Here I couldn't update it for some reason but I scanned anyway (pretty long time).
    It found and deleted all Viruses it found. Names like this came up:
    - Trojan.Downloader.Agent.BQ
    - BehavesLike: Win32.Malware
    - Trojan.Conhook.CX (found in Symantec Antivirus Virus Definitions Folder or something like that)
    - Trojan.Downloader.Small.Gen (C:\pdf.exe)
    - Trojan.Agent.VB.AQC

    --

    Then PandaSoftware
    It found a lot of Viruses and some Spyware was just left. Though it said that every single file was disinfected from the virus that was called W32/P2PSimple.C.worm

    --

    GetRunKey worked fine I think. I have that file and ShowNew also worked I think.

    --

    I reinstalled the HijackThis file you gave me and did a system scan and saved the log file.

    --

The first three files are in this post and the next files will be in the next post. Activescan.txt is 7MB big so I trimmed it a bit, because it just repeats the name of the Virus it disinfected (they were all placed in the WINDOWS\Fonts folder) - but I did not touch the Spyware/Cookies stuff. Hope this helps you. Though one strange thing - not one of the methods showed me the Trojan.Vundo thing..

What do I do next? I hope Symantec Antivirus won't show any more viruses and that the pop-ups in Internet Explorer stop.
     

    Attached Files:

  4. Ivinho

    Ivinho Private E-2

    Here is the second part of the files. But the hijackthis.txt failed to be uploaded - I don't know why..
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to attach the HJT log again, if you can't get it to upload paste it inline and I will attach it for you.
     
  6. Ivinho

    Ivinho Private E-2

    OK, I think it's working now..
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start by running ComboFix...

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Once you complete the above, attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • ComboFix
     
  8. Ivinho

    Ivinho Private E-2

    OK, I did ComboFix twice. First from my user and then from Admin.
     

    Attached Files:

  9. Ivinho

    Ivinho Private E-2

    And here are the three other logs..
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See the thread below and run GetRunKey again, something did not go right.
     
  11. Ivinho

    Ivinho Private E-2

I don't know what I am doing wrong but it pops up a Notepad window showing one line when I try using GetRunKey:
    Binary file C:\rkeysxxx.txt matches

    What does that mean?
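As an added example, not part of the thread and not the MajorGeeks GetRunKey.bat/ShowNew.bat tools themselves: the autostart and Security Center checks behind the findings in post 3 (the runner1 Run value and the Security Center "DisableNotify" registry changes Spybot flagged) can be reproduced with a short PowerShell script. The message in post 11, "Binary file ... matches", is what GNU grep prints when a file it searches contains NUL bytes, which is what a UTF-16 text file looks like to it, so the script writes its own log as ASCII. The registry paths and value names below are real Windows XP locations; the "suspicious" heuristic (commands that launch from a Temp folder or have no path at all) and the output file name are the example's own assumptions.

```powershell
# Added example (not from the thread's tools). Lists Run/RunOnce autostart
# values for the machine and the current user, checks the Security Center
# notification switches, and writes an ASCII log that grep/findstr treat as text.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Heuristic (assumption of this example): a loader dropped into a Temp
            # folder, or a bare file name with no directory, deserves a closer look.
            $suspicious = ($cmd -match '\\Temp\\') -or ($cmd -notmatch '[\\:]')
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = $suspicious
            }
        }
    }
}

function Get-SecurityCenterNotify {
    # A value of 1 here hides the Security Center warning for that component;
    # the Spybot hits "FirewallDisableNotify" and "AntivirusDisableNotify" in
    # post 3 refer to these values.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $val = (Get-ItemProperty -Path $sc -Name $v -ErrorAction SilentlyContinue).$v
        New-Object PSObject -Property @{
            Value    = $v
            Setting  = $val
            Silenced = ($val -eq 1)
        }
    }
}

# Log file name is an assumption of this example. -Encoding ASCII keeps the
# output free of NUL bytes, so grep will not report "Binary file ... matches".
$log = 'C:\autoruns-check.txt'
Get-AutorunEntries | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Key -AutoSize | Out-String -Width 4096 |
    Out-File -FilePath $log -Encoding ASCII
Get-SecurityCenterNotify | Format-Table Value, Setting, Silenced -AutoSize |
    Out-String | Out-File -FilePath $log -Encoding ASCII -Append
Get-Content $log
```

Run it from an Administrator account so the HKLM keys are readable; the HKCU section only covers the account the script runs under, so on a machine with a separate "Admin" and user account, as in this thread, it has to be run once from each.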
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We have updated our guidelines and procedures, please see the thread below and run the MGTools and attach the logs created (MGLogs.zip).

    Windows XP Cleaning Procedure
     
