Trojan.vun and Vundo Malware - Logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by EscapeCat, Mar 25, 2009.

  1. EscapeCat

    EscapeCat Private First Class

    Hi! I am a first time poster, and please let me know if you need anything else other than what I am posting here. :)

    First off, please know that I know virtually nothing about this stuff. I can do basic PC maintenance (updates, scans, and cache clearing), but I know nothing about viruses and such nasty, evil malware as this.

    I was visiting a website about 2 days ago called www.glitter-graphics.com to retrieve an image to use in another forum I frequent. There are banner ads on that site (and I thought maybe that's where it came from?), but I wasn't downloading anything. All I needed was the forum code, so I clicked on the image I wanted and then my computer started getting all sorts of popups and McAfee acknowledged there was a problem. (Wish it would have stopped it.) I ran a McAfee scan and it came up with nothing (just had mentioned it had blocked some trojan.vun or something like that, but they don't appear in McAfee's logs.) I also ran SpySweeper and it kept finding the vundo malware and kept removing it, but it never really left.

    I have followed your steps in the READ & RUN section of your forums and done everything except the Combofix and the toggle restore (as my system isn't clean, I don't think.) I was too afraid to try Combofix, as there are many warnings about using it, especially if you're an amateur. This is my only PC and I can't afford a new one. Also, I would like to note that I could not get my laptop to run in SAFE MODE. I tried, and it constantly froze, never progressing past loading the start button and a blank screen. Nothing else would load, and the little circle showing it's loading, was no longer spinning. I couldn't do anything, so my scans were performed in normal mode.

    I have Windows Vista Home Premium for my OS, and a Gateway PC. Attached are my logs, and I REALLY hope you can help me out. My computer is so slow. :(

    I know you guys are busy, and you are FREE helpers. So, I really appreciate your help and thank you in advance. (I loved the step by step READ & RUN instructions. Very helpful for someone who is not at all familiar with these things. :D)

    EDIT: Also, since running MGTools.exe I have two (notepad?) files on my desktop. :confused

    1st one:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

    2nd one:
    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
    IconResource=%SystemRoot%\system32\imageres.dll,-183

    And when booting, I have error messages popping up about "BigFix". :confused

    Here you go:
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there

    We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. In the meantime, can I ask you whether you accepted the agreement for HijackThis? This log is missing, so could you run MGTools.exe again, this time accepting the license agreement, and attach the new MGlogs.zip that running it will create.

    Thanks

    Kestrel
     
    Last edited: Mar 29, 2009
  3. EscapeCat

    EscapeCat Private First Class

    Thank you so much for the reply, Kestrel!

    That's odd that the log wasn't correct, as I DID accept the HJT user agreement the first time 'round. Hmm. Anyway, I went ahead and did it all again and this time the User Agreement didn't even pop up for me. Otherwise, it did everything it said it would in the MGTools tutorial. (Except my PC also showed a "Restoring System Information" window (I think that's what it said it was) with a progress bar.) But it did look just like the attached image in the tutorial with the pressing any key to close the window. So it all looked correct. I will now attach the new logs, and I hope they're correct.

    For the record, since running the READ ME & RUN FIRST, I've not noticed any more issues with my PC, nor are my anti-virus, or anti spyware programs (including the SuperAntiSpyware program I got from here) finding anything on my PC. I'm hoping that I am clean now. :)

    I hope these logs are the ones you need. :) Please let me know if I again did them wrong. I have no idea why the user agreement didn't pop up again this time.

    Again thank you so much for your reply. :)
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's got it this time :) I'll check your logs as soon as possible and get back to you.
     
  5. EscapeCat

    EscapeCat Private First Class

    Oh, good. When I saw that the file was quite a bit bigger, I was hoping it worked. Thanks again. :)
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What file names are you looking at? I am guessing that you are referring to Desktop.ini files, which are not problems and are appearing because hidden files and folders are set to show.

    What is the exact error message? You need to give exact word for word error messages. And do you or have you ever used BigFix? If not then uninstall it because it is just bloatware that your PC manufacturer installed.


    1) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    2) Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    3) Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\WINDOWS\Temp
    • C:\Users\Selena\AppData\Local\Temp

    4) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from avenger.

    5) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Thanks
    Kes
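    Step 3 above asks for every file in the two Temp folders to be deleted except those from the current day. The script below is an added example, not part of the original thread or of MGtools; it implements that rule with a dry run first, keeps today's files, and reports files Windows refuses to remove instead of stopping. The default folder list is an assumption that mirrors the two paths named in the instructions, and demo() builds its own throwaway sample folder rather than touching the real Temp directories.

```python
"""Clean a Temp folder the way step 3 above describes: delete every file except
those from the current day, and report what could not be removed. Added
example, not from the original thread; the folder list is an assumption that
mirrors the two paths in the post."""
import os
import tempfile
import time
from datetime import date
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed defaults, taken from the paths named in the instructions above.
DEFAULT_TEMP_FOLDERS = [
    r"C:\Windows\Temp",
    os.path.join(os.environ.get("LOCALAPPDATA", r"C:\Users\Selena\AppData\Local"), "Temp"),
]


def modified_today(path: Path, today: Optional[date] = None) -> bool:
    """True if the file's last-modified date is the current day."""
    today = today or date.today()
    return date.fromtimestamp(path.stat().st_mtime) == today


def clean_temp(folder, dry_run: bool = True) -> Tuple[List[Path], List[Path], List[Path]]:
    """Return (removed, kept, failed). Today's files are kept; files that are
    open or locked raise PermissionError on Windows and land in failed. With
    dry_run=True nothing is touched and 'removed' lists what would go."""
    removed, kept, failed = [], [], []
    root = Path(folder)
    if not root.is_dir():
        return removed, kept, failed
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if modified_today(path):
            kept.append(path)
        elif dry_run:
            removed.append(path)
        else:
            try:
                path.unlink()
                removed.append(path)
            except PermissionError:
                failed.append(path)
    return removed, kept, failed


def demo() -> dict:
    """Constructed sample, not real system state: a throwaway folder with one
    two-day-old file, one file in a subfolder of the same age, and one written
    today. Runs a dry run, then the real clean, and returns names for checking."""
    base = Path(tempfile.mkdtemp(prefix="temp-clean-demo-"))
    (base / "sub").mkdir()
    stale = [base / "old.tmp", base / "sub" / "older.log"]
    two_days_ago = time.time() - 2 * 86400
    for p in stale:
        p.write_text("stale")
        os.utime(p, (two_days_ago, two_days_ago))  # back-date the mtime
    fresh = base / "fresh.tmp"
    fresh.write_text("today")
    planned, _, _ = clean_temp(base, dry_run=True)
    removed, kept, failed = clean_temp(base, dry_run=False)
    return {
        "planned": sorted(p.name for p in planned),
        "removed": sorted(p.name for p in removed),
        "kept": [p.name for p in kept],
        "failed": [p.name for p in failed],
        "stale_left": [p.name for p in stale if p.exists()],
        "fresh_left": fresh.exists(),
    }


if __name__ == "__main__":
    print(demo())
    # Real use: review the dry run first, then call again with dry_run=False.
    for folder in DEFAULT_TEMP_FOLDERS:
        would_go, _, _ = clean_temp(folder, dry_run=True)
        print(f"{folder}: {len(would_go)} file(s) would be removed")
```

    Run it once as written to see the dry-run counts, then switch to dry_run=False for the real pass; anything listed under failed is a file that was still open, which is the same situation the instructions describe for current-day files.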
     
  7. EscapeCat

    EscapeCat Private First Class

    Thank you, Kestrel! I am very busy with work and school today/tonight, so I will be sure to do this tomorrow night. I really appreciate your time.

    It wasn't exactly a file...just a notepad on my Desktop with the previously posted information in it. Two of them. I assume you're right as to what it is. Thanks! :)

    I apologize for not having the error for BigFix. I panicked thinking it had something to do with my malware stuff, and closed it immediately, as BigFix hadn't been running until I did the msconfig change when doing the READ ME & RUN. However, it's not happened again. I have no idea what that program even does, so I will simply uninstall it like you said.

    I'll post back here as soon as I have the new logs you requested. :)
     
  8. EscapeCat

    EscapeCat Private First Class

    Seems you are right. This is what I am seeing (circled in red):

    Unknown Notpad Items.jpg

    Never mind my error regarding BigFix. Seems it was a one time thing, and I haven't had the problem since. I will likely uninstall it. I have no idea what it even does. :p Sorry for not posting the original error message. As I said in my post (that's in moderation at the moment), I closed the error quickly as I panicked it had something to do with my malware problem.

    I followed all of your directions, except that I ran MGtools as "administrator" since I use Vista and that was what you had me do when I ran it the first time. I hope that was correct. If not, I'll run it again for you.

    EDIT: I went to attach the logs for MGtools, and the only one that was there was the log from the first time I ran it several days ago. :confused I hope I didn't mess up what you need to see. So, then I tried to run it again, and I got all these access denied errors and used the Task Manager to close the MGtools program, shut off my UAC, and rebooted it. I then ran the GetLogs.bat file as administrator (I use Vista.) I hope that is acceptable.

    Attached are both logs.

    Currently my PC seems to be running fine. Since my problem I have been only using Firefox, and not IE7. I will now work with IE7 and see if any problems arise.

    If my logs are fine, will you help walk me through hiding those hidden files and changing back the msconfig if necessary? (I'm sorry - but I think that's what the READ ME & RUN first thread had me change/do. I apologize for my ignorance.)

    As a reminder to you, I also had never done this:

    "Step 6: Toggle System Restore"

    Thank you again. :)

    avenger log:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\ProgramData\kayeyuja" deleted successfully.
    Folder "C:\ProgramData\fupuvuyu" deleted successfully.
    Folder "C:\ProgramData\gewofawu" deleted successfully.
    Folder "C:\ProgramData\jepewosi" deleted successfully.
    Folder "C:\ProgramData\lakenade" deleted successfully.
    Folder "C:\ProgramData\tobuvuzi" deleted successfully.
    Folder "C:\ProgramData\ninobuku" deleted successfully.
    Folder "C:\Program Files\Trend Micro\AntiVirus 2007" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     

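    The Avenger log above is plain text, and when a helper reviews one it is worth pulling out exactly what the script did rather than reading it by eye: which paths went, whether the rootkit scan was clean, and whether the script ran to completion. The parser below is an added example for this thread, not part of Avenger or of either poster's material. The "random name" check is this example's own heuristic, taken from what is visible in the log (seven entries directly under C:\ProgramData whose names are eight lowercase letters); it is a way to spot the pattern, not a claim about anything beyond this log. The sample input is the posted log copied into a string.

```python
"""Parse an Avenger log of the kind posted above and summarise what the script
actually did. Added example for this thread, not part of Avenger or the
original post; the "random name" heuristic is this example's own, derived
from the folder names visible in the log."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample input: the log EscapeCat posted, copied into a string.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\ProgramData\kayeyuja" deleted successfully.
Folder "C:\ProgramData\fupuvuyu" deleted successfully.
Folder "C:\ProgramData\gewofawu" deleted successfully.
Folder "C:\ProgramData\jepewosi" deleted successfully.
Folder "C:\ProgramData\lakenade" deleted successfully.
Folder "C:\ProgramData\tobuvuzi" deleted successfully.
Folder "C:\ProgramData\ninobuku" deleted successfully.
Folder "C:\Program Files\Trend Micro\AntiVirus 2007" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
"""

# One action line:  <kind> "<path>" <status>.   e.g.  File "C:\x" deleted successfully.
ACTION_RE = re.compile(r'^(?P<kind>[A-Za-z ]+?) "(?P<path>.+)" (?P<status>[^"]+?)\.?$')
PLATFORM_RE = re.compile(r"^Platform: (?P<platform>.+)$")


@dataclass
class Action:
    kind: str      # "File", "Folder", ...
    path: str
    status: str    # e.g. "deleted successfully"; anything else is kept verbatim


@dataclass
class AvengerReport:
    platform: Optional[str] = None
    rootkits_found: Optional[bool] = None   # None = no rootkit scan line seen
    completed: bool = False
    actions: List[Action] = field(default_factory=list)

    def deleted_paths(self) -> List[str]:
        return [a.path for a in self.actions if a.status == "deleted successfully"]

    def random_name_entries(self) -> List[Action]:
        """Heuristic from this log: entries directly under C:\\ProgramData whose
        name is eight lowercase letters, the pattern the entries here share."""
        out = []
        for a in self.actions:
            p = PureWindowsPath(a.path)
            if (len(p.parts) == 3 and p.parts[1].lower() == "programdata"
                    and re.fullmatch(r"[a-z]{8}", p.name)):
                out.append(a)
        return out


def parse_avenger_log(text: str) -> AvengerReport:
    report = AvengerReport()
    expect_rootkit_verdict = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_rootkit_verdict:
            # The line after "Rootkit scan active." carries the verdict.
            report.rootkits_found = not line.lower().startswith("no rootkits found")
            expect_rootkit_verdict = False
            continue
        m = PLATFORM_RE.match(line)
        if m:
            report.platform = m.group("platform").strip()
            continue
        if line == "Rootkit scan active.":
            expect_rootkit_verdict = True
            continue
        if line == "Completed script processing.":
            report.completed = True
            continue
        m = ACTION_RE.match(line)
        if m:
            report.actions.append(Action(m.group("kind"), m.group("path"), m.group("status")))
    return report


if __name__ == "__main__":
    rep = parse_avenger_log(SAMPLE_LOG)
    print(f"platform={rep.platform} rootkits_found={rep.rootkits_found} completed={rep.completed}")
    flagged = rep.random_name_entries()
    for a in rep.actions:
        tag = " [random-name pattern]" if a in flagged else ""
        print(f"{a.kind:6} {a.status:20} {a.path}{tag}")
```

    Any status other than "deleted successfully" is carried through unchanged so a helper sees it; in this log every action succeeded, and the one entry that does not fit the random-name pattern is the Trend Micro folder, which the report prints without a tag.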

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi your post had to come out of moderation so bear with me whilst I look the logs over :)
     
  10. EscapeCat

    EscapeCat Private First Class

    No problem. And I apologize about attaching the avenger log incorrectly. Since it came up in notepad, I didn't realize it saved it to my system, and didn't think to save it as a .txt file myself. So I copy/pasted it there... Sorry about that. (Though the first post that went into moderation had no logs attached at all...) :confused

    Anyway, take your time. I really do appreciate all the help you've given me so far. :)
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How to view hidden, system files & folders!

    Just reverse those steps and set your hidden files and folders to be..hidden again :)

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  12. EscapeCat

    EscapeCat Private First Class

    I'm clean? YAY!!! :D Thank you!!

    I will perform the above steps on Friday. I've had work followed by classes all week. I really appreciate this. :) I'll let you know how it goes. :)
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome! Safe surfing :)
     
  14. EscapeCat

    EscapeCat Private First Class

    Thanks again for everything. But I do have one last question. Since doing those final steps my NETWORK and VOLUME icons from my system tray have disappeared. Any idea how to put them back down there? It's frustrating not having them there.
     
  15. EscapeCat

    EscapeCat Private First Class

    Sorry for the double post...

    Just letting you know that before, I had tried right clicking on the Start menu (I have Vista) and clicking the properties tab, but the volume and network were grayed out so I couldn't select them... It was weird. However, I tried a REBOOT, and they appeared again. Very odd. Anyway, thanks so much for your help. :) You're awesome, Kestrel. :)
     
