Trojan.Vundo and others

I got Trojan.Vundo (and some system-defender adware crap) from another user who put a thumbdrive on my pc so they could print their college work.

I have cleaned most of it up using spybot, adaware, and Malwarebytes' Anti-spyware. Unfortunately Symantec Antivirus 10 was useless and didn't even detect it.

So Malwarebytes' removed most of the stuff, but one thing keeps appearing and won't be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader)

Is this a trojan? How can I get rid of it? Here is my hijack log:

 

After reading other forums here about the Vundo annoyance, I found that vundofix by atribune is much more useful that fixvundo from symantec. In fact, I have found that symantec seems just to be mediocre on most of their software. They fixvundo app told me I was not infected, while vundofix found 4 instances on my machine. I told it to fix them, then ran Malwarebytes' anti-malware which removed 2 more. I hope I'm clean now.

Here is my hijackthis log output, does anyone see anything bad left?

Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.

 

Log files from superAntispyware, combofix, MGtools. There was no detected problem with spybot.

Sorry about pasting the hijackthis results previously. I did get a few odd situations with combofix. ThreatFire didn't like some of what it was doing, but I told it to allow the activity anyway. There were two additional vundo related items found by SAS.

Anything else I must do to be completely clean?

 

I have followed the detail above. The only thing that hasnt completed is the installation of the new java. That will happen later today.

Thank you very much for your assistance with this!

 

I appreciate your help on this. Things appear to be working without any issue. I have a few other machines to clean up (vundo came from my kids machines), but they are so inundated, I think I will just wipe them and start from scratch. I'll follow the recommendations for spyware/malware avoidance when I get them built.

It's odd I have just ran spybot, adaware and spywareblaster forever and never had any trouble. I guess being connected to the Internet today is much more dangerous than it was only a few years back.

You guys don't recommend threatfire? I'm just trying to figure out what tools to use. I have (all free additions):

AVG Anti-virus
SuperAntiSpyware
Threatfire
Spybot
Adaware
Malwarebyte's Anti-Malware
spywareblaster
Windows XP SP2 firewall
OpenBSD with PF on the perimeter

From the instructions, it seems like I have more than I need. I used to run a-squared, but it expired for some reason, so I uninstalled it. I think I may try the comodo firewall.

What should I get rid of. I want to go with a free solution if I can.


Thanks again for the assistance!

 

After looking around more with the tools I have (for preventing spyware infection) I have noticed some things that are popping up still. It appears that the protection is catching them, but I'm not sure I am really clean. Here are some examples:

The Comodo Firewall Defender+ service has this files pending:

c:\windows\9129837.exe
c:\windows\system32\drivers\runtime2.sys
c:\windows\system32\drivers\runtime.sys
c:\windows\system32\drivers\lkw53.sys
c:\windows\system32\rpcc.exe

A-squared has also found a few items as well. I am going to scan through all my files with avg, malwarebytes and see what the result is.

 

Comodo has these files in quarantine:

C:\Documents and Settings\presence\Local Settings\Temp\xvfe30xn.dll
C:\Documents and Settings\presence\Local Settings\Temp\27zs8qfi.dll

The others are pending. I think Comodo sequesters the file until your decide they are safe. They aren't appearing in the spot they were in the filesystem.

Attached is the MGlogs.zip

 

I can't say what keymaker.exe is. I can say I didn't put it there, so it must be part of a software package I have installed. I deleted the file.

O23 - Service: FortiSslvpnDaemon - Fortinet Inc. - C:\WINDOWS\system32\FortiSslvpnDaemon.exe is SSL vpn software used to get access to one of my job sites. This, i know is legit, and shouldn't have any bad things related to it.

The folder has nothing in it. I checked to make sure nothing odd was hidden in it, but there was nothing. Maybe something that needed a temporary file and didn't clean up? I am playing the Age of Conan beta and some untimely crashes (due to bad code Im sure, it is a beta) have happened.

I am still seeing some odd things popping up in my documents Local Settings folder...mostly random letter dlls, and I see an autorun.exe has shown up under c:\windows\temp.

The dlls have names like txhlyz-8.dll, 3hhrstbf.dll, ydq9963l.dll and osnkm8ns.dll. Is this normal?

 

I don't have anything that I know of that is cracked or otherwise pirated. I do run daemon tools to mount an image I made of the bf2 disk so I don't have to leave it in the drive where my 5 year old won't get to it, but thats it. Even then, I don't have a crack or anything like that for it.

It doesn't appear that this happens when I run games or any software. I ran trillian and comodo and it shows that are new entries in the comodo pending files list. When I look them up in Comodo they all came back unknown. I did submit them to see if comodo can classify them.

The following files are in my <user>\Local Settings\Temp\ directory (some arent new, I havent cleared them as safe yet):

4rtr0svz.dll
4x352c9t.exe
8znlcqyy.dll
bkndrkfv.dll
cctthp5n.dll
g-nnmqbj.dll
kvvs8jes.exe
njejyikw.dll
\nsg6.tmp\InstallOptions.dll
\nsg6.tmp\LangDLL.dll
\nsg6.tmp\services.dll
ptzndsce.dll
shdtgdtw.dll
xdphee72.dll
zjtj7i-k.dll

and then some weird crap showing in my recycle bin:
c:\RECYCLER\S-1-5-21-682003330-1614895754-839522115-1003\Dc1.exe

I think that Comodo must put files in the "Pending File List" somewhere, because when I look, I don't see these files.

I am not the soul user for this system, but I don't think of the kids or my gf would do anything odd on this machine, they know I need it for some of my work effort (my notebook runs linux and doesnt have the office tools on it). I know my youngest plays cartoonnetwork.com games and other similar things on the machine but I didn't figure that stuff is too dangerous.

Here is the log from the rootkit tool (GMER) you asked me to run.

 

Unfortunately, after running the scan, the files are either moved or removed, so they don't exist after the scans are made. I let the machine run for several days to see if the files show up on their own, and they don't appear to. I did have a few files show up in the Temp directory when updating some of the anti-malware software, so maybe this is the kind of activity that is causing the issue. None the less I have not placed the files in the safe file list for comodo.

I ran bitdefender online, however I had to cancel it because it was deleting files that I knew were not infected (punkbuster for bf2 and cod4 for one). Housecall states that I am clean as does every other scanner I have. I believe that the system is clean and that just system activity (installing, updating) are causing the files to appear in Temp. I just didn't expect filenames with those kinds of names to be created. I will keep monitoring the system and see what happens. I thank you again for your assistance.