Trojan.Vundo sticking around.. Please assist

noonway · Apr 21, 2009

I have a laptop that my Symantec Endpoint Protection has found the Trojan.Vundo on it. I followed the basic malware removal guide twice in a three day period and every day or two since Vundo comes back and is detected again by Symantec. Please assist in helping me remove.

Thanks in advance... Awaiting your instructions.

noonway · Apr 21, 2009

Scanning logs are here...

TimW · Apr 24, 2009

Now let's use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\documents and settings\All Users\Application Data\yadebene
c:\documents and settings\All Users\Application Data\zadoleso
c:\documents and settings\All Users\Application Data\vewuvepo
c:\documents and settings\All Users\Application Data\zofufelo
c:\documents and settings\All Users\Application Data\zukuyepu
c:\documents and settings\All Users\Application Data\wutakizu
c:\documents and settings\All Users\Application Data\rurenami
c:\documents and settings\All Users\Application Data\jujivane
c:\documents and settings\All Users\Application Data\jubawiro
c:\documents and settings\All Users\Application Data\zebosewo
c:\documents and settings\All Users\Application Data\zesuvizi
c:\documents and settings\All Users\Application Data\migogaso
c:\documents and settings\All Users\Application Data\jahimaga
c:\documents and settings\All Users\Application Data\guwawefa
c:\documents and settings\All Users\Application Data\tivuzale
c:\documents and settings\All Users\Application Data\piwinala
c:\documents and settings\All Users\Application Data\neganosu
c:\documents and settings\All Users\Application Data\pabinula
c:\documents and settings\All Users\Application Data\wezuhobo
c:\documents and settings\All Users\Application Data\mepazufo
c:\documents and settings\All Users\Application Data\notetiki
c:\documents and settings\All Users\Application Data\morazolu
c:\documents and settings\All Users\Application Data\denakuja
c:\documents and settings\All Users\Application Data\dejezibi
c:\documents and settings\All Users\Application Data\yulofili
c:\documents and settings\All Users\Application Data\vetariwo
c:\documents and settings\All Users\Application Data\merahuro
c:\documents and settings\All Users\Application Data\sodiluha
c:\documents and settings\All Users\Application Data\fobunayi
c:\documents and settings\All Users\Application Data\yuyugepu
c:\documents and settings\All Users\Application Data\gosagure
c:\documents and settings\All Users\Application Data\budabaze
c:\documents and settings\All Users\Application Data\bahezefi
c:\documents and settings\All Users\Application Data\jonojepu
c:\documents and settings\All Users\Application Data\toyuwipi
c:\documents and settings\All Users\Application Data\hawupopa
c:\documents and settings\gramsey\Local Settings\Application Data\Fmofebasusevihe.bin
c:\documents and settings\gramsey\Local Settings\Application Data\{0C045861-D949-44C6-9DFC-BEAE1EC35B47}
c:\documents and settings\gramsey\Local Settings\Application Data\Kceyusobo.dat
c:\documents and settings\gramsey\Local Settings\Application Data\ageliwoluwaruy.dll
c:\documents and settings\All Users\Application Data\payafini
c:\documents and settings\All Users\Application Data\masebeba
c:\documents and settings\All Users\Application Data\tewiroyo
c:\documents and settings\All Users\Application Data\gifigotu
c:\documents and settings\All Users\Application Data\buponuvo
c:\documents and settings\All Users\Application Data\robuzulu
c:\documents and settings\All Users\Application Data\jedowifa
C:\Documents and Settings\All Users\Application Data\sitisosa

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

Tell me what problems you are still having.

noonway · Apr 25, 2009

I dragged and dropped the script text file onto Combofix.exe and it started up, told me my virus software was running so I disabled the virus software and continued. But then a blue cmd window came up with a single period "." in the title bar. It's been sitting on that window now for 20 minutes and has shown no progress. Any suggestions?

noonway · Apr 27, 2009

I'm clean... Thanks for trying to assist but I had to get this done faster so when to bleepingcomputer.com and received assistance.

TimW · Apr 30, 2009

Well, good for you.

Log in or Sign up

Trojan.Vundo sticking around.. Please assist

noonway Private E-2

noonway Private E-2

Attached Files:

MGlogs.zip

ComboFix.txt

SUPERAntiSpyware Scan Log - 04-21-2009 - 10-49-09.log

mbam-log-2009-04-21 (11-19-54).txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

noonway Private E-2

noonway Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member