Trojans, and Vundo variants still found after cleaning.

Discussion in 'Malware Help (A Specialist Will Reply)' started by listenxtoxmetal, May 3, 2008.

  1. listenxtoxmetal

    listenxtoxmetal Private E-2

    Hey everyone, thanks in advance for the assist. I ran the system cleaning as requested to the best of my ability. When I say to the best of my ability, I mean I did only what was asked of me step by step, but I had a problem with ComboFix. I followed the given instructions and could not get it to work; every time the scan commenced, explorer crashed and the system just sat there. I then skipped ComboFix and ran MGtools as directed.

    I have run SUPERAntiSpyware 1 time since following all instructions (in an attempt to see if it turned up anything). The results were that I still have something called Vundo-variant H and a number of trojans being detected. I will post my logs now, and read around in some more forums trying to see if I can help myself any more. I will not run any more removal tools until advised.

    Thank you
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi listenxtoxmetal,
    Welcome to Major Geeks!


    There seem to be troubles with Combofix today. While I look at the logs you've posted so far, please run SDFix. I'll post the instructions for you here.

    Using SDFix. When you finish, please attach the log.

    abri
     
  3. listenxtoxmetal

    listenxtoxmetal Private E-2

    Ran SDFix as instructed; here is the log.

    Thanks for the help
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi listenxtoxmetal,

    Please do the following:

    1) What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\Documents and Settings\All Users\Application Data\zydgpofm

    2) Please disable your guest account if this hasn't already been done.

    3) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger.


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3F07E378-20F7-4E60-B82E-FCE6D8AA50B2} - (no file)
    O2 - BHO: (no name) - {51292029-06BD-4918-A2E2-50A9FD3AA71F} - (no file)
    O2 - BHO: (no name) - {5C69FC78-560F-4370-86A9-F667C4FAF881} - (no file)
    O2 - BHO: (no name) - {6BF034BC-C65A-4542-894E-F1B77729AA81} - C:\WINDOWS\system32\cbXqnMeF.dll (file missing)
    O2 - BHO: (no name) - {78315BC6-E442-4671-9BCE-6BC73E4486CF} - (no file)
    O2 - BHO: (no name) - {7FD33616-2214-4E63-9409-B4B8D2FC047B} - C:\WINDOWS\system32\geBrpoPJ.dll (file missing)
    O2 - BHO: (no name) - {9F2886A3-3FAF-4FFE-94FD-E31F7E453268} - C:\WINDOWS\system32\urqQhGAP.dll (file missing)
    O2 - BHO: (no name) - {D24D850E-FBF7-4566-8A78-12E3CAEA8781} - (no file)
    O2 - BHO: (no name) - {D58B3365-279D-4A8F-9769-48BFCBB9DC80} - (no file)
    O4 - HKLM\..\Run: [149ed982] rundll32.exe "C:\WINDOWS\system32\fxemxxep.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [wgdrhfqk] C:\WINDOWS\system32\wpsxqtkl.exe
    O4 - HKCU\..\Run: [jmqopalx] C:\WINDOWS\system32\zwnuvmxm.exe
    O20 - Winlogon Notify: jkkHBRhe - jkkHBRhe.dll (file missing)


    After you click fix, just close hijackthis.


    6) Download and install Erunt. Use it to create a backup of your registry.


    7) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    9) Now run CCleaner at the default setting with the Windows tab as the top one.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
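    As an added illustration (not part of abri's instructions, and not a MajorGeeks or HijackThis tool), here is a small Python triage script that parses HijackThis-style O2/O4/O20 lines like the ones listed above and labels them the way a helper reads them: entries ending in "(no file)" or "(file missing)" are orphaned registry references, while Run entries that launch randomly named 8-letter binaries straight from system32 (the Vundo-family pattern in this thread) are flagged for attention. The SAMPLE_LOG is constructed from the lines above plus one made-up clean BHO with a placeholder CLSID; the random-name rule is a heuristic for triage, not a verdict.

```python
import re

# Constructed sample: the HijackThis lines abri asked to have fixed in this
# thread, plus one constructed clean BHO line (placeholder CLSID) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3F07E378-20F7-4E60-B82E-FCE6D8AA50B2} - (no file)
O2 - BHO: (no name) - {6BF034BC-C65A-4542-894E-F1B77729AA81} - C:\WINDOWS\system32\cbXqnMeF.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [149ed982] rundll32.exe "C:\WINDOWS\system32\fxemxxep.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [wgdrhfqk] C:\WINDOWS\system32\wpsxqtkl.exe
O20 - Winlogon Notify: jkkHBRhe - jkkHBRhe.dll (file missing)
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Heuristic, not a verdict: a Run value named with 8 lowercase letters/digits that
# launches an 8-letter binary straight out of system32 (the pattern in this thread).
RE_RANDOM_VALUE = re.compile(r"^[a-z0-9]{8}$")
RE_RANDOM_SYS32 = re.compile(r"\\system32\\[A-Za-z]{8}\.(exe|dll)\b", re.IGNORECASE)

def classify(line):
    """Return (line, label, reason) for one HijackThis entry, or None for blank lines."""
    line = line.strip()
    if not line:
        return None
    if any(marker in line for marker in ORPHAN_MARKERS):
        return (line, "ORPHANED", "points to a file that no longer exists; "
                "fixing removes only the dangling registry reference")
    m = RE_O4.match(line)
    if m:
        value, cmd = m.group("value"), m.group("cmd")
        if cmd.lower().startswith("rundll32") and RE_RANDOM_SYS32.search(cmd):
            return (line, "SUSPICIOUS", "rundll32 loads a randomly named DLL from system32 at logon")
        if RE_RANDOM_VALUE.match(value) and RE_RANDOM_SYS32.search(cmd):
            return (line, "SUSPICIOUS", "random value name launches a random 8-letter binary from system32")
        return (line, "REVIEW", f"autostart under {m.group('hive')}: confirm the vendor path is expected")
    if RE_O2.match(line) or RE_O20.match(line):
        return (line, "REVIEW", "hook is present and its file exists: verify the file's publisher")
    return (line, "UNPARSED", "entry type not handled by this triage")

def triage(log_text):
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

def fix_candidates(log_text):
    """Lines a helper would tick in HijackThis: orphaned hooks and suspicious autostarts."""
    return [line for line, label, _ in triage(log_text) if label in ("ORPHANED", "SUSPICIOUS")]
```

Legitimate autostarts such as the Java updater come back as REVIEW rather than being ticked automatically, which is the point: the script narrows the list, the helper decides.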
  5. listenxtoxmetal

    listenxtoxmetal Private E-2

    Seems to be running great now. I should say that previously I had little if any pop ups; I just had a sluggish system that seemed to be running at 100% CPU usage constantly no matter what I was doing.

    Thanks a million for taking time out of your day to help me, here are the fresh logs (fresh logs not to be stated in public only ok on malware forums)
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi listenxtoxmetal,

    All but one. Please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3F07E378-20F7-4E60-B82E-FCE6D8AA50B2} - (no file)

    After you click fix, just close hijackthis.


    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) When you finish the above, run analyse.exe again as in Step 1 above and Do a system scan only. Check the window when it finishes to see if that one O2 entry is gone. If it is, you can continue with the final cleanup instructions in the box below:
    abri
     
  7. listenxtoxmetal

    listenxtoxmetal Private E-2

    Clean as a whistle now. I will be more cautious. Thanks for all the help.
     
  8. abri

    abri MajorGeek

    You're welcome!
    Enjoy your computer!
     
  9. listenxtoxmetal

    listenxtoxmetal Private E-2

    So I was thinking all is well, but I just got hijacked to a site xponlinescanner.com. Wondering what I could have done wrong or if perhaps we just missed something.
     
  10. abri

    abri MajorGeek

    Hi listenxtoxmetal,

    We might have missed something, or there might still be something which was not picked up by the scans we did. Please go to Using BitDefender Online Scan
    and run this. This scan can only be done with Internet Explorer and with ActiveX enabled. It's a thorough scan, so do it when there's plenty of time to let it run. When you finish, make a log as per the instructions so we will have something we can use.

    Also, it might be good to check for a rootkit. After you finish the above scan, please go to
    Running GMER to detect rootkits

    After you've run both of these, please attach the logs.
    Thanks.
    abri
     
  11. listenxtoxmetal

    listenxtoxmetal Private E-2

    Hey Abri,

    Been a while, I know; things have been things lately. So my machine seems to be incredibly slow and getting slower (has its moments of speed, however). I have a feeling we did miss something, so I ran the BitDefender scan as you suggested and also GMER. Here are the logs.

    Thanks again
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These last two logs are clean. It has been a long time (internet time) since you attached scan results from the READ & RUN ME, but I doubt your problem with performance is due to malware. It is more likely what you are running and what your PC specs are. Please download the current version of MGtools and use it to get a new log and then attach the new MGlogs.zip file.

    Note it looks like you installed Online Armor's Firewall. While this is a good firewall, it has been known to cause some computers to slow down too much. You could try uninstalling it temporarily and then rebooting to see if there is any significant change.



    When you say it is slow, please describe exactly what is slow. Please answer all of the below questions relating to what/when is it slow:
    1. bootup
    2. shutdown
    3. opening a browser window
    4. surfing
    5. all general operations
    6. is it also slow in safe boot mode
     
  13. listenxtoxmetal

    listenxtoxmetal Private E-2

    Well, when I say it is slow:

    Boot up takes a ridiculous period of time and the taskbar never properly populates, volume controls never come out, and certain programs I want to start at boot up misbehave and never boot. Even when I open them they are there visually but fail to perform the tasks they are meant to, i.e. none of the G15 keyboard stuff works any more, nor will it open properly.

    Writing this and thinking a little more about what you said in your last post, Online Armor is probably causing a lot of this lag (a price I don't mind paying for security, given I know that is what it is).

    I will get back to you when I try safe mode but for now start up and opening programs seems to be the slowest tasks.

    I will get the mgtools again and post the logs as well.
    Thanks
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Once I see the new logs I can comment further but I still suggest that you begin by uninstalling Online Armor's Firewall just as a test. There are other firewalls that may not impact your performance as much.
     
