Virtumundo/ Trojan.Vundo/Antivirus2009 Popup

geex_newbie · Jan 11, 2009

Need help with Vundo Removal

geex_newbie · Jan 11, 2009

geex_newbie said: ↑

Need help with Vundo Removal
Click to expand...

Hi,
My system runs on XP SP3. My antivirus/Firewall is Symantec Endpoint Protection. I started receiving Trojan.Vundo, Packed.Gen, Downloader notification by SEP and it usually quarantineds or deleteds the files. I started receiving (occasionally) Antivirus2009 popup (IE window-I always run FF). Sometimes my antivirus would get turned off automatically right after this notice: 'Trojan.Vundo activity noticed'.

I ran all basic and cleaning steps as specified in these threads:
http://forums.majorgeeks.com/showthread.php?t=35407
http://forums.majorgeeks.com/showthread.php?t=139313

I am not sure if the infection is completely gone. I am attaching the logs for your perusal. Thanks in advance for your help!

geex_newbie · Jan 11, 2009

geex_newbie said: ↑

Need help with Vundo Removal
Click to expand...

Here is the MG Tools log.
Thanks!

TimW · Jan 14, 2009

Just a few things to clean up:

Use windows explorer to find and delete:
C:\WINDOWS\system32\D
C:\WINDOWS\system32\FIP
C:\WINDOWS\system32\HDX
C:\WINDOWS\system32\VIM

Now reun CCleaner --> both the cleaner and the issues sections ( making sure you do the backup when prompted).

Then download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Tell me what issues you may still have.

geex_newbie · Jan 15, 2009

Thanks a lot! I havent seen any popup since then. I will do as suggested this evening and get back to you.

geex_newbie · Jan 15, 2009

Hi Tim,
1.I deleted the mentioned folders from \system32.
2.I ran ccleaner for both files and registry (backed up).
3.I cleaned firefox using ATF Cleaner.

I havent had any problems since I submitted the logs, and with your guidance I think I have eliminated the residual problems.

Thanks a bunch!

TimW · Jan 16, 2009

If you are not having any other malware issues, then:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection, but are effective as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Log in or Sign up

Virtumundo/ Trojan.Vundo/Antivirus2009 Popup

geex_newbie Private E-2

geex_newbie Private E-2

Attached Files:

SASlog01-11-2009 - 11-52-34.log

mbam-log-2009-01-11 (16-14-48).txt

ComboFix.txt

geex_newbie Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

geex_newbie Private E-2

geex_newbie Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member