
Thread: Please help with Vundo and others

  1. #1
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Did you run the AVG in SAFE MODE?
    Also, can you spell out exactly the problems you were having which caused you to begin with this cleaning procedure? We sort of need to know what we might be dealing with here, and symptoms experienced are a great help so that we can get an idea of what other steps, other than those in the sticky, might need to be run.

  2. #2
    Join Date
    Aug 2007
    Location
    Southern California
    Posts
    16
    I did run it in safe mode. I know that because my monitor cannot display the entire AVG control panel when in safe mode.

    Original problem and a bit of history if it helps:
    I started getting many, many unsolicited pop-ups on my computer, even when IE is not open. That has never happened before. Then <*insert random internet security program here*> told me that I have spyware on my computer. This was a program that I never installed but it was going to "clean all the spyware off my computer for the low low price of $29.99". I removed it immediately!

    I downloaded PCtools Spydoctor and ran it; that utility found 21 infections, but could not stop the original problem (unsolicited popups). Much searching led me to your site here.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, I would like you to run the cleaning steps again from here

    Run Kaspersky again but also run at least one of the others FIRST. Kaspersky will not clean but the others will, I believe. Have them clean everything found.

    Then follow on through with the other steps. Once you have completed those then disconnect from the internet, actually remove the plug from the computer.
    Boot to safe mode and continue with the remaining steps, including running AVG Anti-spy again exactly as the instructions state. Have it fix whatever it finds and try to save the log.
    Once all is complete then reboot to normal mode and run HJT again, save the log and post back here with all the logs you have saved.

    You are showing at least one trojan on the computer, maybe more, we need to see if we can get rid of most of them before going forward to other steps or tools.
    Judy

  4. #4
    Join Date
    Aug 2007
    Location
    Southern California
    Posts
    16
    I followed your directions to the letter:

    I ran Panda Scan (log attached)
    I ran Kaspersky (log attached)
    I ran AVGScan (no report was available)
    I ran WinDefender (said my computer is running normally - although I did get a popup as soon as I logged back on in normal mode)
    HJT log is attached as well.

    Thanks in advance

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    First of all, you still do have a Vundo infection on the computer.
    Removal Steps:
    1. Download Vundo Fix and save it to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click Yes
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

  6. #6
    Join Date
    Aug 2007
    Location
    Southern California
    Posts
    16
    I ran vundofix twice - no infections found
    I reinstalled Vundofix and ran it 2 more times - no infections found
    I rebooted and ran Vundofix twice more - still no infections found

    Still getting unsolicited popups

  7. #7
    Join Date
    Aug 2007
    Location
    Southern California
    Posts
    16
    oops forgot the vundofix.txt

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    While your VundoFix log shows that previously the computer did contain Vundo, it was removed on the 17th, but the Kaspersky log shows the following still there:
    C:\WINDOWS\system32\fccawtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp

    1. Download VirtumundoBegone and save it to your desktop
    2. Now reboot into Safe Mode.
      1. This can be done tapping the F8 key as soon as you start your computer
      2. You will be brought to a menu where you can choose to boot into safe mode.
      3. Select safe mode with networking using your arrow keys on the keyboard and then press enter.
      4. When your computer reaches the desktop, make sure you log in as the same user with which you performed the previous steps.
    3. Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions.
    4. Exit when it has finished, and reboot back to normal mode.

    Another thing noted in the VundoFix log is the presence of an old Java version, 1.4.2.3. This really leaves your system at risk as this version is not as secure as the newest. Go to Add/Remove and uninstall this old version. While you are there, search also for SpywareQuake. If you find it, uninstall it; if you don't find it, don't worry about it.

    The next thing you need to do is the following steps. I would recommend that you print these out so that you will have them to refer to while completing them, because you won't have internet access at that time.

    Download SmitfraudFix (by S!Ri) to your Desktop
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named: c:\rapport.txt
    Post back here with that report.
