Can't Get Rid Of Vundo and Trojan Installer

Here's my story: Late Saturday night I was suddenly hit with an alert that I had a virus and needed to immediately install "Anti-Virus 2009" and also "Rapid Anti-Virus." I didn't recognize either one and went to Google and found that both were malware. I tried to run my AVG anti-virus but evidently the virus wouldn't allow me to update AVG for the newest definitions. I also ran Spybot S & D, and Ad-Aware. Both detected the virus/trojan, but couldn't remove all of them.

Sunday, the virus/trojan wouldn't allow me to go to most anti-virus or anti malware sites, but I did find a forum where a poster said that the virus didn't recognize C-Net as a threat and was able to download Malwarebytes Anti-Malware there. So that's how I got the program.

From using AVG, Spybot S & D, and Ad-Aware these are the problems found:

Fake Anti-spyware program

Trojan Horse BHO - GSS

Trojan Horse GHO - GSX

HKU - registry key with reference to infected file

Trojan Horse Generic_c TSW

Smitfraud c toolbar 888

Microsoft Windows Security Center - disabled

Microsoft Windows Security Center - Anti-Virus

Microsoft Windows Security Center - update

Asta Killer

Virtumonde

Malwarebytes found 84 objects or files infected. I removed those objects. This allowed my AVG anti-virus to do an update and I ran a scan with it. This also allowed my Windows update to install updates. I went to my Windows Security Center and found that my firewall, anti-virus, and updates were turned to off. I turned them to on. I ran Spybot S & D, and then a quick scan with Malwarebytes. I removed two more objects.

Today, the virus came back, but this time only 14 objects were found (originally 84). I've removed those, re-booted, and then came here. One problem I seem to have is finding that my Windows Anti-virus has been turned to off; I reset it to on, and somehow it gets reset to off again. Is that the malware doing that? Here's the first log:

Malwarebytes' Anti-Malware 1.31

Database version: 1579

Windows 5.1.2600 Service Pack 3

12/30/2008 3:23:35 PM

mbam-log-2008-12-30 (15-23-35).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 160459

Time elapsed: 1 hour(s), 15 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\ibffce.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{37b80e04-6446-4191-a9df-b21f02811a72} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b80e04-6446-4191-a9df-b21f02811a72} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37b80e04-6446-4191-a9df-b21f02811a72} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jupejegaso (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ibffce.dll (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\Cache\63F1AE75d01 (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\0JNNZ0Qt.exe.part (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QVU9EYDK\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bonljqdb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

And the second log:

Malwarebytes' Anti-Malware 1.31

Database version: 1579

Windows 5.1.2600 Service Pack 3

12/30/2008 4:05:46 PM

mbam-log-2008-12-30 (16-05-46).txt

Scan type: Quick Scan

Objects scanned: 61093

Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jupejegaso (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

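The two logs above share the same format, and the same two registry artifacts (the Browser Helper Object CLSID and the `Run` value `jupejegaso`) appear in both, which is what a helper reading the thread would look for first. As an added example that is not part of this thread and not Malwarebytes' own code, here is a small Python parser for that log format: it reads the header fields and each "... Infected:" section, flags entries that sit in autostart locations or were only scheduled for deletion on reboot, and lists the items that reappear between two scans. The sample text is a shortened copy of the logs posted above; the list of persistence locations it checks is my own, not a Malwarebytes feature.

```python
import re
from typing import Dict, List, Tuple

# Shortened excerpts of the two logs posted in this thread (constructed sample input).
LOG_1 = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1579
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160459
Memory Modules Infected: 1

Memory Modules Infected:
C:\WINDOWS\system32\ibffce.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jupejegaso (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ibffce.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\0JNNZ0Qt.exe.part (Rogue.Installer) -> Quarantined and deleted successfully.
"""

LOG_2 = r"""Malwarebytes' Anti-Malware 1.31
Scan type: Quick Scan
Objects scanned: 61093

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{79121392-e187-40bf-870e-9d8a0dcb2076} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jupejegaso (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# A section header is the category name followed by a bare colon; the summary
# lines near the top ("Files Infected: 5") carry a count and are treated as header fields.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# "<path or key> (<family>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Locations whose presence means the code would run again after a reboot or browser start
# (my own short list for this example, not an exhaustive one).
PERSISTENCE_HINTS: Tuple[Tuple[str, str], ...] = (
    ("\\currentversion\\run\\", "autostart Run value"),
    ("\\browser helper objects\\", "Browser Helper Object registration (loads into Internet Explorer)"),
)


def parse_mbam_log(text: str) -> Dict:
    """Split a Malwarebytes 1.x text log into header fields and per-section detections."""
    report: Dict = {"header": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["sections"].setdefault(section, [])
            continue
        if section is None:
            # Still in the header block: "Key: value" lines only.
            key, sep, value = line.partition(":")
            if sep:
                report["header"][key.strip()] = value.strip()
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            report["sections"][section].append(m.groupdict())
    return report


def persistence_findings(report: Dict) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for detections that indicate persistence or a locked module."""
    findings: List[Tuple[str, str]] = []
    for items in report["sections"].values():
        for it in items:
            lowered = it["item"].lower()
            for needle, meaning in PERSISTENCE_HINTS:
                if needle in lowered:
                    findings.append((it["item"], meaning))
            # "Delete on reboot" means the file was loaded/locked while the scan ran.
            if it["action"].startswith("Delete on reboot"):
                findings.append((it["item"], "in use at scan time; removal deferred to reboot"))
    return findings


def recurring_items(first: Dict, second: Dict) -> List[str]:
    """Items detected in both scans: a sign the component was re-created after the first cleanup."""
    seen = {it["item"].lower() for items in first["sections"].values() for it in items}
    return sorted({it["item"] for items in second["sections"].values()
                   for it in items if it["item"].lower() in seen})


if __name__ == "__main__":
    r1, r2 = parse_mbam_log(LOG_1), parse_mbam_log(LOG_2)
    print("Scan 1:", r1["header"].get("Scan type"), "-", r1["header"].get("Objects scanned"), "objects")
    for item, why in persistence_findings(r1):
        print("  persistence:", why, "->", item)
    print("Re-detected in scan 2:")
    for item in recurring_items(r1, r2):
        print("  ", item)
```

Running it on the two excerpts prints the Run value and the BHO key as persistence points, the `ibffce.dll` entries as deferred deletions, and lists the three registry items that came back in the second scan. Reading a log this way separates the payload files from the hooks that reload them, which is usually where a "cleaned, then came back" pattern like the one described in this thread is explained.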

Hello.

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.

Thanks! I've downloaded the newest version of Spybot S & D (my version was years old), and am running it now, without Tea-Time. It's taking a long time to scan my system and is now about two-thirds of the way done.

I've run into a problem. When Spybot S & D finished, I clicked on "fix problems" and the program is not responding. Do I have to start over?


No, don't worry about Spybot.

Hi Tigger93,

Twice now I've run Spybot S & D and when it's finished scanning have clicked on "fix selected files", and Spybot stalls. I get a message that it's "not responding." I've been running it off line. Could that be a problem?


First Log - from Malwarebytes:

Malwarebytes' Anti-Malware 1.31

Database version: 1579

Windows 5.1.2600 Service Pack 3

12/30/2008 9:22:16 PM

mbam-log-2008-12-30 (21-22-16).txt

Scan type: Quick Scan

Objects scanned: 60851

Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)
