Stuck with Win 32 Heur and Trojan Horse Vundo

Status
Not open for further replies.

rookiegeek

Hi,
My system's stuck with Win32 Heur, Win32 Cryptor and Trojan Horse Vundo. Even after repeated heal and quarantine attempts by AVG 8.5, the problem still persists.
I have followed the "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" mentioned in one of the forums. I have attached the 3 logs from Malware, SuperAntiSpyware and HijackThis. Please help me. I can see where this virus can take me. Although the consequences for now are limited to affecting the functioning of my IE, I wouldn't want to get to the hastier side of the matter. Please let me know what can be done to handle this!

Waiting for help...
RookieGeek! :)
 
Hi, these are all still issues.

Code:
C:\WINDOWS\psvmon9.exe
O2 - BHO: (no name) - {01DDF077-EC34-4C1C-9EE4-90B86F87694a} - C:\WINDOWS\system32\hnaaxxxc.dll
O2 - BHO: (no name) - {6D282D2E-787B-42F1-A1B8-CDF9D06D1DA3} - c:\windows\system32\mplrgbh.dll
O4 - HKLM\..\Run: [psvmon9] C:\WINDOWS\psvmon9.exe
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: zgwlcglg - C:\WINDOWS\SYSTEM32\mplrgbh.dll

Would you please open up HJT, tick those entries, and click fix, making sure that all programs are closed?

After that, download ComboFix. Download ComboFix from here, and save it to the Desktop. Now open notepad and paste the following into a document.

Code:
Killall::

Snapshot::

Folder::
c:\progra~1\ThunMail

File::
C:\WINDOWS\psvmon9.exe
C:\WINDOWS\system32\hnaaxxxc.dll
c:\windows\system32\mplrgbh.dll

Save this file onto your desktop too, as cfscript.txt. Then, drag it onto the cat icon, as shown below.

cfscript.gif


Do not click on the ComboFix window whilst it runs, as it may stall. Once ComboFix is done, please upload the log.

Thanks. :)
 
Combofix log attached

As per the instructions, the logs are ready...
If this info could help, before doing the ComboFix, I ran VundoFix; it caught hold of a system file, but was unable to delete the same...

Will wait for what is to be done next.
RookieGeek :)
 
Hi, which file did VundoFix catch a hold of?

Also, would you please produce a fresh HJT scan? I forgot to mention, sorry. :)
 
HijackThis logs attached! VundoFix says nothing to fix! :D

Hi there!
VundoFix says nothing to fix! No threat detected...
and HijackThis logs attached... but I don't know why AVG's still popping up errors...
I was not able to have a complete run, but I will have one now, and attach the errors...
Hopefully I'll get rid of them as well!

What's next now?
RookieGeek :)
 
They're just tracking cookies (which whilst they should be removed, are not particularly serious). Are they the only issues remaining?
 
Qoobox\Quarantine is ComboFix's quarantine, IIRC.

Start > Run > Type 'combofix /u' without the quotes. :)
 
hmm...:)
As you can see, I am a little new to this, thanks for being so patient,
so now I have to run ComboFix too? To get things correct, is it?
 
No, /u uninstalls ComboFix and removes the quarantine (where the trojans were). Basically, the trojans were sent to a quarantine on your hard drive by ComboFix, but your antivirus didn't know this and still thought that they were threats. combofix /u removes it. :)
 
Okay... ComboFix is uninstalled! :D
Enlightened a little late... and about the tracking cookies, what can I do to get rid of them as well?
 
Did AVG not remove them? If not, you can go to CCleaner and tick 'Cookies', then 'Run Cleaner'. You should have this from your 8 steps.
 
Logically, if it does remove them, why is it that I see them every time I run a scan? :confused:
Again, if there's something that's related to my weak brains, please, more enlightenment needed! :eek:
 
You don't have weak brains, don't worry. We all have to start somewhere, and you don't seem that bad! :)

If they are still there, I can get ComboFix to remove them for you. Would you like that?
 
Thanks for the optimism! :D I do realise where I come from though... long way to go... :blackeye:
Yes, of course! No red mark for me in my error report... hate it when I see that red ! mark
 
Okay, create a file called cfscript.txt again, with this in.

Code:
Killall::

Snapshot::

Folder::

File::
C:\Documents and Settings\ABCD\Application Data\Mozilla\Firefox\Profiles\eurzlmy3.default\cookies.sqlite

This should remove it. Make sure Firefox is closed first! After this is all done, you should do 'combofix /u' again. :)
 