How to remove Trojan.Vundo or Win32.Monderc.gen

[Fredi]

Hey Guys,

now it hit me... Norton reports Trojan.Vundo and pretends to remove it, but it comes back after a while. Kaspersky finds Win32.Monderc.gen.

PC is slow and sometimes pops up websites with strange security warnings and security software to purchase. Norton occasionally reports an internal error when scanning. The windows explorer and the internet browser crash and restart occasionaly.

How can I get rid of that thing? Any help is greatly appreciated!

Thanks!!!

Fredi

[kps]

Please, turn off the system restore (how - see the rules).

Then AVZ - File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\Users\Thomas\Documents\Downloads\Fertig\SlySoft\AnyDVD 6.3.0.0\AnyDVD leftover killer 1.3.exe','');
 QuarantineFile('rdpclip','');
 QuarantineFile('.exe','');
 QuarantineFile('C:\Windows\system32\oudslohn.dll','');
 QuarantineFile('C:\Windows\system32\gfxkywtb.dll','');
 QuarantineFile('C:\Windows\system32\ftfytc.dll','');
 QuarantineFile('C:\Users\Thomas\AppData\Local\Temp\khfGaaXn.dll','');
 DeleteFile('C:\Users\Thomas\AppData\Local\Temp\khfGaaXn.dll');
 DeleteFile('C:\Windows\system32\ftfytc.dll');
 DeleteFile('C:\Windows\system32\gfxkywtb.dll');
 DeleteFile('C:\Windows\system32\oudslohn.dll');
 DelBHO('EDB4D6AA-7416-4365-A0F8-506CF658681C');
 DelBHO('aece0790-fbf1-4398-9115-2d3062d3524c');
RegKeyParamDel('HKEY_CURRENT_USER', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'MSServer');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.
Upload the quarantined files according to the Appendix 3 of the rules. (upload here http://virusinfo.info/upload_virus_eng.php?tid=26755 )
Make and attach new logs.

[Fredi]

I did run the script. After reboot 3 messages popped up with Error loading dlls (2 times oudslohn.dll and one time gfxkywtb.dll)
But the system came up.

I uploaded the quarantined files.

I ran the Script Healing/Quarantine and advanced... as requested and restarted afterwards.
On reboot the messages came again and the system crashes with a blue screen "registry error".
Tried several times, always this blue screen. But I can start in safe mode.

What can I do? Please help!

Have to work now for some hours, but will be back around noon (4 hours).

[kps]

Does the PC start in normal mode, if you choose "last known good configuration" in the menu where you choosed safe mode?
Did you run AVZ with the right click and then "Run as" with administrator rights?
Please make new logs according to the rules (you can do it in Safe Mode) to see what is the problem.

[Fredi]

Yes, it started in normal mode with last known good config. Now I can even reboot and the system comes up normally, except for the dll-messages.

No, I didnґt start it as administrator. I was thinking my regular profile with admin-rights should be good enough. Probably not

I'll be back with new logs shortly. Thanks!

[Fredi]

Here the new logs...

[kps]

No, I didnґt start it as administrator. I was thinking my regular profile with admin-rights should be good enough. Probably not

On Vista it is not. Thats why AVZ could not clean the registry, that lead to problems.

Turn off the system restore, how it is described in the rules.
Run AVZ with the right click - Run as with administarotor rights.
File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 DeleteFile('C:\Windows\system32\oudslohn.dll');
 DeleteFile('C:\Windows\system32\gfxkywtb.dll');
 DeleteFile('C:\Windows\system32\ftfytc.dll');
 DeleteFile('C:\Users\Thomas\AppData\Local\Temp\khfGaaXn.dll');
 DelBHO('F256DA02-11C4-4E3A-8274-08AF698A375C');
 DelBHO('aece0790-fbf1-4398-9115-2d3062d3524c');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.

Do you know this? - C:\Users\Thomas\Documents\Downloads\Fertig\SlySoft \AnyDVD 6.3.0.0\AnyDVD leftover killer 1.3.exe

Make new logs.

[Fredi]

Done, Logs are attached. Sorry for the extra work!

Not aware of having this file, I do not even see the path you specified... ???

[kps]

No problem.
About the file - it seems to be an unnecessary entry in the registry, you can clean it with the following script in AVZ (which has to be launched with admin rights)

Код:

begin
 DeleteFile('C:\Users\Thomas\Documents\Downloads\Fertig\SlySoft\AnyDVD 6.3.0.0\AnyDVD leftover killer 1.3.exe');
DelCLSID('Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E555');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.

I didnt find any malware in your new logs. Any problems left?

[Fredi]

No problems so far. Thanks man, I think I owe you a beer or two...

Say, what makes you spend your Sunday at the computer helping jerks like me to get rid of their malware???
Anyway - I am glad to know there are folks like you out there!

Thanks again!

[kps]

Yes, there are folks like me out there

We are interested in your opinion about our project, it can help us to improve our service http://virusinfo.info/showthread.php?t=19966