shieldguy (United Kingdom) asked:

Unable to remove Vundo Spyware / Adware

I have spyware on my computer which I am unable to get rid of. When I ran spyware software it shows me that I have many spyware items with the name Vundo. When I am using the internet it opens many links, like it opens popup messages for Antivirus 2009 or Antivirus 360. I did manage to remove it with the help of some software but don't know how it came back again on my PC.

Thanks
Mohamed Osama:

For starters, try Malwarebytes Anti-Malware (MBAM): http://www.malwarebytes.org/mbam.php

Install, update online & run a full scan (preferably in safe mode).

Once the scan is complete, please run a scan using HijackThis & choose to save the log file, then please post the log file here as a code snippet.


http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download



shieldguy (asker):

I did run it, but at the end it says that it needs to restart the system to delete one file. When I did restart, the system didn't find the file; I guess that is because Vundo can rename itself.

Why do you need the HijackThis log?

Thanks
To save yourself the headache, you should run a repair on your system or do a complete reload, unless of course you have access to another PC. Then I would slave the drive or put it in a drive bay and run a scan from a PC that the virus isn't on. That should remove the majority of the viruses.

You may also get some requests to download and run VundoFix, or a plethora of other fixes, and I'm sure they would work; they would just be more time intensive.
I don't have a complete reload on my PC, and I also don't have any other PC, but my PC has 4 partitions and I think the virus or spyware is on the C drive only?
I have never had a problem removing spyware before; I just don't know what makes this Vundo so special. Spyware Doctor works for me most of the time, but it can't remove the Vundo virus.
I had tried VundoFix but it never detected any Vundo.

Any suggestions?

Thanks
Vundo is more than likely on your C drive, and it can't be removed because it's in use in a system folder and can't be removed while you are using the system. That's why it has to reboot to remove it.

Some spyware and viruses recreate or change themselves upon reboot. In order to really get rid of them you need to stop them from starting, which would mean removing the registry key, which HijackThis can do, and maybe even reconfiguring your startup using MSConfig. Another thing you can try is pulling the plug after removing Vundo. Run the removal program; when it says it needs to reboot to remove, just pull the plug. Reboot and re-run the scan and see if that helps at all.

Another easy way to do it would be to download and burn a live CD that would allow you to go in and remove the Vundo file manually. You can download Knoppix and give that a shot.

Let me know if any of this helps.
>>Why do you need the HijackThis log?
HJT is a diagnostic tool that can provide valuable information on what type of infection we are dealing with here.
Vundo has hundreds of variants floating around; also, it is usually associated with other malware, as a backup routine of some sort.
Vundo is nothing special, it just needs to be removed properly & all at once to ensure it is gone for good.
Hope this clarifies.
ASKER CERTIFIED SOLUTION by David-Howard (solution text available to members only)
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 20:53:24, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
G:\Backup Software\Anti Spyware & Adware\Spyware to remove vundo\hijackthis.exe
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {57c0042b-39f4-41aa-80c0-8338d5391c33} - C:\WINDOWS\system32\tadebava.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nuzohineji] Rundll32.exe "C:\WINDOWS\system32\bugusira.dll",s
O4 - HKLM\..\Run: [CPM3bb7e994] Rundll32.exe "c:\windows\system32\fulefoze.dll",a
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKCU\..\Run: [SpySweeper] "K:\SpySweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\zemavuda.dll C:\WINDOWS\system32\yozekute.dll C:\WINDOWS\system32\zewobihu.dll  c:\windows\system32\fulefoze.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fulefoze.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


After you have downloaded, installed & scanned using Malwarebytes Anti-Malware (in safe mode),
I would suggest removing the entries below in HijackThis (if they still exist):

O2 - BHO: (no name) - {57c0042b-39f4-41aa-80c0-8338d5391c33} - C:\WINDOWS\system32\tadebava.dll (file missing)
O4 - HKLM\..\Run: [nuzohineji] Rundll32.exe "C:\WINDOWS\system32\bugusira.dll",s
O4 - HKLM\..\Run: [CPM3bb7e994] Rundll32.exe "c:\windows\system32\fulefoze.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\zemavuda.dll C:\WINDOWS\system32\yozekute.dll C:\WINDOWS\system32\zewobihu.dll c:\windows\system32\fulefoze.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fulefoze.dll
Once done, in safe mode, locate the files below & delete them either from Windows Explorer or preferably through the command line (CMD):

del c:\windows\system32\fulefoze.dll
del C:\WINDOWS\system32\zewobihu.dll
del C:\WINDOWS\system32\zemavuda.dll
del C:\WINDOWS\system32\yozekute.dll
del C:\WINDOWS\system32\bugusira.dll

Finally, in order to ensure that you have killed the startup of the trojan, which is the only thing keeping it on your system, I would suggest you get a program like Autoruns, then delete all remaining startup entries for the aforementioned items.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Good luck & please keep us updated.
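As an added example (not code from this thread, from HijackThis or from any of the posters), the triage a responder does by eye on the log above can be scripted: parse each HJT entry line, collect every .dll/.exe path referenced from a persistence entry, and report which mechanisms load each module. A DLL wired into a Run key, AppInit_DLLs and SSODL at once, like fulefoze.dll above, then stands out from the one-entry programs around it. The sample lines are a subset of the posted log; the scoring rules (several mechanisms, AppInit_DLLs injection, a DLL started via Rundll32 from a Run key, a registration whose file is gone) are this example's own heuristics, not HijackThis rules.

```python
"""Triage a HijackThis log by persistence mechanism.

Added example for this thread (not part of HijackThis or of any post above).
It collects every .dll/.exe referenced from an HJT entry and reports which
persistence mechanisms load each module, so a DLL wired into several
autostart points at once stands out from the one-entry programs around it.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {57c0042b-39f4-41aa-80c0-8338d5391c33} - C:\WINDOWS\system32\tadebava.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nuzohineji] Rundll32.exe "C:\WINDOWS\system32\bugusira.dll",s
O4 - HKLM\..\Run: [CPM3bb7e994] Rundll32.exe "c:\windows\system32\fulefoze.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\zemavuda.dll C:\WINDOWS\system32\yozekute.dll C:\WINDOWS\system32\zewobihu.dll  c:\windows\system32\fulefoze.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fulefoze.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O20 - AppInit_DLLs: ..." -> mechanism "AppInit_DLLs"; "O4 - HKLM\..\Run: ..." -> "HKLM\..\Run"
ENTRY_RE = re.compile(r"^[A-Z]\d+ - (?P<mech>[^:]+):")
# A Windows path ending in .dll/.exe. Non-greedy, so the space-separated
# AppInit_DLLs list splits into four paths while "C:\Program Files\..." stays whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)


def parse_hjt(log_text):
    """Map each referenced module (lower-cased path) to the mechanisms that load it."""
    modules = defaultdict(lambda: {"mechs": set(), "missing": False, "lines": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the "Running processes" list carry no mechanism
        mech = m.group("mech").strip()
        for path in PATH_RE.findall(line):
            info = modules[path.lower()]
            info["mechs"].add(mech)
            info["lines"].append(line)
            if "(file missing)" in line:
                info["missing"] = True
    return dict(modules)


def triage(modules):
    """Return [(path, [reason, ...])] for modules worth a second look, most suspicious first.

    The heuristics are this example's own, not HijackThis rules: a module
    loaded from several autostart points, a DLL injected via AppInit_DLLs,
    a DLL started through Rundll32 from a Run key, or a registration whose
    file is gone (an orphaned entry that still needs cleaning up).
    """
    findings = []
    for path, info in modules.items():
        reasons = []
        if len(info["mechs"]) > 1:
            reasons.append("loaded by %d mechanisms: %s"
                           % (len(info["mechs"]), ", ".join(sorted(info["mechs"]))))
        if "AppInit_DLLs" in info["mechs"]:
            reasons.append("AppInit_DLLs: injected into every process that loads user32.dll")
        if path.endswith(".dll") and any("rundll32" in l.lower() for l in info["lines"]):
            reasons.append("DLL launched via Rundll32 from a Run key")
        if info["missing"]:
            reasons.append("registered but file missing: remove the orphaned registration")
        if reasons:
            findings.append((path, reasons))
    # Most reasons first; path order breaks ties so the report is stable
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    # Pass a saved HijackThis log as the first argument, or run on the sample
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, reasons in triage(parse_hjt(text)):
        print(path)
        for r in reasons:
            print("    -", r)
```

On the sample, fulefoze.dll is reported first with three reasons, the other four DLLs from the Run key and AppInit_DLLs follow with one each, tadebava.dll is reported as an orphaned BHO registration, and the Symantec, iTunes, WgaLogon and WPDShServiceObj entries are not flagged at all. The script only reads a saved log; removing the entries and deleting the files is still done as described in the post above.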


David-Howard:
HiJackThis.de does not show any malicious entries.
However, there are a few that can be removed.
Entry:
O2 - BHO: (no name) - {57c0042b-39f4-41aa-80c0-8338d5391c33} - C:\WINDOWS\system32\tadebava.dll (file missing)
Entry:
O4 - HKLM\..\Run: [nuzohineji] Rundll32.exe "C:\WINDOWS\system32\bugusira.dll",s
Entry:
O4 - HKLM\..\Run: [CPM3bb7e994] Rundll32.exe "c:\windows\system32\fulefoze.dll",a
Entry:
O20 - AppInit_DLLs: C:\WINDOWS\system32\zemavuda.dll C:\WINDOWS\system32\yozekute.dll C:\WINDOWS\system32\zewobihu.dll c:\windows\system32\fulefoze.dll
(The above entry has a file (fulefoze.dll) that may be associated with the Vundo Trojan.)
Entry:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
Entry: (The entry listed below is the last line in your log file.)

Please uncheck the entries listed above, reboot and test.
If you do have Vundo on your system, Malwarebytes run in Safe Mode should correct the problem.
Didn't mean to duplicate the post prior to mine. We posted within minutes of one another.
I second David-Howard's suggestion of using ComboFix, as it works very well with Vundo infections. We do need to see the log file because it's common to still have some bad files that need to be removed using its script function.
Was it the latest version of VundoFix that you used? Version 7, I think.