Vundo question

[StephenS]

Hello, I recently downloaded MB to get rid of popup windows that were occurring on a client's machine. I have to say it really did a good job since it detected what other products could NOT find. For the most part, it took care of the nasty Vundo.H trojan that it found.

There is one registry key that will NOT go away however. What I find unusual is that it is not in the same registry location that Vundo.H usually puts it. As I have browsed around different forums, I have that most Vundo victims have two registry keys that will not go away. They are the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System

If I found it in these keys, I would be a little less perplexed than I am now, but of course the trojan decided to throw me a curve.

Instead, I have just one key that will re-appear when I loff off and log back on. I don't even have to reboot to get it to show up. I have two different accounts that I have used to run the MB program in. When I run MB in one account, it comes up with nothing found. However, when I run it under another account, I get a notification that there is one key remaining. Of course I have removed it with MB as well as manually deleted it, but it just comes right back.

Anyhow, the offending key is this: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System" As you can see, it's a little different than the preceding keys that other users have reported problems with. Everything except the first value is the same though. This is also why I just have to log off and log back on for it to return since it's based on the user that is logged in.

Anyhow, any ideas why it would show in this location and not in the Local Machine key like it usually does? I'd like to get rid of this of course, but I wonder if this is another variant other than what the other people have been infected with. As I stated before, all other tests come out clean when logged in as a different user and the machine doesn't show ANY symptoms of being infected. It's just this one key decides to stick around after logging in again as this one user.

[AdvancedSetup]

Please open a NEW post in the HJT forum.

Hello and Welcome to Malwarebytes.org

If you're having Malware related issues with your computer that you're unable to resolve.

1. Please read and follow the instructions provided here: I'm infected - What do I do now?
2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
   
3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
   

• Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  
• Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  
• Using these other tools often makes the cleanup task more difficult and time consuming.
  
• If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  
• Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  
• There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review
  

• NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.