Trojan Vundo help!

Hello, I recently discovered Trojan Vundo on my computer. Norton Internet Security recognizes it and tells me to restart my computer to remove it, but every time I start my computer, it detects it again.

I have run FixVundo under safe mode with System Restore turned off and my internet network turned off, and it found nothing.

I did install the Hijack This program after reading through some of the related threads here, but I am not clear what files to have it fix.

Thanks, Bob

Replies


Re: Trojan Vundo help!

Hi bohemianbob -

Here is a thread that might help resolve your issue. Kindly read the whole thing.

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=29938&query.id=489259#M29938

Kindly report back here and let us know if it helped you to resolve the issue.

Thanks.

Message Edited by Compumind on 05-31-2009 07:16 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Thanks Compumind. I actually have already read through that post, but the files Quads says to check off are not on my HijackThis-generated log. Many of them are similar, but I cannot take the chance.

bob


Re: Trojan Vundo help!

Hi bohemianbob -

Please download, install, update and run a full scan with Malwarebytes - the link is here.

Let us know what the result is.

TIA

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Bohemianbob:

Please do not attempt to change or delete anything on the HijackThis log. Copy and paste it from Notepad here. We have some people that are very skilled at analyzing them, but it is not a job for amateurs.

As per Compumind, you can download and run Malwarebytes.  Update it, disable your system restore, and disconnect from the internet.  If you are unable to install it or run it, it is a sign of a more involved problem.  Come back here for instructions should that occur.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Trojan Vundo help!

Hi bohemianbob:

Hopefully, Malwarebytes will complete and it will create a text log file.

If the scan does not pick up the Vundo, please post the file here, so we can evaluate.

If Malwarebytes Quarantines the Vundo, then turn on System Restore again and reconnect to the Internet.

Then reboot. 

Thanks.

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Hi

Vundo has soooo many variants and file names; that is why the other post's HijackThis entries don't match what you see in your log.

Quads 


Re: Trojan Vundo help!

I ran a full scan of Malwarebytes in safe mode while disconnected from the net and it did find infected files.

I followed the instructions and then did a reboot, whereupon Trojan Vundo was picked up again by Norton!

I re-entered safe mode and re-ran Malwarebytes and it again found the trojan. Rebooted and Norton detected it again, with the same "unable to remove, please reboot".

So, is my system restore corrupted? If so what now?

bob

Message Edited by bohemianbob on 06-01-2009 05:05 PM

Re: Trojan Vundo help!

Hi

What is the name of the file(s) Norton and Malwarebytes keep detecting?

You could have the Ultra Hidden Rootkit family that is going around; some variants, once in, download more malware.

So the names will help.

Quads 


Re: Trojan Vundo help!

Did you turn System Restore OFF?  Right click on My Computer (Computer in Vista) and select Properties. (In Vista, select Advanced System Settings.)  Go to the System Protection tab and uncheck System Restore.  This will delete all the restore files so the virus can not hide there.

Run your scans again after this.

Win10 x64; Proud graduate of GeeksToGo

Re: Trojan Vundo help!

Below are the Malwarebytes files from the full scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2204
Windows 5.1.2600 Service Pack 3

6/1/2009 4:28:01 PM
mbam-log-2009-06-01 (16-28-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 407665
Time elapsed: 1 hour(s), 53 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{036a0773-2e48-427c-85a6-586bd09fb8c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{036a0773-2e48-427c-85a6-586bd09fb8c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\mbjsgsl.dll (Trojan.Vundo.H) -> Delete on reboot.

Yes I have had System Restore turned off for all of my scans. Sorry I forgot to mention this important detail.

bob

Message Edited by bohemianbob on 06-01-2009 05:27 PM
Message Edited by bohemianbob on 06-01-2009 05:32 PM
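The log above reports two different outcomes per item: "Quarantined and deleted successfully" means the object is gone, while "Delete on reboot" means the file was in use (the same DLLs appear under Memory Modules) and removal was only scheduled. As an added example, not from the thread and not Malwarebytes' own code, the Python script below parses a log in this format, separates the two outcomes, and pulls out the service names and CLSIDs that the registry keys point at. The embedded excerpt is constructed from the entries shown above.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the Malwarebytes log posted above (not a real log file).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.37
Database version: 2204

Memory Modules Infected:
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mbjsgsl.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# "Memory Modules Infected:" style headers; the summary lines end in a count, so they do not match.
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# "<object> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<obj>.+) \((?P<det>[^()]+)\) -> (?P<action>.+?)\.?$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)


def parse_mbam(text):
    """One dict per detection line: section, object, detection, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, "object": m.group("obj"),
                          "detection": m.group("det"), "action": m.group("action")})
    return items


def summarize(text):
    """Separate what was actually removed from what was only scheduled, and
    collect the persistence names (service keys, CLSIDs) a responder will want."""
    items = parse_mbam(text)
    pending = [i for i in items if i["action"].lower().startswith("delete on reboot")]
    services, clsids = set(), set()
    for i in items:
        m = SERVICE_RE.search(i["object"])
        if m:
            services.add(m.group(1))
        clsids.update(CLSID_RE.findall(i["object"]))
    # A DLL listed both as a loaded module and as a file is the in-use copy that
    # could not be deleted immediately, which is exactly what "Delete on reboot" means.
    in_memory = {i["object"].lower() for i in items if i["section"] == "Memory Modules"}
    on_disk = {i["object"].lower() for i in items if i["section"] == "Files"}
    return {
        "total": len(items),
        "pending": len(pending),
        "removed": len(items) - len(pending),
        "by_section": Counter(i["section"] for i in items),
        "services": services,
        "clsids": clsids,
        "loaded_modules_still_on_disk": in_memory & on_disk,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed excerpt, or point `summarize()` at the text of a saved mbam-log file. The service name it extracts (rtghwcuz) is the same one the thread goes on to chase through the Services key, and the CLSID is the Browser Helper Object that reloads the DLL into Internet Explorer.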

Re: Trojan Vundo help!

OK, it's a service.

Let's see if it shows up in Rootrepeal.

Go here: http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=13889#M13889

I have already added your files and the service shown in the Malwarebytes log to the script. I will add whatever Rootrepeal shows as bad (it does show good too).

Quads 


Re: Trojan Vundo help!

Hi bohemianbob -

I find it very interesting that MBAM did detect the Vundo.H, but did not remove it or send to quarantine. Weird.

Go with Quads suggestion first, with Rootrepeal.

After that let's try this -

Kindly download, update and run SuperAntiSpyware (free edition only) at http://www.superantispyware.com/

Again, please make sure that System Restore is disabled before running it.

Post your results, here. We can see what else might be hanging around.

TIA

Message Edited by Compumind on 06-01-2009 09:02 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

OK, I ticked drivers, stealth objects and hidden services:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:            2009/06/01 17:38
Program Version:        Version 1.2.3.0
Windows Version:        Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB59BB000    Size: 98304    File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D4000    Size: 8192    File Visible: No
Status: -

Name: MFX.sys
Image Path: MFX.sys
Address: 0xBA128000    Size: 45824    File Visible: No
Status: -

Name: qahvmw.sys
Image Path: qahvmw.sys
Address: 0xBA0A8000    Size: 61440    File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB32D3000    Size: 45056    File Visible: No
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9DC7000    Size: 323584    File Visible: No
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: cpuesjq.dll]
Process: winlogon.exe (PID: 1016)    Address: 0x018a0000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: svchost.exe (PID: 1332)    Address: 0x02420000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: explorer.exe (PID: 2060)    Address: 0x03f70000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: rundll32.exe (PID: 840)    Address: 0x00730000    Size: 286720

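What a reader wants from a RootRepeal report like this is the correlation: which hidden module is loaded in which processes, and which drivers RootRepeal could not resolve to a file on disk. As an added example, not from the thread and not RootRepeal's own code, the Python script below parses the two sections shown above and builds both lists. The embedded excerpt is constructed from the report; note that an unresolved image path on its own is not a verdict, since the Symantec SYMEFA.SYS driver belonging to the installed Norton product lands in the same bucket as qahvmw.sys, so the output is a list for review, not a list for deletion.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the RootRepeal report posted above (not a real report).
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:            2009/06/01 17:38
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB59BB000    Size: 98304    File Visible: No
Status: -

Name: qahvmw.sys
Image Path: qahvmw.sys
Address: 0xBA0A8000    Size: 61440    File Visible: No
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9DC7000    Size: 323584    File Visible: No
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: cpuesjq.dll]
Process: winlogon.exe (PID: 1016)    Address: 0x018a0000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: explorer.exe (PID: 2060)    Address: 0x03f70000    Size: 286720
"""

NAME_RE = re.compile(r"^Name: (?P<name>.+)$")
PATH_RE = re.compile(r"^Image Path: (?P<path>.+)$")
DRIVER_META_RE = re.compile(
    r"^Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+File Visible: (?P<vis>\w+)$")
HIDDEN_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>.+?)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)\s+Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)$")


def parse_rootrepeal(text):
    """Return (drivers, hidden_modules) as lists of dicts from the two sections."""
    drivers, hidden = [], []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Drivers", "Stealth Objects"):
            section, cur = line, None
            continue
        if section == "Drivers":
            if (m := NAME_RE.match(line)):
                cur = {"name": m.group("name")}
                drivers.append(cur)
            elif cur is not None and (m := PATH_RE.match(line)):
                cur["image_path"] = m.group("path")
            elif cur is not None and (m := DRIVER_META_RE.match(line)):
                cur["size"] = int(m.group("size"))
                cur["file_visible"] = m.group("vis").lower() == "yes"
        elif section == "Stealth Objects":
            if (m := HIDDEN_RE.match(line)):
                cur = {"module": m.group("name")}
                hidden.append(cur)
            elif cur is not None and (m := PROCESS_RE.match(line)):
                cur["process"] = m.group("proc")
                cur["pid"] = int(m.group("pid"))
                cur["size"] = int(m.group("size"))
    return drivers, hidden


def hidden_module_map(hidden):
    """Module name -> sorted list of processes it is hidden inside (the injection footprint)."""
    by_module = defaultdict(set)
    for h in hidden:
        if "process" in h:
            by_module[h["module"]].add(h["process"])
    return {name: sorted(procs) for name, procs in by_module.items()}


def unresolved_drivers(drivers):
    """Drivers whose Image Path is a bare filename and whose file RootRepeal could not see.
    Review list only: legitimate drivers can appear here too."""
    return sorted(d["name"] for d in drivers
                  if "\\" not in d.get("image_path", "\\") and not d.get("file_visible", True))


if __name__ == "__main__":
    drv, hid = parse_rootrepeal(SAMPLE_REPORT)
    print("hidden modules:", hidden_module_map(hid))
    print("unresolved drivers:", unresolved_drivers(drv))
```

On the full report above the same logic would show cpuesjq.dll inside winlogon.exe, svchost.exe, explorer.exe and rundll32.exe at once, which is why a reboot brings it back: every one of those processes is a fresh loader for the same DLL.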

Re: Trojan Vundo help!

Sounds like Quads may be on to something. Since, like he said, Vundo has so many variations, it is possible that you are infected with a very new or very uncommon version of it that for whatever reason both Norton and MBAM are unable to effectively remove.

Just one idea, Quads. Have most of the versions of Vundo already been cataloged into virus definitions? Maybe try researching the variations of Vundo and identifying which of the files infecting bob's computer have been successfully removed in the past and which ones have not. It could be that this version of Vundo has, let's say, one extra infected file than another version that is easy to remove. If that is the case then you could try manually deleting said file and then seeing if Norton and/or MBAM can remove the rest of the infection that is more similar to previous versions that have been known to be easily removed. Though I am sure the actual process of doing this is more complex than the way I describe it.

Message Edited by pexley on 06-01-2009 07:47 PM

Re: Trojan Vundo help!


Compumind wrote:

Hi bohemianbob -

I find it very interesting that MBAM did detect the Vundo.H, but did not remove it or send to quarantine. Weird.

Go with Quads suggestion first, with Rootrepeal.

After that let's try this -

Kindly download, update and run SuperAntiSpyware (free edition only) at  - http://www.superantispyware.com/

Again, please make sure that System Restore is disabled before running it.

Post your results, here. We can see what else might be hanging around.

TIA

Message Edited by Compumind on 06-01-2009 08:43 PM

Rootrepeal is only the scanner; once the script is created we have to use another program.

Quads 

Re: Trojan Vundo help!

Hi Quads -

I am very curious as to the process that you are using!

If Rootrepeal is the scanner, what creates the Script and how is that used?

What is the name of the other program that comes into play after this?

Just trying to understand the mechanics of what you are doing.

TIA

Message Edited by Compumind on 06-01-2009 08:51 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

That's interesting 

Name: qahvmw.sys
Image Path: qahvmw.sys
Address: 0xBA0A8000    Size: 61440    File Visible: No
Status: -

Did anything show up in the "hidden services" Tab??

Quads 


Re: Trojan Vundo help!

Watch and learn.
Win10 x64; Proud graduate of GeeksToGo

Re: Trojan Vundo help!

No, I even ran Rootrepeal with just the hidden services ticked and nothing showed up.

bob

Still need to dl and run SuperAntiSpyware.


Re: Trojan Vundo help!

Bob.......................

Do you know how to navigate the registry using regedit? If yes, go to this entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz

See under ImagePath"="System32\\drivers\\........." whether it has the name "qahvmw.sys" as the file.

Piecing the script together now.

Quads 


Re: Trojan Vundo help!

Hi

Now follow this post http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

EXCEPT for step 3, where your script (with your entries added) is below. So:

3. In the "Input script here:" box, copy and paste the script between the lines:


Drivers to disable:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
rtghwcuz

Drivers to delete:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
rtghwcuz

Files to delete:
C:\WINDOWS\system32\gbnlwyeh.dll
C:\WINDOWS\system32\cpuesjq.dll
C:\WINDOWS\system32\mbjsgsl.dl
C:\WINDOWS\system32\wJQs.exe
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\uacvymnbtboeayohhs.dll
C:\WINDOWS\system32\uacqciqunodfnlghrv.dll
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\gxvxccounter
C:\WINDOWS\System32\drivers\gaopdxserv.sys
C:\WINDOWS\system32\gaopdxl.dll
C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys
C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll
C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com
C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja

It shouldn't find all of them.

Quads 


Re: Trojan Vundo help!

I ran a scan with Superantispyware and all it seemed to find and delete were 13 tracking cookies. I rebooted as the program asked and then found Norton Antivirus to become disabled!

I followed the link to restore it and upon NAV's quick scan still have trojan vundo.

I'll now go to dl'ing Avenger and c+p the files noted above.

bob


Re: Trojan Vundo help!

You are doing great BohemianBob:

Stay with it.  You are just about to the homestretch.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Trojan Vundo help!

If you want to check that registry entry I mentioned: if it does point to that strange file seen in Rootrepeal, I will update the script again for you.

I have been looking at posts on the web for what seems to be this type of Vundo, where even Combofix "Failed to Delete". Interesting.

Quads 


Re: Trojan Vundo help!

Well, I ran Avenger with the pasted files and below are the results.

I'm not sure what's going on but this didn't seem to make a change.

bob

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open driver "UACd.sys"
Disablement of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv.sys"
Disablement of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gaopdxserv.sys"
Disablement of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "rtghwcuz"
Disablement of driver "rtghwcuz" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv.sys" not found!
Deletion of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\rtghwcuz" not found!
Deletion of driver "rtghwcuz" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "C:\WINDOWS\system32\gbnlwyeh.dll"
Deletion of file "C:\WINDOWS\system32\gbnlwyeh.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  could not open file "C:\WINDOWS\system32\cpuesjq.dll"
Deletion of file "C:\WINDOWS\system32\cpuesjq.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  file "C:\WINDOWS\system32\mbjsgsl.dl" not found!
Deletion of file "C:\WINDOWS\system32\mbjsgsl.dl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\wJQs.exe" not found!
Deletion of file "C:\WINDOWS\system32\wJQs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacinit.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacinit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacvymnbtboeayohhs.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacvymnbtboeayohhs.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacqciqunodfnlghrv.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacqciqunodfnlghrv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcserv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxccounter" not found!
Deletion of file "C:\WINDOWS\system32\gxvxccounter" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\drivers\gaopdxserv.sys" not found!
Deletion of file "C:\WINDOWS\System32\drivers\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gaopdxl.dll" not found!
Deletion of file "C:\WINDOWS\system32\gaopdxl.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll" not found!
Deletion of file "C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com" not found!
Deletion of file "C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished!  Terminate.
 

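Reading a log like this by status code is the quickest way to tell the generic entries in the script apart from what is actually on the machine: STATUS_OBJECT_NAME_NOT_FOUND means nothing by that name exists, while STATUS_ACCESS_DENIED means the object is there and something refused the delete. As an added example, not Avenger's own code and not from the thread, the Python script below pairs each failed operation with its status line and buckets the results accordingly; it handles only failure records in the format shown above, and the embedded excerpt is constructed from that log.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the Avenger log posted above (not a real log file).
SAMPLE_LOG = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46

Error:  could not open driver "UACd.sys"
Disablement of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\rtghwcuz" not found!
Deletion of driver "rtghwcuz" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error:  could not open file "C:\WINDOWS\system32\gbnlwyeh.dll"
Deletion of file "C:\WINDOWS\system32\gbnlwyeh.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error:  could not open file "C:\WINDOWS\system32\cpuesjq.dll"
Deletion of file "C:\WINDOWS\system32\cpuesjq.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error:  file "C:\WINDOWS\system32\mbjsgsl.dl" not found!
Deletion of file "C:\WINDOWS\system32\mbjsgsl.dl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error:  could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.
"""

# NTSTATUS names as Avenger prints them, mapped to what they tell a responder.
STATUS_MEANING = {
    "STATUS_OBJECT_NAME_NOT_FOUND": "absent",        # 0xC0000034: nothing by that name on this machine
    "STATUS_ACCESS_DENIED": "present_but_locked",    # 0xC0000022: it exists, but the open-for-delete was refused
}

FAILED_RE = re.compile(r'^(?P<op>\w+) of (?P<kind>driver|file|registry key) "(?P<target>.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]+) \((?P<name>[A-Z_]+)\)$")


def parse_avenger(text):
    """Pair each '<op> of <kind> "<target>" failed!' line with the Status line after it."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["code"] = m.group("code").lower()
            pending["status"] = m.group("name")
            records.append(pending)
            pending = None
    return records


def triage(text):
    """Bucket failed operations by what the status code implies."""
    buckets = defaultdict(list)
    for r in parse_avenger(text):
        buckets[STATUS_MEANING.get(r["status"], "other")].append((r["kind"], r["target"]))
    return dict(buckets)


def live_artifacts(text):
    """Targets the tool could reach but not remove: these exist and are being protected."""
    return [target for _, target in triage(text).get("present_but_locked", [])]


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket)
        for kind, target in entries:
            print(f"  {kind}: {target}")
```

Applied to the full log above, the "present_but_locked" bucket is just the two system32 DLLs and the Winlogon\Notify key, which matches what Malwarebytes flagged as "Delete on reboot" and RootRepeal showed as hidden modules; everything else in the script was never on this machine.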

Re: Trojan Vundo help!

Hi -

I am noting what is transpiring here and find it to be rather fascinating.

Just wanted all to know.

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Hi Quads -

Would SAS alone resolve this?

Message Edited by Compumind on 06-01-2009 10:37 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Heh, while I'm having a "this could only happen to me" moment.

I'm half tempted, since my hard drive is approaching the 5 year mark and I have most everything backed up virus free, to just start over with a new HD.

bob


Re: Trojan Vundo help!

Actually BohemianBob, it is beginning to happen to more and more people.  If you can bear with it a while longer you will be helping to provide answers for more people.  Several machines have already been cleaned through this process.
Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Trojan Vundo help!

Hi bohemianbob -

Yes, it's true. Quads is *really* good at this.

If this complex process could be documented and made safer to use, it would be a very good thing.

Hang tight.

Thanks

Message Edited by Compumind on 06-01-2009 11:24 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Yeah, I hear you guys and I do want this process to work especially after it appears that my pc has something more than the basic trojan vundo...

This is why I'm ok with the full posting of my log reports just in case doing so might help someone else, or the anti-virus community.

bob


Re: Trojan Vundo help!

Hi bohemianbob -

It is *good* though that you have your Programs and Data backed up just in case you wish to reload.

Many users don't (sadly) and suffer from the lack of disaster preparedness.

Perhaps you won't need to do it.

Let's wait and see.

Message Edited by Compumind on 06-01-2009 11:31 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Trojan Vundo help!

Hi

I am thinking,

Did you happen to find the registry entry, to see what file it points to?

As that .sys file q.............sys showing up is strange.

Do you have Spybot S&D installed?

Quads 


Re: Trojan Vundo help!

I guess the only problem to starting over with a new HD would be if I end up having a corrupted System Restore. Though I understand even that can be rendered virus free.

bob

Quads, yes I do have Spybot installed and it was the first thing I ran after NAV detected Vundo.

Message Edited by bohemianbob on 06-01-2009 08:37 PM

Re: Trojan Vundo help!

With or without TeaTimer enabled, did you find the registry entry I stated, to see what file it points to?

Quads 


Re: Trojan Vundo help!

(Quote from Quads

I am thinking,

Did you happen to find the registry entry to see what file it points to?)

______________________________________________________________

I'm not sure what file you're referring to Quads. 

bob

Yes, TeaTimer is enabled

Message Edited by bohemianbob on 06-01-2009 08:51 PM

Re: Trojan Vundo help!

Hi

1. TeaTimer can stop files being deleted. Uninstall Spybot S&D and TeaTimer.

2. This is the post I am referring to:


"Do you know how to navigate the registry using regedit? If yes, go to this entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz

See under ImagePath"="System32\\drivers\\........." whether it has the name "qahvmw.sys" as the file.


3. Go to http://homepages.slingshot.co.nz/~crutches/DDS/ and download DDS.pif. Then disable Auto-Protect and Sonar, as the file can be detected when run. It will produce a detailed log. You only need to post back the log up to the end of Find3M, nothing below.

Quads 

  


Re: Trojan Vundo help!

I ran DDS.pif and have the files posted below.

The only problem is that I do not know where to find and disable "Auto-protect" and "Sonar", so this DDS-generated file was run with these features presumably on.

==================== Find3M  ====================

2009-05-29 14:35    155,995    a-------    c:\windows\java\packages\2G5VPVB1.ZIP
2009-05-29 14:35    2,232    a-------    c:\windows\java\packages\data\L7VV93PV.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\M9NX713F.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\M1JJ1ZTV.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\K4UFNZ35.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\1BV7ZX79.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\LFVBDF9F.DAT
2009-05-05 19:18    107,888    a-------    c:\windows\system32\CmdLineExt.dll
2009-04-26 19:07    20    ----h---    c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-04-22 00:20    14,311,680    a-------    c:\windows\system32\xlive.dll
2009-04-22 00:20    13,642,496    a-------    c:\windows\system32\xlivefnt.dll
2009-03-21 10:20    60,808    a-------    c:\windows\system32\S32EVNT1.DLL
2009-03-21 07:06    989,696    --------    c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19    410,984    a-------    c:\windows\system32\deploytk.dll
2009-03-08 14:09    638,816    a-------    c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09    391,536    a-------    c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41    5,937,152    a-------    c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39    11,063,808    a-------    c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\wininet.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34    1,206,784    a-------    c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34    236,544    a-------    c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\licmgr10.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34    105,984    a-------    c:\windows\system32\dllcache\url.dll
2009-03-08 04:34    193,536    a-------    c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34    109,568    a-------    c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33    759,296    a-------    c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33    18,944    a-------    c:\windows\system32\corpol.dll
2009-03-08 04:33    18,944    --------    c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33    25,600    a-------    c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33    726,528    a-------    c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33    229,376    a-------    c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\vbscript.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33    125,952    a-------    c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\admparse.dll
2009-03-08 04:32    173,056    a-------    c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32    163,840    a-------    c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\iesetup.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32    55,808    a-------    c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32    128,512    a-------    c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32    94,720    a-------    c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32    594,432    a-------    c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32    1,985,024    a-------    c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32    611,840    a-------    c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24    68,608    a-------    c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\msls31.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11    445,952    a-------    c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 07:22    284,160    a-------    c:\windows\system32\pdh.dll
2009-03-06 07:22    284,160    --------    c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59    1,900,544    a-------    c:\windows\system32\usbaaplrc.dll
2006-11-05 22:11    22    ac-sh---    c:\windows\sminst\HPCD.sys

============= FINISH:  5:05:22.92 ===============

Now I'll regedit over to the file you want to see.

EDIT: The file HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz does not exist in my registry. I have an "RSVP" and an "rtl8139", but the file you're looking for isn't there.

Overnight I also re-ran Malwarebytes and it appears that the infected files found list is growing shorter though Trojan Vundo still reappears upon reboot.

Here's the current Malwarebytes list:

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/2/2009 4:45:25 AM
mbam-log-2009-06-02 (04-45-25).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 408369
Time elapsed: 1 hour(s), 54 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.
 

bob

Message Edited by bohemianbob on 06-02-2009 05:24 AM
Message Edited by bohemianbob on 06-02-2009 05:26 AM

Re: Trojan Vundo help!

Bohemianbob:

If you open your Norton main screen, go to the computer pane and then settings. You may have to scroll down to find the Real Time Protection settings. There you can turn the auto-protect slider to off and the sonar advanced protection to off. Norton will probably flash a warning that you are unprotected.

Quads will advise if he requires another log, or you could run another in case.

Best wishes

Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)

Re: Trojan Vundo help!

Hi bohemianbob -

Important point:

Please don't forget to turn Sonar and Auto-Protect back *on* again after your log is complete!

Hang in there!

Compumind (NIS 2009, XP-SP3, Vista-SP2, IE 8)

Re: Trojan Vundo help!

Hi Bohemianbob

You missed the first sections of the log up to Find3M, oh well.

You will notice some of the files and registry entries are now gone in the new MBAM log. No memory entries.

You might want to copy the steps below into Notepad and save them.


1. Go here http://homepages.slingshot.co.nz/~crutches/Vundofix/ and download Vundofix to your desktop (don't run yet)

2. Update Malwarebytes definitions (see the Update tab). Don't scan with Malwarebytes yet.

3. Update SuperAntispyware Free's definitions. Don't scan yet.

4. Restart the PC in Safe Mode.

5. Run Vundofix and log the results.

6. Full scan with Malwarebytes (it may need a restart, but go back into Safe Mode).

7. Full scan with SuperAntispyware.

8. Restart the PC back into Normal Mode and run Malwarebytes.


Post back the logs.

I have been reading that, for some people, the Tea Timer blocks Avenger from deleting.

Quads 


Re: Trojan Vundo help!

OK, I misunderstood you about the DDS log. Here is the full DDS log with NAV SONAR and Auto-Protect turned off. (I'll turn them back on.)

I'm next going to run in sequence your suggestions, after updating them all.


DDS (Ver_09-05-14.01) - NTFSx86 
Run by HP_ADMINISTER at 16:25:06.75 on Tue 06/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3518.2765 [GMT -7:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated)   {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_ADMINISTER\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {35e35e0b-6cae-4c45-9a5e-87e6d03c2201} - c:\windows\system32\cpuesjq.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdMgr.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ccApp] -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232426499156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: qwcrztja - cpuesjq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~3\applic~1\mozilla\firefox\profiles\hack35i3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.freerepublic.com/tag/*/index
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R0 hbkefdky;hbkefdky;c:\windows\system32\drivers\hbkefdky.sys [2004-8-9 23424]
R0 MFX;MFX; [x]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-21 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-21 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-21 482352]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-8 55152]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-5-5 10384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-21 115560]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-29 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090602.007\NAVENG.SYS [2009-6-2 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090602.007\NAVEX15.SYS [2009-6-2 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S0 MF1;MF1; [x]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090513.001\IDSXpx86.sys [2009-5-19 276344]
S2 gupdate1c98680866756a8;Google Update Service (gupdate1c98680866756a8);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

Forum says my post is exceeding 20k characters so I'll post the rest next.


Re: Trojan Vundo help!

The rest:

=============== Created Last 30 ================

2009-06-01 18:11    <DIR>    --d-----    c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-01 18:11    <DIR>    --d-----    c:\program files\SUPERAntiSpyware
2009-06-01 18:11    <DIR>    --d-----    c:\docume~1\hp_adm~3\applic~1\SUPERAntiSpyware.com
2009-06-01 18:10    <DIR>    --d-----    c:\program files\common files\Wise Installation Wizard
2009-06-01 17:21    <DIR>    --d-----    c:\docume~1\hp_adm~3\applic~1\mhwvhrtq
2009-05-31 17:14    <DIR>    --d-----    c:\docume~1\hp_adm~3\applic~1\Malwarebytes
2009-05-31 17:14    40,160    a-------    c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-31 17:14    19,096    a-------    c:\windows\system32\drivers\mbam.sys
2009-05-31 17:14    <DIR>    --d-----    c:\program files\Malwarebytes' Anti-Malware
2009-05-31 17:14    <DIR>    --d-----    c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-31 15:39    <DIR>    --d-----    c:\program files\Trend Micro
2009-05-29 14:48    <DIR>    --d-----    c:\documents and settings\hp_administer\Tracing
2009-05-29 14:43    <DIR>    --dsh---    c:\documents and settings\hp_administer\IECompatCache
2009-05-29 14:42    <DIR>    --dsh---    c:\documents and settings\hp_administer\PrivacIE
2009-05-29 14:41    237,936    a-------    c:\windows\system32\unicows.dll
2009-05-29 14:36    <DIR>    --d-----    c:\windows\VerizonOnline
2009-05-29 14:36    49,210    --------    c:\windows\system32\vzServices.dll
2009-05-29 14:35    <DIR>    --d-----    c:\program files\common files\Verizon Online
2009-05-29 14:03    <DIR>    --d-----    c:\docume~1\hp_adm~3\applic~1\MSNInstaller
2009-05-29 12:25    0    a-------    c:\docume~1\hp_adm~3\applic~1\wklnhst.dat
2009-05-29 10:18    <DIR>    --dsh---    c:\documents and settings\hp_administer\IETldCache
2009-05-29 10:18    <DIR>    --d-----    c:\docume~1\hp_adm~3\applic~1\Symantec
2009-05-29 10:18    <DIR>    --d-----    c:\docume~1\hp_adm~3\applic~1\Intuit
2009-05-29 10:18    <DIR>    --d-----    c:\documents and settings\HP_ADMINISTER
2009-05-29 10:14    <DIR>    --d-h---    c:\windows\system32\GroupPolicy
2009-05-29 07:00    664    a-------    c:\windows\system32\d3d9caps.dat
2009-05-08 20:53    <DIR>    --d-----    c:\windows\ie8updates
2009-05-08 20:53    102,400    --------    c:\windows\system32\dllcache\iecompat.dll
2009-05-08 20:51    <DIR>    -cd-h---    c:\windows\ie8
2009-05-08 19:02    55,152    a-------    c:\windows\system32\drivers\fssfltr_tdi.sys
2009-05-08 18:59    <DIR>    --d-----    c:\program files\Microsoft
2009-05-08 18:59    <DIR>    --d-----    c:\program files\Windows Live SkyDrive
2009-05-08 18:41    <DIR>    --d-----    c:\program files\common files\Windows Live
2009-05-08 05:34    <DIR>    --d-----    c:\program files\Microsoft Games for Windows - LIVE
2009-05-05 21:46    <DIR>    --d-----    c:\windows\system32\xlive
2009-05-05 18:56    10,384    a-------    c:\windows\system32\drivers\LBeepKE.sys
2009-05-05 18:56    0    a---h---    c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-05-05 18:56    0    a---h---    c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-05-05 18:56    0    a---h---    c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-05-05 18:54    301,656    a-------    c:\windows\system32\BtCoreIf.dll
2009-05-05 18:54    170,512    a-------    c:\windows\system32\kemutb.dll
2009-05-05 18:54    145,936    a-------    c:\windows\system32\KemUtil.dll
2009-05-05 18:54    117,264    a-------    c:\windows\system32\KemWnd.dll
2009-05-05 18:54    84,496    a-------    c:\windows\system32\KemXML.dll
2009-05-05 18:43    21,504    a-------    c:\windows\system32\hidserv.dll
2009-05-05 18:43    21,504    a-------    c:\windows\system32\dllcache\hidserv.dll
2009-05-05 18:43    14,592    a-------    c:\windows\system32\drivers\kbdhid.sys
2009-05-05 18:43    14,592    a-------    c:\windows\system32\dllcache\kbdhid.sys

==================== Find3M  ====================

2009-05-29 14:35    155,995    a-------    c:\windows\java\packages\2G5VPVB1.ZIP
2009-05-29 14:35    2,232    a-------    c:\windows\java\packages\data\L7VV93PV.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\M9NX713F.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\M1JJ1ZTV.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\K4UFNZ35.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\1BV7ZX79.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\LFVBDF9F.DAT
2009-05-05 19:18    107,888    a-------    c:\windows\system32\CmdLineExt.dll
2009-04-26 19:07    20    ----h---    c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-04-22 00:20    14,311,680    a-------    c:\windows\system32\xlive.dll
2009-04-22 00:20    13,642,496    a-------    c:\windows\system32\xlivefnt.dll
2009-03-21 10:20    60,808    a-------    c:\windows\system32\S32EVNT1.DLL
2009-03-21 07:06    989,696    --------    c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19    410,984    a-------    c:\windows\system32\deploytk.dll
2009-03-08 14:09    638,816    a-------    c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09    391,536    a-------    c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41    5,937,152    a-------    c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39    11,063,808    a-------    c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\wininet.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34    1,206,784    a-------    c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34    236,544    a-------    c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\licmgr10.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34    105,984    a-------    c:\windows\system32\dllcache\url.dll
2009-03-08 04:34    193,536    a-------    c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34    109,568    a-------    c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33    759,296    a-------    c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33    18,944    a-------    c:\windows\system32\corpol.dll
2009-03-08 04:33    18,944    --------    c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33    25,600    a-------    c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33    726,528    a-------    c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33    229,376    a-------    c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\vbscript.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33    125,952    a-------    c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\admparse.dll
2009-03-08 04:32    173,056    a-------    c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32    163,840    a-------    c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\iesetup.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32    55,808    a-------    c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32    128,512    a-------    c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32    94,720    a-------    c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32    594,432    a-------    c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32    1,985,024    a-------    c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32    611,840    a-------    c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24    68,608    a-------    c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\msls31.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11    445,952    a-------    c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 07:22    284,160    a-------    c:\windows\system32\pdh.dll
2009-03-06 07:22    284,160    --------    c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59    1,900,544    a-------    c:\windows\system32\usbaaplrc.dll
2006-11-05 22:11    22    ac-sh---    c:\windows\sminst\HPCD.sys

============= FINISH: 16:25:47.98 ===============

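The MBAM log and the DDS log above both point at the same thing: one DLL, c:\windows\system32\cpuesjq.dll, wired into two autostart locations, a BHO with a blank display name and a Winlogon Notify package (qwcrztja) that names the DLL without a path. That correlation is the most reliable signal in either log. The script below is an added example, not part of the thread and not a feature of DDS, MBAM or HijackThis: it parses lines in the DDS "Pseudo HJT Report" format, groups entries by DLL basename, and flags a DLL that is registered in more than one location. The sample lines are constructed from entries in the posted log, and the severity labels are the example's own heuristics.

```python
"""Triage DDS 'Pseudo HJT Report' lines for one DLL registered in several
autostart locations. Added example; not a DDS, MBAM or HijackThis tool."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the DDS pseudo-HJT line format. The BHO, Notify and
# file names are copied from the log posted in the thread.
SAMPLE_LOG = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {35e35e0b-6cae-4c45-9a5e-87e6d03c2201} - c:\windows\system32\cpuesjq.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: qwcrztja - cpuesjq.dll
mRun: [ccApp] -
"""

# "BHO: <name>: {CLSID} - <path>"; the name may be blank ("BHO: : {...}").
BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>[^{]*?)\s*:?\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+)$"
)
# "Notify: <package> - <dll>"; the dll may be a bare file name.
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s*-\s*(?P<path>.+)$")


class Entry(NamedTuple):
    location: str  # "BHO" or "Notify"
    name: str      # display name or Notify package name, "" when blank
    path: str      # DLL path exactly as logged


class Finding(NamedTuple):
    severity: str  # heuristic label used by this example: high / medium / info
    entry: Entry
    reason: str


def parse_entries(log_text: str) -> List[Entry]:
    """Extract BHO and Winlogon Notify entries; other line types are ignored."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append(Entry("BHO", m.group("name").strip(), m.group("path").strip()))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(Entry("Notify", m.group("name"), m.group("path").strip()))
    return entries


def basename(path: str) -> str:
    """Lower-cased file name, so 'c:\\windows\\system32\\X.dll' and 'x.dll' match."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_locations(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each DLL basename to the autostart locations that reference it."""
    by_dll: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.path.lower() == "no file":  # orphaned CLSID, nothing to load
            continue
        by_dll[basename(e.path)].append(e.location)
    return dict(by_dll)


def triage(log_text: str) -> List[Finding]:
    """Flag shared DLLs, blank BHO names, path-less Notify DLLs and orphans."""
    entries = parse_entries(log_text)
    shared = {dll for dll, locs in dll_locations(entries).items() if len(locs) > 1}
    findings: List[Finding] = []
    for e in entries:
        if e.path.lower() == "no file":
            findings.append(Finding("info", e, "CLSID registered but DLL is missing (orphan)"))
            continue
        if basename(e.path) in shared:
            findings.append(Finding("high", e, "same DLL registered in more than one autostart location"))
        if e.location == "BHO" and not e.name:
            findings.append(Finding("medium", e, "BHO has no display name"))
        if e.location == "Notify" and "\\" not in e.path:
            findings.append(Finding("medium", e, "Notify DLL given without a directory; winlogon resolves it via the DLL search path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry.location} {f.entry.name or '<blank>'} -> {f.entry.path}: {f.reason}")
```

On the constructed sample, the two "high" findings are the BHO and the Notify entry that both load cpuesjq.dll, which is the pair MBAM marked "Delete on reboot"; the orphaned {5C255C8A-...} BHO is reported as informational only, since "No File" means nothing is loaded from it.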

Re: Trojan Vundo help!

Update.

The Vundo fix version 7.0.6 has completed its scan and found NO infected files. However, upon starting the Malwarebytes full scan, it has already found 4 infected files.

System Restore off

disconnected from the net

and running in Safe Mode


Re: Trojan Vundo help!

I am watching and continually thinking, especially about how TeaTimer blocks programs like SDFix, Avenger, Malwarebytes, ComboFix...

Quads 


Re: Trojan Vundo help!

I uninstalled Spybot yesterday upon your noting that TeaTimer will possibly interfere with the removal of Vundo.

bob


Re: Trojan Vundo help!

Hi bohemianbob -

Wow. Too many variables in play here!

Perhaps you should start staging that new HD while this issue is being worked on, IMHO.

It would be nice to see if Quads could find the problem, though...

Compumind (NIS 2009, XP-SP3, Vista-SP2, IE 8)

Re: Trojan Vundo help!

Hi Compumind,

I actually think this removal is proceeding in a logical and straightforward manner with only a few miscommunications on my part. 

Everything has worked in the sense that programs were run and data gathered. 

I'm a little disappointed at the Vundo fix not turning up something, but time will tell. And I do have the use of my older pc, which I'm using right now.

bob


Re: Trojan Vundo help!

Hi

Vundofix might be too old; it hasn't been updated for a while.

I am thinking my way through things, and now Spybot's Tea Timer is gone as well. I have seen files in the DDS log that correspond and would show in HijackThis too.

I am also reading other people's removals, whether they succeeded or not.

Quads 


Re: Trojan Vundo help!

Have Malwarebytes and SuperAntispyware Free finished?

Quads 
