Trojan Vundo help!

Hello, I recently discovered trojan vundo on my computer. Norton internet security recognizes it and tells me to restart my computer to remove it but every time I start my computer, it detects it again.

 

I have run FixVundo under safe mode with System Restore turned off and my internet network turned off, and it found nothing.

 

I did install the Hijack This program after reading through some of the related threads here, but I am not clear what files to have it fix.

 

Thanks, Bob

Hi bohemianbob -

 

Here is a thread that might help resolve your issue. Kindly read the whole thing.

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=29938&query.id=489259#M29938

 

Kindly report back here and let us know if it helped you to resolve the issue.

 

Thanks. :smileyhappy:

Message Edited by Compumind on 05-31-2009 07:16 PM

Thanks Compumind. I actually have already read through that post, but the files Quads says to check off are not on my HijackThis-generated log. Many of them are similar, but I cannot take the chance.

 

bob

Hi bohemianbob -

 

Please download, install, update and run a full scan with Malwarebytes - the link is here.

 

Let us know what the result is.

 

TIA :smileyindifferent:

Bohemianbob:

 

Please do not attempt to change or delete anything on the HijackThis log. Copy and paste it from Notepad here. We have some people that are very skilled at analyzing them, but it is not a job for amateurs.

 

As per Compumind, you can download and run Malwarebytes.  Update it, disable your system restore, and disconnect from the internet.  If you are unable to install it or run it, it is a sign of a more involved problem.  Come back here for instructions should that occur.

Hi bohemianbob:

 

Hopefully, Malwarebytes will complete and it will create a text log file.

 

If the scan does not pick up the Vundo, please post the file here, so we can evaluate.

 

If Malwarebytes Quarantines the Vundo, then turn on System Restore again and reconnect to the Internet.

 

Then reboot. 

 

Thanks. :smileyindifferent:

Hi

 

Vundo has soooo many variants and file names; that is why the other post's HijackThis entries don't match what you see in your log.

 

Quads 

I ran a full scan of Malwarebytes in safe mode while disconnected from the net, and it did find infected files.

 

I followed the instructions and then did a reboot, whereupon Trojan Vundo was picked up again by Norton!

 

I re-entered safe mode and re-ran Malwarebytes and it again found the trojan. Rebooted and Norton detected it again, with the same "unable to remove, please reboot".

 

So, is my system restore corrupted? If so what now?

 

bob

Message Edited by bohemianbob on 06-01-2009 05:05 PM

Hi

 

What is the name of the file(s) Norton and Malwarebytes keep detecting?

 

You could have the Ultra Hidden Rootkit family that is going around; some variants, once in, download more malware.

 

So the Names will help.

 

Quads 

 

 

Did you turn System Restore OFF? Right click on My Computer (Computer in Vista) and select Properties. (In Vista, select Advanced System Settings.) Go to the System Protection tab and uncheck System Restore. This will delete all the restore files so the virus cannot hide there.

 

Run your scans again after this.

Below are the Malwarebytes files from the full scan:

 

Malwarebytes' Anti-Malware 1.37
Database version: 2204
Windows 5.1.2600 Service Pack 3

6/1/2009 4:28:01 PM
mbam-log-2009-06-01 (16-28-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 407665
Time elapsed: 1 hour(s), 53 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{036a0773-2e48-427c-85a6-586bd09fb8c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{036a0773-2e48-427c-85a6-586bd09fb8c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\mbjsgsl.dll (Trojan.Vundo.H) -> Delete on reboot.

 

Yes I have had System Restore turned off for all of my scans. Sorry I forgot to mention this important detail.

 

bob

Message Edited by bohemianbob on 06-01-2009 05:27 PM
Message Edited by bohemianbob on 06-01-2009 05:32 PM

OK, it's a service.

 

Let's see if it shows up in Rootrepeal.

 

Go here, http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=13889#M13889

 

I have already added your files and the service shown in the Malwarebytes log to the script. I will add whatever Rootrepeal shows as bad (it shows good ones too).

 

Quads 

 

 

Hi bohemianbob -

 

I find it very interesting that MBAM did detect the Vundo.H, but did not remove it or send it to quarantine. Weird.

 

Go with Quads suggestion first, with Rootrepeal.

 

After that let's try this -

 

Kindly download, update and run SuperAntiSpyware (free edition only) at  - http://www.superantispyware.com/

 

Again, please make sure that System Restore is disabled before running it.

 

Post your results, here. We can see what else might be hanging around.

 

TIA :smileyindifferent:

Message Edited by Compumind on 06-01-2009 09:02 PM

OK, I ticked drivers, stealth objects and hidden services:

 

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:            2009/06/01 17:38
Program Version:        Version 1.2.3.0
Windows Version:        Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB59BB000    Size: 98304    File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D4000    Size: 8192    File Visible: No
Status: -

Name: MFX.sys
Image Path: MFX.sys
Address: 0xBA128000    Size: 45824    File Visible: No
Status: -

Name: qahvmw.sys
Image Path: qahvmw.sys
Address: 0xBA0A8000    Size: 61440    File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB32D3000    Size: 45056    File Visible: No
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9DC7000    Size: 323584    File Visible: No
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: cpuesjq.dll]
Process: winlogon.exe (PID: 1016)    Address: 0x018a0000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: svchost.exe (PID: 1332)    Address: 0x02420000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: explorer.exe (PID: 2060)    Address: 0x03f70000    Size: 286720

Object: Hidden Module [Name: cpuesjq.dll]
Process: rundll32.exe (PID: 840)    Address: 0x00730000    Size: 286720
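Read together, the two logs posted above explain the failed "Delete on reboot": the DLL that Malwarebytes defers (cpuesjq.dll) is the same one RootRepeal shows as a hidden module inside winlogon.exe, svchost.exe, explorer.exe and rundll32.exe, and the Malwarebytes log also lists a Winlogon\Notify key, which is loaded by winlogon.exe at logon, before any deferred deletion runs. The Python script below is an added example, not something posted in this thread and not part of Malwarebytes or RootRepeal; it parses the detection lines from both logs (copied from the posts above and embedded so it runs offline), maps each infected registry key to the boot/logon mechanism it sits in, and correlates each deferred file with the processes it was found hidden in. The regexes, the section handling and the PERSISTENCE table are this example's own assumptions about the log formats, based only on the lines shown in this thread.

```python
import re
from collections import defaultdict

# Detection sections copied from the Malwarebytes log posted in the thread
# (summary counts and timestamps left out); constructed input for this example.
MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{036a0773-2e48-427c-85a6-586bd09fb8c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{036a0773-2e48-427c-85a6-586bd09fb8c5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gbnlwyeh.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\mbjsgsl.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# "Stealth Objects" section copied from the RootRepeal log posted in the thread.
ROOTREPEAL_LOG = """
Stealth Objects
-------------------
Object: Hidden Module [Name: cpuesjq.dll]
Process: winlogon.exe (PID: 1016)    Address: 0x018a0000    Size: 286720
Object: Hidden Module [Name: cpuesjq.dll]
Process: svchost.exe (PID: 1332)    Address: 0x02420000    Size: 286720
Object: Hidden Module [Name: cpuesjq.dll]
Process: explorer.exe (PID: 2060)    Address: 0x03f70000    Size: 286720
Object: Hidden Module [Name: cpuesjq.dll]
Process: rundll32.exe (PID: 840)    Address: 0x00730000    Size: 286720
"""

# Assumed line shapes, derived only from the log lines above.
DETECTION = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
HIDDEN = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]")
PROCESS = re.compile(r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)")

# Registry locations Windows loads at boot or logon, keyed by a path fragment.
# A DLL referenced from these is mapped before a deferred delete can run.
PERSISTENCE = {
    "\\Winlogon\\Notify\\": "Winlogon notification package (loaded into winlogon.exe)",
    "\\Browser Helper Objects\\": "Internet Explorer BHO (loaded into explorer.exe/iexplore.exe)",
    "\\Services\\": "service entry",
}

def parse_mbam(text):
    """Return one dict per detection line: section, item, threat, action."""
    out, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]  # e.g. "Files Infected"
            continue
        m = DETECTION.match(line)
        if m:
            out.append(dict(section=section, **m.groupdict()))
    return out

def parse_hidden_modules(text):
    """Return (module_name, process, pid) for each Hidden Module entry."""
    out, name = [], None
    for line in text.splitlines():
        m = HIDDEN.match(line)
        if m:
            name = m.group("name")
            continue
        m = PROCESS.match(line)
        if m and name:
            out.append((name, m.group("proc"), int(m.group("pid"))))
            name = None
    return out

def pending_files(detections):
    """Base names of files MBAM could not remove immediately (deferred to reboot)."""
    return sorted({d["item"].rsplit("\\", 1)[-1].lower() for d in detections
                   if d["section"] == "Files Infected"
                   and d["action"].lower().startswith("delete on reboot")})

def persistence_mechanisms(detections):
    """Map each infected registry key to the boot/logon mechanism it abuses."""
    found = {}
    for d in detections:
        if d["section"] != "Registry Keys Infected":
            continue
        for needle, meaning in PERSISTENCE.items():
            if needle.lower() in d["item"].lower():
                found[d["item"]] = meaning
    return found

def correlate(detections, hidden):
    """For each deferred file, list the processes RootRepeal saw it hidden in."""
    loaded = defaultdict(list)
    for name, proc, pid in hidden:
        loaded[name.lower()].append(f"{proc}:{pid}")
    return {f: loaded.get(f, []) for f in pending_files(detections)}

if __name__ == "__main__":
    dets = parse_mbam(MBAM_LOG)
    for key, meaning in persistence_mechanisms(dets).items():
        print(f"{meaning}: {key}")
    for f, procs in correlate(dets, parse_hidden_modules(ROOTREPEAL_LOG)).items():
        print(f"{f}: {'loaded in ' + ', '.join(procs) if procs else 'not seen loaded'}")
```

Run as-is it reports the Winlogon\Notify, BHO and service keys, and shows cpuesjq.dll loaded in winlogon.exe, svchost.exe, explorer.exe and rundll32.exe while gbnlwyeh.dll and mbjsgsl.dll were not seen hidden in any process. Any deferred file that is also hidden inside winlogon.exe is the one to expect back after the reboot, which is the pattern this thread is seeing.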

Sounds like Quads may be on to something. Since, like he said, Vundo has so many variations it is possible that you are infected with a very new or very uncommon version of it that for whatever reason both norton and MBAM are unable to effectively remove.

 

Just one idea, Quads. Have most of the versions of Vundo already been cataloged into virus definitions? Maybe try researching the variations of Vundo and identifying which of the files infecting bob's computer have been successfully removed in the past and which ones have not. It could be that this version of Vundo has, let's say, one extra infected file compared with another version that is easy to remove. If that is the case then you could try manually deleting said file and then seeing if Norton and/or MBAM can remove the rest of the infection that is more similar to previous versions that have been known to be easily removed. Though I am sure the actual process of doing this is more complex than the way I describe it.

Message Edited by pexley on 06-01-2009 07:47 PM

Compumind wrote:

Hi bohemianbob -

 

I find it very interesting that MBAM did detect the Vundo.H, but did not remove it or send to quarantine. Weird.

 

Go with Quads suggestion first, with Rootrepeal.

 

After that let's try this -

 

Kindly download, update and run SuperAntiSpyware (free edition only) at  - http://www.superantispyware.com/

 

Again, please make sure that System Restore is disabled before running it.

 

Post your results, here. We can see what else might be hanging around.

 

TIA :smileyindifferent:

Message Edited by Compumind on 06-01-2009 08:43 PM

Rootrepeal is only the scanner; once the script is created we have to use another program.
 
Quads 

 

Hi Quads -

 

I am very curious as to the process that you are using!

 

If Rootrepeal is the scanner, what creates the Script and how is that used?

 

What is the name of the other program that comes into play after this?

 

Just trying to understand the mechanics of what you are doing.

 

TIA :smileyhappy:

Message Edited by Compumind on 06-01-2009 08:51 PM

That's interesting 

 

Name: qahvmw.sys
Image Path: qahvmw.sys
Address: 0xBA0A8000    Size: 61440    File Visible: No
Status: -

 

Did anything show up in the "hidden services" Tab??

 

Quads 

Watch and learn.

No, I even ran RootRepeal with just the hidden services ticked and nothing showed up.

 

bob

 

Still need to download and run SuperAntiSpyware.