Trojan Vundo help!

Bob.......................

Do you know how to navigate the registry using regedit?  If yes, go to this entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz

See under ImagePath"="System32\\drivers\\........."   whether it has the name "qahvmw.sys" as the file.

Piecing the script together now.

Quads
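To do the check Quads describes without clicking through regedit by hand, here is an added example (my code, not Quads' or the forum's) that parses a text export of the Services key, as written by regedit's File > Export or by `reg export`, and reports the driver file each ImagePath points to. The export below is constructed to mirror the thread (a service named rtghwcuz whose ImagePath names qahvmw.sys) next to an ordinary network driver; it is not taken from the poster's machine. The no-DisplayName filter at the end is a triage heuristic I added, not something the thread states: legitimate drivers can lack a DisplayName too, so treat its output as a list to review, not a verdict.

```python
"""
Added example (not from the forum thread): parse a regedit/`reg export` text
dump of HKLM\SYSTEM\CurrentControlSet\Services and report the driver file each
service's ImagePath points to.
"""
import re

# Constructed sample in .reg (regedit export) syntax. Backslashes are doubled
# inside quoted REG_SZ values, exactly as regedit writes them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtl8139]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="system32\\DRIVERS\\RTL8139.SYS"
"DisplayName"="Realtek RTL8139 driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\\drivers\\qahvmw.sys"
'''

SERVICES_PREFIX = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # only quoted REG_SZ values


def parse_services(reg_text):
    """Return {service_name: {value_name: value}} for every direct child of Services."""
    services = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = None
            if key.lower().startswith(SERVICES_PREFIX.lower() + '\\'):
                rest = key[len(SERVICES_PREFIX) + 1:]
                # Sub-keys such as Services\X\Parameters are not services themselves.
                if '\\' not in rest:
                    current = rest
                    services.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            # Undo the .reg escaping of backslashes and quotes.
            services[current][name] = value.replace('\\\\', '\\').replace('\\"', '"')
    return services


def driver_file(image_path):
    """Last path component of an ImagePath, e.g. 'qahvmw.sys'."""
    return image_path.replace('/', '\\').rsplit('\\', 1)[-1]


def image_path_report(reg_text):
    """Map service name -> (ImagePath, driver file name) for the whole export."""
    return {
        svc: (vals.get('ImagePath', ''), driver_file(vals.get('ImagePath', '')))
        for svc, vals in parse_services(reg_text).items()
    }


def unnamed_services(reg_text):
    """Heuristic (added here, not from the thread): services with no DisplayName
    are worth a second look. Legitimate drivers can lack one too."""
    return sorted(svc for svc, vals in parse_services(reg_text).items()
                  if 'DisplayName' not in vals)


if __name__ == '__main__':
    for svc, (path, fname) in image_path_report(SAMPLE_REG_EXPORT).items():
        print(f'{svc:12s} ImagePath={path}  file={fname}')
    print('no DisplayName:', unnamed_services(SAMPLE_REG_EXPORT))
```

To run it against a real export, read the .reg file and pass its text to image_path_report; note that regedit writes version 5.00 exports as UTF-16 LE with a byte-order mark, so open the file with that encoding rather than as plain ASCII.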

Hi

Now follow this post http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

EXCEPT for 3., where your script (your entries added) is below. So:

3. In the "Input script here:" copy and paste the script between the lines

Drivers to disable:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
rtghwcuz

Drivers to delete:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
rtghwcuz

Files to delete:
C:\WINDOWS\system32\gbnlwyeh.dll
C:\WINDOWS\system32\cpuesjq.dll
C:\WINDOWS\system32\mbjsgsl.dl
C:\WINDOWS\system32\wJQs.exe
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\uacvymnbtboeayohhs.dll
C:\WINDOWS\system32\uacqciqunodfnlghrv.dll
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\gxvxccounter
C:\WINDOWS\System32\drivers\gaopdxserv.sys
C:\WINDOWS\system32\gaopdxl.dll
C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys
C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll
C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com
C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja

It shouldn't find all of them.

Quads

I ran a scan with Superantispyware and all it seemed to find and delete were 13 tracking cookies. I rebooted as the program asked and then found that Norton Antivirus had become disabled!

I followed the link to restore it, and upon NAV's quick scan I still have Trojan Vundo.

I'll now go to dl'ing Avenger and c+p the files noted above.

bob

You are doing great BohemianBob:

Stay with it.  You are just about to the homestretch.

If you want to check that registry entry I mentioned: if it does point to that strange file seen in RootRepeal, I will update the script again for you.

I have been looking at posts on the web for what seems to be this type of Vundo, where even Combofix "Failed to Delete". Interesting.

Quads

Well, I ran Avenger with the pasted files and below are the results.

I'm not sure what's going on, but this didn't seem to make a change.

bob

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open driver "UACd.sys"
Disablement of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv.sys"
Disablement of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gaopdxserv.sys"
Disablement of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "rtghwcuz"
Disablement of driver "rtghwcuz" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv.sys" not found!
Deletion of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\rtghwcuz" not found!
Deletion of driver "rtghwcuz" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "C:\WINDOWS\system32\gbnlwyeh.dll"
Deletion of file "C:\WINDOWS\system32\gbnlwyeh.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  could not open file "C:\WINDOWS\system32\cpuesjq.dll"
Deletion of file "C:\WINDOWS\system32\cpuesjq.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  file "C:\WINDOWS\system32\mbjsgsl.dl" not found!
Deletion of file "C:\WINDOWS\system32\mbjsgsl.dl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\wJQs.exe" not found!
Deletion of file "C:\WINDOWS\system32\wJQs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacinit.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacinit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacvymnbtboeayohhs.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacvymnbtboeayohhs.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacqciqunodfnlghrv.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacqciqunodfnlghrv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcserv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxccounter" not found!
Deletion of file "C:\WINDOWS\system32\gxvxccounter" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\drivers\gaopdxserv.sys" not found!
Deletion of file "C:\WINDOWS\System32\drivers\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gaopdxl.dll" not found!
Deletion of file "C:\WINDOWS\system32\gaopdxl.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll" not found!
Deletion of file "C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com" not found!
Deletion of file "C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished!  Terminate.
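A way to read a log like the one above at a glance, as an added example (my code, not part of the thread and not from The Avenger's author): each action is paired with its NTSTATUS result and the results are bucketed. In bob's log the two outcomes mean different things: STATUS_OBJECT_NAME_NOT_FOUND (0xc0000034) says the object was already absent, so there is nothing left to do there, while STATUS_ACCESS_DENIED (0xc0000022) on gbnlwyeh.dll, cpuesjq.dll and the Winlogon\Notify\qwcrztja key says those objects exist and something is holding them open or protecting them; those are the live artefacts, and the Malwarebytes log later in the thread flags two of them. The sample log is a constructed excerpt in the same format as the one posted.

```python
"""
Added example (not from the thread or from The Avenger): parse an Avenger
logfile, pair every failed action with its NTSTATUS, and bucket the results
so the objects that still exist but are protected stand out.
"""
import re
from collections import defaultdict

# Constructed excerpt in the format of the log posted in the thread.
SAMPLE_AVENGER_LOG = '''\
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open driver "UACd.sys"
Disablement of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "C:\\WINDOWS\\system32\\cpuesjq.dll"
Deletion of file "C:\\WINDOWS\\system32\\cpuesjq.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  could not open registry key "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\qwcrztja" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\qwcrztja" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.
'''

# e.g. 'Deletion of file "X" failed!' or 'Disablement of driver "X" failed!'
FAILED_RE = re.compile(r'^(\w+) of (driver|file|registry key) "(.+)" failed!$')
# e.g. 'Status: 0xc0000022 (STATUS_ACCESS_DENIED)'
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')


def parse_avenger_log(text):
    """Return a list of (action, kind, target, status_name) tuples, one per failure."""
    results = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            # Remember the failed action; its Status line follows.
            pending = (m.group(1), m.group(2), m.group(3))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            results.append(pending + (m.group(2),))
            pending = None
    return results


def triage(text):
    """Group (kind, target) pairs by NTSTATUS name."""
    buckets = defaultdict(list)
    for _action, kind, target, status in parse_avenger_log(text):
        buckets[status].append((kind, target))
    return dict(buckets)


def live_protected_objects(text):
    """Targets that exist but could not be opened: the ones still worth chasing."""
    return [target for _kind, target in triage(text).get('STATUS_ACCESS_DENIED', [])]


if __name__ == '__main__':
    for status, items in triage(SAMPLE_AVENGER_LOG).items():
        print(status)
        for kind, target in items:
            print(f'   {kind:12s} {target}')
    print('still present and protected:', live_protected_objects(SAMPLE_AVENGER_LOG))
```

Running the same functions over the full log pasted above gives three access-denied objects (the two DLLs and the Winlogon Notify key) and puts everything else in the not-found bucket, which is the split that tells you which script entries to keep and which to drop.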

Hi -

I am noting what is transpiring here and find it to be rather fascinating.

Just wanted all to know.

:smileyhappy:

Hi Quads -

Would SAS alone resolve this?

:smileysurprised:

Message Edited by Compumind on 06-01-2009 10:37 PM

Heh, while I'm having a "this could only happen to me" moment.

I'm half tempted, since my hard drive is approaching the 5 year mark and I have most everything backed up virus free, to just start over with a new HD.

bob

Actually BohemianBob, it is beginning to happen to more and more people.  If you can bear with it a while longer you will be helping to provide answers for more people.  Several machines have already been cleaned through this process.

Hi bohemianbob -

Yes, it's true. Quads is *really* good at this.

If this complex process could be documented and made safer to use, it would be a very good thing.

Hang tight.

Thanks :smileyhappy:

Message Edited by Compumind on 06-01-2009 11:24 PM

Yeah, I hear you guys and I do want this process to work, especially after it appears that my pc has something more than the basic Trojan Vundo...

This is why I'm ok with the full posting of my log reports, just in case doing so might help someone else, or the anti-virus community.

bob

Hi bohemianbob -

It is *good* though that you have your Programs and Data backed up just in case you wish to reload.

Many users don't (sadly) and suffer from the lack of disaster preparedness.

Perhaps you won't need to do it.

Let's wait and see.

:smileyhappy:

Message Edited by Compumind on 06-01-2009 11:31 PM

Hi

I am thinking,

Did you happen to find the registry entry to see what file it points to?

That .sys file q.............sys showing up is strange.

Do you have Spybot S&D installed?

Quads

I guess the only problem with starting over with a new HD would be if I end up having a corrupted System Restore. Though I understand even that can be rendered virus free.

bob

Quads, yes I do have Spybot installed and it was the first thing I ran after NAV detected Vundo.

Message Edited by bohemianbob on 06-01-2009 08:37 PM

With or without Teatimer enabled,

Did you find the registry entry I stated, to see what file it points to?

Quads

(Quote from Quads

I am thinking,

Did you happen to find the registry entry to see what file it points to?? )

______________________________________________________________

I'm not sure what file you're referring to Quads.

bob

Yes, TeaTimer is enabled.

Message Edited by bohemianbob on 06-01-2009 08:51 PM

Hi

1. Teatimer can stop files being deleted. Uninstall Spybot S&D and Teatimer.

2. This is the post I am referring to:

"Do you know how to navigate the registry using regedit??  If yes go to this entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz

See under ImagePath"="System32\\drivers\\........."   has the name "qahvmw.sys" as the file"

3. Go to http://homepages.slingshot.co.nz/~crutches/DDS/  and download  DDS.pif.   Then disable Auto-Protect and SONAR, as when run the file can be detected.  It will produce a detailed log.   You only need to post back the log to the end of Find3M, nothing below.

Quads

I ran DDS.pif and have the files posted below.

The only problem is that I do not know where to find and disable "Auto-protect" and "Sonar", so this DDS generated file is run with these features presumably on.

==================== Find3M  ====================

2009-05-29 14:35    155,995    a-------    c:\windows\java\packages\2G5VPVB1.ZIP
2009-05-29 14:35    2,232    a-------    c:\windows\java\packages\data\L7VV93PV.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\M9NX713F.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\M1JJ1ZTV.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\K4UFNZ35.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\1BV7ZX79.DAT
2009-05-29 14:35    2,678    a-------    c:\windows\java\packages\data\LFVBDF9F.DAT
2009-05-05 19:18    107,888    a-------    c:\windows\system32\CmdLineExt.dll
2009-04-26 19:07    20    ----h---    c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-04-22 00:20    14,311,680    a-------    c:\windows\system32\xlive.dll
2009-04-22 00:20    13,642,496    a-------    c:\windows\system32\xlivefnt.dll
2009-03-21 10:20    60,808    a-------    c:\windows\system32\S32EVNT1.DLL
2009-03-21 07:06    989,696    --------    c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19    410,984    a-------    c:\windows\system32\deploytk.dll
2009-03-08 14:09    638,816    a-------    c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09    391,536    a-------    c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41    5,937,152    a-------    c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39    11,063,808    a-------    c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\wininet.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34    1,206,784    a-------    c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34    236,544    a-------    c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\licmgr10.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34    105,984    a-------    c:\windows\system32\dllcache\url.dll
2009-03-08 04:34    193,536    a-------    c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34    109,568    a-------    c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33    759,296    a-------    c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33    18,944    a-------    c:\windows\system32\corpol.dll
2009-03-08 04:33    18,944    --------    c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33    25,600    a-------    c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33    726,528    a-------    c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33    229,376    a-------    c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\vbscript.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33    125,952    a-------    c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\admparse.dll
2009-03-08 04:32    173,056    a-------    c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32    163,840    a-------    c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\iesetup.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32    55,808    a-------    c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32    128,512    a-------    c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32    94,720    a-------    c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32    594,432    a-------    c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32    1,985,024    a-------    c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32    611,840    a-------    c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24    68,608    a-------    c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\msls31.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11    445,952    a-------    c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 07:22    284,160    a-------    c:\windows\system32\pdh.dll
2009-03-06 07:22    284,160    --------    c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59    1,900,544    a-------    c:\windows\system32\usbaaplrc.dll
2006-11-05 22:11    22    ac-sh---    c:\windows\sminst\HPCD.sys

============= FINISH:  5:05:22.92 ===============

Now I'll regedit over to the file you want to see.

EDIT: The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rtghwcuz does not exist in my registry. I have an "RSVP" and an "rtl8139", but the one you're looking for isn't there.

Overnight I also re-ran Malwarebytes and it appears that the infected files found list is growing shorter, though Trojan Vundo still reappears upon reboot.

Here's the current Malwarebytes list:

Malwarebytes' Anti-Malware 1.37
Database version: 2209
Windows 5.1.2600 Service Pack 3

6/2/2009 4:45:25 AM
mbam-log-2009-06-02 (04-45-25).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 408369
Time elapsed: 1 hour(s), 54 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwcrztja (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{35e35e0b-6cae-4c45-9a5e-87e6d03c2201} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpuesjq.dll (Trojan.Vundo.H) -> Delete on reboot.

bob

Message Edited by bohemianbob on 06-02-2009 05:24 AM
Message Edited by bohemianbob on 06-02-2009 05:26 AM

Bohemianbob:

If you open your Norton main screen, go to the computer pane and then settings.  You may have to scroll down to find the Real Time Protection settings.  There you can turn the Auto-Protect slider to off and the SONAR advanced protection to off.  Norton will probably flash a warning that you are unprotected.

Quads will advise if he requires another log, or you could run another just in case.

Best wishes