TechSpot

Help with persistent Vundo Trojan please! HJT log attached.

By tredders
Jan 8, 2008
  1. Hi all

    Trying to sort out a friend's laptop for them - it's running XP Home, and Norton Security 2005. When booting up, Norton pops up a window: -

    Object Name C:\windows\system32\gebbcd.dll
    Virus Name Trojan.Vundo

    I've booted in safe mode and run the Symantec Vundo removal tool, but it reports that the virus isn't present. Same with VundoFix. Also ran a number of recommended spyware tools (TrojanHunter, Spybot & AVG anti-Spyware) and they all come up clean. I'm unable to run a Norton scan in safe mode, as I'm getting a Windows error message ("Symantec Integrator has encountered a problem and needs to end").

    Any help would be massively appreciated - it's driving me mad!

    Mark

    HJT Log attached
     

    Attached Files:

  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
      O2 - BHO: (no name) - {187E3735-859B-482B-89E8-AE7F5C811DFB} - C:\WINDOWS\system32\gebcd.dll
      O8 - Extra context menu item: &Search - ?p=ZKxdm011YYGB
      O23 - Service: Print Spooler Service (zaouauvdeaa) - Unknown owner - C:\WINDOWS\system32\txnjme.exe (file missing)

    4. Whilst still in HijackThis, go to "Main Menu" and click on "Open the Misc Tools section". Click on the "Misc Tools" button and then "Delete an NT service..." Type the following into the prompt box and press OK after each entry.

      Print Spooler Service

      Close HJT.

    5. Navigate in Windows Explorer and delete the following files and folders in bold.
      C:\WINDOWS\system32\txnjme.exe
      C:\WINDOWS\system32\gebcd.dll

    6. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


    Regards,
    momok =)

    This thread is for the use of tredders only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. tredders

    tredders TS Rookie Topic Starter

    Really appreciate your time in replying. I'll boot up the infected laptop and post the results shortly.

    Mark.

    Right - hit a snag whilst running HJT. I've got my MacBook next to the infected machine, so I can still post here and try to fix it at the same time.

    Fired up HJT, and selected both entries to remove, and clicked Fix. However, when I try to end the Print Spooler Service, HJT tells me it's not found ("Service 'Print Spooler Service' was not found in the Registry. Make sure you entered the name of the service correctly)".

    As I can't end that service, I can't delete the 2 files detailed. Gebcd.dll is reported as being in use, and txnjme.exe doesn't exist in windows\system32. I did, however find it in prefetch, so deleted it from there.

    Thanks again for your time in helping with this. It really is appreciated.

    Mark.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

    Slight update - rebooted back into safe mode and re-ran HJT. Out of the 3 entries you told me to delete, only the 02 - BHO entry for gebcd.dll now exists - the other two have been successfully removed.

    Thanks

    Mark.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Where are the requested logs??

    Go to start > type "services.msc" and press enter. Search for the following services and right click to disable them. Then Right click > Properties to set the startup type to "disabled".

    'Print Spooler Service'

    I can't do a proper cleaning if you can't follow my instructions fully. Please post the requested logs in your next reply.
     
  5. tredders

    tredders TS Rookie Topic Starter

    Hi

    I've stopped the Print Spooler Service (disabled via services.msc), and re-run HJT, ComboFix & AVG anti-spyware. Logs attached as requested.

    Norton still reporting Vundo on the system, and unable to delete the gebcd.dll file.

    Any help is appreciated.

    Mark.
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O2 - BHO: (no name) - {A1A20027-1DC6-4E76-B2B8-5B956F106CF5} - C:\WINDOWS\system32\gebcd.dll
      O8 - Extra context menu item: &Search - ?p=ZKxdm011YYGB
      O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a9ea4c56913f4c4da518dc0c41f0861b
      O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a9ea4c56913f4c4da518dc0c41f0861b

      Close HJT.

    4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    5. Save this as CFScript on the desktop.
    6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [​IMG]
    7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

    8. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of tredders only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. tredders

    tredders TS Rookie Topic Starter

    I've followed the instructions above, but I'm now getting reboots of Windows XP, with a popup saying "lsass.exe Object Name not Found". When I click OK, it just reboots again.

    Same happens if I try to boot into safe mode, so I'm just booting into Last Good config and will double check the CFSCRIPT file.

    EDIT: Rebooted in Last Known Good config, and ComboFix completed. It looks as though the machine is finally clear of the damned virus! Just running a full scan, and will then post fresh logs for confirmation.

    EDIT AGAIN: Looks good - no pop-ups anymore, and the dreaded gebcd.dll has gone. Virus scanner comes up clean, as does HJT & AVG. I've attached the logs for confirmation, but it looks clear now.

    One final issue - Can still only boot up in Last Good mode - when I try to boot up in normal, I get the popup saying "lsass.exe Object Name not Found". When I click OK, it just reboots again. Any help on this? Also, am I safe to re-enable the Print Spool service now?

    Thanks very much for the help - much appreciated.

    Mark.
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please let me know what service you had disabled previously. I had asked you to disable 'Print Spooler Service', whilst there's a legitimate service called 'Print Spooler'. If you had disabled that, please renable it.

    Regards,
    momok
     
  9. momok

    momok TS Rookie Posts: 2,265

    Thread closed due to lack of response. Should the original starter require it to be reopened, please PM a mod.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...