TechSpot

Vundo!grb trojan issues and removal

By SoraNagagino21
Mar 22, 2009
  1. I have had multiple pop-ups from my McAfee stating that it prevented and removed the Vundo!grb trojan from my system. It has been causing strange symptoms, so I am assuming it did not block or remove it like it should have.
    Symptoms:
    random windows opening to a "cannot find server" page, pop-up ads, and pop-ups stating that I need updates and fixes from random companies. What can I do and how do I get rid of it without spending a lot of money, since McAfee should have blocked it in the first place?
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
    avg

    Most importantly update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)!

    Before you scan with either MalwareBytes or SuperAntiSpyware, do the extra configs below; these have become most important lately.

    SuperAntispyware extra config

    After installed double-click the icon on your desktop to run it.

    Update the program definitions.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options, make sure all boxes are checked except #3 (Ignore System Restore).

    MalwareBytes extra config

    After update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and attach their logs.

    Mike
     
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  4. SoraNagagino21

    SoraNagagino21 TS Rookie Topic Starter

    All logs attached
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You have the LiveShare P2P program running.
    Basically there is no use helping when any file-sharing programs are installed.
    This is because you could be receiving new malware as the old ones are being removed.

    I'd suggest you uninstall it (all of them, if you have multiple P2P programs).

    Another issue (even worse!)

    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    By the way, you will need to then restart, and run (and attach) a new HJT log



    By the way, in no way do I want to take over supporting this thread,
    but I thought I'd let you know of the above to help you and, importantly, mflynn (seeing as he is helping you).
     
  6. SoraNagagino21

    SoraNagagino21 TS Rookie Topic Starter

    I hit Remove Selected, so I'm not sure why it didn't remove it.
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Wow!

    You are loaded! And you did not elect to clean the items found; the MBAM log says "No Action taken", so you need to run it again and this time delete what is found. But only after the below!

    Left-drag the mouse and copy, for pasting, all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste it into the black screen of an open command prompt. Not all of it may apply, so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    
    sc stop Service_TDSSserv.sys
    sc delete Service_TDSSserv.sys
    
    sc stop Legacy_TDSSSERV.SYS
    sc delete Legacy_TDSSSERV.SYS
    
    Attrib -h -s -r /s c:\tdss*.*
    del /f /q /s c:\tdss*.*
    
    
    Attrib -h -s -r /s "c:\Legacy_*.*"
    del /f /q /s "c:\Legacy_*.*"
    
    :: reg unload only applies to hives mounted with reg load, so these two lines
    :: just report an error; the reg delete lines below do the actual removal.
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg deletes these keys.
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    del /f /q c:\WINDOWS\system32\ieupdates.exe
    
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    del /f /q c:\WINDOWS\system32\scui.cpl
    
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    del /f /q c:\WINDOWS\system32\winsrc.dll
    
    attrib -h -s -r /s c:\xwdxqu.txt
    del /f /q /s c:\xwdxqu.txt
    
    attrib -h -s -r c:\windows\x
    del /f /q c:\windows\x
    
    attrib -h -s -r /s "c:\SxsCaPendDel*.*"
    del /f /q /s "c:\SxsCaPendDel*.*"
    
    attrib -h -s -r /s c:\h3s.sys
    del /f /q /s c:\h3s.sys
    
    attrib -h -s -r /s c:\qh3s.sys
    del /f /q /s c:\qh3s.sys
    
    attrib -h -s -r /s c:\jsdpp32.sys
    del /f /q /s c:\jsdpp32.sys
    
    attrib -h -s -r /s c:\oxauau96.sys
    del /f /q /s c:\oxauau96.sys
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    attrib -h -s -r /s c:\gaopdx*.*
    del /f /q /s c:\gaopdx*.*
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    sc stop Service_UACd.sys
    sc delete Service_UACd.sys
    attrib -h -s -r /s "c:\Service_UACd*.*"
    del /f /q /s "c:\Service_UACd*.*"
    
    attrib -h -s -r "c:\program files\Common Files\System\Uninstall*.*"
    del /f /q "c:\program files\Common Files\System\Uninstall*.*"
    rd /s /q "c:\program files\Common Files\System\Uninstall"
    
    attrib -h -s -r /s "c:\PlayMP3z*.*"
    del /f /q /s  "c:\PlayMP3z*.*"
    rd /s /q "c:\program files\PlayMP3z"
    
    sc stop UACkdqxyyms.sys
    sc delete UACkdqxyyms.sys
    
    attrib -h -s -r /s "c:\UAC????????.sys"
    del /f /q /s "c:\UAC????????.sys"
    
    attrib -h -s -r /s "c:\uacinit.dll"
    del /f /q /s "c:\uacinit.dll"
    
    :: paths with spaces must be quoted or attrib/del see several arguments
    attrib -h -s -r "c:\documents and settings\NetworkService\Application Data\.rdr.ini"
    del /f /q "c:\documents and settings\NetworkService\Application Data\.rdr.ini"
    
    attrib -h -s -r "c:\documents and settings\NetworkService\Application Data\install.dat"
    del /f /q "c:\documents and settings\NetworkService\Application Data\install.dat"
    
    attrib -h -s -r "c:\windows\system32\f06WtR"
    del /f /q "c:\windows\system32\f06WtR"
    
    attrib -h -s -r c:\windows\system32\ntnet.drv
    del /f /q c:\windows\system32\ntnet.drv
    
    attrib -h -s -r "c:\windows\system32\W70MLRES.DLL"
    del /f /q "c:\windows\system32\W70MLRES.DLL"
    
    attrib -h -s -r "c:\windows\system32\dumphive.exe"
    del /f /q "c:\windows\system32\dumphive.exe"
    
    attrib -h -s -r "c:\windows\system32\IEDFix.exe"
    del /f /q "c:\windows\system32\IEDFix.exe"
    
    attrib -h -s -r "c:\windows\system32\Process.exe"
    del /f /q "c:\windows\system32\Process.exe"
    
    attrib -h -s -r "c:\windows\system32\SrchSTS.exe"
    del /f /q "c:\windows\system32\SrchSTS.exe"
    
    attrib -h -s -r "c:\windows\system32\VACFix.exe"
    del /f /q "c:\windows\system32\VACFix.exe"
    
    attrib -h -s -r "c:\windows\system32\VCCLSID.exe"
    del /f /q "c:\windows\system32\VCCLSID.exe"
    
    attrib -h -s -r "c:\windows\system32\WS2Fix.exe"
    del /f /q "c:\windows\system32\WS2Fix.exe"
    
    attrib -h -s -r "c:\windows\patch.exe"
    del /f /q "c:\windows\patch.exe"
    
    attrib -h -s -r "c:\windows\Readme.txt"
    del /f /q "c:\windows\Readme.txt"
    
    attrib -h -s -r "c:\windows\system32\apiri32.dll"
    del /f /q "c:\windows\system32\apiri32.dll"
    
    attrib -h -s -r "c:\windows\system32\crrh32.exe"
    del /f /q "c:\windows\system32\crrh32.exe"
    
    attrib -h -s -r "c:\windows\system32\d3im32.exe"
    del /f /q "c:\windows\system32\d3im32.exe"
    
    attrib -h -s -r "c:\windows\system32\deuau.dll"
    del /f /q "c:\windows\system32\deuau.dll"
    
    attrib -h -s -r "c:\windows\system32\fsszd.dll"
    del /f /q "c:\windows\system32\fsszd.dll"
    
    attrib -h -s -r "c:\windows\system32\iecw.exe"
    del /f /q "c:\windows\system32\iecw.exe"
    
    attrib -h -s -r "c:\windows\system32\ievd32.dll"
    del /f /q "c:\windows\system32\ievd32.dll"
    
    attrib -h -s -r "c:\windows\system32\iezj.exe"
    del /f /q "c:\windows\system32\iezj.exe"
    
    attrib -h -s -r "c:\windows\system32\ipiz.exe"
    del /f /q "c:\windows\system32\ipiz.exe"
    
    attrib -h -s -r "c:\windows\system32\javach.exe"
    del /f /q "c:\windows\system32\javach.exe"
    
    attrib -h -s -r "c:\windows\system32\jzimv.dll"
    del /f /q "c:\windows\system32\jzimv.dll"
    
    attrib -h -s -r "c:\windows\system32\klieq.dll"
    del /f /q "c:\windows\system32\klieq.dll"
    
    attrib -h -s -r "c:\windows\system32\mfcib32.exe"
    del /f /q "c:\windows\system32\mfcib32.exe"
    
    attrib -h -s -r "c:\windows\system32\nths.dll"
    del /f /q "c:\windows\system32\nths.dll"
    
    attrib -h -s -r "c:\windows\system32\ntzy32.exe"
    del /f /q "c:\windows\system32\ntzy32.exe"
    
    attrib -h -s -r "c:\windows\system32\sdkhq.exe"
    del /f /q "c:\windows\system32\sdkhq.exe"
    
    attrib -h -s -r "c:\windows\system32\sdkqw32.exe"
    del /f /q "c:\windows\system32\sdkqw32.exe"
    
    attrib -h -s -r "c:\windows\system32\sdkxu.exe"
    del /f /q "c:\windows\system32\sdkxu.exe"
    
    attrib -h -s -r "c:\windows\system32\sysgr.exe"
    del /f /q "c:\windows\system32\sysgr.exe"
    
    attrib -h -s -r "c:\windows\system32\windows.scr"
    del /f /q "c:\windows\system32\windows.scr"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    attrib -h -s -r /s "C:\WinSvcHostmanager*.*"
    del /f /q /s "C:\WinSvcHostmanager*.*"
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r /s C:\ntndis.*
    del /f /q /s C:\ntndis.*
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r /s "c:\u_lehj32*.*"
    del /f /q /s "c:\u_lehj32*.*"
    
    net stop Legacy_SECURITY
    attrib -h -s -r /s "c:\Legacy_SECURITY*.*"
    del /f /q /s "c:\Legacy_SECURITY*.*"
    
    sc stop Service_SECURITY
    sc delete Service_SECURITY
    
    attrib -h -s -r /s "c:\Service_SECURITY*.*"
    del /f /q /s "c:\Service_SECURITY*.*"
    
    attrib -h -s -r /s c:\svcprs32.exe
    del /f /q /s c:\svcprs32.exe
    
    attrib -h -s -r /s c:\wmdrtc32.dll
    del /f /q /s c:\wmdrtc32.dll
    
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    attrib -h -s -r /s c:\ebkp*.*
    del /f /q /s c:\ebkp*.*
    
    :: AV2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
    del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    :: a single value under Run is removed with /v; without it reg delete rejects the command
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This post is too big for the allowed post size; read the next post to continue!
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Continued from last post.

    This should run and exit!

    It is a cover-all, and you may see a few errors related to it addressing something you do not need. This is normal; ignore it.

    Now, after the above, run MBAM, remove what is found, and post its log and a new HJT log.

    Mike
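
    Before running a fixer like the one above, and again after it, it is worth knowing whether the file-type associations it resets were actually hijacked (a hijacked exefile means every .exe launch, including the scanners, goes through the malware first). The check below is an added example in Python, not mflynn's code or a TechSpot tool. The expected values are exactly what the script's ftype/assoc lines set; it reads the live tables with `cmd /c ftype` and `cmd /c assoc` on Windows and otherwise audits a constructed sample. The sample output and the path `C:\Program Files\Antivirus 2009\hijack.exe` are constructed for illustration and are not from this thread's logs.

```python
"""Audit Windows file-type associations against the defaults the cleanup
script in this thread restores.  Added example, not the thread's own code."""
import re
import subprocess
import sys

# Expected values: exactly what the ftype/assoc lines of the script set.
EXPECTED_FTYPE = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": '"regedit.exe" "%1"',
    "piffile": '"%1" %*',
    "inffile": '%SystemRoot%\\System32\\NOTEPAD.EXE "%1"',
    "vbsfile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
    "jsfile": '%SystemRoot%\\System32\\WScript.exe "%1" %*',
}
EXPECTED_ASSOC = {
    ".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile", ".com": "comfile",
    ".scr": "scrfile", ".reg": "regfile", ".pif": "piffile", ".lnk": "lnkfile",
    ".inf": "inffile", ".vbs": "vbsfile", ".js": "jsfile",
}

# Constructed sample output (not from the thread's logs): exefile has been
# pointed at a hypothetical hijacker so every .exe launch runs it first, and
# the .scr association has been removed outright.
SAMPLE_FTYPE = r"""
batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="C:\Program Files\Antivirus 2009\hijack.exe" "%1" %*
inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
piffile="%1" %*
regfile=regedit.exe "%1"
scrfile="%1" /S
vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
"""
SAMPLE_ASSOC = r"""
.bat=batfile
.cmd=cmdfile
.com=comfile
.exe=exefile
.inf=inffile
.js=JSFile
.lnk=lnkfile
.pif=piffile
.reg=regfile
.vbs=VBSFile
"""


def parse_table(text):
    """Parse the name=value lines printed by `ftype` or `assoc`."""
    table = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            table[name.strip().lower()] = value.strip()
    return table


def normalize(command):
    # Quoting and case differ between Windows versions; what matters is which
    # program runs before "%1".  Strip quotes, collapse whitespace, lowercase.
    return re.sub(r"\s+", " ", command.replace('"', "")).strip().lower()


def audit(ftype_text, assoc_text):
    """Return (kind, name, actual, expected) for every deviation from the defaults.
    A missing entry (actual is None) is reported too: a deleted .exe association
    is as disabling as a hijacked one."""
    findings = []
    ftypes = parse_table(ftype_text)
    assocs = parse_table(assoc_text)
    for progid, expected in EXPECTED_FTYPE.items():
        actual = ftypes.get(progid)
        if actual is None or normalize(actual) != normalize(expected):
            findings.append(("ftype", progid, actual, expected))
    for ext, expected in EXPECTED_ASSOC.items():
        actual = assocs.get(ext)
        if actual is None or actual.lower() != expected:
            findings.append(("assoc", ext, actual, expected))
    return findings


def main():
    if sys.platform == "win32":
        def run(cmd):
            return subprocess.run(["cmd", "/c", cmd], capture_output=True, text=True).stdout
        ftype_text, assoc_text = run("ftype"), run("assoc")
    else:
        print("Not on Windows; auditing the constructed sample instead.")
        ftype_text, assoc_text = SAMPLE_FTYPE, SAMPLE_ASSOC
    findings = audit(ftype_text, assoc_text)
    for kind, name, actual, expected in findings:
        print(f"[{kind}] {name}: got {actual!r}, expected {expected!r}")
    if not findings:
        print("All checked associations match the defaults.")


if __name__ == "__main__":
    main()
```

    On the sample it reports two findings, the hijacked exefile and the missing .scr association; the ftype/assoc lines in the script above are exactly the repair for both. Run it from a command prompt opened via Start, Run, cmd rather than by double-clicking a .cmd file, since a hijacked cmdfile/batfile association is one of the things it is checking for.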
     
  9. SoraNagagino21

    SoraNagagino21 TS Rookie Topic Starter

    OK, so if I'm correct in the instructions, I need to copy and paste to the command prompt, then do another malware scan and click Remove after the scan is done?
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    10-4

    You got it!

    Do MBAM and HJT last!

    Mike
     
  11. SoraNagagino21

    SoraNagagino21 TS Rookie Topic Starter

    So you needed the log from HijackThis; here it is. Anything else I need to do or know?
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    From Post #8
    I need MBAM ran and its log!

    Mike
     
  13. SoraNagagino21

    SoraNagagino21 TS Rookie Topic Starter

    Sorry, I ran both but didn't attach it. I apologize.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Since it has been greatly enhanced, my script has gotten too big for a copy/paste, so I have put it out to be downloaded.

    So go here and download to the Desktop, then double-click it to run it, then click OK to self-extract.

    Once extracted, double-click to enter the Fixer folder. To run it, first double-click Daft, click Scan, check any found items and click Fix.
    Then just double-click Fixit.cmd to run it (no copy/paste).

    But boot to Safe Mode and run it!

    Get it here: http://www.adrive.com/public/97c4357781f45c7e443061094b8cfaff3836f57446eb242ab2ee0b6cd68a0107.html

    Only after it has been run, the MBAM Quick Scan has been run, and you have posted the MBAM log. Only then do the below.

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.
    =========================================

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike

    EDIT:
    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.
    And these..
    O4 - HKUS\S-1-5-19\..\Run: [kofefasuzi] Rundll32.exe "C:\WINDOWS\system32\fuzoyalu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [kofefasuzi] Rundll32.exe "C:\WINDOWS\system32\fuzoyalu.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: ifboxw.dll c:\windows\system32\kalulana.dll kqocsm.dll c:\windows\system32\rawomuba.dll

    Mike
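
    The "Fix" rule in the EDIT above (any line ending in (file missing) or (no file), plus the O4 and O20 lines listed) is mechanical enough to script, which matters when a log is hundreds of lines long. The following is an added Python example, not part of this thread or of HijackThis, that triages HJT log text by that rule. The sample log is constructed: it contains the three lines quoted above plus placeholder entries (a zero GUID, an "Example Service", ctfmon.exe) that show what is and is not flagged. One heuristic goes beyond the thread's rule and is my assumption: an O4 Run entry under the built-in service-account hives (S-1-5-18/19/20) is flagged for review because those hives normally carry no Run entries at all, which is exactly why the two quoted lines stand out.

```python
"""Triage a HijackThis log by the rule given in the post above.  Added
example for this thread, not a HijackThis or TechSpot tool."""
import re

# HJT marks entries that point at nothing with one of these; the thread's
# rule is to Fix any line that ends with one (only at the END of the line).
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Assumption beyond the thread's rule: the built-in service-account hives
# (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) normally carry no Run entries,
# so any O4 line under them deserves a look, as the two quoted above do.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")

# Constructed sample log: the three lines quoted in the post, plus placeholder
# entries (zero GUID, "Example Service", ctfmon.exe) to show what is not flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [kofefasuzi] Rundll32.exe "C:\WINDOWS\system32\fuzoyalu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kofefasuzi] Rundll32.exe "C:\WINDOWS\system32\fuzoyalu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ifboxw.dll c:\windows\system32\kalulana.dll kqocsm.dll c:\windows\system32\rawomuba.dll
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files\Example\svc.exe (file missing)
"""


def is_orphan(line):
    """True when the entry's target is gone, i.e. the line ends with an HJT marker."""
    return line.rstrip().lower().endswith(ORPHAN_MARKERS)


def appinit_dlls(line):
    """DLL list from an O20 AppInit_DLLs line.  Every DLL named there is loaded
    into every process that links user32.dll, which is why this value is a
    favourite persistence spot for Vundo-class malware and is always worth review."""
    m = re.match(r"O20 - AppInit_DLLs:\s*(.*)$", line)
    return m.group(1).split() if m else []


def service_account_run(line):
    return line.startswith("O4 - HKUS\\") and any(
        f"HKUS\\{sid}\\" in line for sid in SERVICE_SIDS)


def triage(log_text, known_bad=()):
    """Return [(line, [reasons])] for every HJT entry to Fix or review.
    known_bad: file names already identified as malicious (case-insensitive)."""
    bad = tuple(n.lower() for n in known_bad)
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"^[ORFN]\d+ - ", line):
            continue  # not an entry line (header, blank, running-process list)
        reasons = []
        if is_orphan(line):
            reasons.append("orphan")
        if appinit_dlls(line):
            reasons.append("appinit_dlls")
        if service_account_run(line):
            reasons.append("service-account Run")
        if any(n in line.lower() for n in bad):
            reasons.append("known-bad name")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG, known_bad=("fuzoyalu.dll",)):
        print(f"FIX [{', '.join(reasons)}] {line}")
```

    On the sample it flags five of the seven entries and leaves the ctfmon.exe Run entry and the R0 start page alone. AppInit_DLLs is not malware-only (some legitimate software registers there), so the O20 hit is a prompt to look up each DLL rather than an automatic verdict; the "orphan" hits, by contrast, are safe to Fix by definition, since there is no file for them to run.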
     
  15. SoraNagagino21

    SoraNagagino21 TS Rookie Topic Starter

    Sorry, I have not been on my computer, and I apologize for being away and not getting back to you sooner, since you are helping me fix my computer. Log attached.

    Most recent log for MBAM.

    Moderator Edit:
    SoraNagagino21 did you read the above post?
    mflynn asked you for 3 attachments: ComboFix; SDFix; HJT
    You supplied MBAM with "No Action Taken" ?

    Better you go somewhere else to get help if you are not interested in it here ;)
     
  16. squidofdespair

    squidofdespair TS Rookie

    Another Vundo.grb problem

    I tried most of those steps, although SuperAntiSpyware [which I attempted to use after successfully using Malwarebytes] gave my computer the blue screen of death twice, so I decided to give up on that.

    I don't think I have any file sharing programs running, but if I do, I didn't install them.

    I'd appreciate any advice.
     
Topic Status:
Not open for further replies.
