Vundo!grb trojan issues and removal

Status
Not open for further replies.

SoraNagagino21

Posts: 7   +0
I have had multiple pop-ups from my McAfee stating that it prevented and removed the Vundo!grb trojan from my system. It has been causing strange symptoms, so I am assuming it did not block or remove it like it should have.
Symptoms:
Random windows opening to a "cannot find server" page, pop-up ads, and pop-ups stating that I need updates and fixes from random companies. What can I do and how do I get rid of it without spending a lot of money, since McAfee should have blocked it in the first place?
 
Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
avg

Most importantly update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)!

Before you scan with either MalwareBytes or SuperAntiSpyWare, do the Extra Configs below; these have become most important lately.

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options, make sure all boxes except #3 (Ignore System Restore) are checked.

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Mike
 
You have the LiveShare P2P program running.
Basically there is no use helping when any file sharing programs are installed.
This is because you could be receiving new malware as the old ones are being removed.

I'd suggest uninstalling it (all of them if you have multiple P2P programs).

Another issue (even worse!)

-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes
Confirm updated (third tab)
Then do the above quoted message, but this time "Remove all found issues"

By the way, you will need to then restart, and run (and attach) a new HJT log

By the way, in no way do I want to take over supporting this thread
But I thought I'd let you know of the above to help you, and importantly mflynn (seeming he is helping you)
 
Wow!

You are loaded! And you did not elect to clean items found; the MBAM log says "No Action taken", so you need to run it again and this time delete what is found. But only after the below!

Left-drag the mouse and copy, for pasting, all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste it into the black screen of an open command prompt. Not all of it may apply, so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys

sc stop Service_TDSSserv.sys
sc delete Service_TDSSserv.sys

sc stop Legacy_TDSSSERV.SYS
sc delete Legacy_TDSSSERV.SYS

Attrib -h -s -r /s c:\tdss*.*
del /f /q /s c:\tdss*.*


Attrib -h -s -r /s "c:\Legacy_*.*"
del /f /q /s tdss*.* "c:\Legacy_*.*"

reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg deletes these keys.

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\ieupdates.exe

attrib -h -s -r c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\scui.cpl

attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
del /f /q c:\WINDOWS\system32\winsrc.dll

attrib -h -s -r /s c:\xwdxqu.txt
del /f /q /s c:\xwdxqu.txt

attrib -h -s -r c:\windows\x
del /f /q c:\windows\x

attrib -h -s -r /s "c:\SxsCaPendDel*.*"
del /f /q /s "c:\SxsCaPendDel*.*"

attrib -h -s -r /s c:\h3s.sys
del /f /q /s c:\qh3s.sys

attrib -h -s -r /s c:\jsdpp32.sys
del /f /q /s c:\jsdpp32.sys

attrib -h -s -r /s c:\oxauau96.sys
del /f /q /s c:\oxauau96.sys

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

attrib -h -s -r /s c:\gaopdx*.*
del /f /q /s c:\gaopdx*.*

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

sc stop Service_UACd.sys
sc delete Service_UACd.sys
attrib -h -s -r /s "c:\Service_UACd*.*"
del /f /q /s "c:\Service_UACd*.*"

attrib -h -s -r "c:\program files\Common Files\System\Uninstall*.*"
del /f /q "c:\program files\Common Files\System\Uninstall*.*"
rd /s /q "c:\program files\Common Files\System\Uninstall"

attrib -h -s -r /s "c:\PlayMP3z*.*"
del /f /q /s  "c:\PlayMP3z*.*"
rd /s /q "c:\program files\PlayMP3z"

sc stop UACkdqxyyms.sys
sc delete UACkdqxyyms.sys

attrib -h -s -r /s "c:\UAC????????.sys"
del /f /q /s "c:\UAC????????.sys"

attrib -h -s -r /s "c:\uacinit.dll"
del /f /q /s "c:\uacinit.dll"

attrib -h -s -r c:\documents and settings\NetworkService\Application Data\.rdr.ini
del /f /q c:\documents and settings\NetworkService\Application Data\.rdr.ini

attrib -h -s -r c:\documents and settings\NetworkService\Application Data\install.dat
del /f /q c:\documents and settings\NetworkService\Application Data\install.dat

attrib -h -s -r "c:\windows\system32\f06WtR"
del /f /q "c:\windows\system32\f06WtR"

attrib -h -s -r c:\windows\system32\ntnet.drv
del /f /q c:\windows\system32\ntnet.drv

attrib -h -s -r "c:\windows\system32\W70MLRES.DLL"
del /f /q "c:\windows\system32\W70MLRES.DLL"

attrib -h -s -r "c:\windows\system32\dumphive.exe"
del /f /q "c:\windows\system32\dumphive.exe"

attrib -h -s -r "c:\windows\system32\IEDFix.exe"
del /f /q "c:\windows\system32\IEDFix.exe"

attrib -h -s -r "c:\windows\system32\Process.exe"
del /f /q "c:\windows\system32\Process.exe"

attrib -h -s -r "c:\windows\system32\SrchSTS.exe"
del /f /q "c:\windows\system32\SrchSTS.exe"

attrib -h -s -r "c:\windows\system32\VACFix.exe"
del /f /q "c:\windows\system32\VACFix.exe"

attrib -h -s -r "c:\windows\system32\VCCLSID.exe"
del /f /q "c:\windows\system32\VCCLSID.exe"

attrib -h -s -r "c:\windows\system32\WS2Fix.exe"
del /f /q "c:\windows\system32\WS2Fix.exe"

attrib -h -s -r "c:\windows\patch.exe"
del /f /q "c:\windows\patch.exe"

attrib -h -s -r "c:\windows\Readme.txt"
del /f /q "c:\windows\Readme.txt"

attrib -h -s -r "c:\windows\system32\apiri32.dll"
del /f /q "c:\windows\system32\apiri32.dll"

attrib -h -s -r "c:\windows\system32\crrh32.exe"
del /f /q "c:\windows\system32\crrh32.exe"

attrib -h -s -r "c:\windows\system32\d3im32.exe"
del /f /q "c:\windows\system32\d3im32.exe"

attrib -h -s -r "c:\windows\system32\deuau.dll"
del /f /q "c:\windows\system32\deuau.dll"

attrib -h -s -r "c:\windows\system32\fsszd.dll"
del /f /q "c:\windows\system32\fsszd.dll"

attrib -h -s -r "c:\windows\system32\iecw.exe"
del /f /q "c:\windows\system32\iecw.exe"

attrib -h -s -r "c:\windows\system32\ievd32.dll"
del /f /q "c:\windows\system32\ievd32.dll"

attrib -h -s -r "c:\windows\system32\iezj.exe"
del /f /q "c:\windows\system32\iezj.exe"

attrib -h -s -r "c:\windows\system32\ipiz.exe"
del /f /q "c:\windows\system32\ipiz.exe"

attrib -h -s -r "c:\windows\system32\javach.exe"
del /f /q "c:\windows\system32\javach.exe"

attrib -h -s -r "c:\windows\system32\jzimv.dll"
del /f /q "c:\windows\system32\jzimv.dll"

attrib -h -s -r "c:\windows\system32\klieq.dll"
del /f /q "c:\windows\system32\klieq.dll"

attrib -h -s -r "c:\windows\system32\mfcib32.exe"
del /f /q "c:\windows\system32\mfcib32.exe"

attrib -h -s -r "c:\windows\system32\nths.dll"
del /f /q "c:\windows\system32\nths.dll"

attrib -h -s -r "c:\windows\system32\ntzy32.exe"
del /f /q "c:\windows\system32\ntzy32.exe"

attrib -h -s -r "c:\windows\system32\sdkhq.exe"
del /f /q "c:\windows\system32\sdkhq.exe"

attrib -h -s -r "c:\windows\system32\sdkqw32.exe"
del /f /q "c:\windows\system32\sdkqw32.exe"

attrib -h -s -r "c:\windows\system32\sdkxu.exe"
del /f /q "c:\windows\system32\sdkxu.exe"

attrib -h -s -r "c:\windows\system32\sysgr.exe"
del /f /q "c:\windows\system32\sysgr.exe"

attrib -h -s -r "c:\windows\system32\windows.scr"
del /f /q "c:\windows\system32\windows.scr"

sc stop WinSvchostManager
sc delete WinSvchostManager

attrib -h -s -r /s "C:\WinSvcHostmanager*.*"
del /f /q /s "C:\WinSvcHostmanager*.*"

sc stop ntndis
sc delete ntndis

attrib -h -s -r /s C:\ntndis.*
del /f /q /s C:\ntndis.*

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r /s "c:\u_lehj32*.*"
del /f /q /s "c:\u_lehj32*.*"

net stop Legacy_SECURITY
attrib -h -s -r /s "c:\Legacy_SECURITY*.*"
del /f /q /s "c:\Legacy_SECURITY*.*"

sc stop Service_SECURITY
sc delete Service_SECURITY

attrib -h -s -r /s "c:\Service_SECURITY*.*"
del /f /q /s "c:\Service_SECURITY*.*"

attrib -h -s -r /s c:\svcprs32.exe
del /f /q /s c:\svcprs32.exe

attrib -h -s -r /s c:\wmdrtc32.dll
del /f /q /s c:\wmdrtc32.dll

attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"

attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
attrib -h -s -r /s c:\ebkp*.*

del /f /q  /s c:\ebkp*.*

:: AV2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finished ripping out Antivirus 2008-9

:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This post is too big for the allowed post size; read the next post to continue!
 
Continued from last post.

This should run and exit!

It is a coverall, and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Now, after the above, run MBAM, remove what is found, and post that log and a new HJT log.

Mike
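The association reset at the top and bottom of the script above is what undoes a hijacked .exe/.scr/.reg handler. As an added, read-only audit (not part of mflynn's Fixit script), this PowerShell snippet reads the same HKCR keys that ftype and assoc write and reports any that differ from the stock values the script sets; it assumes those stock values are the expected ones on the machine being checked.

```powershell
# Added audit example, not from the thread's script: compares the live ftype/assoc
# registry values against the defaults the Fixit script writes. Changes nothing.
$root = 'Registry::HKEY_CLASSES_ROOT'
$sys  = "$env:SystemRoot\System32"
$expectedFtype = @{                        # progid -> shell\open\command default value
    exefile = '"%1" %*';  batfile = '"%1" %*';  cmdfile = '"%1" %*'
    comfile = '"%1" %*';  scrfile = '"%1" /S';  piffile = '"%1" %*'
    regfile = '"regedit.exe" "%1"'
    inffile = "$sys\NOTEPAD.EXE `"%1`""
    vbsfile = "$sys\WScript.exe `"%1`" %*"
    jsfile  = "$sys\WScript.exe `"%1`" %*"
}
$expectedAssoc = @{                        # extension -> progid
    '.exe'='exefile'; '.bat'='batfile'; '.cmd'='cmdfile'; '.com'='comfile'
    '.scr'='scrfile'; '.reg'='regfile'; '.pif'='piffile'; '.lnk'='lnkfile'
    '.inf'='inffile'; '.vbs'='VBSFile'; '.js'='JSFile'
}

function Get-Default([string]$key) {
    # Default (unnamed) value of an HKCR subkey, or $null if the key is missing.
    $p = Get-ItemProperty -LiteralPath "$root\$key" -ErrorAction SilentlyContinue
    if ($p) { $p.'(default)' } else { $null }
}

$findings = @()
foreach ($ext in $expectedAssoc.Keys) {             # what "assoc .ext" would print
    $actual = Get-Default $ext
    if ($actual -ne $expectedAssoc[$ext]) {         # -ne is case-insensitive for strings
        $findings += [pscustomobject]@{ Item=$ext; Expected=$expectedAssoc[$ext]; Actual=$actual }
    }
}
foreach ($type in $expectedFtype.Keys) {            # what "ftype progid" would print
    $actual = Get-Default "$type\shell\open\command"
    if ($actual -ne $expectedFtype[$type]) {
        $findings += [pscustomobject]@{ Item=$type; Expected=$expectedFtype[$type]; Actual=$actual }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'All audited associations match the script defaults.' }
```

A rogue AV that has wrapped exefile shows up here as an Actual command pointing at its own executable instead of "%1" %*, which is exactly what the script's ftype lines overwrite.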
 
OK, so if I'm correct in the instructions, I need to copy and paste into the command prompt, then do another malware scan and click remove after the scan is done?
 
Since it has been greatly enhanced, my script has gotten too big for a copy/paste, so I have put it out to be downloaded.

So go here and download it to the Desktop, then double-click it to run it, then click OK to self-extract.

Once extracted, double-click to enter the Fixer folder. To run it, first double-click Daft, click scan, check any found items and click fix.
Then just double-click Fixit.cmd to run it (no copy/paste).

But boot to Safe Mode and run it there!

Get it here: http://www.adrive.com/public/97c4357781f45c7e443061094b8cfaff3836f57446eb242ab2ee0b6cd68a0107.html

Only after it has been run, the MBAM Quick scan has been run, and you have posted the MBAM log, do the below.

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop, run SDFix. It will run (install) and then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

EDIT:
Run HJT "Scan only", then select and Fix all lines listed below:
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.
And these:
O4 - HKUS\S-1-5-19\..\Run: [kofefasuzi] Rundll32.exe "C:\WINDOWS\system32\fuzoyalu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kofefasuzi] Rundll32.exe "C:\WINDOWS\system32\fuzoyalu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: ifboxw.dll c:\windows\system32\kalulana.dll kqocsm.dll c:\windows\system32\rawomuba.dll

Mike
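The O4 and O20 lines above come from two registry locations: each loaded user hive's Run key (HKU\<SID>\...\Run, where S-1-5-19 is LOCAL SERVICE and S-1-5-20 is NETWORK SERVICE) and the machine-wide AppInit_DLLs value. As an added, read-only example (not HijackThis and not part of the thread), this PowerShell snippet enumerates both locations in HJT-style lines and flags the patterns seen in the thread: rundll32 autoruns and a non-empty AppInit_DLLs list.

```powershell
# Added example, not from the thread: list the registry sources of HJT O4 (per-user Run)
# and O20 (AppInit_DLLs) lines. It only reports; it removes nothing.
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName                      # e.g. S-1-5-19 (LOCAL SERVICE)
    $key = "Registry::HKEY_USERS\$sid\$runSubKey"
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }                 # hive has no Run key (e.g. *_Classes)
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, etc.
        $cmd  = [string]$p.Value
        # rundll32 loading a DLL from system32 is the pattern in the O4 lines above
        $flag = if ($cmd -match '(?i)rundll32') { '   <-- rundll32 autorun, review' } else { '' }
        "O4 - HKUS\$sid\..\Run: [$($p.Name)] $cmd$flag"
    }
}

# AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll
$wn = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -LiteralPath $wn -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { "O20 - AppInit_DLLs: $appInit   <-- non-empty, review each DLL" }
else { 'O20 - AppInit_DLLs: (empty)' }
```

Run it from an elevated prompt so the service-account hives under HKEY_USERS are readable; an empty O20 line and no flagged O4 lines is the state the HJT fix above is meant to produce.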
 
Sorry, I have not been on my computer and I apologize for being away and not getting back to you sooner, since you are helping me fix my computer. Log attached.

Most recent log for MBAM.

Moderator Edit:
SoraNagagino21 did you read the above post?
mflynn asked you for 3 attachments: ComboFix; SDFix; HJT
You supplied MBAM with "No Action Taken" ?

Better you go somewhere else to get help if you are not interested in it here ;)
 
Another Vundo.grb problem

I tried most of those steps, although SuperAntiSpyware [which I attempted to use after successfully using Malwarebytes] gave my computer the blue screen of death twice, so I decided to give up on that.

I don't think I have any file sharing programs running, but if I do, I didn't install them.

I'd appreciate any advice.
 