Another Vundo problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by jdrushton, Oct 8, 2005.

  1. jdrushton

    jdrushton Private E-2

    After trying Symantec's tool to no avail, I came across your forum on a Yahoo search and registered.

I'm in the process of following the steps in the "Read Me First Before Asking for Support: Basic Spyware, Trojan and Virus Removal". I'm down to the step of running the online scan at RavAntiVirus which is in the process of scanning.

    I'll finish up those steps and post when I've run the Hijack This (already downloaded it into the C:\Program Files\HJT folder) and am ready for further instructions.

    Thanks,
    JR
     
  2. jdrushton

    jdrushton Private E-2

    I did want to mention that the Bitdefender got down to the C:\WINDOWS\_MSRSTRT.EXE file and then would not scan any more files. The file counter stayed where it was for about 20 minutes (the timer was still going) - so I stopped that scan (the window would not close on its own so I had to kill it via Task Manager) and continued on with the RavAntiVirus scan.

    JR
     
  3. jdrushton

    jdrushton Private E-2

    Rav AntiVirus came back clean - surprised he didn't detect the Trojan.vundo :confused:

    Running the McAfee AVERT Stinger now.

    BTW, had problems getting updates on Spybot - bad checksum errors (I tried other update sites as suggested in another thread).

    JR
     
  4. jdrushton

    jdrushton Private E-2

    Wanted to edit the previous post but couldn't find any edit button.

    Stinger ran clean. Going to get off the Internet on this laptop - which is the "family" one - but am staying on my work PC (which is also hooked up through my router). Getting set to clean the hard drive with CCleaner and run Ad-Aware and Spybot and then will reboot into Normal Mode and run Hijack This.

    JR
     
  5. jdrushton

    jdrushton Private E-2

    I figured out what I was doing wrong - I was doing the search for updates after selecting the alternate site - which was resetting the site that I was downloading it from.

    Running Spybot now on the infected PC. Then I am going to run the CCleaner on the other user accounts.

    JR
     
  6. jdrushton

    jdrushton Private E-2

    Ok...all of the steps in the READ ME were performed - including the Hijack This (log is attached - I saved it as another name so I could distinguish logs in my folder).

    Norton AntiVirus still showing c:\windows\system32\byvut.dll as being infected with Trojan.Vundo.

    I've got to run out for awhile to take care of some stuff before my daughter's homecoming dance tonight. I will check back later.

    I would appreciate any tips in cleaning up the config and startup too. Things boot really slow (I had been using a selective startup with MSCONFIG which was turned off before running Hijack This).

    JR
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have more than just a Vundo problem.

    First try following the below to remove SurfSideKick:

    SurfSideKick Removal

    Then continue with the below.

    Look in Add/Remove programs for WildTangent and uninstall if found.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    CWShredder Service

    Now exit HJT and do not reboot if it asks you to do so. We will reboot later in my next message.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just in case the WildTangent and SurfSideKick steps do not work, I'm leaving them in the below. If not found, just ignore those lines.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebax.dll (file missing)
    O2 - BHO: (no name) - {1500621E-004E-000C-701E-1863589C7700} - (no file)
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\byvut.dll
    O2 - BHO: (no name) - {7011F2BE-A453-8C3C-C45A-DAC630FF7E82} - (no file)
    O2 - BHO: (no name) - {70778446-293D-1560-231E-54FCC875D2AA} - (no file)
    O2 - BHO: (no name) - {70DDEEBE-009E-1C60-465A-46F3A89F2A3C} - (no file)
    O2 - BHO: (no name) - {8C11AA69-0082-4D90-5B3C-5809800C7E32} - (no file)
    O2 - BHO: (no name) - {CB993E2D-A4B4-D278-00C3-9EBDE096FC82} - C:\WINDOWS\System32\cdmweb\qtrbvckupq.dll
    O2 - BHO: (no name) - {EEDDAED7-CDAA-0760-FC87-E26360EA54D2} - (no file)
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [ms-update] scvhost.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: byvut - C:\WINDOWS\system32\byvut.dll
    O20 - Winlogon Notify: gebax - gebax.dll (file missing)


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\cdmweb <--- the whole folder
    C:\WINDOWS\wt <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\WINDOWS\system32\gebax.dll
    C:\WINDOWS\system32\byvut.dll
    C:\WINDOWS\system32\scvhost.exe <--- be careful. Only delete scvhost.exe not svchost.exe (notice the order of the letters 'cv')

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    The vundo infection will probably come back. We will fix that next after the above are fixed.
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Removed Chaslang Posted first
     
    Last edited: Oct 8, 2005
  10. jdrushton

    jdrushton Private E-2

    I figured as much. The infected PC is my kids' (14 & 18) PC and they are a lot less careful than I am. BTW, I am writing this up as I go from my work PC (which is not infected). That way, I can comment step-by-step.

    Done - there were no repairs*.dll files. I'm just going to post a final log at the end instead of the log after this step.

    Done...the Updater uninstalled, but nothing happened with the Web Driver when I clicked on the Change/Remove button. I rebooted after the uninstall as per the prompt.

    Done.

    System restore has been disabled since I tried Symantec's Vundo removal tool. Viewing of hidden files is enabled.

    Neither of these processes were found - so I guess that the uninstall took care of it.

    Done - however, this line - O2 - BHO: (no name) - {CB993E2D-A4B4-D278-00C3-9EBDE096FC82} - C:\WINDOWS\System32\cdmweb\qtrbvckupq.dll
    had a key of 77885046-52D7-31B4-F51E-960960542382

    The Surf Sidekick and WT guys weren't there.

    The gebax.dll stuff (which is a previously Vundo infected file) is no longer there after doing the fix - however, the byvut.dll entries are still there.

    See my comments above. I didn't touch byvut.dll with the Unlocker. I figured I would wait for your go-ahead.

    Done. I'm going to boot that PC in Normal Mode and run Hijack This again.

    I'll post the next note and the log from that PC.

    Thanks for all of the help so far.
    JR
     
  11. jdrushton

    jdrushton Private E-2

    Well, it is still fairly slow at startup. I'm trying to take care of some of the startup stuff by the preferences options in the right-click menu in order to get some of this stuff (Kodak, AOL IM, etc) not to load at System Startup.

    I'm still getting the Trojan.Vundo message on the byvut.dll in \windows\system32 - I was unable to delete it above.

    I'm ready to tackle that next - here's the latest HJT log...

    JR
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Please print these instructions out for use in Safe Mode with no networking and DO NOT RUN any browsers while doing these steps.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\byvut.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\tuvyb.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\byvut.dll
    O20 - Winlogon Notify: byvut - C:\WINDOWS\system32\byvut.dll

    • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    • Now please attach a new HJT log from normal mode. And tell me how things are working.
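The HijackThis fix lists in posts 8 and 12 above are the raw material for a triage check: entries whose target is gone, a startup entry whose file name is a near-copy of a Windows name (scvhost.exe vs svchost.exe), and the reversed-stem companion file (byvut.dll / tuvyb.*) that the VundoFix step asks for. The script below is an added example, not part of this thread or of HijackThis; it parses O2/O4/O20 lines of the format shown above, using a constructed sample built from the thread's own lines, and reports those three conditions.

```python
import re

# Constructed sample input: lines of the kind quoted in the two HijackThis
# fix lists in this thread (CLSIDs and paths are the thread's own).
SAMPLE_HJT = """\
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\\WINDOWS\\system32\\gebax.dll (file missing)
O2 - BHO: (no name) - {1500621E-004E-000C-701E-1863589C7700} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\\WINDOWS\\system32\\byvut.dll
O4 - HKLM\\..\\Run: [ms-update] scvhost.exe
O20 - Winlogon Notify: byvut - C:\\WINDOWS\\system32\\byvut.dll
O20 - Winlogon Notify: gebax - gebax.dll (file missing)
"""

# One regex per HijackThis section handled here (O2 = BHO, O4 = Run key, O20 = Winlogon Notify)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

def parse_line(line):
    """Return a dict for an O2/O4/O20 line, or None for any other section."""
    for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            d["section"] = section
            target = d.pop("target")
            # HJT marks a dangling registry reference with "(no file)" or "(file missing)"
            d["orphan"] = target == "(no file)" or target.endswith("(file missing)")
            d["path"] = "" if target == "(no file)" else target.replace(" (file missing)", "")
            return d
    return None

def basename(win_path):
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_svchost_lookalike(name):
    """Same letters as svchost.exe but a different spelling (e.g. scvhost.exe)."""
    return name != "svchost.exe" and sorted(name) == sorted("svchost.exe")

def reversed_companion(dll_name):
    """The thread's VundoFix step pairs byvut.dll with tuvyb.*: the reversed stem."""
    return dll_name.rsplit(".", 1)[0][::-1] + ".*"

def audit(text):
    """Return (section, finding, line) tuples for the conditions described above."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if e["orphan"]:
            findings.append((e["section"], "stale entry, target missing", line))
        name = basename(e["path"])
        if e["section"] == "O4" and is_svchost_lookalike(name):
            findings.append(("O4", "svchost.exe lookalike: " + name, line))
        if e["section"] == "O20" and not e["orphan"]:
            findings.append(("O20", "also check " + reversed_companion(name), line))
    return findings
```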
     
  13. jdrushton

    jdrushton Private E-2



    • I had a little scare there because Norton Internet Security popped up with an alert about a script that was trying to run. But I clicked to allow it to run and then things continued as described by you below...



    • Fixes made and the other PC is booting up right now.

    As soon as it finishes booting up, I will run HJT from that PC and attach a log.

    The bootup seems to be going a lot quicker.

    JR
     
  14. jdrushton

    jdrushton Private E-2

    Chaslang,

    Thanks :D!!!!!

    Things are looking mighty fine now. No NAV pop-up telling me about Trojan.Vundo!!!

    I brought up Process Explorer and the CPU is way down. Most of the time is being spent in System Idle Process as it should be - not Winlogon.exe like it was when that Trojan was on this PC.

    The bootup went a lot quicker and the PC is definitely responding like it should - not like it has been.

    Here's the (hopefully) final HJT log.

    Thanks again for your help - you are the best!

    JR
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

