
Thread: Trojan Vundo byXRkhFV.dll that McAfee can't clean, delete, quarantine

  1. #1
    Join Date
    Oct 2006
    Posts
    3

    Trojan Vundo byXRkhFV.dll that McAfee can't clean, delete, quarantine

    Good afternoon,

    None of the internet searches I have done are showing up anything on the below. I should let you know my occupation is in the computer arena. I am a Middleware Administrator and have installed IBM MQ software & MSMQ on Windows boxes, so I do have some comfort level playing around on the operating system.

    Thursday night, April 24th, our McAfee popped up that it had found a Trojan named Vundo, byXRkhFV.dll, that it could not clean. I checked clean, delete, and quarantine and none of the actions were successful. If I say cancel, the McAfee box pops right back up.

    In MSCONFIG the following are showing in my startup now. I have disabled them but that is not working.

    rundll.exe "c:\windows\system32\caslrqyd.dll",b
    rundll.exe "c:\windows\system32\fvhgciyp.dll",s

    In Windows Defender Software running tab the following shows up. When I disable this or try to remove it, it keeps coming right back. There is a line:

    Microsoft run dll as an app with "c:\windows\system32\fvhgciyp.dll"

    Windows Defender pops up that it has detected changes in the run key, I say deny, it says deny successful and then the pop up that it has detected changes comes up again.

    I ran McAfee in regular startup, and it says 0 files found, even though that Trojan found popup appears. Then I rebooted in diagnostic mode, unhooking the internet cable, and ran McAfee. It is still not finding anything.

    An Error Repair Tool installed itself on the computer. I have supposedly successfully removed that program from add remove programs.

    In HKLM\software\microsoft\windows\currentVersion\run are the following keys. In diagnostic mode these keys are now under MSConfig startupreg.

    BM73c6c058 - command = rundll.exe "c:\windows\system32\fvhgciyp.dll",s
    70f5e3c4 - command = rundll.exe "c:\windows\system32\caslrqyd.dll",b

    In Windows\System32\ the following files were created on Thursday 4/24,
    pmnmjgeb.dll ***
    ytulhjjx.dll
    hodgekbh.ini ***
    clkcnt.tmp
    xdyxmaqy.dll
    begjmnmp.ini
    begjmnmp.ini2

    Files created in System32 on 4/25:
    caslrqyd.dll
    fvhgciyp.dll
    mrch.tmp

    The ones with the *** after them are files that are in use even in diagnostic mode. It does not let me rename them with a bad_ in front.

    So,
    ? Should I leave the ones I renamed to bad_* alone and restart, or rename them back to normal and do something else?
    ? Should I delete the BM73c6d058 & 70f5e3c4 keys in MSConfig/startupreg?

    My computer is still disconnected from the internet and in diagnostic mode. I am on another one, a laptop in the same room. Sorry if this is a long thread entry. Just wanted you to have all the details that I see.

    Thanks for your assistance!!!!

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You will need to reconnect the infected computer to the internet and then run the steps noted HERE. Allow each program to FIX/Quarantine/or delete whatever is found. Save ALL the logs as noted. Then of course run an HJT scan and post that log here.
    Do NOT do any file renaming or anything like that for now and also don't stop anything using msconfig, we need to see exactly what is starting and running. Do all those steps and then post back here with all the requested logs and we can better know how to proceed.
    Judy

  3. #3
    Join Date
    Oct 2006
    Posts
    3
    Sorry, I was operating on an older version of your Do Before Posting list, and none of that stuff was helping. The MalwareBytes that you have in this newest version was able to clean the Trojan Vundo from my computer. Pretty AWESOME.

    I was not able to run the Malicious Software Removal Tool before, as it would give Buffer Overrun errors and crash IE. After Malwarebytes initiated a reboot and cleaned the Trojan Vundo, I could then run MSRT successfully. It did not find anything.

    I did run Windows Live OneCare when the MSRT was not working. It found 2 severe issues and could only clean one. It also could not clean the Trojan Vundo. It did not let me save a log, but I typed out what I could, in case you want to see this.

    Trojan:Win32/Vundo.gen!D
    pid: 3428
    several hklm registry keys.
    c:\windows\system32\ytulhjjx.dll unable to clean
    c:\windows\system32\pmnmjgeb.dll unable to clean
    c:\documents and settings\joy\local settings unable to clean
    \temporary internet files\content.ie5
    \tf6pzcu6\css4[1]

    TrojanDownloader:Win32/Matcash.E
    c:\windows\mrofinu572.exe deleted
    (upx)

    Attached are the files you requested. The HJT Analyzer log shows some Trusted Zone entries that do not look familiar to me.

    Thanks for your assistance.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Your logs look pretty good. Couple fixes need to be done with HJT. Let's do that first, especially those Trusted sites...believe me they are not.
    First though, do you know what this program is? ErrorRepairTool
    I can find no info for it whatsoever, so you need to uninstall it.
    Now it is NOT showing in your Uninstall list, so you will need to do this manually.

    Go to C:\Program Files\ErrorRepairTool\ and delete that folder noted in RED
    Delete it all the way out...empty your recycle bin once you have deleted it.

    Next, run HJT again and put checkmarks next to the following entries, if they are still showing:

    O4 - HKLM\..\Run: [ErrorRepairTool] C:\Program Files\ErrorRepairTool\ErrorRepairTool.exe

    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)

    O20 - Winlogon Notify: byXRkhFV - byXRkhFV.dll (file missing)
    Once you have placed those checkmarks then click the Fix Checked button.
    Exit HJT, reboot the computer.
    Then go to SunJava
    Download the latest version of java (yours is way out of date) Choose the Offline install and save it to your desktop.
    Once you have done this go to Add/Remove and uninstall all previous versions of java that you find there. Once these are uninstalled then click that Java install on your desktop and install the new version. Once the install is completed then go here to verify the install was complete.
    Once that is verified then run a new HJT scan and post back here with that new log.
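The three HJT line types in the fix list above (O4 Run entries, O15 Trusted Zone entries, O20 Winlogon Notify entries) each correspond to a registry location that can be audited directly. The following PowerShell script is an added example, not from the thread and not part of HijackThis; it reads those locations on the local machine and reports, without changing anything, Run entries that launch a DLL through rundll from System32, Winlogon Notify DLLs whose file does not exist, and Trusted Sites (zone 2) domains that are not on an allow list. The `$knownTrusted` list is an assumption you fill in with domains you intentionally trusted; run it from an elevated prompt.

```powershell
# Added example (not from the thread): read-only audit of the registry keys behind
# the HJT O4 (Run), O20 (Winlogon Notify) and O15 (Trusted Zone) entries.
# Assumption: $knownTrusted holds domains you deliberately put in Trusted Sites.
$knownTrusted = @()

$report = New-Object System.Collections.Generic.List[object]
$ignore = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Add-Finding($type, $name, $value, $flag) {
    # $report is a reference type, so Add() from inside the function mutates it
    $report.Add([pscustomobject]@{ Type = $type; Name = $name; Value = $value; Flag = $flag })
}

# O4: per-machine and per-user Run keys. The thread's entries ran a DLL from
# System32 via rundll, so that pattern is flagged for manual review.
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($ignore -contains $p.Name) { continue }
        $flag = if ("$($p.Value)" -match '(?i)rundll32?\.exe.*\\system32\\') { 'rundll-launched DLL, verify' } else { '' }
        Add-Finding 'O4 Run' "$key\$($p.Name)" $p.Value $flag
    }
}

# O20: Winlogon Notify packages. Each subkey names a DLL in its DLLName value;
# a bare name resolves relative to System32. HJT prints "(file missing)" when
# the file no longer exists, which is what this check reproduces.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if ([string]::IsNullOrEmpty($dll)) { $path = $null }
        elseif ([System.IO.Path]::IsPathRooted($dll)) { $path = [Environment]::ExpandEnvironmentVariables($dll) }
        else { $path = Join-Path "$env:SystemRoot\System32" $dll }
        $flag = if (-not $path -or -not (Test-Path -LiteralPath $path)) { 'file missing' } else { '' }
        Add-Finding 'O20 Winlogon Notify' $sub.PSChildName $dll $flag
    }
}

# O15: Internet Explorer zone map. Under ZoneMap\Domains each domain (and
# optional host subkey) carries values named after a scheme or "*"; a DWORD of
# 2 places it in Trusted Sites, which is what the O15 lines in HJT report.
foreach ($root in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains')) {
    if (-not (Test-Path $root)) { continue }
    foreach ($k in Get-ChildItem -Path $root -Recurse) {
        # key path below "Domains\" is "domain" or "domain\host"
        $domain = $k.Name.Substring($k.Name.IndexOf('Domains\') + 8)
        $base = ($domain -split '\\')[0]
        foreach ($p in (Get-ItemProperty -Path $k.PSPath).PSObject.Properties) {
            if ($ignore -contains $p.Name) { continue }
            if ($p.Value -ne 2) { continue }   # only Trusted Sites entries
            $flag = if ($knownTrusted -contains $base) { '' } else { 'trusted zone, not in allow list' }
            $scope = if ($root -like 'HKLM:*') { ' (HKLM)' } else { '' }
            Add-Finding 'O15 Trusted Zone' "$domain$scope" "$($p.Name) = $($p.Value)" $flag
        }
    }
}

$report | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

Only rows with a non-empty Flag need attention; a Trusted Sites domain you do not recognise is the same finding the fix list above addresses, and removing such entries is done through Internet Options or the HJT fix, not by this script.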

  5. #5
    Join Date
    Oct 2006
    Posts
    3
    ErrorRepairTool showed up on its own when the trojan was infecting our computer. As I mentioned in my first post, I already did a remove via Add/Remove Programs. It did remove the C:\Program Files\ErrorRepairTool directory but it did not uninstall completely from the registry. I ended up doing a search through the registry and removed any other Keys it created. <not for the average user to do, I know>

    Recycle Bin was already cleaned by the ATF Cleaner.

    I did the other steps and have attached a new HJT analyzer log.

    Thanks!

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Sorry it has taken so long to get back with you. This new log looks good. Are you still having problems? You do have some extra start ups which really aren't required for the programs to run correctly and will run manually if needed:
    Sonic Update Manager
    Quicktime Task
    iTunes Helper
    HP Software Update
    Adobe Reader Speed Launcher
    Sun Java Auto update
    Messenger
    Microsoft Money Agent
    I would never recommend using msconfig as a standard way to disable start ups. This really is considered a troubleshooting tool.
    I recommend CodeStuff Starter or Mike Lin's Start Up Control Panel as simple ways to disable auto starts.
