Vundo

John

I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
detects it but can't remove it. I've used Vundo removal tools from a few
sites. None can remove it. I've also done manual removal by deleting files
and registry entries. That does not work either (and yes I always boot into
safe mode).

Here's a list of things that I have done (Note: I do all my virus removal
work in Safe Mode. Never in normal mode):

- Boot into Safe Mode.

- Use VundoFix from atribune.org to scan and clean Vundo. It detects and
deletes a few files. Some malicious DLLs (for example GEBXVTT.DLL in
C:\Windows\System32) cannot be deleted (in use by another program).

- Restart the system and use NTFS4DOS from free-av.com to (clean) boot into
command prompt with NTFS support to remove malicious DLL files created by
the trojan. Delete all infected files that VundoFix fails to delete in safe
mode. All bad files are successfully deleted.

- Restart the system into Safe Mode. Malicious files get recreated. They're
back in place.

- Use regedit in Safe Mode. Delete registry keys that should be there (I
know they're created by trojan). Key gets recreated in a split second as
soon as I delete it. This is why I know the trojan is alive in safe mode.

- Remove the (infected) HD and install the HD in a clean PC as secondary
master. Then boot the PC (primary master - clean OS with Antivir virus
software installed). The system detects a new HD but does not assign a drive
letter. This means I can't access the data in the HD. Windows Disk
Management shows the new HD but does not 'mount' it or assign a drive
letter.

I've run out of ideas. My last resort would be to reformat the HD and reinstall the OS,
but I don't want to lose the data. If I back it up, I'm afraid the trojan
will reinfect the PC when the data is restored.

Does anyone have any ideas? Thanks.
 
John

CORRECTION:
> - Use regedit in Safe Mode. Delete registry keys that should be there (I
> know they're created by trojan).


Delete registry keys that should NOT be there (I know... )


"John" <a> wrote in message news:uqYli6hWIHA.1208@TK2MSFTNGP03.phx.gbl...
>I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
>detects it but can't remove it. I've used Vundo removal tools from a few
>sites. None can remove it. I've also done manual removal by deleting files
>and registry entries. That does not work either (and yes I always boot into
>safe mode).
>
> Here's a list of things that I have done (Note: I do all my virus removal
> work in Safe Mode. Never in normal mode):
>
> - Boot into Safe Mode.
>
> - Use VundoFix from atribune.org to scan and clean Vundo. It detects and
> deletes a few files. Some malicious DLLS (for example GEBXVTT.DLL in
> C:\Windows\System32) can not be deleted (in use by other program).
>
> - Restart the system and use NTFS4DOS from free-av.com to (clean) boot
> into command prompt with NTFS support to remove malicious DLL files
> created by the trojan. Delete all infected files that VundoFix fails to
> delete in safe mode. All bad files are successfully deleted.
>
> - Restart the system into Safe Mode. Malicious files gets recreated.
> They're back in place.
>
> - Use regedit in Safe Mode. Delete registry keys that should be there (I
> know they're created by trojan). Key gets recreated in a split second as
> soon as I delete it. This is why I know the trojan is alive in safe mode.
>
> - Remove the (infected) HD and install the HD in a clean PC as secondary
> master. Then boot the PC (primary master - clean OS with Antivir virus
> software installed). The system detects a new HD but does not assign a
> drive letter. This means I can't access the data in the HD. Windows Disk
> Management shows the new HD but does not 'mount' it or assign a drive
> letter.
>
> I run out of ideas. My last resort would be reformat HD and reinstall the
> OS but I don't want to lose the data. If I back it up, I'm afraid the
> trojan will reinfect the PC when data is restored.
>
> Anyone has any ideas? Thanks.
>
 
Malke

John wrote:
> I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
> detects it but can't remove it. I've used Vundo removal tools from a few
> sites. None can remove it. I've also done manual removal by deleting files
> and registry entries. That does not work either (and yes I always boot into
> safe mode).
>
> Here's a list of things that I have done (Note: I do all my virus removal
> work in Safe Mode. Never in normal mode):
>
> - Boot into Safe Mode.
>
> - Use VundoFix from atribune.org to scan and clean Vundo. It detects and
> deletes a few files. Some malicious DLLS (for example GEBXVTT.DLL in
> C:\Windows\System32) can not be deleted (in use by other program).
>
> - Restart the system and use NTFS4DOS from free-av.com to (clean) boot into
> command prompt with NTFS support to remove malicious DLL files created by
> the trojan. Delete all infected files that VundoFix fails to delete in safe
> mode. All bad files are successfully deleted.
>
> - Restart the system into Safe Mode. Malicious files gets recreated. They're
> back in place.
>
> - Use regedit in Safe Mode. Delete registry keys that should be there (I
> know they're created by trojan). Key gets recreated in a split second as
> soon as I delete it. This is why I know the trojan is alive in safe mode.
>
> - Remove the (infected) HD and install the HD in a clean PC as secondary
> master. Then boot the PC (primary master - clean OS with Antivir virus
> software installed). The system detects a new HD but does not assign a drive
> letter. This means I can't access the data in the HD. Windows Disk
> Management shows the new HD but does not 'mount' it or assign a drive
> letter.
>
> I run out of ideas. My last resort would be reformat HD and reinstall the OS
> but I don't want to lose the data. If I back it up, I'm afraid the trojan
> will reinfect the PC when data is restored.


When all else fails, run HijackThis and post your log in one of the
specialty forums listed below (not here, please).

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Volodymyr Shcherbyna

Simple deletion of files is not enough. This crap uses interesting
techniques of injection into the system. Usually, it registers itself as a
shell add-on, which becomes active when you open My Computer, or any folder.
So I'd suggest you download Autoruns from sysinternals.com, and check all
add-ons for the shell.

--
V
"John" <a> wrote in message news:uqYli6hWIHA.1208@TK2MSFTNGP03.phx.gbl...
>I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
>detects it but can't remove it. I've used Vundo removal tools from a few
>sites. None can remove it. I've also done manual removal by deleting files
>and registry entries. That does not work either (and yes I always boot into
>safe mode).
>
> Here's a list of things that I have done (Note: I do all my virus removal
> work in Safe Mode. Never in normal mode):
>
> - Boot into Safe Mode.
>
> - Use VundoFix from atribune.org to scan and clean Vundo. It detects and
> deletes a few files. Some malicious DLLS (for example GEBXVTT.DLL in
> C:\Windows\System32) can not be deleted (in use by other program).
>
> - Restart the system and use NTFS4DOS from free-av.com to (clean) boot
> into command prompt with NTFS support to remove malicious DLL files
> created by the trojan. Delete all infected files that VundoFix fails to
> delete in safe mode. All bad files are successfully deleted.
>
> - Restart the system into Safe Mode. Malicious files gets recreated.
> They're back in place.
>
> - Use regedit in Safe Mode. Delete registry keys that should be there (I
> know they're created by trojan). Key gets recreated in a split second as
> soon as I delete it. This is why I know the trojan is alive in safe mode.
>
> - Remove the (infected) HD and install the HD in a clean PC as secondary
> master. Then boot the PC (primary master - clean OS with Antivir virus
> software installed). The system detects a new HD but does not assign a
> drive letter. This means I can't access the data in the HD. Windows Disk
> Management shows the new HD but does not 'mount' it or assign a drive
> letter.
>
> I run out of ideas. My last resort would be reformat HD and reinstall the
> OS but I don't want to lose the data. If I back it up, I'm afraid the
> trojan will reinfect the PC when data is restored.
>
> Anyone has any ideas? Thanks.
>
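As an added illustration of the shell add-on check Volodymyr describes (my own script, not code from the thread or from Sysinternals): it walks the Explorer and Winlogon load points that Autoruns lists, resolves each entry to its DLL, and reports the DLL's Authenticode status. Assumed: an elevated PowerShell 2.0 or later prompt on the affected machine; the registry paths are the standard Windows locations; the "Review" flag (anything not Valid-signed, or pointing at a missing file) is my triage heuristic, and on older Windows and PowerShell versions many genuine Microsoft DLLs are catalog-signed rather than embedded-signed, so NotSigned there means "inspect", not "malicious".

```powershell
# Added example, not from the thread or from Sysinternals: enumerate the Explorer and
# Winlogon load points Autoruns lists, resolve each entry to its DLL and report the DLL's
# Authenticode status. Assumptions: elevated PowerShell 2.0 or later; the registry paths
# are the standard Windows locations; "Review" (anything not Valid-signed) is a triage
# heuristic of mine, not a verdict.

$ClsidPattern = '^\{[0-9A-Fa-f-]{36}\}$'
$System32     = Join-Path $env:windir 'system32'

function Resolve-ClsidDll {
    # Map a COM CLSID to the DLL registered as its in-process server.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
    return $null
}

function Resolve-BareDll {
    # Winlogon Notify and AppInit entries may be bare file names loaded from System32.
    param([string]$Name)
    $n = [Environment]::ExpandEnvironmentVariables($Name.Trim())
    if ([IO.Path]::IsPathRooted($n)) { return $n }
    return (Join-Path $System32 $n)
}

function New-Finding {
    param([string]$LoadPoint, [string]$Entry, [string]$Dll)
    $status = 'NO-DLL-PATH'
    if ($Dll) {
        if (Test-Path -LiteralPath $Dll) {
            $status = (Get-AuthenticodeSignature -FilePath $Dll).Status.ToString()
        } else {
            $status = 'FILE-MISSING'
        }
    }
    New-Object PSObject -Property @{
        LoadPoint = $LoadPoint; Entry = $Entry; Dll = $Dll
        Signature = $status;    Review = ($status -ne 'Valid')
    }
}

function Get-ShellLoadPoints {
    $out = @()
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # 1. Keys whose subkeys are CLSIDs (the Autoruns "Explorer" tab).
    foreach ($sub in 'Explorer\Browser Helper Objects', 'Explorer\ShellExecuteHooks') {
        $key = Join-Path $cv $sub
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($k in @(Get-ChildItem -LiteralPath $key)) {
            if ($k.PSChildName -match $ClsidPattern) {
                $out += New-Finding $sub $k.PSChildName (Resolve-ClsidDll $k.PSChildName)
            }
        }
    }
    # 2. ShellServiceObjectDelayLoad holds name = CLSID values rather than subkeys.
    $ssodl = Join-Path $cv 'ShellServiceObjectDelayLoad'
    if (Test-Path -LiteralPath $ssodl) {
        foreach ($p in (Get-ItemProperty -LiteralPath $ssodl).PSObject.Properties) {
            if (($p.Value -is [string]) -and ($p.Value -match $ClsidPattern)) {
                $out += New-Finding 'ShellServiceObjectDelayLoad' $p.Name (Resolve-ClsidDll $p.Value)
            }
        }
    }
    # 3. Winlogon\Notify: each subkey names its DLL in a DLLName value.
    $notify = Join-Path $nt 'Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($k in @(Get-ChildItem -LiteralPath $notify)) {
            $dll = (Get-ItemProperty -LiteralPath $k.PSPath).DLLName
            if ($dll) { $out += New-Finding 'Winlogon\Notify' $k.PSChildName (Resolve-BareDll $dll) }
        }
    }
    # 4. AppInit_DLLs: a space- or comma-separated list mapped into every user32 process.
    $appinit = (Get-ItemProperty -LiteralPath (Join-Path $nt 'Windows')).AppInit_DLLs
    if ($appinit) {
        foreach ($d in @($appinit -split '[ ,;]+' | Where-Object { $_ })) {
            $out += New-Finding 'AppInit_DLLs' $d (Resolve-BareDll $d)
        }
    }
    return $out
}

# Unsigned or missing entries first; compare the list against a known-clean machine of the same build.
Get-ShellLoadPoints | Sort-Object Review -Descending |
    Format-Table LoadPoint, Entry, Signature, Dll -AutoSize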
 
David H. Lipman

From: "John" <a>

| I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
| detects it but can't remove it. I've used Vundo removal tools from a few
| sites. None can remove it. I've also done manual removal by deleting files
| and registry entries. That does not work either (and yes I always boot into
| safe mode).
|

< snip >

Please follow Malke's advice !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
John

That is what I thought too. This crapware hooks itself to system files to
make sure it's loaded on every system startup, no matter what mode we get
into. What's interesting is the fact that the HD is not accessible when
installed on a clean system. I've also tried using BartPE boot CD. I can't
see the drive either. I'm thinking perhaps the trojan might have changed HD
partition tables???

Does Autoruns require installation? Does it run in Safe Mode without
installation? I try to avoid getting into normal mode. Why? Because the
system takes a few minutes to respond to a single mouse click. It has become
almost unusable. Forget about installing/removing software. It might take
hours to install a single piece of software.


"Volodymyr Shcherbyna" <v_scherbina@online.mvps.org> wrote in message
news:uhNlRPiWIHA.2000@TK2MSFTNGP05.phx.gbl...
> Simple deletion of files is not enought. This crap uses interesting
> techniques of injection into system. Usually, it registers itself as a
> shell-addon, which becomes active when you open my computer, or any
> folder. So I'd suggest you to download autoruns from sysinternals.com, and
> check all add-ons for shell.
>
> --
> V
> "John" <a> wrote in message news:uqYli6hWIHA.1208@TK2MSFTNGP03.phx.gbl...
>>I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
>>detects it but can't remove it. I've used Vundo removal tools from a few
>>sites. None can remove it. I've also done manual removal by deleting files
>>and registry entries. That does not work either (and yes I always boot
>>into safe mode).
>>
>> Here's a list of things that I have done (Note: I do all my virus removal
>> work in Safe Mode. Never in normal mode):
>>
>> - Boot into Safe Mode.
>>
>> - Use VundoFix from atribune.org to scan and clean Vundo. It detects and
>> deletes a few files. Some malicious DLLS (for example GEBXVTT.DLL in
>> C:\Windows\System32) can not be deleted (in use by other program).
>>
>> - Restart the system and use NTFS4DOS from free-av.com to (clean) boot
>> into command prompt with NTFS support to remove malicious DLL files
>> created by the trojan. Delete all infected files that VundoFix fails to
>> delete in safe mode. All bad files are successfully deleted.
>>
>> - Restart the system into Safe Mode. Malicious files gets recreated.
>> They're back in place.
>>
>> - Use regedit in Safe Mode. Delete registry keys that should be there (I
>> know they're created by trojan). Key gets recreated in a split second as
>> soon as I delete it. This is why I know the trojan is alive in safe mode.
>>
>> - Remove the (infected) HD and install the HD in a clean PC as secondary
>> master. Then boot the PC (primary master - clean OS with Antivir virus
>> software installed). The system detects a new HD but does not assign a
>> drive letter. This means I can't access the data in the HD. Windows Disk
>> Management shows the new HD but does not 'mount' it or assign a drive
>> letter.
>>
>> I run out of ideas. My last resort would be reformat HD and reinstall the
>> OS but I don't want to lose the data. If I back it up, I'm afraid the
>> trojan will reinfect the PC when data is restored.
>>
>> Anyone has any ideas? Thanks.
>>

>
>
 
John

"Malke" <notreally@invalid.invalid> wrote in message
news:uhHf9EiWIHA.3364@TK2MSFTNGP03.phx.gbl...
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed below (not here, please).
>


Malke, thanks for your reply. My biggest question is if the trojan survives
all kind of Windows boot selections (normal, safe etc), how can any software
remove it? I use HijackThis to remove all BHO related registry entries.
They're recreated right away.

I think an easy solution for this is to clean boot using a (CD/floppy) boot
disk or a different system. Then use AV software or manual removal of
registry entries. Problem is I can't access the data if I boot the system
with a different boot disk/system. This is really a PITA but an interesting thing
to encounter.
 
David H. Lipman

From: "John" <a>


| Malke, thanks for your reply. My biggest question is if the trojan survives
| all kind of Windows boot selections (normal, safe etc), how can any software
| remove it? I use HijackThis to remove all BHO related registry entries.
| They're recreated right away.
|
| I think an easy solution for this is to clean boot using a (CD/floppy) boot
| disk or a different system. Then use AV software or manual removal of
| registry entries. Problem is I can't access the data if I boot the system
| with different boot disk/system. This is really a PITA but interesting thing
| to encounter.
|

By killing the parent process that loads the malicious file, you can remove the malicious
file because the malicious process will no longer have its respective file handle held open
or by no longer allowing the malicious process to "protect" itself.

Have you tried the Recovery Console to delete or rename malicious DLL files related to the
Vundo?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
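To make David's point concrete (an added example of mine, not code from the thread or from Sysinternals): the script below lists every running process that has a given DLL mapped, which is exactly why "rename/delete within Windows" reports the file as in use, shows each holder's parent process, and optionally ends the holders that are safe to end before re-testing the lock. Assumed: an elevated PowerShell 2.0 or later prompt; Get-WmiObject is available for the parent PID; the module name is a parameter, and GEBXVTT.DLL from the thread appears only in the usage line as a placeholder.

```powershell
# Added example, not from the thread or from Sysinternals: list the running processes that
# have a given DLL mapped (the reason "rename/delete within Windows" fails), show each
# holder's parent process, and optionally end the holders that are safe to end.
# Assumptions: elevated PowerShell 2.0 or later; Get-WmiObject available for the parent
# PID; the module name is a parameter (GEBXVTT.DLL from the thread is only the usage line).

# Ending these crashes or reboots Windows; a DLL that lives only inside them needs an
# offline boot (as tried in the thread), not a process kill.
$CriticalProcesses = 'System', 'smss', 'csrss', 'wininit', 'winlogon', 'services', 'lsass'

function Get-ModuleHolders {
    param([Parameter(Mandatory = $true)][string]$ModuleName)
    $holders = @()
    foreach ($proc in Get-Process) {
        # .Modules throws for processes we cannot open (protected, other bitness, exited).
        try { $mods = @($proc.Modules) } catch { continue }
        foreach ($m in $mods) {
            if ($m.ModuleName -ine $ModuleName) { continue }
            $wmi = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.Id)"
            $parentId = $null; $parentName = $null
            if ($wmi) {
                $parentId = $wmi.ParentProcessId
                $parent = Get-Process -Id $parentId -ErrorAction SilentlyContinue
                if ($parent) { $parentName = $parent.ProcessName }
            }
            $holders += New-Object PSObject -Property @{
                ProcessName = $proc.ProcessName; Id = $proc.Id
                ParentName  = $parentName;       ParentId = $parentId
                ModulePath  = $m.FileName
                Critical    = ($CriticalProcesses -contains $proc.ProcessName)
            }
        }
    }
    return $holders
}

function Test-FileLocked {
    # True when an exclusive open is refused, i.e. something still has the file mapped or open.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close(); return $false
    } catch { return $true }
}

function Stop-ModuleHolders {
    # End every non-critical holder (the "kill the parent process" step), then re-check
    # the lock. Holders marked Critical are reported but left running.
    param([Parameter(Mandatory = $true)][string]$ModuleName)
    $holders = Get-ModuleHolders -ModuleName $ModuleName
    foreach ($h in $holders) {
        if ($h.Critical) { Write-Warning "$($h.ProcessName) ($($h.Id)) is critical; not stopped"; continue }
        Stop-Process -Id $h.Id -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2
    foreach ($path in ($holders | ForEach-Object { $_.ModulePath } | Sort-Object -Unique)) {
        New-Object PSObject -Property @{ Path = $path; StillLocked = (Test-FileLocked $path) }
    }
}

# Usage (the module name is a placeholder taken from the thread):
Get-ModuleHolders -ModuleName 'GEBXVTT.DLL' |
    Format-Table ProcessName, Id, ParentName, Critical, ModulePath -AutoSize
```

If the list comes back empty but Test-FileLocked still reports the file as locked, the holder is a process whose module list could not be read, or a kernel component; that is the case where the offline boot John already uses is the right tool, and the recreated files then point at a loader that has not been found yet.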
 
John

I use Autoruns from Sysinternals (Microsoft now). As soon as the Autoruns window
pops up, it disappears. Not sure if the trojan kills it or the fact that I'm
in safe mode crashes the software. It took me several attempts to get it
running in safe mode.

I removed several entries found by Autoruns. They come back the next time I
launch Autoruns.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:e0EoD7iWIHA.1208@TK2MSFTNGP05.phx.gbl...
>
> By killing the parent process that loads the malicious file, you can
> remove the malicious
> file because the malicious process will no longer have it respective file
> handle held open
> or by no longer allowing the malicious process to "protect" itself.
>


Ok, how do I kill the process? Can ProcessExplorer accomplish this? I gotta
try it.

> Have you tried the Recovery Console to delete or rename malicious DLL
> files related to the
> Vundo ?
>


I've never used recovery console so help me on this. I suppose it requires
running Windows setup CD? If that is correct, I've got a little problem. The
PC is Sony. They don't provide WinXP setup disk. They provide Recovery CD
which is not going to help me run recovery console.

Rename/delete within Windows does not work. The files are in use.
What I have tried is an NTFS4DOS boot floppy that gets me into a command
prompt. I can delete malicious EXEs and DLLs successfully but they come back
when I restart the PC into safe mode. I am guessing there are more malicious
EXEs and DLLs that are undetected by the removal tool and have not been deleted.
They're the ones that recreate the files that I deleted.

> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
Kerry Brown

"John" <a> wrote in message news:uqYli6hWIHA.1208@TK2MSFTNGP03.phx.gbl...
>I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
>detects it but can't remove it. I've used Vundo removal tools from a few
>sites. None can remove it. I've also done manual removal by deleting files
>and registry entries. That does not work either (and yes I always boot into
>safe mode).



I agree with Malke and David. The moderators in the forums Malke pointed you
to have a lot of experience and training before they are allowed to respond
in those forums. They are experts at removing malware. Deleting the files
and registry entries that you can see will not remove many of the vundo
variants. It is very adept at hiding.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca/phpBB2/
 
David H. Lipman

From: "John" <a>

| I use Autoruns from sysinternals (Microsoft now). As soon as autoruns window
| pops up, it disappears. Not sure if the trojan kills it or the fact that I'm
| in safe mode crashes the software. It took me several attempts to get it
| running in safe mode.
|
| I removed several entries found by Autoruns. It comes back the next time I
| launch Autoruns.
|

Try renaming the AutoRuns EXE file to some other EXE file name.


| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:e0EoD7iWIHA.1208@TK2MSFTNGP05.phx.gbl...
>>
>> By killing the parent process that loads the malicious file, you can
>> remove the malicious
>> file because the malicious process will no longer have it respective file
>> handle held open
>> or by no longer allowing the malicious process to "protect" itself.
>>

| Ok, how do I kill the process? Can ProcessExplorer accomplish this? I gotta
| try it.
|

Yes and no...


>> Have you tried the Recovery Console to delete or rename malicious DLL
>> files related to the
>> Vundo ?
>>



| I've never used recovery console so help me on this. I suppose it requires
| running Windows setup CD? If that is correct, I've got a little problem. The
| PC is Sony. They don't provide WinXP setup disk. They provide Recovery CD
| which is not going to help me run recovery console.
|
| Rename/delete within Windows does not work. The files are in use.
| What I have tried is NTFS4DOS boot floppy that gets me into a command
| prompt. I can delete malicious EXEs and DLLs successfully but they come back
| when I restart the PC into safe mode. I am guessing there are more malicious
| EXEs and DLLs that are undetected by removal tool and have not been deleted.
| They're the ones that recreates the files that I deleted.
|

Using the Recovery Console requires either booting from the WinXP distribution CDROM or
installing it as a boot option.

...\i386\winnt32 /cmdcons

NOTE: If the PC is at SP2 level, you must install from a ..\i386 folder that is at SP2 level
or has been patched to SP2 level.


Many malicious files have "helper files" and you have to get both or one will protect the
other. Call it malware self preservation.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
David H. Lipman

From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>


|
| I agree with Malke and David. The moderators in the forums Malke pointed you
| to have a lot of experience and training before they are allowed to respond
| in those forums. They are experts at removing malware. Deleting the files
| and registry entries that you can see will not remove many of the vundo
| variants. It is very adept at hiding.
|

Over the last several months the Vundo family of trojans seems to have improved its
respective "self preservation" capabilities.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
pcbutts1

Use my Remove-it software; it is free. If that does not work then run my
diagnostic program called What's live RN, which will generate a log file
that is much more in depth and more detailed than HJT. Send me a copy of
that log file for analysis. You can download both from my website here
http://pcbutts1.com/downloads/tools/tools.htm


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Beauregard T.
Shagnasty,Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



"John" <a> wrote in message news:%232kxm9hWIHA.5984@TK2MSFTNGP06.phx.gbl...
> CORRECTION:
>> - Use regedit in Safe Mode. Delete registry keys that should be there (I
>> know they're created by trojan).

>
> Delete registry keys that should NOT be there (I know... )
>
>
> "John" <a> wrote in message news:uqYli6hWIHA.1208@TK2MSFTNGP03.phx.gbl...
>>I have a Windows XP Home SP2 PC infected with Vundo trojan. Norton AV
>>detects it but can't remove it. I've used Vundo removal tools from a few
>>sites. None can remove it. I've also done manual removal by deleting files
>>and registry entries. That does not work either (and yes I always boot
>>into safe mode).
>>
>> Here's a list of things that I have done (Note: I do all my virus removal
>> work in Safe Mode. Never in normal mode):
>>
>> - Boot into Safe Mode.
>>
>> - Use VundoFix from atribune.org to scan and clean Vundo. It detects and
>> deletes a few files. Some malicious DLLS (for example GEBXVTT.DLL in
>> C:\Windows\System32) can not be deleted (in use by other program).
>>
>> - Restart the system and use NTFS4DOS from free-av.com to (clean) boot
>> into command prompt with NTFS support to remove malicious DLL files
>> created by the trojan. Delete all infected files that VundoFix fails to
>> delete in safe mode. All bad files are successfully deleted.
>>
>> - Restart the system into Safe Mode. Malicious files gets recreated.
>> They're back in place.
>>
>> - Use regedit in Safe Mode. Delete registry keys that should be there (I
>> know they're created by trojan). Key gets recreated in a split second as
>> soon as I delete it. This is why I know the trojan is alive in safe mode.
>>
>> - Remove the (infected) HD and install the HD in a clean PC as secondary
>> master. Then boot the PC (primary master - clean OS with Antivir virus
>> software installed). The system detects a new HD but does not assign a
>> drive letter. This means I can't access the data in the HD. Windows Disk
>> Management shows the new HD but does not 'mount' it or assign a drive
>> letter.
>>
>> I run out of ideas. My last resort would be reformat HD and reinstall the
>> OS but I don't want to lose the data. If I back it up, I'm afraid the
>> trojan will reinfect the PC when data is restored.
>>
>> Anyone has any ideas? Thanks.
>>

>
>
 
Malke

David H. Lipman wrote:
> From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>
>
>
> |
> | I agree with Malke and David. The moderators in the forums Malke pointed you
> | to have a lot of experience and training before they are allowed to respond
> | in those forums. They are experts at removing malware. Deleting the files
> | and registry entries that you can see will not remove many of the vundo
> | variants. It is very adept at hiding.
> |
>
> Over the last several months the Vundo family of trojans seem to have improved their
> respective "self preservation" capabilities.
>


Definitely, David. In fact, where in former years I almost never had to
reinstall Windows because of virus/malware infection, now it is becoming
extremely common. We're seeing rootkits, respawning, and Vundo variants
that came from installing infected codecs where the best solution is to
back up data (scan before putting it back on a clean machine!) and
flatten the system.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Kerry Brown

"Malke" <notreally@invalid.invalid> wrote in message
news:uF$yKsjWIHA.5716@TK2MSFTNGP05.phx.gbl...
> David H. Lipman wrote:
>> From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>
>>
>>
>> |
>> | I agree with Malke and David. The moderators in the forums Malke
>> pointed you
>> | to have a lot of experience and training before they are allowed to
>> respond
>> | in those forums. They are experts at removing malware. Deleting the
>> files
>> | and registry entries that you can see will not remove many of the vundo
>> | variants. It is very adept at hiding.
>> |
>>
>> Over the last several months the Vundo family of trojans seem to have
>> improved their
>> respective "self preservation" capabilities.
>>

>
> Definitely, David. In fact, where in former years I almost never had to
> reinstall Windows because of virus/malware infection, now it is becoming
> extremely common. We're seeing rootkits, respawning, and Vundo variants
> that came from installing infected codecs where the best solution is to
> back up data (scan before putting it back on a clean machine!) and flatten
> the system.
>
>



I recently saw the first system in several years where I couldn't identify
the malware that was installed and remove it. It was playing tricks with the
mbr among other things. It did initially look like a vundo variant. It was
not mebroot or if it was it has changed considerably. Even overwriting the
mbr then booting from a Linux CD to inspect suspicious files I couldn't get
rid of it. It would come back as soon as explorer loaded in safe or normal
mode. I'm guessing it infects some system files as well as the mbr and the
scanners I was using didn't identify it yet. It is getting very nasty. I
think that more and more the solution will be backup the data then flatten
the system. If the malware starts attacking the factory restore partition
then even that method of cleaning a system will be beyond most people's
abilities :-(

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca/phpBB2/
 
David H. Lipman

From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>


| I recently saw the first system in several years where I couldn't identify
| the malware that was installed and remove it. It was playing tricks with the
| mbr among other things. It did initially look like a vundo variant. It was
| not mebroot or if it was it has changed considerably. Even overwriting the
| mbr then booting from a Linux CD to inspect suspicious files I couldn't get
| rid of it. It would come back as soon as explorer loaded in safe or normal
| mode. I'm guessing it infects some system files as well as the mbr and the
| scanners I was using didn't identify it yet. It is getting very nasty. I
| think that more and more the solution will be backup the data then flatten
| the system. If the malware starts attacking the factory restore partition
| then even that method of cleaning a system will be beyond most people's
| abilities :-(
|

One of the problems is legit. files are being trojanized. That is, the malware will insert
code into the legit. EXE/DLL and inject itself like a virus but without the replication
capabilities of a virus. I have seen many samples now on a private research board.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
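David's point that legitimate EXE/DLL files get code inserted into them (and Kerry's guess that system files were infected) is the case a signature-based scanner misses until it has a sample; what does catch it is a hash baseline. The script below is an added example of mine, not code from the thread: it builds a SHA-256 inventory of every .exe/.dll/.sys under a directory on a known-clean Windows install of the same version and patch level, then compares another copy of that tree (for instance the suspect drive attached to the clean PC, as John tried) and reports files that are Modified, New or Missing. Assumed: PowerShell 2.0 or later; the root directories and the baseline CSV path are parameters; files that cannot be read are recorded as UNREADABLE rather than skipped.

```powershell
# Added example, not from the thread: SHA-256 inventory of a binary tree taken on a
# known-clean system, then a comparison of a suspect copy of that tree against it so a
# trojanized legitimate EXE/DLL shows up as Modified. Assumptions: PowerShell 2.0 or
# later; roots and the CSV path are parameters; both trees are the same Windows build
# and patch level, otherwise ordinary updates also appear as Modified.

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # FileShare ReadWrite so a file another process holds open can still be hashed.
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
          [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try { $hash = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ([BitConverter]::ToString($hash) -replace '-', '')
}

function Get-BinaryInventory {
    # Returns a hashtable: path relative to $Root -> SHA-256 (or UNREADABLE).
    param([string]$Root)
    $table = @{}
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys)$' } |
        ForEach-Object {
            $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\')
            try { $table[$rel] = Get-FileSha256 $_.FullName } catch { $table[$rel] = 'UNREADABLE' }
        }
    return $table
}

function Export-Baseline {
    # Run this on the clean machine, against its own Windows\system32.
    param([string]$Root, [string]$OutFile)
    $inv = Get-BinaryInventory $Root
    $inv.GetEnumerator() | ForEach-Object {
        New-Object PSObject -Property @{ Path = $_.Key; Sha256 = $_.Value }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-Baseline {
    # Run this against the suspect tree; only differences are returned.
    param([string]$Root, [string]$BaselineFile)
    $baseline = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Sha256 }
    $current = Get-BinaryInventory $Root
    $results = @()
    foreach ($rel in $current.Keys) {
        if (-not $baseline.ContainsKey($rel)) { $state = 'New' }
        elseif ($baseline[$rel] -ne $current[$rel]) { $state = 'Modified' }
        else { continue }
        $results += New-Object PSObject -Property @{ State = $state; Path = $rel; Sha256 = $current[$rel] }
    }
    foreach ($rel in $baseline.Keys) {
        if (-not $current.ContainsKey($rel)) {
            $results += New-Object PSObject -Property @{ State = 'Missing'; Path = $rel; Sha256 = $baseline[$rel] }
        }
    }
    return $results
}

# Usage (paths are placeholders): baseline on the clean PC, then compare the suspect drive
# mounted on that PC under another letter.
Export-Baseline -Root "$env:windir\system32" -OutFile 'C:\baseline-system32.csv'
Compare-Baseline -Root 'D:\Windows\system32' -BaselineFile 'C:\baseline-system32.csv' |
    Sort-Object State, Path | Format-Table State, Path, Sha256 -AutoSize
```

Read the output as a work list, not a verdict: Modified entries on a same-build pair are the files to pull for analysis, New entries are candidate droppers and their "helper files", and Missing entries are worth noting because some families replace a system DLL by renaming the original. The comparison must be run from the clean side; hashing from inside the infected Windows gives whatever the malware lets the reader see.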
 
Leythos

In article <eackj.1266$nK5.600@nlpi069.nbdc.sbc.com>,
pcbutts1@leythosthestalker.com says...
> Remove-it software
>


Hosted on a porno site - do you really want people to trust a
questionable product of yours, hosted on a site where you've posted
links to porno for the world to see, where you've exposed little kids to
that filth?

I can't believe you're still trying to direct people to that porno site.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
What's in a Name?

NonSuch [MVP]

John,

Follow Malke's advice. This thing is nasty but it is being successfully
dealt with on the forums he listed.


John wrote:
> "Malke" <notreally@invalid.invalid> wrote in message
> news:uhHf9EiWIHA.3364@TK2MSFTNGP03.phx.gbl...
>> When all else fails, run HijackThis and post your log in one of the
>> specialty forums listed below (not here, please).
>>

>
> Malke, thanks for your reply. My biggest question is if the trojan survives
> all kind of Windows boot selections (normal, safe etc), how can any software
> remove it? I use HijackThis to remove all BHO related registry entries.
> They're recreated right away.
>
> I think an easy solution for this is to clean boot using a (CD/floppy) boot
> disk or a different system. Then use AV software or manual removal of
> registry entries. Problem is I can't access the data if I boot the system
> with different boot disk/system. This is really a PITA but interesting thing
> to encounter.
>
>
 
BoaterDave

Hi Kerry Brown. :)

You said " It is getting very nasty"

Indeed it is. I spent much time trying to explain that to those on
Annexcafe.

Perhaps you can help pinpoint just *who* is perpetrating the malware and
identify just HOW it is being done? Certainly not just through email
attachments, of that I am quite certain!

Dave
**********************************************************
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:BA3B01BD-CA5E-43FD-A9B7-F40F33D6E072@microsoft.com...
> I recently saw the first system in several years where I couldn't identify
> the malware that was installed and remove it. It was playing tricks with
> the mbr among other things. It did initially look like a vundo variant. It
> was not mebroot or if it was it has changed considerably. Even overwriting
> the mbr then booting from a Linux CD to inspect suspicious files I
> couldn't get rid of it. It would come back as soon as explorer loaded in
> safe or normal mode. I'm guessing it infects some system files as well as
> the mbr and the scanners I was using didn't identify it yet. It is getting
> very nasty. I think that more and more the solution will be backup the
> data then flatten the system. If the malware starts attacking the factory
> restore partition then even that method of cleaning a system will be
> beyond most people's abilities :-(
>
> --
> Kerry Brown
> Microsoft MVP - Shell/User
> http://www.vistahelp.ca/phpBB2/
>
>
>
>
 
