Vicious Vundo Infection


Vik

My laptop (XP professional) has been infected with the Vundo virus for
a while now. I've tried various tools (1. VundoFix, 2. a tool
provided by Symantec and 3. Spybot) but cannot get rid of it. Spybot
appears to find and clean it, however the virus returns with the next
boot-up. I've also removed all relevant registry entries and files as
suggested by Symantec.

The virus puts a new entry in the startup command every time I reboot,
e.g. Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s. Unchecking
the startup item (using msconfig) just causes it to be re-checked with
the next boot-up with a different dll specified in the command.

Any help with tips on removing this virus would be appreciated.

Thanks.
 

Whenever I can't delete a file, I delete or change its extension.


=====
It sounds much better in French, but then, everything does.
 

Since none of the removers worked for you... you'll have to do it
manually. Get a boot disk. The Active Boot Disk has a 10-day trial,
or make the UBCD4Win. They both have really cool Windows-like GUIs.
You don't have to be a DOS geek to use them and clear your virus.

For me, I used HijackThis to get knowledge of which files were being
used by the trojan. Focus on the windows\system32 dll file or files
that the trojan created. There is at least one in there that must be
deleted. Note also the time stamps on that one and pay attention to
the other files that were created then, as well.

For me, when I cleared the virus, I created and booted with the Active
Boot disk trial, then deleted the "locked" dll file in the system32
folder that kept coming back. Then, I deleted all my temp files. I
deleted my Firefox profiles. I deleted all cookies and temporary
internet files for both Firefox and IExplorer. I also deleted my
restore points, as the trojan had disabled my system restore, but a
couple of the scanners said infected files were in that hidden folder.
No worries to delete that "restore_" folder in a dos-like, bootdisk
environment. I also deleted a few ini1 and ini2 files that were being
recreated in the system32 folder when I rebooted. They were easily
spotted and disposed of. Their creation dates and nonsense names
aligned them as part of the trojan mess.

Then, after deleting those and rebooting back to regular windows, I
had hijackthis "fix" the entries of those files. Finally, because the
trojan had disabled so many of my services, I had to do a windows
repair. There are instructions on the net to help you with that. None
of your files or programs will be overwritten and all the settings
that have been tampered with or deleted will be restored..

That's how I took care of Virtumonde.
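The triage Cadillakin describes above (work out which DLL the startup entries hand to rundll32, then look at what else in system32 was created at the same moment) is easy to script, and scripting it makes the "look at the neighbours" step systematic instead of eyeballed. The Python below is an added example, not code from the thread or from HijackThis or any other tool mentioned here. It runs over constructed sample data: the pajuneyo.dll command echoes the one quoted in the original post, while guhasoxi.dll, the .ini1/.ini2 names, the value name dfa7c1 and all timestamps are invented. The `listing_from_directory` helper is an assumption about how one would feed it a real directory listing on a Windows machine; the sample data lets it run anywhere.

```python
import ntpath
import os
from datetime import datetime, timedelta

# --- Constructed sample input (not captured from the poster's machine) ---
# Startup entries as (value name, command line), in the shape of a Run-key dump.
# The pajuneyo.dll command mirrors the one quoted in the thread; the rest is invented.
SAMPLE_RUN_ENTRIES = [
    ("SoundMan", r"SOUNDMAN.EXE"),
    ("pajuneyo", r"Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("dfa7c1", r'"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\guhasoxi.dll",b'),
]

# A system32 directory listing as (file name, creation time); T0 is the (invented) infection moment.
T0 = datetime(2008, 3, 14, 21, 42, 7)
SAMPLE_SYSTEM32 = [
    ("kernel32.dll", datetime(2004, 8, 4, 12, 0, 0)),
    ("ctfmon.exe", datetime(2004, 8, 4, 12, 0, 0)),
    ("pajuneyo.dll", T0),
    ("guhasoxi.dll", T0 + timedelta(seconds=3)),
    ("tuvumohe.ini1", T0 + timedelta(seconds=5)),
    ("tuvumohe.ini2", T0 + timedelta(seconds=5)),
    ("mfc42.dll", datetime(2004, 8, 4, 12, 0, 0)),
    ("oldpatch.log", T0 - timedelta(days=400)),
]


def _first_token(command):
    """Split off the executable token, honouring a leading double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end], command[end + 1:]
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(command):
    """Return the DLL path a startup command hands to rundll32, or None for non-rundll32 entries."""
    exe, rest = _first_token(command)
    if ntpath.basename(exe).lower() not in ("rundll32", "rundll32.exe"):
        return None
    rest = rest.strip()
    if not rest:
        return None
    if rest.startswith('"'):              # "C:\path\x.dll",Entry
        end = rest.find('"', 1)
        dll = rest[1:end] if end > 0 else rest[1:]
    else:                                 # C:\path\x.dll, Entry  (unquoted path ends at the comma)
        dll = rest.split(",", 1)[0].strip()
    return dll or None


def flag_rundll32_autoruns(entries, system_dir=r"C:\WINDOWS\system32"):
    """List (value name, dll) for every rundll32 autorun loading a DLL out of system_dir.

    This is a review list, not a verdict: some legitimate entries look like this too,
    so each hit still has to be examined (timestamp, signature, whether the name is known).
    """
    hits = []
    for name, command in entries:
        dll = rundll32_target(command)
        if dll and ntpath.dirname(dll).lower() == system_dir.lower():
            hits.append((name, dll))
    return hits


def files_created_near(listing, anchor_name, window=timedelta(minutes=2)):
    """Names of the other files whose creation time falls within `window` of anchor_name's."""
    by_name = {name.lower(): ctime for name, ctime in listing}
    anchor = by_name[anchor_name.lower()]          # KeyError if the DLL is not in the listing
    return sorted(name for name, ctime in listing
                  if name.lower() != anchor_name.lower() and abs(ctime - anchor) <= window)


def triage(entries, listing, window=timedelta(minutes=2)):
    """Map each flagged DLL (lower-cased base name) to the files created alongside it,
    or to None when a startup entry references a DLL that is absent from the listing."""
    report = {}
    for _, dll in flag_rundll32_autoruns(entries):
        base = ntpath.basename(dll)
        try:
            report[base.lower()] = files_created_near(listing, base, window)
        except KeyError:
            report[base.lower()] = None
    return report


def listing_from_directory(path):
    """Assumed helper for a real machine: build a listing from a directory on disk.
    On Windows st_ctime is the creation time; on other platforms it is the inode change time."""
    return [(e.name, datetime.fromtimestamp(e.stat().st_ctime)) for e in os.scandir(path)]


if __name__ == "__main__":
    for dll, near in triage(SAMPLE_RUN_ENTRIES, SAMPLE_SYSTEM32).items():
        print(f"{dll}: created together with {near}")
```

Run on the sample data, the report ties pajuneyo.dll to guhasoxi.dll and the two .ini files created seconds later, which is exactly the cluster the poster above found by hand. A `None` entry means a startup value still points at a DLL that no longer exists, which is itself worth noting, since this family re-registers under a fresh name at each boot.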
 
That's what I like to do.
For anyone who wants to try a boot disk I have created a BartPE boot
image.
http://www.nu2.nu/pebuilder/
This is a boot disk based on XP with some extra tools included. It is a
79 MB zip which extracts to a 150 MB iso image. As well as an aid to
fixing malware, a boot disk is useful for when Windows decides not to
boot for some reason or other. You can download it from here:
http://www.megaupload.com/?d=HTIGTU5P

I think that if many of the people who seek help online with their issues
were aware just how sophisticated and sleek these bootdisks are, they
would take a stab at repairing the disk and/or clearing the virus by
themselves.. I was amazed at how brilliant and easy the GUI is to work
with. In days past, even for those of us who knew our way around DOS, it
was still an ordeal to search for and clear a virus. But now, it's
simplified and almost easy. You can delve right into the file manager on
the boot disk and click your way around in seconds, exploring properties
and creation dates, deleting easily everything that doesn't belong.

Also, in my case, I made a big error by staying online while
troubleshooting the virus/trojan. The boys who got that virus in - with
the help of my teen daughter, were trapping my keyboard and watching what
I was doing. They deleted services as I thought of them. They watched me
type the admin password and they disabled it... They disabled nearly all
of the av software. It failed to run.. msi files wouldn't run either..
copy and paste wouldn't work, my search abilities were gone, the help
files were not working.. etc.. They had control through a terminal.. So, I
wised up. I went offline, made the bootdisk on another computer,
developed a general plan and carried it out, all offline.

Since I could not copy and paste, I zipped/archived the files I needed to
work with on another computer and extracted them on the infected
computer. Extraction worked to move the files, copy and paste did not.
Also, though I was unaware of it till nearly the end of the process, the
copy command worked in a dos window..

By the way, in addition to the boot disk you refer to, HijackThis is the
OTHER invaluable tool. With those two alone.. most viruses can be
cleared..
 
From: "Cadillakin" <[email protected]>

| By the way, in addition to the boot disk you refer to, HijackThis is
| the OTHER invaluable tool. With those two alone.. most viruses can be
| cleared..
|
| --
| Regards,
| Cadillakin

Not really. Some non-viral malware, yes. However, it won't help with
many true viruses, as they will prepend, append or insert code into
legitimate files and you can't tell that from a HJT log. It won't help
with Boot Sector Infectors either.

Yes, like many people, I sometimes incorrectly use virus in place of the
word "trojan", or malware. I know the difference.. I just stated it
incorrectly.
 
Cadillakin said:
Yes, like many people, I sometimes incorrectly use virus in place of the
word "trojan", or malware. I know the difference.. I just stated it
incorrectly.

Before you give up or spend a lot of time, download and install
SUPERAntiSpyware Free Edition. I had a Vundo infection several weeks ago
and tried many of the fixes that you did. I was about ready to do the
step-by-step registry change and repair process suggested by one site when I
checked with the tech support folks at Smart Computing and they recommended
the antispyware. A few minutes later, Vundo was gone and I haven't had a
problem since. I agree it's one of the nastiest out there. Certainly the
worst that I've ever encountered.

TKM

P.S. I also tried the Lavasoft Ad-Watch which I liked from a previous bout
with spyware; but it didn't clean Vundo.
 

I fixed it easily with the boot disk and Hijack This and a Windows
Repair. I think you might have misunderstood some of my original posting.

Yes, I agree that Vundo is particularly nasty, but in my case, it wasn't
just the trojan itself and it's intent to advertise and redirect, but the
OPEN access the intrusion provided to my wife's computer.. As I noted in
my first posting, they blocked many of the services that one would use to
troubleshoot and they rewrote many of the registry keys... But even more
troublesome was that they were following (trapping) my keystrokes and
passwords and adjusting my computer so that I couldn't find workarounds
or fix things.

So, my particular trojan was not just sitting there.. but my data was
being transmitted to boys (presumably) that were actively working to
thwart me. Until I got offline and created that boot disk, I was getting
deeper in the hole.

After I got the main dll file deleted in the system32 folder, everything
fell into place. I then cleaned up with the help of HijackThis and some
common sense, and finally, I repaired my Windows installation.
 
dogbreath said:
I want to thank you all for this thread. My daughter's computer picked
up the Virtumonde spyware. The computer was just frozen solid with
pop-ups and ads (for a virus scanner, of all things).

Yes, that is what it proclaims to be, a virus scanner. Giant scam.
Several attempts
to exorcise it with Spybot failed. It kept coming back. Googling
"Virtumonde" led me to several sites that claimed to be able to do the
exorcism. But it was your lead to "SUPERAntiSpyware" that did the
trick. The name "SUPERAntiSpyware" is dorky, like "FinallyFast dot
com", or some piece-of-shit scam like that. But I figured if it works
or not, that computer can be in no worse shape. But it worked (I
think, so far).

This thread also tells me HijackThis is a good thing to have. I will
get it and learn about it.

The experience with Virtumonde tells me also a better reason to
maintain backups is not for recovery after a hard drive crash as much
as it is for recovery from this kind of malware. Instead of trying to
figure out what's been tampered with or inserted or infected, just
kill it all and do a restore from the backup.

Thanks much.

Yes, SuperAntiSpyware (SAS) is a great program and I own the paid version.
The name is kind of suspicious sounding. :)
Another great and free program is Malwarebytes' Anti-Malware (MBAM).
 