Vundo - Virus/Trojan/Hijack etc.

Started by Hans Manhave, October 01, 2009, 09:45:35 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Hans Manhave

Besides reformat, how do I remove a Vundo infection?  This is on a home computer, it was a good lesson for a kid not to go wherever a thought leads, and a dad to install more Deepfrozen machines instead of letting some be open and trusting a virus scanning software.  But I like to get rid of it first.  I ran SuperAntiSpyware which may have gotten rid of a bunch, a virus scanner which may have gotten rid of a bunch, but instead of it becoming more subdued, it is out in greater force than yesterday.

Thanks.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Marie (Zionkowski) Gozikowski

Hans

I just cleaned up someone's laptop 2 weeks ago with this....

Download Malwarebytes' Anti-Malware, and install it on the computer - run once, and make note of the
names of the files it is deleting...   go into your registry and search/remove those, then reboot in safe mode
and run Malwarebyte again....  It was the only thing that I could get to work --- SuperAntispyware and others didn't seem to be able to remove it

Took a while, but it is possible to remove it - good luck!
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Mark

+1 for Malwarebytes -- though I am not familiar with your infection.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Marie (Zionkowski) Gozikowski

New one going around... have actually cleaned up two computers in the last month with it...

Also a REALLY nasty one out there called PCAntispyware2010... one of those things where it pops up
and says 'your computer is infected, click here to download our free on-line virus scan..."   It was a
tenacious little bas***d, and took a long time to track down the dll's and registry items....

(Good thing I'm tenancious too....)    :o
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Mark

I added HAVP to my proxy so now I am scanning http traffic for viruses using the ClamAV database.  I've already heard about some false positives some shops have experienced in the past, but I'd rather a false positive then an infection.

I am happy with this configuration so far.  Performance is decent as well.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Sheila Foss

SuperAntiSpyware which is free, was the only one that removed the prior versions easily.  Although you had to rename the file to install it, since those programs watch out for the name.

Haven't had the pleasure (!) of working on the 2010 version yet.

Marie (Zionkowski) Gozikowski

Quote from: Sheila Foss on October 02, 2009, 11:59:28 AM

Haven't had the pleasure (!) of working on the 2010 version yet.


LOL --- your friends will hit you up soon enough~    :P
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Bob



Han's what ever happened to your strong endorsement of Hit Man Pro?

Jeff Zylstra

VUndoFix.exe is a specialty program that I've used a couple of times with great success.  It is an executable that will run right off a usb memory stick without installing, and it was not blocked by VUndo.   That said, VUndo is somewhat "old" by now so I think that either Malware Bytes or Super Anti Spyware would both clean it up too.  Good luck.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

SuperAntiSpyware made an attempt but by no means was succesful.  MalwareBytes did a much better job, plus, and I think this was also a big part, I deleted the other users.  Tough they lost their files, but a good lesson.

Still wondering if I should do DeepFreeze with Igloo or WinSelect.  The latter looks more interesting to me.  But I'll probably end up doing both.  The Enterprise version of each appears to be what I want.  Just wish they had it as one product.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Marie (Zionkowski) Gozikowski

I never used Deep Freeze before... I'd be interested in knowing what people think
about it...
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Dawn Shirley

I think its a cold dark place, when the lid is closed.  Remember on Desperate Housewives the old lady had her husband in it!
Dawn Shirley
GEM Insurance, Houston, TX
TAM 10.3; @fax; citrix; 40 users

Marie (Zionkowski) Gozikowski

Wow --- I'm gonna have to start watching that show   :o
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Nick Oliver

Quote from: Marie Long on October 07, 2009, 09:40:38 AM
I never used Deep Freeze before... I'd be interested in knowing what people think
about it...
Deepfreeze is awesome, I'll fill you in more at TENCon when I see you

Hans Manhave

It is.  You just have to handle the unfrozen parts, because you'll need those.  They made an Igloo for that.  Planning ahead and scheduling in the use of DeepFreeze would greatly help.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Yes, I tried Deep Freeze a few years ago on computer that I deloused from malware, only I forgot to unfreeze an area to save files. When it was shut down all of the files that were added were lost, along with all of the e-mails and changes to other files as well.  There's no warning before you shut down, so everyone assumes that since they saved their work to the hard drive, it will be there tomorrow.  That may have changed now, but just be aware of it. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

No, no warning after you have it installed.  But they do have Igloo, which is free, and also is useful if you don't have DeepFreeze!  Except, I haven't evaluated that yet. 
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jim Jensen

Thanks for starting this thread, Hans. I recently started having some problems with IE hanging up and some other related issues (like most all of my saved passwords in IE were gone). I suspected a potential virus. Had an email come in that didn't trigger a message from ESET here at work, but did later at home. Looks like I did end up with it here. It was a backdoor trojan from email about updated W-2 forms. It was very precise timing that made me get it. I would have always ignored the email - supposedly sent by the IRS with an updated W-2 form attached in PDF. It came just minutes after I had logged into the business services area of social security to file my W-2's electronically. The timing took down my guard. I thought it reasonable that my logging in might have triggered the notification since I hadn't logged in for many months.

Anyway, I used Malewarebytes to find 14 issues and remove them. IE seems to be working better now. Hitmanpro also scanned at the next restart and didn't appear find anything, so hopefully it's indeed gone.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Jeff Zylstra

Has anyone used the "cloud" version of Hitman Pro yet?  I'm kind of interested to see how that works since it uses all new products, and is supposed to be very quick and effective.

As far as malware cleanup goes, I've started removing hard drives out of infected machines and hooking them up to the USB ports on clean ones.  I ran into one that had a rootkit on it a while back, and it wasn't getting detected until I removed the drive and scanned it from another machine.  Removing drives out of machines and connecting them to others has gotten so easy with newer computers that I just pull them out right away after I do a "quick" scan using Malware Bytes and find problems.  I find that going right for the throat of these little buggers saves a lot of time and aggravation in the end.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

Another nice tactic is to use a LiveCD - this prevent malware that's dug into the OS from hiding itself effectively.

malware clean-up has become part art,  part science, but in the end, the only real clean-up is format and reinstall OS.
Sysadmin - Parallel42

Rob Talkington

#20
FYI, if none of solutions above work there is a powerful program called Combofix that will most certainly fix the problem.  It uses multiple scanners to search for rootkits and other hard to get rid of malware.

I've had a couple of machines where none of the spyware removers were even able to run.  I tried renaming the exe's and they still wouldn't run (safe-mode didn't matter).  I used Combofix and had to rename it as well but when I did it found rootkits that were causing the problem.

If your spyware removal software won't run try renaming the executible.  Some malware has code to prevent certain filenames from running.

Personally I don't rely on any single program to clean a PC.  I always use at least two because there is no single solution out there that catches everything.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Rob Talkington
IT Manager
Salem Insurance Agency
Goshen, IN
Tam 10.3, 24 users

Robin Deatherage

Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Bloody Jack Kidd

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 

likely both - what are you using for AV?
Sysadmin - Parallel42

Robin Deatherage

AVG, not the free version but the paid subscription Network Edition.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Bloody Jack Kidd

hmmm... it has some kind of LinkScanner technology right?  Something to help prevent Internet borne threats?
Sysadmin - Parallel42

Gene Foraker

I can't think of any good excuse an employee can have for downloading a virus.   Either too much personal emails or bad decisions in web browsing.

(Beating on wood as hard as I can)  I can't remember the last time I got a virus.   I browse fearlessly across the web (with Firefox) and maybe get an alarm every 3 years or so.   And yes, I visit lots of strange links.

My wife gets maybe one alarm a year which virus protection stops.  She visits lots of strange German sites and I have only recently convinced her that "Klicken Sie Hier" should sometimes be ignored even if it is in German.   Not even a nibble since I installed Win 7 for her.

Neither of us has gotten any bug in our emails in over 5 years.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Robin Deatherage

Yes it does have a LinkScanner component.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Bloody Jack Kidd

we see pretty steady hits, both from endpoint security software and our IDS...

personally I don't see much on my Windows box at home, but I really only visit a handful of sites; with the BSD workstation I do my infosec work on I visit many infected sites - so windows does not really get exposed to much.

Both the email filter at work (postini) and the one for Parallel42 (ASSP) still sniff out the occasional email virus, but they aren't nearly as common as they once were.

We have multiple squid proxies running at work, which are really "lite" versions of Portcullis - my home http traffic is also filtered thru Portcullis.
Sysadmin - Parallel42

Jan Regnier

Quote from: Rob Talkington on February 23, 2010, 03:25:19 PM
FYI, if none of solutions above work there is a powerful program called Combofix that will most certainly fix the problem.  It uses multiple scanners to search for rootkits and other hard to get rid of malware.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I used this a few months ago on a machine I couldn't get clean - I used Sophos SAV32 CLI, Malwarebytes, Antispyware Super Antispyware and Combofix.  Combofix seemed to be the only program that worked....took me 10 hours of "cleaning" and recleaning and searching for answers to get the job done.  Combofix was the last program I used and the one that worked for whatever the final issue was on that machine.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Rob Talkington

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 

Was it the same virus that hit all of those machines? 

How often does your av software check for updates?

Rob Talkington
IT Manager
Salem Insurance Agency
Goshen, IN
Tam 10.3, 24 users

Billy Welsh

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 

It is not just you.  >:(

We are using AVG here (paid good $ for it), and I have AVG Free at home and at my in-laws.  We've been hit here 5 times in recent months, and so have my in-laws and my home PC (one time each).
Billy Welsh
Director of Accounting
LCMC Health

Bloody Jack Kidd

If one does come across a suspicious file - submit it to http://www.virustotal.com for analysis, which will not only help you determine if it's malware, but will also give you some insight as to which AV engines are giving consistent results.

A very recent incident here left me with several executables on a server that were suspicious but undetected by all the engines I have at my disposal (Sophos, F-Prot, ClamAV)

So I ran it thru VirusTotal - very enlightening
Sysadmin - Parallel42

Robin Deatherage

Quote from: Rob Talkington on March 10, 2010, 05:09:46 PM

Was it the same virus that hit all of those machines? 

How often does your av software check for updates?


I believe it is a different varient of the same virus.  The AV is supposed to check for updates once a day.  So far I've been able to get rid of it using Malewarebytes and ComboFix.  Have to run them both several times though, starting off in safe mode.  Spent almost the entire day yesterday working on an infected machine.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Rob Talkington

Sounds liike you're having a good ole time with this.  I want to make sure I've got this straight.  You're still getting additional PC's infected with this particular virus and it's been the same one or a variant for a few months now?

If this is the case what is the name(s) of the virus it is detecting?  You may have an infected file somewhere on the network like Rick possibly had.  I'd run a Malwarebytes scan on your file server(s) to see if it catches something. 
Rob Talkington
IT Manager
Salem Insurance Agency
Goshen, IN
Tam 10.3, 24 users

Jan Regnier

[/quote]  The AV is supposed to check for updates once a day.  [/quote]

I guess I am somewhat anal about this...but I have our AV set to check and update 1 @ hr......
probably being in a small office I can get away with this time element.... 
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Bloody Jack Kidd

I have Sophos EM Library grabbing updates 2X daily, and for the most part there's about 3 new or modified IDEs (signatures) each time.  At max I'd probably do somewhere between 4-6 per day.

Nothing wrong with 1 per hour, but likely if you check the logs most of the time there isn't much coming down.  So in one sense, it's a waste of resources, but on the other hand, it's a quick check with a NULL result so the impact is negligible. 
Sysadmin - Parallel42