Vundo - Virus/Trojan/Hijack etc.

Hans Manhave · October 01, 2009, 09:45:35 AM

Besides reformat, how do I remove a Vundo infection? This is on a home computer, it was a good lesson for a kid not to go wherever a thought leads, and a dad to install more Deepfrozen machines instead of letting some be open and trusting a virus scanning software. But I like to get rid of it first. I ran SuperAntiSpyware which may have gotten rid of a bunch, a virus scanner which may have gotten rid of a bunch, but instead of it becoming more subdued, it is out in greater force than yesterday.

Thanks.

Marie (Zionkowski) Gozikowski · October 01, 2009, 10:36:51 AM

Hans

I just cleaned up someone's laptop 2 weeks ago with this....

Download Malwarebytes' Anti-Malware, and install it on the computer - run once, and make note of the
names of the files it is deleting... go into your registry and search/remove those, then reboot in safe mode
and run Malwarebyte again.... It was the only thing that I could get to work --- SuperAntispyware and others didn't seem to be able to remove it

Took a while, but it is possible to remove it - good luck!

Mark · October 01, 2009, 04:50:04 PM

+1 for Malwarebytes -- though I am not familiar with your infection.

Marie (Zionkowski) Gozikowski · October 01, 2009, 04:56:14 PM

New one going around... have actually cleaned up two computers in the last month with it...

Also a REALLY nasty one out there called PCAntispyware2010... one of those things where it pops up
and says 'your computer is infected, click here to download our free on-line virus scan..." It was a
tenacious little bas***d, and took a long time to track down the dll's and registry items....

(Good thing I'm tenancious too....)

Mark · October 01, 2009, 05:02:30 PM

I added HAVP to my proxy so now I am scanning http traffic for viruses using the ClamAV database. I've already heard about some false positives some shops have experienced in the past, but I'd rather a false positive then an infection.

I am happy with this configuration so far. Performance is decent as well.

Sheila Foss · October 02, 2009, 11:59:28 AM

SuperAntiSpyware which is free, was the only one that removed the prior versions easily. Although you had to rename the file to install it, since those programs watch out for the name.

Haven't had the pleasure (!) of working on the 2010 version yet.

Marie (Zionkowski) Gozikowski · October 02, 2009, 12:52:47 PM

Quote from: Sheila Foss on October 02, 2009, 11:59:28 AM

Haven't had the pleasure (!) of working on the 2010 version yet.

LOL --- your friends will hit you up soon enough~

Bob · October 02, 2009, 01:35:45 PM

Han's what ever happened to your strong endorsement of Hit Man Pro?

Jeff Zylstra · October 06, 2009, 06:02:13 PM

VUndoFix.exe is a specialty program that I've used a couple of times with great success. It is an executable that will run right off a usb memory stick without installing, and it was not blocked by VUndo. That said, VUndo is somewhat "old" by now so I think that either Malware Bytes or Super Anti Spyware would both clean it up too. Good luck.

Hans Manhave · October 06, 2009, 06:12:51 PM

SuperAntiSpyware made an attempt but by no means was succesful. MalwareBytes did a much better job, plus, and I think this was also a big part, I deleted the other users. Tough they lost their files, but a good lesson.

Still wondering if I should do DeepFreeze with Igloo or WinSelect. The latter looks more interesting to me. But I'll probably end up doing both. The Enterprise version of each appears to be what I want. Just wish they had it as one product.

Marie (Zionkowski) Gozikowski · October 07, 2009, 09:40:38 AM

I never used Deep Freeze before... I'd be interested in knowing what people think
about it...

Dawn Shirley · October 08, 2009, 10:46:03 AM

I think its a cold dark place, when the lid is closed. Remember on Desperate Housewives the old lady had her husband in it!

Marie (Zionkowski) Gozikowski · October 08, 2009, 10:49:24 AM

Wow --- I'm gonna have to start watching that show

Nick Oliver · October 12, 2009, 09:37:26 PM

Quote from: Marie Long on October 07, 2009, 09:40:38 AM
I never used Deep Freeze before... I'd be interested in knowing what people think
about it...

Deepfreeze is awesome, I'll fill you in more at TENCon when I see you

Hans Manhave · October 13, 2009, 09:46:56 AM

It is. You just have to handle the unfrozen parts, because you'll need those. They made an Igloo for that. Planning ahead and scheduling in the use of DeepFreeze would greatly help.

Jeff Zylstra · October 13, 2009, 03:06:10 PM

Yes, I tried Deep Freeze a few years ago on computer that I deloused from malware, only I forgot to unfreeze an area to save files. When it was shut down all of the files that were added were lost, along with all of the e-mails and changes to other files as well. There's no warning before you shut down, so everyone assumes that since they saved their work to the hard drive, it will be there tomorrow. That may have changed now, but just be aware of it.

Hans Manhave · October 13, 2009, 03:23:35 PM

No, no warning after you have it installed. But they do have Igloo, which is free, and also is useful if you don't have DeepFreeze! Except, I haven't evaluated that yet.

Jim Jensen · January 27, 2010, 04:08:44 PM

Thanks for starting this thread, Hans. I recently started having some problems with IE hanging up and some other related issues (like most all of my saved passwords in IE were gone). I suspected a potential virus. Had an email come in that didn't trigger a message from ESET here at work, but did later at home. Looks like I did end up with it here. It was a backdoor trojan from email about updated W-2 forms. It was very precise timing that made me get it. I would have always ignored the email - supposedly sent by the IRS with an updated W-2 form attached in PDF. It came just minutes after I had logged into the business services area of social security to file my W-2's electronically. The timing took down my guard. I thought it reasonable that my logging in might have triggered the notification since I hadn't logged in for many months.

Anyway, I used Malewarebytes to find 14 issues and remove them. IE seems to be working better now. Hitmanpro also scanned at the next restart and didn't appear find anything, so hopefully it's indeed gone.

Jeff Zylstra · January 29, 2010, 01:34:13 PM

Has anyone used the "cloud" version of Hitman Pro yet? I'm kind of interested to see how that works since it uses all new products, and is supposed to be very quick and effective.

As far as malware cleanup goes, I've started removing hard drives out of infected machines and hooking them up to the USB ports on clean ones. I ran into one that had a rootkit on it a while back, and it wasn't getting detected until I removed the drive and scanned it from another machine. Removing drives out of machines and connecting them to others has gotten so easy with newer computers that I just pull them out right away after I do a "quick" scan using Malware Bytes and find problems. I find that going right for the throat of these little buggers saves a lot of time and aggravation in the end.

Bloody Jack Kidd · January 29, 2010, 02:07:57 PM

Another nice tactic is to use a LiveCD - this prevent malware that's dug into the OS from hiding itself effectively.

malware clean-up has become part art, part science, but in the end, the only real clean-up is format and reinstall OS.

Rob Talkington · February 23, 2010, 03:25:19 PM

FYI, if none of solutions above work there is a powerful program called Combofix that will most certainly fix the problem. It uses multiple scanners to search for rootkits and other hard to get rid of malware.

I've had a couple of machines where none of the spyware removers were even able to run. I tried renaming the exe's and they still wouldn't run (safe-mode didn't matter). I used Combofix and had to rename it as well but when I did it found rootkits that were causing the problem.

If your spyware removal software won't run try renaming the executible. Some malware has code to prevent certain filenames from running.

Personally I don't rely on any single program to clean a PC. I always use at least two because there is no single solution out there that catches everything.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Robin Deatherage · March 10, 2010, 11:52:15 AM

Is it just me or does there seem to be an increase in virus infections from the web lately? I've had several machines hit in the last few months. I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me). I'm thinking both.

Bloody Jack Kidd · March 10, 2010, 12:00:07 PM

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately? I've had several machines hit in the last few months. I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me). I'm thinking both.

likely both - what are you using for AV?

Robin Deatherage · March 10, 2010, 12:06:50 PM

AVG, not the free version but the paid subscription Network Edition.

Bloody Jack Kidd · March 10, 2010, 12:10:36 PM

hmmm... it has some kind of LinkScanner technology right? Something to help prevent Internet borne threats?

Gene Foraker · March 10, 2010, 12:14:31 PM

I can't think of any good excuse an employee can have for downloading a virus. Either too much personal emails or bad decisions in web browsing.

(Beating on wood as hard as I can) I can't remember the last time I got a virus. I browse fearlessly across the web (with Firefox) and maybe get an alarm every 3 years or so. And yes, I visit lots of strange links.

My wife gets maybe one alarm a year which virus protection stops. She visits lots of strange German sites and I have only recently convinced her that "Klicken Sie Hier" should sometimes be ignored even if it is in German. Not even a nibble since I installed Win 7 for her.

Neither of us has gotten any bug in our emails in over 5 years.

Robin Deatherage · March 10, 2010, 12:14:51 PM

Yes it does have a LinkScanner component.

Bloody Jack Kidd · March 10, 2010, 12:35:16 PM

we see pretty steady hits, both from endpoint security software and our IDS...

personally I don't see much on my Windows box at home, but I really only visit a handful of sites; with the BSD workstation I do my infosec work on I visit many infected sites - so windows does not really get exposed to much.

Both the email filter at work (postini) and the one for Parallel42 (ASSP) still sniff out the occasional email virus, but they aren't nearly as common as they once were.

We have multiple squid proxies running at work, which are really "lite" versions of Portcullis - my home http traffic is also filtered thru Portcullis.

Jan Regnier · March 10, 2010, 12:46:09 PM

Quote from: Rob Talkington on February 23, 2010, 03:25:19 PM
FYI, if none of solutions above work there is a powerful program called Combofix that will most certainly fix the problem. It uses multiple scanners to search for rootkits and other hard to get rid of malware.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I used this a few months ago on a machine I couldn't get clean - I used Sophos SAV32 CLI, Malwarebytes, Antispyware Super Antispyware and Combofix. Combofix seemed to be the only program that worked....took me 10 hours of "cleaning" and recleaning and searching for answers to get the job done. Combofix was the last program I used and the one that worked for whatever the final issue was on that machine.

Rob Talkington · March 10, 2010, 05:09:46 PM

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately? I've had several machines hit in the last few months. I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me). I'm thinking both.

Was it the same virus that hit all of those machines?

How often does your av software check for updates?

Billy Welsh · March 10, 2010, 05:28:13 PM

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately? I've had several machines hit in the last few months. I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me). I'm thinking both.

It is not just you.

We are using AVG here (paid good $ for it), and I have AVG Free at home and at my in-laws. We've been hit here 5 times in recent months, and so have my in-laws and my home PC (one time each).

Bloody Jack Kidd · March 11, 2010, 02:01:37 PM

If one does come across a suspicious file - submit it to http://www.virustotal.com for analysis, which will not only help you determine if it's malware, but will also give you some insight as to which AV engines are giving consistent results.

A very recent incident here left me with several executables on a server that were suspicious but undetected by all the engines I have at my disposal (Sophos, F-Prot, ClamAV)

So I ran it thru VirusTotal - very enlightening

Robin Deatherage · March 11, 2010, 02:23:11 PM

Quote from: Rob Talkington on March 10, 2010, 05:09:46 PM

Was it the same virus that hit all of those machines?

How often does your av software check for updates?

I believe it is a different varient of the same virus. The AV is supposed to check for updates once a day. So far I've been able to get rid of it using Malewarebytes and ComboFix. Have to run them both several times though, starting off in safe mode. Spent almost the entire day yesterday working on an infected machine.

Rob Talkington · March 12, 2010, 09:32:51 AM

Sounds liike you're having a good ole time with this. I want to make sure I've got this straight. You're still getting additional PC's infected with this particular virus and it's been the same one or a variant for a few months now?

If this is the case what is the name(s) of the virus it is detecting? You may have an infected file somewhere on the network like Rick possibly had. I'd run a Malwarebytes scan on your file server(s) to see if it catches something.

Jan Regnier · March 12, 2010, 11:08:24 AM

[/quote] The AV is supposed to check for updates once a day. [/quote]

I guess I am somewhat anal about this...but I have our AV set to check and update 1 @ hr......
probably being in a small office I can get away with this time element....

Bloody Jack Kidd · March 12, 2010, 11:27:14 AM

I have Sophos EM Library grabbing updates 2X daily, and for the most part there's about 3 new or modified IDEs (signatures) each time. At max I'd probably do somewhere between 4-6 per day.

Nothing wrong with 1 per hour, but likely if you check the logs most of the time there isn't much coming down. So in one sense, it's a waste of resources, but on the other hand, it's a quick check with a NULL result so the impact is negligible.