Vundo - Virus/Trojan/Hijack etc.

Started by Hans Manhave, October 01, 2009, 09:45:35 AM


Jeff Zylstra

Yes, I tried Deep Freeze a few years ago on a computer that I deloused from malware, only I forgot to unfreeze an area to save files. When it was shut down all of the files that were added were lost, along with all of the e-mails and changes to other files as well.  There's no warning before you shut down, so everyone assumes that since they saved their work to the hard drive, it will be there tomorrow.  That may have changed now, but just be aware of it.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

No, no warning after you have it installed.  But they do have Igloo, which is free, and also is useful if you don't have DeepFreeze!  Except, I haven't evaluated that yet. 
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jim Jensen

Thanks for starting this thread, Hans. I recently started having some problems with IE hanging up and some other related issues (like most all of my saved passwords in IE were gone). I suspected a potential virus. Had an email come in that didn't trigger a message from ESET here at work, but did later at home. Looks like I did end up with it here. It was a backdoor trojan from email about updated W-2 forms. It was very precise timing that made me get it. I would have always ignored the email - supposedly sent by the IRS with an updated W-2 form attached in PDF. It came just minutes after I had logged into the business services area of social security to file my W-2's electronically. The timing took down my guard. I thought it reasonable that my logging in might have triggered the notification since I hadn't logged in for many months.

Anyway, I used Malwarebytes to find 14 issues and remove them. IE seems to be working better now. Hitmanpro also scanned at the next restart and didn't appear to find anything, so hopefully it's indeed gone.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Jeff Zylstra

Has anyone used the "cloud" version of Hitman Pro yet?  I'm kind of interested to see how that works since it uses all new products, and is supposed to be very quick and effective.

As far as malware cleanup goes, I've started removing hard drives out of infected machines and hooking them up to the USB ports on clean ones.  I ran into one that had a rootkit on it a while back, and it wasn't getting detected until I removed the drive and scanned it from another machine.  Removing drives out of machines and connecting them to others has gotten so easy with newer computers that I just pull them out right away after I do a "quick" scan using Malwarebytes and find problems.  I find that going right for the throat of these little buggers saves a lot of time and aggravation in the end.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

Another nice tactic is to use a LiveCD - this prevents malware that's dug into the OS from hiding itself effectively.

Malware clean-up has become part art, part science, but in the end, the only real clean-up is format and reinstall OS.
Sysadmin - Parallel42

Rob Talkington

FYI, if none of the solutions above work there is a powerful program called Combofix that will most certainly fix the problem.  It uses multiple scanners to search for rootkits and other hard to get rid of malware.

I've had a couple of machines where none of the spyware removers were even able to run.  I tried renaming the exe's and they still wouldn't run (safe-mode didn't matter).  I used Combofix and had to rename it as well but when I did it found rootkits that were causing the problem.

If your spyware removal software won't run try renaming the executable.  Some malware has code to prevent certain filenames from running.

Personally I don't rely on any single program to clean a PC.  I always use at least two because there is no single solution out there that catches everything.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Rob Talkington
IT Manager
Salem Insurance Agency
Goshen, IN
Tam 10.3, 24 users
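Rob's point that some malware blocks scanners by filename is worth checking for directly rather than only working around it by renaming. The script below is an added example, not code from the thread or from any of the tools mentioned. It assumes one common mechanism for filename-based blocking that the post does not name: a "Debugger" value under the Windows Image File Execution Options (IFEO) registry key, which makes Windows launch the named "debugger" in place of the executable. It parses a constructed `.reg` export of that key (the entries, paths and executable names in the sample are made up for illustration) and lists every executable that has been redirected, so an analyst can see which scanner names are being intercepted before deciding whether to rename or to remove the entry.

```python
"""Audit a Windows registry export for IFEO "Debugger" redirections.

Added example: parses the text produced by `reg export` of the
Image File Execution Options key and reports subkeys whose Debugger value
would replace the named program with something else. The sample export
below is constructed for this example; the file names and paths in it are
not real indicators.
"""
import re

# Constructed sample export (not captured from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\Windows\\Temp\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"Debugger"="ntsd -d"
"""

# Subkeys of interest sit under this path component in the exported key names.
IFEO_PREFIX = "Image File Execution Options\\"

# Assumed scanner executable names, used only to prioritise findings.
SECURITY_TOOL_NAMES = {"mbam.exe", "combofix.exe", "hitmanpro.exe"}


def parse_reg_export(text):
    """Return {subkey_name: {value_name: raw_value}} for IFEO subkeys only."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.find(IFEO_PREFIX)
            if idx == -1:
                current = None  # the IFEO root or an unrelated key
                continue
            current = key[idx + len(IFEO_PREFIX):]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                entries[current][m.group(1)] = m.group(2)
    return entries


def _unquote(value):
    """Turn a .reg string value ("C:\\\\x") into a plain path (C:\\x)."""
    return value.strip('"').replace("\\\\", "\\")


def find_debugger_hijacks(entries):
    """List (exe, debugger, is_security_tool) for every Debugger redirection.

    Any Debugger value deserves a look; one on a scanner's filename is the
    pattern from the post, where the scanner silently fails to start.
    """
    findings = []
    for exe, values in entries.items():
        if "Debugger" in values:
            debugger = _unquote(values["Debugger"])
            findings.append((exe, debugger, exe.lower() in SECURITY_TOOL_NAMES))
    return findings


if __name__ == "__main__":
    for exe, dbg, flagged in find_debugger_hijacks(parse_reg_export(SAMPLE_REG)):
        tag = "SECURITY TOOL" if flagged else "review"
        print(f"[{tag}] {exe} -> {dbg}")
```

On a live system the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, ideally run from a clean boot or against the offline hive of a pulled drive, which is where this pairs with the LiveCD and drive-removal approaches earlier in the thread; the parser reads the saved text, so it can be run anywhere.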

Robin Deatherage

Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Bloody Jack Kidd

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 

likely both - what are you using for AV?
Sysadmin - Parallel42

Robin Deatherage

AVG, not the free version but the paid subscription Network Edition.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Bloody Jack Kidd

hmmm... it has some kind of LinkScanner technology right?  Something to help prevent Internet borne threats?
Sysadmin - Parallel42

Gene Foraker

I can't think of any good excuse an employee can have for downloading a virus.   Either too many personal emails or bad decisions in web browsing.

(Beating on wood as hard as I can)  I can't remember the last time I got a virus.   I browse fearlessly across the web (with Firefox) and maybe get an alarm every 3 years or so.   And yes, I visit lots of strange links.

My wife gets maybe one alarm a year which virus protection stops.  She visits lots of strange German sites and I have only recently convinced her that "Klicken Sie Hier" should sometimes be ignored even if it is in German.   Not even a nibble since I installed Win 7 for her.

Neither of us has gotten any bug in our emails in over 5 years.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Robin Deatherage

Yes it does have a LinkScanner component.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Bloody Jack Kidd

we see pretty steady hits, both from endpoint security software and our IDS...

personally I don't see much on my Windows box at home, but I really only visit a handful of sites; with the BSD workstation I do my infosec work on I visit many infected sites - so windows does not really get exposed to much.

Both the email filter at work (postini) and the one for Parallel42 (ASSP) still sniff out the occasional email virus, but they aren't nearly as common as they once were.

We have multiple squid proxies running at work, which are really "lite" versions of Portcullis - my home http traffic is also filtered thru Portcullis.
Sysadmin - Parallel42

Jan Regnier

Quote from: Rob Talkington on February 23, 2010, 03:25:19 PM
FYI, if none of solutions above work there is a powerful program called Combofix that will most certainly fix the problem.  It uses multiple scanners to search for rootkits and other hard to get rid of malware.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I used this a few months ago on a machine I couldn't get clean - I used Sophos SAV32 CLI, Malwarebytes, Antispyware Super Antispyware and Combofix.  Combofix seemed to be the only program that worked....took me 10 hours of "cleaning" and recleaning and searching for answers to get the job done.  Combofix was the last program I used and the one that worked for whatever the final issue was on that machine.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Rob Talkington

Quote from: Robin Deatherage on March 10, 2010, 11:52:15 AM
Is it just me or does there seem to be an increase in virus infections from the web lately?  I've had several machines hit in the last few months.  I'm wondering if that means my anti-virus isn't doing a good job with updating their definition files or my users' reckless browsing habits are just catching up to them (and me).  I'm thinking both. 

Was it the same virus that hit all of those machines? 

How often does your av software check for updates?

Rob Talkington
IT Manager
Salem Insurance Agency
Goshen, IN
Tam 10.3, 24 users