Vicious Vundo Infection


My laptop (XP professional) has been infected with the Vundo virus for
a while now.  I've tried various tools (1. VundoFix, 2. a tool
provided by Symantec and 3. Spybot) but cannot get rid of it.  Spybot
appears to find and clean it, however the virus returns with the next
boot-up.  I've also removed all relevant registry entries and files as
suggested by Symantec.

The virus puts a new entry in the startup command every time I reboot,
e.g. Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s.  Unchecking
the startup item (using msconfig) just causes it to be re-checked with
the next boot-up with a different dll specified in the command.

Any help with tips on removing this virus would be appreciated.

Thanks.

Re: Vicious Vundo Infection

On Fri, 19 Dec 2008 18:45:23 -0800 (PST), in alt.comp.anti-virus, Vik
arranged some electrons, so they looked like this:

 ... My laptop (XP professional) has been infected with the Vundo virus for
 ... a while now.  I've tried various tools (1. VundoFix, 2. a tool
 ... provided by Symantec and 3. Spybot) but cannot get rid of it.  Spybot
 ... appears to find and clean it, however the virus returns with the next
 ... boot-up.  I've also removed all relevant registry entries and files as
 ... suggested by Symantec.
 ...
 ... The virus puts a new entry in the startup command every time I reboot,
 ... e.g. Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s.  Unchecking
 ... the startup item (using msconfig) just causes it to be re-checked with
 ... the next boot-up with a different dll specified in the command.
 ...
 ... Any help with tips on removing this virus would be appreciated.
 ...
 ... Thanks.

Whenever I can't delete a file, I delete or change its extension.


=====
It sounds much better in French, but then, everything does.

Re: Vicious Vundo Infection


| My laptop (XP professional) has been infected with the Vundo virus for
| a while now.  I've tried various tools (1. VundoFix, 2. a tool
| provided by Symantec and 3. Spybot) but cannot get rid of it.  Spybot
| appears to find and clean it, however the virus returns with the next
| boot-up.  I've also removed all relevant registry entries and files as
| suggested by Symantec.

| The virus puts a new entry in the startup command every time I reboot,
| e.g. Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s.  Unchecking
| the startup item (using msconfig) just causes it to be re-checked with
| the next boot-up with a different dll specified in the command.

| Any help with tips on removing this virus would be appreciated.

| Thanks.

You keep writing "virus".  However, Vundo is a trojan, and NOT a virus.

Start with Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Vicious Vundo Infection

On Fri, 19 Dec 2008 18:45:23 -0800, Vik wrote:


Since none of the removers worked for you... you'll have to do it
manually. Get a boot disk.. The Active Boot Disk has a 10 day trial,
or make the UBCD4Win. They both have really cool Windows-like GUIs.
You don't have to be a Dos Geek to use them and clear your virus.

For me, I used HijackThis to get knowledge of which files were being
used by the trojan. Focus on the windows\system32 dll file or files
that the trojan created. There is at least one in there that must be
deleted. Note also the time stamps on that one and pay attention to
the other files that were created then, as well.

For me, when I cleared the virus, I created and booted with the Active
Boot disk trial.. then deleted the "locked" dll file in the system32
folder that kept coming back. Then, I deleted all my temp files. I
deleted my Firefox profiles. I deleted all cookies and temporary
internet files for both Firefox and IExplorer. I also deleted my
restore points, as the trojan had disabled my system restore, but a
couple of the scanners said infected files were in that hidden folder.
No worries to delete that "restore_" folder in a dos-like, bootdisk
environment. I also deleted a few ini1 and ini2 files that were being
recreated in the system32 folder when I rebooted.. They were easily
spotted and disposed of. Their creation dates and nonsense names
aligned them as part of the trojan mess.

Then, after deleting those and rebooting back to regular windows, I
had hijackthis "fix" the entries of those files. Finally, because the
trojan had disabled so many of my services, I had to do a windows
repair. There are instructions on the net to help you with that. None
of your files or programs will be overwritten and all the settings
that have been tampered with or deleted will be restored..

That's how I took care of Virtumonde.

--
C:\Internet\Pan\sig.txt
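Cadillakin's triage steps above (use HijackThis to find the autorun DLL, then use its time stamp to spot the other files dropped with it) as an added Python example that is not from the thread or from HijackThis itself. It parses constructed lines in the shape of HijackThis "O4" autorun entries (the exact O4 format is assumed), flags rundll32 entries that load a DLL from system32 which you cannot account for, and then lists files in a constructed system32 directory listing created within a few minutes of that DLL. Every file name, time stamp and the known-good set is constructed sample data.

```python
"""Autorun triage heuristic described in the thread (added example, not
from the original posts).  All input below is constructed sample data."""
import re
from datetime import datetime, timedelta

# Constructed lines in the shape of HijackThis "O4" autorun entries (assumed format).
HJT_O4_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [pajuneyo] Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll,s',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
]

# Constructed directory listing of C:\WINDOWS\system32: (file name, creation time).
SYSTEM32_LISTING = [
    ("kernel32.dll",  datetime(2004, 8, 4, 12, 0, 0)),
    ("NvCpl.dll",     datetime(2007, 3, 1, 9, 15, 0)),
    ("pajuneyo.dll",  datetime(2008, 12, 18, 21, 4, 10)),
    ("rgwjkdne.ini1", datetime(2008, 12, 18, 21, 4, 12)),
    ("rgwjkdne.ini2", datetime(2008, 12, 18, 21, 4, 12)),
    ("ctfmon.exe",    datetime(2004, 8, 4, 12, 0, 0)),
]

# Constructed set of system32 DLLs the owner can account for (e.g. a known driver panel).
KNOWN_GOOD = {"nvcpl.dll"}

# "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "rundll32[.exe] <path>.dll,<entrypoint>" with optional quoting
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S*)',
    re.IGNORECASE,
)


def parse_o4(line):
    """Split one O4 line into hive, value name and command, or None if it is not O4."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def rundll32_system32_entries(lines):
    """All autoruns that use rundll32 to load a DLL from a system32 folder."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if not entry:
            continue
        m = RUNDLL_RE.match(entry["cmd"])
        if not m or "\\system32\\" not in m.group("dll").lower():
            continue
        hits.append({"hive": entry["hive"], "name": entry["name"],
                     "dll": m.group("dll"), "entry": m.group("entry")})
    return hits


def suspicious_autoruns(lines, known_good):
    """rundll32 system32 autoruns whose DLL the owner cannot account for."""
    return [h for h in rundll32_system32_entries(lines)
            if basename(h["dll"]).lower() not in known_good]


def files_created_near(listing, anchor_name, window=timedelta(minutes=10)):
    """Other files whose creation time is within `window` of the anchor file's."""
    times = {name: ts for name, ts in listing}
    anchor = times.get(anchor_name)
    if anchor is None:
        return []
    return sorted(name for name, ts in listing
                  if name != anchor_name and abs(ts - anchor) <= window)


def triage(lines, listing, known_good):
    """Map each suspicious DLL to the files dropped at about the same time."""
    return {basename(h["dll"]): files_created_near(listing, basename(h["dll"]))
            for h in suspicious_autoruns(lines, known_good)}


if __name__ == "__main__":
    for dll, companions in triage(HJT_O4_LINES, SYSTEM32_LISTING, KNOWN_GOOD).items():
        print(f"suspicious autorun DLL: {dll}; created alongside: {companions}")
```

The time-stamp clustering is the part worth keeping: once the locked DLL has been identified from the autorun entry, anything created in system32 within the same couple of minutes (the nonsense-named ini files in the post) is a candidate for removal from the boot disk, and anything older is left alone.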

Re: Vicious Vundo Infection


That's what I like to do.
For anyone who wants to try a boot disk I have created
a BartPE boot image.
http://www.nu2.nu/pebuilder/
This is a boot disk based on XP with some extra tools included.
It is a 79 MB zip which extracts to a 150 MB ISO image.
As well as an aid to fixing malware, a boot disk is useful for when
Windows decides not to boot for some reason or other.
You can download it from here:
http://www.megaupload.com/?d=HTIGTU5P


From the readme file:
[ A4 File manager ]
Similar to the usual Windows Explorer.

[ Registry editor ]
Select Registry Editor
Select location of the Windows registry that you want to edit [normally C:\windows]
Accept default Sam file
Accept default Security file
Accept default Software file
Accept default System file
Do you want a remote user profile hive y/n  [yes if you want to edit HKCU hive]
The registry keys will be loaded and labeled as  _Remote.
They will be listed under the HKEY_LOCAL_MACHINE\
E.g. HKEY_LOCAL_MACHINE\_Remote_Software  or  HKEY_LOCAL_MACHINE\_Remote_System
etc.
You should now be able to edit the _Remote sections with no restrictions.

[System]
Some basic tools for disk management etc.
Keyboard layout, default is UK keyboard but can be changed to US, French, German
etc.

[Drive Image XML]
This is a plug in for the free disk imaging software from Runtime:
www.runtime.org/driveimage-xml.htm
If you have created a backup image on a separate hard disk use this to restore
your image.


(Runtime Software have created a video describing how to make your own BartPE
disk with their plug-ins:)

http://uk.youtube.com/watch?v=0reKK2ASEaU




Re: Vicious Vundo Infection

On Mon, 22 Dec 2008 15:35:57 +0000, Dave-UK wrote:


I think that if many of the people who seek help online with their issues
were aware just how sophisticated and sleek these bootdisks are, they
would take a stab at repairing the disk and/or clearing the virus by
themselves.. I was amazed at how brilliant and easy the GUI is to work
with. In days past, even for those of us who knew our way around DOS, it
was still an ordeal to search for and clear a virus. But now, it's
simplified and almost easy. You can delve right into the file manager on
the boot disk and click your way around in seconds, exploring properties
and creation dates, deleting easily everything that doesn't belong.

Also, in my case, I made a big error by staying online while
troubleshooting the virus/trojan. The boys who got that virus in, with
the help of my teen daughter, were trapping my keyboard and watching what
I was doing. They deleted services as I thought of them. They watched me
type the admin password and they disabled it... They disabled nearly all
of the av software. It failed to run.. msi files wouldn't run either..
copy and paste wouldn't work, my search abilities were gone, the help
files were not working.. etc.. They had control through a terminal.. So, I
wised up. I went offline, made the bootdisk on another computer,
developed a general plan and carried it out, all offline.

Since I could not copy and paste, I zipped/archived the files I needed to
work with on another computer and extracted them on the infected
computer. Extraction worked to move the files, copy and paste did not.
Also, though I was unaware of it till nearly the end of the process, the
copy command worked in a dos window..

By the way, in addition to the boot disk you refer to, HijackThis is the
OTHER invaluable tool. With those two alone.. most viruses can be
cleared..


--
Regards,
Cadillakin

Re: Vicious Vundo Infection




| By the way, in addition to the boot disk you refer to, HijackThis is the
| OTHER invaluable tool. With those two alone.. most viruses can be
| cleared..


| --
| Regards,
| Cadillakin

Not really.  Some non-viral malware yes.  However it won't help with many true
viruses as they will prepend, append or insert code into legitimate files and you
can't tell that from a HJT log.  It won't help with Boot Sector Infectors either.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Vicious Vundo Infection

On Mon, 22 Dec 2008 17:39:22 -0500, David H. Lipman wrote:


Yes, like many people, I sometimes incorrectly use virus in place of the
word "trojan", or malware. I know the difference.. I just stated it
incorrectly.

--
Regards,
Cadillakin

Re: Vicious Vundo Infection



Before you give up or spend a lot of time, download and install
SUPERAntiSpyware Free Edition.  I had a Vundo infection several weeks ago
and tried many of the fixes that you did.  I was about ready to do the
step-by-step registry change and repair process suggested by one site when I
checked with the tech support folks at Smart Computing and they recommended
the antispyware.   A few minutes later, Vundo was gone and I haven't had a
problem since.  I agree it's one of the nastiest out there.  Certainly the
worst that I've ever encountered

TKM

P.S. I also tried the Lavasoft Ad-Watch which I liked from a previous bout
with spyware; but it didn't clean Vundo.




Re: Vicious Vundo Infection

On Wed, 24 Dec 2008 22:53:06 +0000, TKM wrote:


I fixed it easily with the boot disk and Hijack This and a Windows
Repair. I think you might have misunderstood some of my original posting.

Yes, I agree that Vundo is particularly nasty, but in my case, it wasn't
just the trojan itself and its intent to advertise and redirect, but the
OPEN access the intrusion provided to my wife's computer.. As I noted in
my first posting, they blocked many of the services that one would use to
troubleshoot and they rewrote many of the registry keys... But even more
troublesome was that they were following (trapping) my keystrokes and
passwords and adjusting my computer so that I couldn't find workarounds
or fix things.

So, my particular trojan was not just sitting there.. but my data was
being transmitted to boys (presumably) that were actively working to
thwart me. Until I got offline and created that boot disk, I was getting
deeper in the hole.

After I got the main dll file deleted in the system32 folder, everything
fell into place. I then cleaned up with the help of HijackThis and some
common sense, and finally, I repaired my Windows installation.





--
Regards,
Cadillakin

Re: Vicious Vundo Infection

On Fri, 26 Dec 2008 19:45:08 GMT, Cadillakin


I want to thank you all for this thread. My daughter's computer picked
up the Virtumonde spyware. The computer was just frozen solid with
pop-ups and ads (for a virus scanner, of all things). Several attempts
to exorcise it with Spybot failed. It kept coming back. Googling
"Virtumonde" led me to several sites that claimed to be able to do the
exorcism. But it was your lead to "SUPERAntiSpyware" that did the
trick. The name "SUPERAntiSpyware" is dorky, like "FinallyFast dot
com", or some piece-of-shit scam like that. But I figured if it works
or not, that computer can be in no worse shape. But it worked (I
think, so far).

This thread also tells me HijackThis is a good thing to have. I will
get it and learn about it.

The experience with Virtumonde also tells me that a better reason to
maintain backups is not for recovery after a hard drive crash as much
as it is for recovery from this kind of malware. Instead of trying to
figure out what's been tampered with or inserted or infected, just
kill it all and do a restore from the backup.

Thanks much.


Re: Vicious Vundo Infection



dogbreath wrote:

Yes, that is what it proclaims to be, a virus scanner. Giant scam.


Yes, SuperAntiSpyware (SAS) is a great program and I own the paid version.
The name is kind of suspicious sounding.  :)
Another great and free program is MalwareByte's Anti-Malware (MBAM).


