Vundo remover safe?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I have what fits the description of Vundo malware on a Windows XP SP2
system.  Symantec's Vundo remover (fixvundo.exe) fails to remove
the malware.  (What a surprise.) So I downloaded another Vundo remover
(Vundofix.exe) from a link to atribune.org from a thread on
spywareinfo.com.

This Vundofix.exe file shows up as clean when sent to virustotal.com
except for one line:

        Panda   9.0.0.4/20060417        found [Suspicious file]

I figure the above report is probably spurious and I have a legitimate
Vundo remover file and should run it.  Any opinions whether this
is a reasonable assumption?

Thanks much,

Steve

Re: Vundo remover safe?

Hi Steve - Probably OK.  Here's some good data including a link I know is
good for VundoFix:


Seven approaches to removing Winfixer (Vundo).  Not all will work on all
variants.  It's suggested that you try them in this order.

1 - Feedback from users reports that the Removal Tool here is the most
effective against what is currently the most common variety of this
'malware':
http://forums.mcafeehelp.com/viewtopic.php?t=57049



2 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions



3 - Courtesy of Dave Lipman:

"Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe


On the infected PC...

Execute;  WinFixerFix.exe  { Note: You must accept the default of
C:\McAfee }
Choose;   Unzip
Choose;   Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee
related files.

Execute;  c:\mcafee\clean.bat   { or Double-click on 'Clean Link' in
c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be
generated.  At the end of the scan, it will be displayed in your browser
(Opera, FireFox or Internet Explorer).  It is suggested that you move the
report out of c:\mcafee before performing another scan.  It would be a good
idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session."



4 - McAfee has a combined automated/manual removal procedure here:
http://vil.nai.com/vil/content/v_127690.htm



5 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.


At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\geeby.dll

Press Enter.

Next you will see:

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\ybeeg.*

Press Enter to continue.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click
FIX CHECKED:


O2 - BHO: MSEvents Object - -
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close Hijackthis.

The fix will tell you to shutdown using the Power button. Hold in your power
button until the computer shuts down. Wait about 15 seconds and then restart
the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking
your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan /

Allow them to clean

Panda will have the option to create a log after the scan has finished.
Click
the See Report button. Then click the save Report button. It will be saved
under the name activescan.txt Do that and post that log into your next reply
here.

Run hijackthis and post the new log and the vundofix.txt file from the
vundofix folder into as well.'

The forum helpers have reported this fix from Atribune works.  I don't know
about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread where the
helpers are discussing this.

Suzi"


Note:  Here's some added info relative to the above courtesy of MVP Steve
Wechsler  (akaMowGreen):

"the .dll's file name :

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify it
is to scan the system with HijackThis and look at the O2 BHO and/or O20
Winlogon entries to find out it's name. Close all other programs and
browsers prior to scanning with HJT.  REMEMBER that there is a hidden file
that will have the name of the .dll spelled backwards. Enter that name when
the VundoFix requests the path to the second file.



6 - Grinler, (Lawrence Abrams, a Security MVP), has another removal method
that can be used if the recommended method fails :
http://www.bleepingcomputer.com/forums/topic18610.html "




7 - Courtesy of S.Sengupta[MS-MVP]

Download VirtumundoBegone and save it to your desktop.

VirtumundoBegone
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Run that application after booting into safe mode.





Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://www.merijn.org/files/hijackthis.zip (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com /
or Jim Eshelman's site here:  http://forum.aumha.org /
or Bleepingcomputer here:  http://www.bleepingcomputer.com /
or Computer Cops here:  http://www.computercops.biz/forums.html
or Tom Coyote here:  http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here:  http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s).  Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2 and earlier, contain a security bug which certain
malware, notably Winfixer/Vundo, are suspected of exploiting.  If you did
have one of these versions of Sun Java, JRE v. 1.4.2 or earlier, installed,
please post back and tell us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com /



|| I have what fits the description of Vundo malware on a Windows XP SP2
|| system.  Symantec's Vundo remover (fixvundo.exe) fails to remove
|| the malware.  (What a surprise.) So I downloaded another Vundo remover
|| (Vundofix.exe) from a link to atribune.org from a thread on
|| spywareinfo.com.
||
|| This Vundofix.exe file shows up as clean when sent to virustotal.com
|| except for one line:
||
||         Panda   9.0.0.4/20060417        found [Suspicious file]
||
|| I figure the above report is probably spurious and I have a legitimate
|| Vundo remover file and should run it.  Any opinions whether this
|| is a reasonable assumption?
||
|| Thanks much,
||
|| Steve



Re: Vundo remover safe?


| I have what fits the description of Vundo malware on a Windows XP SP2
| system.  Symantec's Vundo remover (fixvundo.exe) fails to remove
| the malware.  (What a surprise.) So I downloaded another Vundo remover
| (Vundofix.exe) from a link to atribune.org from a thread on
| spywareinfo.com.

| This Vundofix.exe file shows up as clean when sent to virustotal.com
| except for one line:

|         Panda   9.0.0.4/20060417        found [Suspicious file]

| I figure the above report is probably spurious and I have a legitimate
| Vundo remover file and should run it.  Any opinions whether this
| is a reasonable assumption?

| Thanks much,

| Steve


There are new variants of Vundo Trojan put out periodically and it might not
catch it.

Can you please copy & paste the log created by Vundofix.


-------

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0.  There are vulnerabilities in them and they are actively being
exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun
Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute;  WinFixerFix.exe  { Note: You must accept the default of C:\McAfee }
Choose;   Unzip
Choose;   Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute;  c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated.  At the end of the scan, it
will be displayed in your browser (Opera, FireFox or Internet Explorer).
However, if you are using WinXP, Win2K or Win2003 your system will be left in a
state where you will have to manually shutdown/reboot the PC.  On Win9x/ME
platforms the report will not be shown in your bowser but your PC will
automatically be shutdown.  It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of
the HTML report for each session.



Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML  in your reply.

* * *  Please report back your results  * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Site Timeline