Can't get rid of Vundo

wormgod

I believe that I have a Vundo infection that I have been trying to get rid of for several days, but like a bad rash it keeps coming back. Symptoms include XP freezing (some running programs freeze but others do not, system clock freezes -- requires a power off), IE having to close, tmproxy restarting, etc.
I have tried multiple antivirus/spyware tools -- VirtumundoBeGone (nothing), FixVundo (nothing), VundoFix (nothing), SpyBot (found and removed something but probably not all), Trojan Remover (nothing), and several others whose names escape me at the moment. Please help. Logs are attached.
 

Attachment: hijackthis.log
WinFixer / Vundo / Dropper and others detected...

Hello Wormgod...
Your SAS log shows multiple issues, not just Vundo.
Have you completed the 8 steps?
See https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

I only glanced at your HJT log... What AV are you using? Is it fully updated?
What did it say that it was able to do? (Do you have a log file from your last scan?)
Were you able to update MBAM?

Re: Vundo... Maybe you saw this... (on bleepingcomputer)
The Vundo family of Trojans is one of the most common infections we find on users' computers. This infection can cause popups that include advertisements for rogue anti-spyware programs. Some common rogue antispyware programs that are advertised include WinFixer, SysProtect and WinAntiSpyware. Users are normally targeted by false positives, fake alerts, and warnings of infections on their computer. An example of this type of misleading advertisement would be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so it is important to first make sure that your Java software is fully up to date. This infection is normally detectable by users receiving popups when they use the Internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer.

The Vundo infection has evolved over time to include harder and harder protection methods so that it cannot be easily removed. These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools. Due to this, specialized tools have been created in order to target this specific infection and remove it.

From what I have seen, Vundo, though difficult, is defeatable.
I have seen our generous volunteer experts at TechSpot help several with Vundo and with other difficult nasties.
I would observe, some of the others can be even a little more difficult.
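The persistence tricks described above (nameless BHOs, random DLL names, the same DLL registered in more than one load point) are what a helper looks for in an attached HijackThis log. As an added illustration that is not from this thread or from any of the tools named in it, the following Python script applies those heuristics to constructed HijackThis-style lines; the sample lines, the CLSIDs and the vowel-ratio threshold are assumptions made for the demonstration.

```python
import ntpath
import re
from collections import Counter

# Constructed HijackThis-style lines (not the log attached to the thread).
# The two CLSIDs are placeholders, not real registry values.
SAMPLE_HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\WINDOWS\\system32\\pmkjhxqv.dll
O4 - HKLM\\..\\Run: [TrendMicro] C:\\Program Files\\Trend Micro\\pccguide.exe
O20 - Winlogon Notify: pmkjhxqv - C:\\WINDOWS\\system32\\pmkjhxqv.dll
"""

# Load-point line types a Vundo-era infection typically touched.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$"),
}


def looks_random(stem: str) -> bool:
    """Assumed heuristic: an alphabetic name with under 25% vowels reads as random."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in s)
    return vowels / len(s) < 0.25


def triage(log_text: str) -> list:
    """Return (line, reasons) pairs for load-point entries worth a closer look."""
    entries, seen_paths = [], Counter()
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                entries.append((kind, m.groupdict(), line))
                seen_paths[m.group("path").lower()] += 1  # count each file's load points
                break
    findings = []
    for kind, d, line in entries:
        reasons = []
        stem = ntpath.splitext(ntpath.basename(d["path"]))[0]
        if kind == "O2" and d["name"].strip().lower() == "(no name)":
            reasons.append("BHO has no name")
        if looks_random(stem):
            reasons.append("random-looking filename")
        if seen_paths[d["path"].lower()] > 1:
            reasons.append("same file in multiple load points")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG):
        print(line, "->", ", ".join(reasons))
```

Only the two entries pointing at the nameless system32 DLL are flagged; the signed vendor entries pass all three checks.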
 
Thanks for the quick response. I did go through all 8 of the steps before my initial post. I also noticed some problems that SAS found/removed, but I (perhaps naively) assumed they had been taken care of.


My AV is Trend Micro PC-Cillin 2007 (fully updated as I have the subscription service). I had issues the last two times that I ran it. The first time, the computer (including the scan) hung in the middle requiring a power off. The second time, the computer hung, but the scan continued to run to completion, but it did not report any problems. I'll try running it again and see what log it generates.

MBAM was able to update itself (db version 2079).
 
Reran the full Trend Micro scan, and it found nothing but a couple of cookies, which I removed.

Any ideas?
 
Still having the same problems -- computer freezing (sometimes at Welcome screen), tmproxy restarting, IE restarting, other components/programs restarting, etc.

Can anyone help? Thanks.
 
Let's see a combofix log ;)


Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drive/flash drive before running Combofix, if you have any

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post
 
No change. Still having the same problems. Something nasty is running that I cannot get rid of. It may not be Vundo, but it is nasty nonetheless.
 
Ok. We'll dig deeper -

Click here: http://www.gmer.net/
and download the installer for Gmer to your desktop, then click that file to run Gmer.
(scroll down, and click on – Download Exe – Button)

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Attach the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Attach the information and post it here please.
 
It looks clean.

I don't think your problems are virus related, so I'll therefore have you check for corrupted system files.

To do so ->
Click Start > Run and type sfc /scannow and then click OK.
Note the space between the c and the /
You may need your Windows XP CD so have it ready.
If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don't have one.

Allow the scan to run and when completed, reboot the system, and tell how things are running now.
 
This really didn't sound like a corrupted system files issue, so I downloaded another scanner that checks the master boot record, and it found and removed the trojan. Everything seems to be running fine now. Thanks for all your suggestions -- they pointed me in the right direction.
 