TechSpot

Help removing Trojan.Vundo virus

By Radian444
Nov 30, 2007
  1. Hello Everyone,

    I have a client's machine that is infected by the Trojan.Vundo virus. They are running Norton Antivirus and about every 10 minutes it gives the message, "Your computer must restart in order to continue the removal of security risks". After the computer reboots it finds the virus again about 10 minutes later. I've performed all of the steps in the preliminary removal instructions (by the way the link to that page doesn't appear to be working anymore), but the virus continues to show up. Vundofix doesn't detect the virus. I've also run fixvundo from Symantec and although it found the virus and said it removed it, it still shows the same behavior and asks the client to reboot every 10 minutes. Panda Rootkit didn't find anything. Attached are my Combofix, Vundofix, and Hijackthis logs. AVG Antispyware didn't find anything so it didn't generate a log. By the way, I had updated Java already and for some reason it went back to an old version. If you have a link for the latest version of Java handy I'd appreciate it.
     


  2. Radian444

    Radian444 TS Rookie Topic Starter

    By the way I attempted to update Java and it said I was already running the latest version.
     
  3. evilfantasy

    evilfantasy Banned Posts: 428

    www.java.com

    =====

    Open HijackThis and do a system scan only.

    Place a check mark next to:

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?2de704c7de34659d1426bdbf 7305713b71f63c21a9362cd448d0394fa7e25770eb7c2f805dd491215862bf84e3cc4da159cef9c6 12b7dca9fb551573457330:22b32e0c79951ba72dbf4c44a0363a5c

    Close all windows except for HijackThis and click "Fix checked"

    =====

    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    =====

    In your next post please attach:
    combofix.txt
    New HijackThis log
     
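The two HijackThis entries ticked above are the classic shapes a reviewer looks for: an O9 button whose target is "(no file)" and an O16 DPF entry pulling an ActiveX .cab from an adware host. The triage script below is an added example, not something posted in this thread or part of HijackThis itself; it generalizes the check to any "(no file)" entry in any section, and the trusted-host set and the sample log are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts whose O16 DPF (ActiveX) downloads are treated as expected. This set
# is an assumption for the example; the thread does not define one.
TRUSTED_DPF_HOSTS = {"update.microsoft.com"}

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
URL_RE = re.compile(r"https?://\S+")

@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O9" or "O16"
    line: str     # the log line that triggered the finding
    reason: str   # why a reviewer would tick it for "Fix checked"

def triage(log_text: str) -> list:
    """Flag HijackThis entries worth reviewing: any entry whose target is
    '(no file)' (an orphaned registry reference, whatever the section) and
    any O16 DPF ActiveX download from a host outside TRUSTED_DPF_HOSTS."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if "(no file)" in rest:
            findings.append(Finding(section, raw, "orphaned entry: target file is missing"))
            continue
        if section == "O16":
            url = URL_RE.search(rest)
            host = urlparse(url.group(0)).hostname if url else None
            if host is None or host.lower() not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, raw, f"ActiveX download from untrusted host: {host}"))
    return findings

# Constructed sample log: the two entries evilfantasy told the poster to fix
# (the O16 URL shortened to its .cab) plus two constructed entries that should pass.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {11111111-2222-4333-8444-555555555555} - C:\Program Files\Example\helper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {66666666-7777-4888-8999-000000000000} - http://update.microsoft.com/example/control.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```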
  4. Radian444

    Radian444 TS Rookie Topic Starter

    Thanks for the quick response

    Thank you for responding so quickly. Attached are the combofix and hijack this logs.
     
  5. evilfantasy

    evilfantasy Banned Posts: 428

    The logs look fine.

    Are you still having any problems?
     
  6. Radian444

    Radian444 TS Rookie Topic Starter

    Yeah, I re-enabled Real time scanning in Norton Antivirus and it found the Trojan.Vundo infection and asked to reboot. I'm rebooting to see if it pops up again, but this is the same thing it was doing before. One note I should mention is that I'm doing this remotely so the machine is constantly connected to the internet. If there is no way to remove this infection without disconnecting from the internet it's going to mean a 60 mile drive for me.
     
  7. evilfantasy

    evilfantasy Banned Posts: 428

    Try flushing the system restore points and see if it stops finding it.

    1. Turn off System Restore
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Restart your computer

    3. Turn ON System Restore
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
     
  8. evilfantasy

    evilfantasy Banned Posts: 428

  9. Radian444

    Radian444 TS Rookie Topic Starter

    After the reboot I turned System Restore back off in case the virus was hiding in there. Apparently combofix.exe is turning the system restore points back on each time that it runs.

    Edit: Oops, didn't read your POST first. Guess you were suggesting the same thing that I did. I'll try running the software that you suggested.
     
  10. Radian444

    Radian444 TS Rookie Topic Starter

    Should I run a full scan or a quick scan of the SuperAnti... program? The computer has 600,000 files on it so it takes a long time to run a full scan.
     
  11. evilfantasy

    evilfantasy Banned Posts: 428

    A quick scan should work, but if it is hidden well then the full scan would be better.

    Also does Norton say exactly where the trojan/vundo is being found?
     
  12. Radian444

    Radian444 TS Rookie Topic Starter

    Well, the "Detected Trojan.Vundo" message popped up again after turning off the system restore. However, this time it didn't state that the system required a reboot... I'm running the SuperAntiSpyware program right now. The quarantine items show that the item was resolved and no action needs to be taken. The quarantine shows 173 registry entries, 2 processes (both iexplore.exe), 1 service (domainservice), and 1 file, C:\documents and settings\all users\application data\symantec\subeng\temp\{f4da0be6-07e0-4db8-a081-f85a849ae57a}, but every time it is detected it has a different hex address. In some of the items it was also located in C:\Windows\temp\"hex address". I deleted the C:\Windows\Temp folder.
     
  13. evilfantasy

    evilfantasy Banned Posts: 428

    You can use this program to do a very thorough scrubbing of temp folders.

    Please download ATF Cleaner by Atribune (ATF-Cleaner.exe). This program does not require an installation; the executable actually runs the program.

    NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser
    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.
     
  14. evilfantasy

    evilfantasy Banned Posts: 428

    You will want to uninstall ComboFix at some point. It has copies of everything removed in its quarantine, so they could be detected as malicious when they actually aren't, because they are quarantined.

    If SuperAntiSpyware (SAS) or Norton detects anything in C:\Qoobox, then that is ComboFix's quarantine.

    ComboFix removal:

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u


    Make sure there's a space between ComboFix and /.
    Then hit Enter.

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
     
  15. Radian444

    Radian444 TS Rookie Topic Starter

    Ran the ATF Cleaner and updated the virus definitions. I'll uninstall Combofix and then run another scan of Norton AV and see if the virus has gone away. Thanks again for the help.

    While running the SuperAntiSpyware scan the system locked up and had to be rebooted. Unfortunately, the client has already left for the day so I can't continue working on this issue until Monday. I did uninstall Combofix before it locked up, and after 45 minutes of scanning with SuperAntiSpyware (quick scan...) the system locked up. However, it didn't pop up the message about Trojan.Vundo in the auto protect so it is definitely making progress. I think that ATF Cleaner tool to clean the temp files may have killed it. I'll post again on Monday.

    The Trojan.Vundo virus is still being detected. I'm running Windows Updates, but I'm running out of ideas.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
     
  16. momok

    momok TS Rookie Posts: 2,265

    Could you provide full details of the message which shows the detection? Perhaps a screenshot would be helpful. Just in case it is a case of false positives.

    Regards,
    momok =)
     
  17. evilfantasy

    evilfantasy Banned Posts: 428

    If ATF Cleaner had done any damage it would have shown immediately.
     
  18. Radian444

    Radian444 TS Rookie Topic Starter

    When I stated that ATF Cleaner might have killed it I meant killed the virus, not the computer :) . I'm running a full virus scan in safe mode to see if it finds the virus, but this computer has over 650,000 files and takes about 3 hours to run a scan. Momok, basically the error message is that Norton Antivirus 2006 pops up a message that states, "Your computer must restart in order to continue the removal of security risks". After restarting, the message appears again within 10-15 minutes. When viewing the quarantine it shows hundreds of entries of Trojan.Vundo and says that it was partially removed each time and then says "resolved - no action" under recommended action, but the message pops up again asking the user to reboot the computer. By the way, the quarantine (in this case) does not have a way to remove any of these infections because it states they have already been removed. The folder path of these items is always one of the two different paths that I mentioned in a previous post (C:\documents and settings\all users\application data\symantec\subeng\temp\"hex address" or C:\Windows\temp\"hex address"). I have deleted the C:\Windows\Temp folder contents and run CCleaner and ATF Cleaner. The scan completed in safe mode without finding anything and now I'm running a scan in normal mode to see if it finds anything.
     
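The pattern Radian444 describes in posts 12 and 18, the same two temp directories quarantined over and over under a fresh hex name each time, is itself a useful signal: the scanner keeps "resolving" a dropped payload while whatever drops it survives. The script below is an added example, not part of the thread or of any scanner, that makes that check mechanical by collapsing GUID-named components and counting repeats; the quarantine paths are constructed for the example (only the first GUID comes from the thread).

```python
import re
from collections import Counter

GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)

def normalize(path: str) -> str:
    """Lower-case the path and collapse any GUID-named component to {GUID},
    so repeated drops into the same directory compare equal."""
    return GUID_RE.sub("{GUID}", path.lower())

def reinfection_loops(paths, threshold: int = 2) -> dict:
    """Return {normalized_path: count} for locations quarantined at least
    `threshold` times. A scanner that keeps 'resolving' the same temp
    directory under fresh names is removing a dropped payload, not the
    component that drops it, so the loop itself is the finding."""
    counts = Counter(normalize(p) for p in paths)
    return {p: n for p, n in counts.items() if n >= threshold}

# Constructed sample quarantine paths in the shape the poster describes: the
# two temp directories, a different GUID each time, plus one unrelated file.
SAMPLE_QUARANTINE = [
    r"C:\documents and settings\all users\application data\symantec\subeng\temp\{f4da0be6-07e0-4db8-a081-f85a849ae57a}",
    r"C:\Windows\temp\{1b2c3d4e-0000-4000-8000-000000000001}",
    r"C:\documents and settings\all users\application data\symantec\subeng\temp\{00000000-1111-4222-8333-444444444444}",
    r"C:\Windows\temp\{1b2c3d4e-0000-4000-8000-000000000002}",
    r"C:\Program Files\Example\plugin.dll",
]

if __name__ == "__main__":
    for path, n in sorted(reinfection_loops(SAMPLE_QUARANTINE).items()):
        print(f"{n}x {path}")
```

Feeding it the real quarantine listing (one path per entry) shows which directories are being re-seeded, which is where the persistence mechanism that survives each reboot should be looked for.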
  19. evilfantasy

    evilfantasy Banned Posts: 428

    Download a fresh copy of ComboFix and let's try that again.

    Only wait until any other scans are done.

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause your computer to stall.
     
  20. Radian444

    Radian444 TS Rookie Topic Starter

    Ran ATF Cleaner again in safe mode and it removed over one GB of temporary files. The AV scan in normal mode is only at around 70,000 files so it's going to be a while. When it finishes I'll run combofix and post the log.

    Edit: The scan finally completed, but took over 6 hours to run. It said it didn't find anything and so far the pop ups haven't occurred again so I'm hoping the machine is finally clean. If they start occurring again I'll post the combofix log. Thanks again for the help.
     
  21. onociram

    onociram TS Rookie

    Hi,
    I have the same problem... I got a lot of posxxx....... temp files inside my drive "C". I already did VundoFix using safe mode twice, and did the ComboFix, but unfortunately it took me 8 hours to do the ComboFix and I only got the bluescreen and there was no log at all. So I also did the HijackThis and got the log report, and all the posxxx.... temp files were finally gone. I didn't fix anything yet using the HijackThis thing, just saved the log and started working again. The thing right now is that my computer is kind of slow. I need your help... PLEASE.
    Thanks for all your time...
     
  22. rf6647

    rf6647 TS Maniac Posts: 829

    onociram, please post your problem in a new thread if you are seeking assistance. This thread is stale.

    http://www.techspot.com/vb/topic58138.html

    Follow the 15 step procedure found in the above link. Posting the logs from following the instructions is the entry point to getting help here.
     