Help removing Trojan.Vundo virus

[Radian444]

Hello Everyone,

I have a client's machine that is infected by the Trojan.Vundo virus. They are running Norton Antivirus and about every 10 minutes it gives the message, "Your computer must restart in order to continue the removal of security risks". After the computer reboots it finds the virus again about 10 minutes later. I've performed all of the steps in the preliminary removal instructions (by the way the link to that page doesn't appear to be working anymore), but the virus continues to show up. Vundofix doesn't detect the virus. I've also run fixvundo from Symantec and although it found the virus and said it removed it, it still shows the same behavior and asks the client to reboot every 10 minutes. Panda Rootkit didn't find anything. Attached are my Combofix, Vundofix, and Hijackthis logs. AVG Antispyware didn't find anything so it didn't generate a log. By the way, I had updated Java already and for some reason it went back to an old version. If you have a link for the latest version of Java handy I'd appreciate it.

 

[Radian444]

By the way I attempted to update Java and it said I was already running the latest version.

 

[evilfantasy]

www.java.com

=====

Open HijackThis and Do a system scan only.

Place a check mark next to

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?2de704c7de34659d1426bdbf 7305713b71f63c21a9362cd448d0394fa7e25770eb7c2f805dd491215862bf84e3cc4da159cef9c6 12b7dca9fb551573457330:22b32e0c79951ba72dbf4c44a0363a5c

Close all windows except for HijackThis and click "Fix checked"

=====

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\WINDOWS\system32\iypxskqn.ini
C:\WINDOWS\system32\qqnnlggy.ini
C:\WINDOWS\system32\nbkatsbt.ini
C:\WINDOWS\system32\gtxupfgd.ini
C:\WINDOWS\system32\fqsnvutu.ini

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

=====

Next post please attach
combofix.txt
New HijackThis log

 

[Radian444]

Thanks for the quick response

Thank you for responding so quickly. Attached are the combofix and hijack this logs.

 

[evilfantasy]

The logs look fine.

Are you still having any problems?

 

[Radian444]

Yeah, I re-enabled Real time scanning in Norton Antivirus and it found the Trojan.Vundo infection and asked to reboot. I'm rebooting to see if it pops up again, but this is the same thing it was doing before. One note I should mention is that I'm doing this remotely so the machine is constantly connected to the internet. If there is no way to remove this infection without disconnecting from the internet it's going to mean a 60 mile drive for me.

 

[evilfantasy]

Try flushing the system restore points and see if it stops finding it.

1. Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer

3. Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

 

[evilfantasy]

Also you may try running SUPERAntispyware Free Edition

It has a very large trojan/vundo detection/removal database.

 

[Radian444]

After the reboot turned system restore back off in case the virus was hiding in there. Apparently combofix.exe is turning the system restore points back on each time that it runs.

Edit: Oops, didn't read your POST first. Guess you were suggesting the same thing that I did. I'll try running the software that you suggested.

 

[Radian444]

Should I run a full scan or a quick scan of the SuperAnti... program. The computer has 600,000 files on it so it takes a long time to run a full scan.

 

[evilfantasy]

A quick scan should work, but if it is hidden well then the full scan would be better.

Also does Norton say exactly where the trojan/vundo is being found?

 

[Radian444]

Well the "Detected Trojan.Vundo" message popped up again after turning off the system restore. However, this time it didn't state that the system required a reboot...I'm running the SuperAntiSpyware program right now. The quarantine items show that the item was resolved and no action needs to be taken. The quarantine shows 173 registry entries, 2 processes (both iexplore.exe), 1 service (domainservice), 1 file C:\documents and settings\all users\application data\symantec\subeng\temp\{f4da0be6-07e0-4db8-a081-f85a849ae57a}, but every time it is detected it is has a different hex address. In some of the items it was also located in C:\Windows\temp\"hex address" Deleted the C:\Windows\Temp folder

 

[evilfantasy]

You can use this program to do a very thorough scrubbing of temp. folders.

Please download ATF Cleaner by Atribune. ATF Cleaner.exe This program does not require an installation. The executable actually runs the program.

NOTE: ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

 

[evilfantasy]

You will want to at some point uninstalll combofix, it has copies of everything removed in it's quarantine so they could be detected as malicious when they actually aren't because they are quarantined.

If SuperAntiSpyware (SAS) or Norton detects anything in c\:qoovox then that is combofixes quarantine.

Combofix removal.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

 

[Radian444]

Ran the ATF Cleaner and updated the virus definitions. I'll uninstall Combofix and then run another scan of Norton AV and see if the virus has gone away. Thanks again for the help.

While running the SuperAntiSpyware scan the system locked up and had to be rebooted. Unfortunately, the client has already left for the day so I can't continue working on this issue until Monday. I did uninstall Combofix before it locked up, and after 45 minutes of scanning with SuperAntiSpyware (quick scan...) the system locked up. However, it didn't pop up the message about Trojan.Vundo in the auto protect so it is definitely making progress. I think that ATF Cleaner tool to clean the temp files may have killed it. I'll post again on Monday.

The Trojan.Vundo virus is still being detected. I'm running Windows Updates, but I'm running out of ideas.

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.

 

[momok]

Could you provide full details of the message which shows the detection? Perhaps a screenshot would be helpful. Just in case it is a case of false positives.

Regards,
momok =)

 

[evilfantasy]

If ATF Cleaner had done any damage it would have shown immediately.

 

[Radian444]

When I stated that ATF Cleaner might have killed it I meant killed the virus, not the computer . I'm running a full virus scan in safe mode to see if it finds the virus, but this computer has over 650,000 files and takes about 3 hours to run a scan. Momok, basically the error message is that Norton Antivirus 2006 pops up a message that states, "Your computer must restart in order to continue the removal of security risks". After restarting the message appears again within 10-15 minutes. When viewing the quarantine it shows hundreds of entries of Trojan.Vundo and says that it was partially removed each time and then says "resolved - no action" under recommended action, but the message pops up again asking the user to reboot the computer. By the way, the quarantine (in this case) does not have a way to remove any of these infections because it states they have already been removed. The folder path of these items is always one of two different paths that I mentioned in a previous post (C:\documents and settings\all users\application data\symantec\subeng\temp\"hex address" or C:\Windows\temp\"hex address". I have deleted the C:\Windows\Temp folder contents and run ccleaner and ATF Cleaner. The scan completed in safe mode without finding anything and now I'm running a scan in normal mode to see if it finds anything.

 

[evilfantasy]

Download a fresh copy of Combofix and lets try that again.

Only wait until any other scans are done.

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall

 

[Radian444]

Ran ATF Cleaner again in safe mode and it removed over one GB of temporary files. The AV scan in normal mode is only at around 70,000 files so it's going to be a while. When it finishes I'll run combofix and post the log.

Edit: The scan finally completed, but took over 6 hours to run. It said it didn't find anything and so far the pop ups haven't occurred again so I'm hoping the machine is finally clean. If they start occurring again I'll post the combofix log. Thanks again for the help.

 

[onociram]

Hi,
I have the same problem...i got alot of posxxx.......temp. files inside my drive "C".i already did vundofix using safemode twice,did the combo fix but unfortunately it took
me 8 hours to do the combofix but only the bluescreen and there was no log at all.Soi also did the hijack this and got the log report and all the posxxx....temp files
were finally gone,didn't fix nothing yet using the hijack thing,just saved the log and started working again.The thing right now is that my computer is kinda slow.I need your help...PLEASE.
Thanks for all your time...

 

[rf6647]

onociram, please post your problem in a new thread if you are seeking assistance. This thread is stale.

https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Follow the 15 step procedure found in the above link. Posting the logs from following the instructions is the entry point to getting help here.