Vundo removal

By BigKahuna
Dec 15, 2008
Topic Status:
Not open for further replies.
  1. i am running windows xp home edition and i think i have the vundo virus. if i re-install windows will that get rid of the virus, if not can someone help?also when i try to run adaware i get the blue screen.
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    A full format and reinstall may do it, but that hardly seems necessary!

    Do the below in order presented.

    Copy all inside the box and paste to an open Command prompt. It will close the Command prompt when finished.

    Code:
    @echo off
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    exit
    exit
    ----------------------------------------------------------------------------------------------------------------------------------
    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    ----------------------------------------------------------------------------------------------------------------------------------

    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install, just run it delete all it finds decline to reboot on each item found, until the program finishes then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    Please make a note of what it found if any as it has no log.
    If it finds several things reboot to Safe Mode and run again before continuing below.
    ----------------------------------------------------------------------------------------------------------------------------------

    Get and run Malware Removal Tool by Joe Pestro http://majorgeeks.com/Malware_Removal_Tool_d4632.html
    ---------------------------------------------------------------------------------------------------------------------------------
    Do this: http://www.techspot.com/vb/post684649-3.html

    When Fixit.cmd finishes it will reboot to normal, then the below is the meat what we need to run to really get fixed:

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner as you already have one).

    Most importantly update MalwareBytes and SuperAntiSpyware!

    Before you scan with SuperAntiSpyWare do the below:

    SuperAntispyware extra config

    After installed double-click the icon on your desktop to run it.

    Update the program definitions.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes are checked except #3 Ignore System Restore:

    MalwareBytes extra config

    After update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and attach their logs.

    Do this correctly and we will make a short job of this!

    Mike
  3. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    should I remove the antivirus programs that i have already? I have avg and adaware
  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    No!

    In the 8 Steps the Virus scanners are if you have no Virus scanner at all.

    Same for Firewalls just don't Add/Remove or install anything yet except MBAM SAS and HJT.

    Mike
  5. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    i downloaded the programs and i put them on a flash drive and copied and pasted them onto the infected pc but they will not run. what should i do?
  6. mflynn

    mflynn Newcomer, in training Posts: 2,793

    You mean they won't even install or install but not run or update?

    Mike
  7. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    yea. i am using the infected pc now and i am going to try to D/L and install instead of copying and pasting
  8. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    i cannot get to the page. firefox says it is unable to connect but i am hard to my router
  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

  10. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    i still cannot connect. the links you posted above wont work either
  11. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    if i reinstall windows xp there is no guarantee that it will work? shouldn't it wipe the pc clean therefore getting rid of the virus? the links aren't working and neither are the programs.
  12. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK not looking good.

    Go into regular Safe Mode and try all. Will any of them work?

    Mike
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    It sounds like the problem is with your internet connection. If a setting is wrong, reinstalling may not fix it. I would suggest you check the Event Viewer for Errors that correspond to failed connections. You do not need an internet connection for this:

    Start> Run> cmd> type in eventvwr

    Can you tell me please why you suspect a Vundo infection? Have you run some security program identifying this? Which one? What did it say?
  14. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    only X-Cleaner works but it needs to be updated and i cannot update anything, but it is scanning right now.
  15. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    it is done scanning and a couple of alerts came up and i removed them, then i said no to reboot.
  16. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    i cannot go to any antivirus websites, my wireless wont work, i cannot update anything (avg adaware) when i run adaware i get the blue screen.
  17. BigKahuna

    BigKahuna Newcomer, in training Topic Starter Posts: 81

    here are the files
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Guess you missed that part!

    First of all, most drivers don't load in Safe Mode so ignore all those errors with the 'Safe Mode' description. Were you in Safe Mode at all the times the system Errors occurred?

    Secondly, some Services depend on other Services which might not start in Safe Mode, so we can throw those out too.

    Do you have or did you have MS Works?

    Regarding most of the rest- this isn't going to help us at all. The Safe Mode errors aren't valid for our purposes and you're running outdated programs. Current programs aren't properly installed due to either a missing or corrupt Windows Installer.

    Specifically, why Vundo?

    Going by the errors that are valid, it appears that you have many programs that are out of date and/or incorrectly installed due to a bad Windows Installer. I can't tell about the network card yet, but that and the router are also suspect at this point. The fix for the Windows Installer for Windows XP is found on the site below:
    http://support.microsoft.com/kb/315353/en-us

    This calls for a registry edit so you must be sure to backup the registry first.
  19. AaronSimpson

    AaronSimpson Newcomer, in training

    The following may not apply, because this thread seems to be dealing with a rootkit, but i figured i would post here anyways to spread the knowledge.

    Here is a Vundo fix that I developed. I work as a high level tech, and I have tested it many times in the field. It is one of the only ways to get rid of malicious *.dll’s that seem “undeletable”.

    You have to follow these instructions exactly because the virus is loaded into memory and most likely attached to winlogon.exe (as well as other system processes)!!!!

    Before you begin:

    ***.. anything referenced with << >> means that there is a dos command within the "brackets". You dont need any extra tools - all you need is dos!

    ***.. the instructions are adapted to Windows XP, but if you are just a lil bit savvy, you can easily adapt them to Vista as well – as long as you have the necessary admin.



    1. I usually start off by doing a “Hijackthis” in order to diagnose, and take note of all the malicious files/services I am planning on removing. There is already plenty of tutorials on how to do this on the net. If you find some pesky “*.dll’s”, then the following technique is what you can use to get rid of them.



    2. ENABLE VIEW OF HIDDEN FILES:

    - Go to "Folder Options" in "Control Panel"

    - Click the "View" Tab, and do the following:
    - check "Show hidden files & folders" &
    - uncheck "Hide protected operating files (Recommended)"



    3. FIND THE FILES:

    - If you are unsure where to start, use the notes you took from the Hijackthis scan to find the primary locations.

    - The most common infected spots are:
    - c:\windows\system32
    - c:\documents & settings\%userprofile%\local settings\temp

    - Once you have navigated to the infected folder, add the "Date Created" column within the explorer window. You can "right click" on the horizontal column to add and remove it from the view.

    - Sort by "Date Created", newest on top (descending).

    - Look for any strange *.dll's. Usually you will find something random such as:
    “dofjdiijdd.dll”.

    - If you find more bad files, write them down as well. (Usually with Vundo there is a "host" *.dll that re-creates at least 3 other slaves that might not show up in a Hijackthis scan.)

    - Highlight all of the bad *.dll's at once

    - Right click, and then choose "rename".

    - Rename them to something like "temp". This will run you through prompts asking to rename each one "temp01, temp02" etc. Hit "OK" on all prompts to rename all files.

    - After files have been renamed, do a HARD BOOT by holding down the power button!!!



    Things to note before continuing:

    **..YOU HAVE TO DO A HARD BOOT IN ORDER TO KILL THE VIRUS!!!

    **..IF YOU DO A REGULAR RESTART IT WILL COME BACK FROM MEMORY!

    **..YOU WILL HAVE MORE SUCCESS RENAMING INSTEAD OF DELETING DLL FILES IF THEY ARE IN USE. YOU CAN ALWAYS JUST DELETE THE RE-NAMED FILE LATER.

    **..WHEN A VIRUS IS IN MEMORY, YOU MUST ALWAYS KILL THE FILE FIRST, AND THEN THE REG ENTRIES, BECAUSE THEY WILL AUTOMATICALLY COME BACK IF THE FILE STILL EXISTS.



    3. CLEAN THE TRACES:

    - Go back to the locations where you found the malicious files.

    - Check to see if any new ones were created, or missed.

    - Delete the files that were re-named.

    - Use "regedit.exe" in the system32 folder to search out any and all registry entries for malicious files that were noted in step 2. (You should be able to lookup how to use the "find" feature in the registry somewhere online - there are many tutorials)


    **..BUT WHAT IF YOU STILL CAN'T RENAME THE BAD *.DLL BECAUSE IT IS IN USE?!!??!


    4. DO THE FOLLOWING TO KILL THE NECESSARY PROCESSES:

    FIGURE OUT THE PROCESS IDENTIFIERS FOR "WINLOGON.EXE" AND "SMSS.EXE":

    - Open "Task Manager"

    - Go to "View" Drop down menu

    - Choose "Select Columns"

    - Enable view of "PID (Process Identifier)"

    - Hit "OK" to escape that view

    - Look at the "Processes" tab, and check to see which PID "winlogon.exe" and "smss.exe" is using. Write them down

    - Open up "cmd.exe" from system32 folder with admin rights.

    - Within command prompt, navigate to the folder where the infection is occurring by using the following commands:
    << cd %windir%\system32 >> or
    << cd %userprofile%\local settings\temp >>

    - End the smss.exe and winlogon.exe processes with the following command:
    << ntsd -c q -p "PID" >>

    - To use myself as an example, the commands would look like this:
    << ntsd -c q -p "1420" >> (for "smss.exe")
    << ntsd -c q -p "1612" >> (for "winlogon.exe")


    **MAKE SURE TO RUN THOSE 2 COMMANDS IN ORDER, YOU MUST KILL "SMSS.EXE" FIRST BEFORE YOU CAN KILL "WINLOGON.EXE"


    - Delete the file within the command prompt:
    << del /f /q filename.dll >>

    - Immediately hardboot the machine!!

    - After the machine boots - finish cleanup process listed in step 3.

    - As an example… the complete list of Dos commands will look like this:
    << cd %userprofile%\local settings\temp >>
    << ntsd -c q -p "1420" >>
    << ntsd -c q -p "1612" >>
    << del /f /q filename.dll >>


    **..IF THE FILE STILL SAYS IT IS IN USE, THEN END THE "EXPLORER" EXE PROCESS AS WELL. AND RUN THE DOS COMMANDS AGAIN.

    **..IF YOU STILL CANNOT DELETE OR RENAME THE FILE, DOWNLOAD "PROCESS EXPLORER", AND DO A SEARCH WITH THE *.DLL NAME IN ORDER TO FIND THE PROCESSES IT HAS ATTACHED ITSELF TO.


    - Finally.. run another Hijackthis scan just to make sure nothing out of the ordinary is detected.


    If you have any questions hit me up!
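The steps above (find recently created DLLs in system32 and the user temp folder, work out which processes have a suspect DLL loaded, then hunt the registry for references to it) can be scripted as a read-only triage pass. The following PowerShell script is an added example for this thread, not AaronSimpson's code or any tool the thread links to. It assumes PowerShell 2.0 or later run from an elevated prompt; the 7-day window, the folder list and the registry keys it checks (Run, Winlogon\Notify and Browser Helper Objects resolved through their CLSIDs) are my choices. It renames and deletes nothing; the manual rename-then-hard-boot step from the post is still done by hand.

```powershell
# Added example (not from the thread): read-only triage for the manual DLL hunt
# described in the post. Lists DLLs created recently in the two folders the post
# names, shows which running processes have each one loaded (the Process Explorer
# "find DLL" check), and reports autostart registry entries that point at it.
# Assumptions: PowerShell 2.0+, elevated prompt; window, folders and keys are mine.

param(
    [int]$Days = 7,
    [string[]]$Folders = @(
        (Join-Path $env:windir 'system32'),   # c:\windows\system32
        $env:TEMP                              # ...\Local Settings\Temp on XP
    )
)

$cutoff = (Get-Date).AddDays(-$Days)

# Autostart locations where a BHO/Winlogon-notify DLL registers itself.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-RecentDll {
    # -Force includes hidden/system files, the same as "show hidden files" in Explorer.
    param([string]$Folder)
    if (-not (Test-Path $Folder)) { return }
    Get-ChildItem -Path $Folder -Filter *.dll -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Sort-Object CreationTime -Descending
}

function Get-LoadingProcess {
    # Which processes currently have this module mapped. Module enumeration throws
    # for some protected processes, so treat those as "not loaded here".
    param([string]$DllName)
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules | Where-Object { $_.ModuleName -eq $DllName } } catch { $false }
    } | Select-Object Id, ProcessName
}

function Get-BhoDll {
    # BHOs are registered by CLSID; the DLL path lives under that CLSID's InprocServer32.
    Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-Item "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { New-Object PSObject -Property @{ Clsid = $clsid; Path = [string]$srv.GetValue('') } }
    }
}

function Find-RegistryReference {
    # Report every value under the autostart keys (and their subkeys) naming the DLL.
    param([string]$DllName)
    $pattern = [regex]::Escape($DllName)
    foreach ($key in $runKeys) {
        $item = Get-Item $key -ErrorAction SilentlyContinue
        $subs = Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue
        foreach ($k in @($item) + @($subs)) {
            if (-not $k) { continue }
            foreach ($name in $k.GetValueNames()) {
                $val = [string]$k.GetValue($name)
                if ($val -match $pattern) { "$($k.Name)\$name = $val" }
            }
        }
    }
    Get-BhoDll | Where-Object { $_.Path -match $pattern } |
        ForEach-Object { "BHO $($_.Clsid) -> $($_.Path)" }
}

foreach ($folder in $Folders) {
    Write-Output "== $folder (DLLs created after $cutoff) =="
    foreach ($dll in Get-RecentDll $folder) {
        Write-Output ("{0}  {1}  {2} bytes" -f $dll.CreationTime, $dll.Name, $dll.Length)
        Get-LoadingProcess $dll.Name | ForEach-Object {
            Write-Output "    loaded by PID $($_.Id) ($($_.ProcessName))"
        }
        Find-RegistryReference $dll.Name | ForEach-Object { Write-Output "    registry: $_" }
    }
}
```

A DLL that is both newly created and loaded into winlogon.exe or explorer.exe is the case the post's rename-and-hard-boot step is for; the registry lines tell you which entries to remove afterwards, once the file itself is gone, which matches the post's ordering (file first, then registry).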
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Aaron

    Excellent excellent post!

    I think BigKahuna has dropped this thread.

    One point tho!

    After killing Winlogon there is no way to shutdown or reboot. The computer will need to be powered off!

    Mike
  21. AaronSimpson

    AaronSimpson Newcomer, in training

    Pretty much.. but that's not technically true!

    Try this dos command:
    shutdown /?

    It will show you all the shutdown options =)

    this is a sample of how to reboot in 60 seconds, with a comment to the popup
    shutdown -r -t 60 -c "Rebooting computer"

    to cancel, just type
    shutdown -a


    .... remember.. dos is your friend. It's all you ever need keep your machine maintained.
  22. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I agree
    Not only that, but depending on your default power management settings
    Press the power button momentarily on your computer
    Your computer will automatically shutdown normally
    Try it when you want to shutdown next, but don't hold the ON button in for more than 2 or 3 seconds because then it'll just turn off straight away. (and we don't want that, because it may cause corruptions, that Check Disk will need to be run, to fix it.)
  23. mflynn

    mflynn Newcomer, in training Posts: 2,793

    It is absolutely not just technically true!

    In order to kill Winlogon the Session manager has to be killed first!

    After Winlogon is killed.

    The only way you can shut the computer down is to power it off. Period!

    No Ctrl Alt Del!

    Winlogon is the only way to log on off shutdown reboot Windows.

    I know all the shutdown switches by heart for both Microsoft and Sysinternals Shutdown.

    Run Shutdown all you want any switch. All logon/off shutdown/reboot require the Winlogon service tree.

    Even the advanced Sysinternals shutdown will not work.

    Try it!

    Mike
  24. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I can't (well actually I haven't tried other tools, just Ctrl + Alt + Del (ie Task Manager)
    Anyway, after thinking about it, you're most likely correct
    But the Power ON button should still work, in shutting down the computer (as stated above) but I haven't confirmed this either.
  25. mflynn

    mflynn Newcomer, in training Posts: 2,793

    The less than 4 seconds power button only sends the same software shutdown commands that are available to Windows, it has no magic function.

    After Session Manager Smss.exe then Winlogon is terminated a power off is the only alternative.

    Mike