Vundo removal

Status
Not open for further replies.

BigKahuna

Posts: 33   +0
I am running Windows XP Home Edition and I think I have the Vundo virus. If I re-install Windows, will that get rid of the virus? If not, can someone help? Also, when I try to run Ad-Aware I get the blue screen.
 
A full format and reinstall may do it, but that hardly seems necessary!

Do the below in order presented.

Copy all inside the box and paste to an open Command prompt. It will close the Command prompt when finished.

Code:
@echo off
rem stop the TDSSserv.sys service, then remove its service entry
sc stop TDSSserv.sys
sc delete TDSSserv.sys
rem close the Command prompt when done
exit

----------------------------------------------------------------------------------------------------------------------------------
D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more is found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
----------------------------------------------------------------------------------------------------------------------------------

D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install, just run it; delete all it finds, and decline to reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found, if anything, as it has no log.
If it finds several things reboot to Safe Mode and run again before continuing below.
----------------------------------------------------------------------------------------------------------------------------------

Get and run Malware Removal Tool by Joe Pestro http://majorgeeks.com/Malware_Removal_Tool_d4632.html
---------------------------------------------------------------------------------------------------------------------------------
Do this: https://www.techspot.com/vb/post684649-3.html

When Fixit.cmd finishes it will reboot to normal; then the below is the meat of what we need to run to really get fixed:

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner as you already have one).

Most importantly update MalwareBytes and SuperAntiSpyware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3, Ignore System Restore:

MalwareBytes extra config

After updating but before running,
click Settings and confirm all are checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Do this correctly and we will make a short job of this!

Mike
 
No!

In the 8 Steps, the virus scanners are for if you have no virus scanner at all.

Same for firewalls; just don't Add/Remove or install anything yet except MBAM, SAS and HJT.

Mike
 
I downloaded the programs and I put them on a flash drive and copied and pasted them onto the infected PC, but they will not run. What should I do?
 
Yea. I am using the infected PC now and I am going to try to D/L and install instead of copying and pasting.
 
If I reinstall Windows XP, is there no guarantee that it will work? Shouldn't it wipe the PC clean, therefore getting rid of the virus? The links aren't working and neither are the programs.
 
It sounds like the problem is with your internet connection. If a setting is wrong, reinstalling may not fix it. I would suggest you check the Event Viewer for Errors that correspond to failed connections. You do not need an internet connection for this:

Start> Run> cmd> type in eventvwr

Do this on each of the System and Application logs:
1. Click to open the log>
2. Look for the Error>
3. Right click on the Error> Properties>
4. Click on Copy button, top right, below the down arrow
5. Paste here (Ctrl V)
Please ignore Warnings. If you have multiples of the same Error with the same ID#, the same Source and the same Description, you only need to paste one copy.
Please do not paste the entire log.
Can you tell me please why you suspect a Vundo infection? Have you run some security program identifying this? Which one? What did it say?
 
I cannot go to any antivirus websites, my wireless won't work, I cannot update anything (AVG, Ad-Aware); when I run Ad-Aware I get the blue screen.
 
"Please do not paste the entire log."
Guess you missed that part!

First of all, most drivers don't load in Safe Mode, so ignore all those errors with the 'Safe Mode' description. Were you in Safe Mode at all the times the system Errors occurred?

Secondly, some Services depend on other Services which might not start in Safe Mode, so we can throw those out too.

Event Type: Error
Event Source: AVG7
which is bothersome because AVG is no longer being supported.

Event Source: Service Control Manager
Event ID: 7034
Desc. The AVG Free8 E-mail Scanner - so you have two versions installed.
This one is usually RAM related:
Event Source: System Error
Event ID: 1000
Error code 1000008e

You removed hardware improperly:
Event Source: PlugPlayManager
Event ID: 11
Description:
The device Root\legacy_8894d4d4e60de5d221e4b152bbc9c505\0000 disappeared from the system without first being prepared for removal.
How to use System Information (MSINFO32) command-line tool switches:
http://support.microsoft.com/kb/300887
AdAware is not installed correctly:
Event Source: Application Error
Event ID: 1000
Description:
Faulting application ad-aware.exe, version 7.1.0.11
Do you have or did you have MS Works?

The reference to Error code 1603 is a fatal error during installation of an update for MS Works. It is also possible that the problem lies with C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.
This issue can be corrected by deleting all files in this location: c:\windows\installer. Also run the office cleanup tool from MS.
Event Source: MsiInstaller
Event ID: 1024
Description:
Product: Microsoft Works - Update 'Update for Microsoft Works 8 (KB955428)' could not be installed. Error code 1603.

The reference to Error 1706 for MS Works
Event Source: MsiInstaller
Event ID: 11706
Description:
Product: Microsoft Works -- Error 1706.N
Error 1706 is often caused by failed software or driver installations or incorrect un-installs.

Regarding most of the rest- this isn't going to help us at all. The Safe Mode errors aren't valid for our purposes and you're running outdated programs. Current programs aren't properly installed due to either a missing or corrupt Windows Installer.

Can you tell me please why you suspect a Vundo infection? Have you run some security program identifying this? Which one? What did it say?
Specifically, why Vundo?

Going by the errors that are valid, it appears that you have many programs that are out of date and/or incorrectly installed due to a bad Windows Installer. I can't tell about the network card yet, but that and the router are also suspect at this point. The fix for the Windows Installer for Windows XP is found on the site below:
http://support.microsoft.com/kb/315353/en-us

This calls for a registry edit so you must be sure to backup the registry first.
 
The following may not apply, because this thread seems to be dealing with a rootkit, but I figured I would post here anyway to spread the knowledge.

Here is a Vundo fix that I developed. I work as a high level tech, and I have tested it many times in the field. It is one of the only ways to get rid of malicious *.dll’s that seem “undeletable”.

You have to follow these instructions exactly because the virus is loaded into memory and most likely attached to winlogon.exe (as well as other system processes)!!!!

Before you begin:

***.. anything referenced with << >> means that there is a dos command within the "brackets". You don't need any extra tools - all you need is dos!

***.. the instructions are adapted to Windows XP, but if you are just a lil bit savvy, you can easily adapt them to Vista as well – as long as you have the necessary admin.



1. I usually start off by doing a “Hijackthis” in order to diagnose, and take note of all the malicious files/services I am planning on removing. There are already plenty of tutorials on how to do this on the net. If you find some pesky “*.dll’s”, then the following technique is what you can use to get rid of them.



2. ENABLE VIEW OF HIDDEN FILES:

- Go to "Folder Options" in "Control Panel"

- Click the "View" Tab, and do the following:
- check "Show hidden files & folders" &
- uncheck "Hide protected operating files (Recommended)"



3. FIND THE FILES:

- If you are unsure where to start, use the notes you took from the Hijackthis scan to find the primary locations.

- The most common infected spots are:
- c:\windows\system32
- c:\documents & settings\%userprofile%\local settings\temp

- Once you have navigated to the infected folder, add the "Date Created" column within the explorer window. You can "right click" on the horizontal column to add and remove it from the view.

- Sort by "Date Created", newest on top (descending).

- Look for any strange *.dll's. Usually you will find something random such as:
“dofjdiijdd.dll”.

- If you find more bad files, write them down as well. (Usually with Vundo there is a "host" *.dll that re-creates at least 3 other slaves that might not show up in a Hijackthis scan.)

- Highlight all of the bad *.dll's at once

- Right click, and then choose "rename".

- Rename them to something like "temp". This will run you through prompts asking to rename each one "temp01, temp02" etc. Hit "OK" on all prompts to rename all files.

- After files have been renamed, do a HARD BOOT by holding down the power button!!!



Things to note before continuing:

**..YOU HAVE TO DO A HARD BOOT IN ORDER TO KILL THE VIRUS!!!

**..IF YOU DO A REGULAR RESTART IT WILL COME BACK FROM MEMORY!

**..YOU WILL HAVE MORE SUCCESS RENAMING INSTEAD OF DELETING DLL FILES IF THEY ARE IN USE. YOU CAN ALWAYS JUST DELETE THE RE-NAMED FILE LATER.

**..WHEN A VIRUS IS IN MEMORY, YOU MUST ALWAYS KILL THE FILE FIRST, AND THEN THE REG ENTRIES, BECAUSE THEY WILL AUTOMATICALLY COME BACK IF THE FILE STILL EXISTS.



3. CLEAN THE TRACES:

- Go back to the locations where you found the malicious files.

- Check to see if any new ones were created, or missed.

- Delete the files that were re-named.

- Use "regedit.exe" in the system32 folder to search out any and all registry entries for malicious files that were noted in step 2. (You should be able to lookup how to use the "find" feature in the registry somewhere online - there are many tutorials)


**..BUT WHAT IF YOU STILL CAN'T RENAME THE BAD *.DLL BECAUSE IT IS IN USE?!!??!


4. DO THE FOLLOWING TO KILL THE NECESSARY PROCESSES:

FIGURE OUT THE PROCESS IDENTIFIERS FOR "WINLOGON.EXE" AND "SMSS.EXE":

- Open "Task Manager"

- Go to "View" Drop down menu

- Choose "Select Columns"

- Enable view of "PID (Process Identifier)"

- Hit "OK" to escape that view

- Look at the "Processes" tab, and check to see which PID "winlogon.exe" and "smss.exe" is using. Write them down

- Open up "cmd.exe" from system32 folder with admin rights.

- Within command prompt, navigate to the folder where the infection is occurring by using the following commands:
<< cd %windir%\system32 >> or
<< cd %userprofile%\local settings\temp >>

- End the smss.exe and winlogon.exe processes with the following command:
<< ntsd -c q -p "PID" >>

- To use myself as an example, the commands would look like this:
<< ntsd -c q -p "1420" >> (for "smss.exe")
<< ntsd -c q -p "1612" >> (for "winlogon.exe")


**MAKE SURE TO RUN THOSE 2 COMMANDS IN ORDER, YOU MUST KILL "SMSS.EXE" FIRST BEFORE YOU CAN KILL "WINLOGON.EXE"


- Delete the file within the command prompt:
<< del -f /q filename.dll >>

- Immediately hardboot the machine!!

- After the machine boots - finish cleanup process listed in step 3.

- As an example… the complete list of Dos commands will look like this:
<< cd %userprofile%\local settings\temp >>
<< ntsd -c q -p "1420" >>
<< ntsd -c q -p "1612" >>
<< del -f /q filename.dll >>


**..IF THE FILE STILL SAYS IT IS IN USE, THEN END THE "EXPLORER" EXE PROCESS AS WELL. AND RUN THE DOS COMMANDS AGAIN.

**..IF YOU STILL CANNOT DELETE OR RENAME THE FILE, DOWNLOAD "PROCESS EXPLORER", AND DO A SEARCH WITH THE *.DLL NAME IN ORDER TO FIND THE PROCESSES IT HAS ATTACHED ITSELF TO.


- Finally.. run another Hijackthis scan just to make sure nothing out of the ordinary is detected.


If you have any questions hit me up!
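The "find the files" and "rename, don't delete" steps above, as an added triage helper that is not from the thread: it lists the *.dll files in a folder newest-created first (the Explorer "Date Created" sort), flags those not in a known-good baseline, and plans the tempNN.dll renames. The baseline set and the test data are constructed placeholders; build a real baseline from a known-clean XP install.

```python
"""Triage helper for the DLL clean-up walk-through above (added example).
Lists DLLs in a folder newest-created first, flags the ones absent from a
known-good baseline, and plans the rename-to-tempNN step."""
import os
import sys
import time
from pathlib import Path

SECONDS_PER_DAY = 86400

# Constructed placeholder baseline; in practice take it from a clean machine.
KNOWN_GOOD = {"kernel32.dll", "user32.dll", "ntdll.dll"}


def collect_dlls(folder):
    """Return [(name, created_epoch)] for every *.dll directly in folder.
    On Windows st_ctime is the creation time, i.e. Explorer's 'Date Created'."""
    return [(e.name, e.stat().st_ctime) for e in os.scandir(folder)
            if e.is_file() and e.name.lower().endswith(".dll")]


def triage(entries, baseline, now, max_age_days=7):
    """Keep DLLs created within the window whose names are not in the
    baseline, sorted newest first, like the post's Explorer view."""
    recent = [(n, t) for n, t in entries
              if now - t <= max_age_days * SECONDS_PER_DAY
              and n.lower() not in baseline]
    return sorted(recent, key=lambda e: e[1], reverse=True)


def plan_renames(names, prefix="temp"):
    """Map each flagged DLL to temp01.dll, temp02.dll, ...; renaming works
    on in-use files where deleting does not, and deletion can follow later."""
    return {name: f"{prefix}{i:02d}.dll" for i, name in enumerate(names, 1)}


def apply_renames(folder, plan):
    """Perform the planned renames and return the new paths; the actual
    delete is left for after the power-off, as the post insists."""
    done = []
    for old, new in plan.items():
        dst = Path(folder, new)
        Path(folder, old).rename(dst)
        done.append(dst)
    return done


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(r"%windir%\system32")
    hits = triage(collect_dlls(target), KNOWN_GOOD, time.time())
    for name, created in hits:
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(created)), name)
    print(plan_renames([n for n, _ in hits]))  # review this list before renaming
```

Run it with the folder to inspect as the only argument; it prints the candidates and the rename plan but does not rename anything until you call apply_renames on a plan you have reviewed.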
 
Hi Aron

Excellent excellent post!

I think BigKahuna has dropped this thread.

One point tho!

After killing Winlogon there is no way to shutdown or reboot. The computer will need to be powered off!

Mike
 
Pretty much.. but that's not technically true!

Try this dos command:
shutdown /?

It will show you all the shutdown options =)

This is a sample of how to reboot in 60 seconds, with a comment for the popup:
shutdown -r -t 60 -c "Rebooting computer"

To cancel, just type
shutdown -a


.... remember.. dos is your friend. It's all you ever need to keep your machine maintained.
 
I agree.
Not only that, but depending on your default power management settings:
Press the power button momentarily on your computer.
Your computer will automatically shut down normally.
Try it when you want to shut down next, but don't hold the ON button in for more than 2 or 3 seconds, because then it'll just turn off straight away (and we don't want that, because it may cause corruption that Check Disk will need to be run to fix).
 
It is absolutely not just technically true!

In order to kill Winlogon the Session manager has to be killed first!

After Winlogon is killed.

The only way you can shut the computer down is to power it off. Period!

No Ctrl Alt Del!

Winlogon is the only way to log on/off or shutdown/reboot Windows.

I know all the shutdown switches by heart for both Microsoft and Sysinternals Shutdown.

Run Shutdown all you want any switch. All logon/off shutdown/reboot require the Winlogon service tree.

Even the advanced Sysinternals shutdown will not work.

Try it!

Mike
 
This is a critical process. Task Manager cannot end this process.
I can't (well actually I haven't tried other tools, just Ctrl + Alt + Del (ie Task Manager)).
Anyway, after thinking about it, you're most likely correct.
But the Power ON button should still work in shutting down the computer (as stated above), but I haven't confirmed this either.
 
The less than 4 seconds power button only sends the same software shutdown commands that are available to Windows, it has no magic function.

After Session Manager (smss.exe) and then Winlogon are terminated, a power off is the only alternative.

Mike
 