Re: Vicious Vundo Infection
- From: Cadillakin <cadillakin@xxxxxxxxxxxxx>
- Date: Mon, 22 Dec 2008 07:22:34 GMT
On Fri, 19 Dec 2008 18:45:23 -0800, Vik wrote:
> My laptop (XP professional) has been infected with the Vundo virus for a
> while now. I've tried various tools (1. VundoFix, 2. a tool provided by
> Symantec and 3. Spybot) but cannot get rid of it. Spybot appears to
> find and clean it, however the virus returns with the next boot-up.
> I've also removed all relevant registry entries and files as suggested
> by Symantec.
> The virus puts a new entry in the startup command every time I reboot,
> e.g. Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s. Unchecking the
> startup item (using msconfig) just causes it to be re-checked with the
> next boot-up with a different dll specified in the command.
> Any help with tips on removing this virus would be appreciated.
> Thanks.
Since none of the removers worked for you... you'll have to do it
manually. Get a boot disk. The Active Boot Disk has a 10-day trial,
or make the UBCD4Win. They both have really cool Windows-like GUIs.
You don't have to be a Dos Geek to use them and clear your virus.
For me, I used HijackThis to get knowledge of which files were being
used by the trojan. Focus on the windows\system32 dll file or files
that the trojan created. There is at least one in there that must be
deleted. Note also the time stamps on that one and pay attention to
the other files that were created then, as well.
For me, when I cleared the virus, I created and booted with the Active
Boot disk trial.. then deleted the "locked" dll file in the system32
folder that kept coming back. Then, I deleted all my temp files. I
deleted my Firefox profiles. I deleted all cookies and temporary
internet files for both Firefox and IExplorer. I also deleted my
restore points, as the trojan had disabled my system restore, but a
couple of the scanners said infected files were in that hidden folder.
No worries to delete that "restore_" folder in a dos-like, bootdisk
environment. I also deleted a few ini1 and ini2 files that were being
recreated in the system32 folder when I rebooted.. They were easily
spotted and disposed of. Their creation dates and nonsense names
aligned them as part of the trojan mess.
Then, after deleting those and rebooting back to regular windows, I
had hijackthis "fix" the entries of those files. Finally, because the
trojan had disabled so many of my services, I had to do a windows
repair. There are instructions on the net to help you with that. None
of your files or programs will be overwritten and all the settings
that have been tampered with or deleted will be restored..
That's how I took care of Virtumonde.
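A small triage helper along the lines of the timestamp pivot the reply describes (an added example, not code from the thread): it pulls the DLL path out of the rundll32 startup command quoted in the question, then lists the other files in that folder whose timestamp falls within a few minutes of the DLL's, so they can be reviewed by hand before anything is deleted. Run it against a copy of the system32 folder taken from the boot-disk environment; the window size and the fallback timestamp fields are assumptions.

```python
"""Timestamp-pivot triage for a Vundo-style clean-up. Nothing is modified."""
import os
import re
import sys
from datetime import datetime, timedelta
from pathlib import Path

# Matches the shape quoted in the question:
#   Rundll32.exe C:\WINDOWS\system32\pajuneyo.dll, s
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*(?:,|$)', re.IGNORECASE
)


def dll_from_rundll_command(command):
    """Return the DLL path named in a rundll32 startup command, or None."""
    m = RUNDLL_RE.search(command)
    return m.group(1).strip() if m else None


def creation_time(st):
    """Best-effort creation timestamp from an os.stat_result (assumption:
    fall back to mtime where the platform keeps no creation time)."""
    if hasattr(st, "st_birthtime"):          # macOS/BSD, Python 3.12+ on Windows
        return st.st_birthtime
    if sys.platform.startswith("win"):       # older Python on Windows
        return st.st_ctime
    return st.st_mtime                       # Linux stat() has no creation time


def files_near(folder, pivot_name, window_minutes=10, timestamp=creation_time):
    """Files in `folder` whose timestamp lies within `window_minutes` of the
    pivot file's, excluding the pivot itself. Returns a list of
    (name, datetime) sorted by time, for manual review."""
    folder = Path(folder)
    pivot_ts = timestamp(os.stat(folder / pivot_name))
    window = timedelta(minutes=window_minutes).total_seconds()
    hits = []
    for entry in folder.iterdir():
        if not entry.is_file() or entry.name == pivot_name:
            continue
        ts = timestamp(entry.stat())
        if abs(ts - pivot_ts) <= window:
            hits.append((entry.name, datetime.fromtimestamp(ts)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # usage: python triage.py <folder> "<rundll32 command from msconfig>"
    dll = dll_from_rundll_command(sys.argv[2])
    for name, when in files_near(sys.argv[1], Path(dll).name):
        print(when.isoformat(sep=" "), name)
```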