Fighting a persistent Vundo infection

DSF

Diamond Member
Oct 6, 2007
4,902
0
71
About two weeks ago my main PC became infected with Vundo/Virtumondo. I manually wiped out as many of the files and registry items as I could find, which at least opened up the use of Malwarebytes, SUPERAntiSpyware and Spybot for me. However, none of those has been completely able to kill the virus. Because some of the DLLs are in use, all of those programs, as well as HijackThis, are unable to remove them.

The DLLs that are scheduled for deletion on reboot stick around nonetheless, and there's a registry value that I can't delete which seems to be part of the source of the problem. There are also a couple of DLLs which are residing in C:\windows\system32 according to HT and ListDLLs, but they don't show up there in Windows Explorer or the command prompt.

I downloaded Symantec's Vundo removal tool, but after running the scan for a half hour it declared that there was no Vundo infection, which is BS. SAS and MB report the virus as Vundo, and it's clear from the symptoms and the names of the rogue DLLs that it's a version of Vundo.

OS is Windows XP 32 SP3. I'm at work right now, but I can post a HijackThis log when I get home. I know what items need to be removed, it's just that HT can't get the job done.

My system is sufficiently usable that I could relatively easily backup my data and do a clean wipe, but I'm stubborn, and I'd rather beat this thing if possible. (Although really, it's been almost a year since I built the machine, so a clean install would probably be a good thing, and would let me set the machine up according to mechBgon's guide.)

My laptop, on a separate network, recently became infected as well and has had the same problems with removing the trojan. The laptop was provided to me by the city school system, so a total wipe isn't possible. I may just end up turning the machine over to them to be fixed, I'll have to check with IT.
 
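A check for the "scheduled for deletion on reboot" problem described in the post above, added here as an example and not code from the original thread or from any of the tools it names: delete-on-reboot tools register their work in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as source/destination string pairs, and smss.exe carries the list out early in boot and then removes the value. Decoding that value before rebooting tells you whether the deletion was ever registered. The sample value (reusing the DLL names from the HijackThis log later in the thread, plus a made-up .sys pair) and the read_live_value helper are constructed for this example.

```python
"""Decode Windows' PendingFileRenameOperations value (example code for this thread).

Delete-on-reboot tools call MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which
appends two strings to the REG_MULTI_SZ value
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
The first string is the source in NT form ("\\??\\C:\\..."), the second the destination:
"" means delete, a leading "!" means replace an existing destination. smss.exe performs
the operations early in boot and then deletes the value.
"""

NT_PREFIX = "\\??\\"

# Constructed sample, shaped the way winreg returns a REG_MULTI_SZ (a list of str).
# The DLL names are the ones from the HijackThis log in this thread; the .sys pair
# is made up to show a replace entry.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\system32\\katovibu.dll", "",
    "\\??\\C:\\WINDOWS\\system32\\pipiwuhi.dll", "",
    "\\??\\C:\\WINDOWS\\Temp\\newdrv.sys", "!\\??\\C:\\WINDOWS\\system32\\drivers\\olddrv.sys",
    "",  # trailing terminator that some readers include
]


def strip_nt_prefix(path):
    """Turn "\\??\\C:\\x" into "C:\\x"; leave Win32 paths untouched."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_renames(values):
    """Return [(op, source, destination)] with op in {"delete", "rename", "replace"}.

    Interior empty strings are significant (they mark deletes); only a single trailing
    empty terminator is dropped, and an otherwise odd-length list is rejected rather
    than silently mis-paired.
    """
    items = list(values)
    if len(items) % 2 == 1:
        if items[-1] != "":
            raise ValueError("value does not consist of source/destination pairs")
        items.pop()
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        src_path = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src_path, None))
        elif dst.startswith("!"):
            ops.append(("replace", src_path, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src_path, strip_nt_prefix(dst)))
    return ops


def scheduled_for_delete(values, path):
    """True if `path` has a pending delete; NTFS names are case-insensitive, so compare that way."""
    target = path.lower()
    return any(op == "delete" and src.lower() == target
               for op, src, _ in decode_pending_renames(values))


def read_live_value():
    """Read the live value on Windows (helper assumed for this example; [] if the value is absent)."""
    import winreg  # Windows-only module, so imported here rather than at top level
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    for op, src, dst in decode_pending_renames(SAMPLE_VALUE):
        print(f"{op:8} {src}" + (f" -> {dst}" if dst else ""))
```

Run it before rebooting (on Windows, feed read_live_value() to decode_pending_renames) to confirm the tool actually queued the delete. If the value is absent after the reboot but the DLL is back on disk, either something re-created the file or the entry was removed before smss.exe ran; in both cases the loader is still active and the cleanup tool's scheduling is not the problem.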

DSF

Diamond Member
Oct 6, 2007
4,902
0
71
Well, those tools didn't work. I'm going to try the Rescue CD mechBgon linked in another thread.

Edit: The Rescue CD mechBgon posted didn't work either.

Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:19:38 PM, on 11/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.co...mize/ptec/defaults/su/*http://www.yahoo.com
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\bob.exe /auto
O4 - HKLM\..\Run: [lifayeboma] Rundll32.exe "C:\WINDOWS\system32\katovibu.dll",s
O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\WINDOWS\system32\pipiwuhi.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Sam25

Golden Member
Mar 29, 2008
1,720
29
91
I googled and found this:

http://www.vundoremoval.com/vundotrojanremoval.html

Chances are you have already gone through all those steps listed on the above site. I think it's better you take the necessary backups and go for a fresh install of Windows. I happened to read that Mozilla FF 3 is unaffected by the trojan's .dll file.
 

DSF

Diamond Member
Oct 6, 2007
4,902
0
71
Originally posted by: Sam25
I googled and found this:

http://www.vundoremoval.com/vundotrojanremoval.html

Chances are you have already gone through all those steps listed on the above site. I think it's better you take the necessary backups and go for a fresh install of Windows. I happened to read that Mozilla FF 3 is unaffected by the trojan's .dll file.

Yeah, I'm backing my stuff up now, and tonight I'll probably reinstall. Thanks for your help.

I have a Vista64 disc from the Windows Feedback Program and my system has 4GB of RAM. Should I just go with Vista when I reinstall?

Edit: Also, if I go with Vista will my Office2003 copy still work fine? I assume so, just making sure.
 

Sam25

Golden Member
Mar 29, 2008
1,720
29
91
No problem! Yes, Office 2003 should run just fine with Vista-64 bit.
 

EULA

Senior member
Aug 13, 2004
940
0
0
I had a problem with Vundo/Virtumondo. I used several different removal utilities and other spyware programs, but the one that finally got rid of it for me was SUPERAntiSpyware.
 

DSF

Diamond Member
Oct 6, 2007
4,902
0
71
Yeah, SAS didn't do it for me. Oh well. It was time for a clean wipe anyway.
 

law9933

Senior member
Sep 11, 2006
394
0
0
DSF
There is a new version of HJT being used, 2.02.
An online analyzer found nothing, but that is not a very good check. A trained HJT adviser uses many tools to clean up a PC.
Hope all is well after the reinstall.
 

redbeard1

Diamond Member
Dec 12, 2001
3,006
0
0
O4 - HKLM\..\Run: [lifayeboma] Rundll32.exe "C:\WINDOWS\system32\katovibu.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\pipiwuhi.dll
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

These are all suspect files to my mind.

If it was me, I would boot into safe mode and delete them all. I would also search the entire registry for each of those file names and delete any entries found containing them.

The one in the appinit spot may not stay gone until all of the files are deleted first.

The other thing I wonder about is what antivirus you are running, as I do not see any AV installed, just firewalls and anti-spyware cleaners. Antivir AV does a good job of removing trojan viruses, and it is free.

Two other cleaners to get would be a-squared and Malwarebytes.
 

SneakyStuff

Diamond Member
Jan 13, 2004
4,294
0
76
I have the same problems. Definitely a Vundo infection on my system, but some very strange things are happening.

-No restore points, all previous restore points are gone
-System keeps asking me to register my copy of Windows XP due to "changes made"
-I cannot turn on automatic updates

Trying a2 right now, system is for the most part usable but restarting makes for a fun startup...

 

redbeard1

Diamond Member
Dec 12, 2001
3,006
0
0
-No restore points, all previous restore points are gone
-System keeps asking me to register my copy of Windows XP due to "changes made"
-I cannot turn on automatic updates

Some versions of this empty the restore point folders.

Dial-a-fix can fix the Windows Update issue, but getting the virus off of your system is more pressing.

Combofix

I have a fellow tech who just told me this tool removes AntivirusXP, some variants of which contain Vundo.

Roguefix

This is another tool claiming to clean these types of infections.

Vundofix

Have you tried this as well?
 

SneakyStuff

Diamond Member
Jan 13, 2004
4,294
0
76
Originally posted by: redbeard1
-No restore points, all previous restore points are gone
-System keeps asking me to register my copy of Windows XP due to "changes made"
-I cannot turn on automatic updates

Some versions of this empty the restore point folders.

Dial-a-fix can fix the Windows Update issue, but getting the virus off of your system is more pressing.

Combofix

I have a fellow tech who just told me this tool removes AntivirusXP, some variants of which contain Vundo.

Roguefix

This is another tool claiming to clean these types of infections.

Vundofix

Have you tried this as well?

You deserve a medal for actually going out of your way to link all of this info, my google searches turned up garbage. I will get to work with what you linked and post back in a little bit.

EDIT: auto updates working again, combofix worked well. Installed all XP security updates, ran Vundofix. My startup is normal again. I'll keep you posted, fingers crossed on this one because reinstalling windows isn't an option for me at the moment!

EDIT 2: No more trojans found when I run spybot, just browser entries.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
OP,

In addition to any security practice changes you make after this incident, consider setting up some sort of ongoing image backups of your PC. There are some great products nowadays, such as Acronis True Image, ShadowProtect Desktop, and Windows Home Server. These programs are all $100 or less and will all let you quickly restore your entire PC to its condition before you got infected by malware. It's a great timesaver, keeps you from losing important data when your hard drive fails, and it's reassuring to know that you can fully set your PC back to a time when it wasn't infected.
 