Solved

Can't Remove Vundo.H

Posted on 2009-05-14
Last Modified: 2013-11-16
Greetings,

I am having difficulty removing Vundo.h from a computer. It is preventing me from updating the system to SP3, which seems to be the only current symptom. Combofix will not run as it says that the virus has caused changes to it.

Have run Malwarebytes and Trojan Remover (www.simplysup.com) on this machine many times. Malwarebytes continues with the same infections. I am attaching a copy of the Malwarebytes log. I can provide a HJT log on request. I also have run F-Secure on the system and it didn't even find the infection at all.

Malwarebytes detects the virus every time and tries to delete it on reboot, but it keeps coming back with the same name every time. I have run both tools in safe mode several times as well.

The log I am attaching from Malwarebytes is from a normal boot.  

I am currently scanning the system with the tool located here: http://www.scanforfree.com/11/trojan-vundo-h-remover.html

Any help or advice would be greatly appreciated.

mbam-log-2009-05-14--11-35-41-.txt
14 Comments
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24386845
Have you tried renaming combofix.exe after downloading to something like thefix.exe? This can trick the malware into not recognizing the program and letting it run properly.

You can also try to use superantispyware from http://www.superantispyware.com/

And yes get us that hijackthis log.

Good Luck HTH.

Author Comment

by:techknowledgesolutions
ID: 24386890
Thank you for your prompt reply. I am attempting to run Combofix as another name now and I am obtaining a HJT log now. I will return shortly with the results.

Author Comment

by:techknowledgesolutions
ID: 24387525
HJT Log. Combo Fix is currently doing its thing and I will post back shortly.
hijackthis.log
LVL 12

Expert Comment

by:kadafitcd
ID: 24387577
OK, sounds good; let me know how things are after that combofix finishes up. But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
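The entries listed above are the classic Vundo pattern: unnamed BHOs and a Winlogon Notify DLL pointing at a file that is "missing" on disk, plus a browser proxy redirected to a port on the local machine. The following script is an added example, not from this thread or the HijackThis project: it runs a simple triage over a constructed HijackThis log built from those lines (with one constructed benign BHO as a control) and reports why each entry is suspect.

```python
import re

# Constructed sample HijackThis log modelled on the entries quoted in this thread.
# The "Example Toolbar" line is a constructed benign control with a placeholder CLSID.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)
"""

# Proxy value such as "http=localhost:7171" or "127.0.0.1:8080": browser traffic is
# routed through a process running on the infected machine itself.
LOCAL_PROXY = re.compile(r"=\s*(?:\w+=)?(?:localhost|127\.0\.0\.1):\d+", re.I)

def triage(log_text):
    """Return [(line, reasons)] for every HJT entry that should be removed or reviewed."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    proxy_hijacked = any("ProxyServer" in l and LOCAL_PROXY.search(l) for l in lines)
    findings = []
    for line in lines:
        section = line.split(" - ", 1)[0]      # R1, O2, O18, O20, ...
        reasons = []
        if section == "R1" and "ProxyServer" in line and LOCAL_PROXY.search(line):
            reasons.append("browser proxy points at a local port: a resident process can read and alter web traffic")
        elif section == "R1" and "ProxyOverride" in line and proxy_hijacked:
            reasons.append("bypass list configured alongside the hijacked ProxyServer")
        if section in ("O2", "O18", "O20"):
            if "(no name)" in line:
                reasons.append("unnamed BHO/protocol handler")
            if "(file missing)" in line or "(no file)" in line:
                reasons.append("registration with no file on disk: deleted but still registered, or hidden")
            if section == "O20":
                reasons.append("Winlogon Notify DLL runs at every logon: persistence point that can recreate dropped files")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Paste a real HJT log in place of SAMPLE_LOG to get the same report; anything it flags still needs a human decision before removal.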

Author Comment

by:techknowledgesolutions
ID: 24387604
Hmm it killed the combofix log after it tried to save it!

Crazy
LVL 27

Expert Comment

by:David-Howard
ID: 24387620
Are you performing any of these scans in Safe Mode? If not, I would try that.
You might also try logging on as a different user and trying the scans. Sometimes malware affects only the profile that it was loaded under.
LVL 12

Expert Comment

by:kadafitcd
ID: 24387872
The combofix logs are saved to C:\QooBox

They should be there if it finished properly. Run your superantispyware scan and let us know if it finds anything.

Author Comment

by:techknowledgesolutions
ID: 24388001
Running ComboFix and HJT in safe mode now. As far as removing those .dlls and such, they keep recreating themselves on reboot. That's what Malwarebytes was doing, correct?

Author Comment

by:techknowledgesolutions
ID: 24388497
New Combofix and HJT as run in safe mode.
log.txt
hijackthis.log
LVL 12

Expert Comment

by:kadafitcd
ID: 24389555
You need to open HJT, run a scan only, and delete the entries I mentioned above...

OK, sounds good; let me know how things are after that combofix finishes up. But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.

Author Comment

by:techknowledgesolutions
ID: 24390428
I did attempt to remove those with the HJT. They came back again.
LVL 12

Assisted Solution

by:kadafitcd
kadafitcd earned 150 total points
ID: 24395554
One last thing you might try is to download ccleaner from here: http://www.ccleaner.com/download and install it. > Open it up > click run cleaner > click on registry to the left > click scan for issues > once it is done click fix selected issues > click yes to backup changes > save the file where you can find it > click fix all selected.

Once this is done you can run combofix 1 more time, then run your HJT and try to remove the above stated lines.

If you've run ccleaner, combofix, malwarebytes, and superantispyware and these keep coming back, then it is highly possible that you have a compromised Windows system file. In which case you can run a couple of things, but you will need your Windows installation disk.

(Warning make sure to backup any crucial data before performing any of these steps)

First thing to try:
Go to Start > click run > at the run box type in "sfc /scannow" (w/o quotes) > click OK. It will run a system file check on your computer, but you will have to put in your CD for it to complete properly.

Second thing to try:
Try performing a repair install on Windows by following these directions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Third Thing to try:
If all else fails, back up your computer. Make sure you go to the manufacturer's website and download the drivers and put them on a CD or jump drive. Then format your computer and reinstall XP using the CD, following these steps:
http://www.microsoft.com/windowsxp/using/setup/winxp/install.mspx

Fourth thing to try (if you don't have an XP CD, start here):
If your computer came with a built-in recovery partition you can start a recovery process. Some (HP/Compaq) have an option to perform a recovery without the loss of data. You will have to reinstall any programs to perform this option. Most just have a factory recovery which formats and reinstalls everything. In this case you will lose all data, so be sure to back up.

Sorry that I could not be of more help to remove the malware. If it gets into system files then it can come down to this.

Good Luck again.
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 350 total points
ID: 24396691
Run Combofix in normal mode.
Run combofix again using this script to delete the files and reg entries in the script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\jszzwhde
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24432523
To uninstall Combofix:
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

Thanks!