Solved

Can't Remove Vundo.H

Posted on 2009-05-14
Medium Priority
876 Views
Last Modified: 2013-11-16
Greetings,

I am having difficulty removing Vundo.h from a computer.  It is preventing me from updating the system to SP3 which seems to be the only current symptom. Combofix will not run as it says that the virus has caused changes to it.

Have run Malwarebytes and Trojan Remover (www.simplysup.com) on this machine many times.  Malwarebytes continues with the same infections.  I am attaching a copy of the Malwarebytes log. I can provide a HJT log on request.  I also have run F-Secure on the system and it didn't even find the infection at all.

Malwarebytes detects the virus every time and tries to delete it on reboot but it keeps coming back with the same name every time.  I have run both tools in safe mode several times as well.

The log I am attaching from Malwarebytes is from a normal boot.  

I am currently scanning the system with the tool located here: http://www.scanforfree.com/11/trojan-vundo-h-remover.html

Any help or advice would be greatly appreciated.

mbam-log-2009-05-14--11-35-41-.txt
14 Comments
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24386845
Have you tried renaming combofix.exe after downloading to something like thefix.exe?  This can trick the malware into not recognizing the program and letting it run properly.

You can also try to use superantispyware from http://www.superantispyware.com/

And yes get us that hijackthis log.

Good Luck HTH.
0
 

Author Comment

by:techknowledgesolutions
ID: 24386890
Thank you for your prompt reply. I am attempting to run Combofix under another name now and I am obtaining a HJT log. I will return shortly with the results.
0
 

Author Comment

by:techknowledgesolutions
ID: 24387525
HJT Log. Combo Fix is currently doing its thing and I will post back shortly.
hijackthis.log
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24387577
OK, sounds good. Let me know how things are after that combofix finishes up. But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
0
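An added example (not from the thread or from HijackThis) of the triage the comment above describes, in Python: it reads the quoted log lines, flags the hooks whose file is missing and the proxy pointing at localhost, and shows the one DLL reached from two separate hooks. The sample log is constructed from the lines above; the flagging rules are the example's own heuristics, not HijackThis logic, and they deliberately do not cover every entry an analyst might choose to remove.

```python
import re

# Constructed sample: the HijackThis entries quoted in the comment above.
HJT_LOG = r"""
O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")   # "O2 - ...", "R1 - ..."
FILE_RE = re.compile(r"([\w-]+\.(?:dll|exe|sys))", re.IGNORECASE)
ORPHAN_MARKERS = ("(file missing)", "(no file)")
LOCAL_PROXIES = ("localhost", "127.0.0.1")

def triage_hjt(log_text):
    """Return (kind, reason, line) for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, low = m.group("kind"), m.group("body").lower()
        # A registry hook whose target file is gone: either a leftover from a
        # cleanup, or a loader that is re-dropped at boot (this thread's case).
        if any(marker in low for marker in ORPHAN_MARKERS):
            findings.append((kind, "hook points at a missing file", line))
        # A browser proxy pointing at the local machine routes all web traffic
        # through a listener the user never configured.
        elif "proxyserver" in low and any(h in low for h in LOCAL_PROXIES):
            findings.append((kind, "browser proxy set to a local listener", line))
    return findings

def shared_files(findings):
    """Files referenced from more than one flagged entry. One DLL hooked in
    several places (here a BHO and a Winlogon Notify key) is why deleting a
    single entry does not stick: the other hook reinstalls it."""
    refs = {}
    for kind, _reason, line in findings:
        for name in FILE_RE.findall(line):
            refs.setdefault(name.lower(), set()).add(kind)
    return {n: sorted(k) for n, k in refs.items() if len(k) > 1}
```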
 

Author Comment

by:techknowledgesolutions
ID: 24387604
Hmm it killed the combofix log after it tried to save it!

Crazy
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24387620
Are you performing any of these scans in Safe Mode? If not, I would try that.
You might also try logging on as a different user and trying the scans. Sometimes malware affects only the profile that it was loaded under.
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24387872
The combofix logs are saved to C:\QooBox

They should be there if it finished properly.  Run your superantispyware scan and let us know if it finds anything.
0
 

Author Comment

by:techknowledgesolutions
ID: 24388001
Running ComboFix and HJT in safe mode now. As far as removing those .dlls and such, they keep recreating themselves on reboot. That's what Malwarebytes was doing, correct?
0
 

Author Comment

by:techknowledgesolutions
ID: 24388497
New Combofix and HJT as run in safe mode
log.txt
hijackthis.log
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24389555
You need to open HJT run a scan only and delete the entries I mentioned above...

OK, sounds good. Let me know how things are after that combofix finishes up. But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
0
 

Author Comment

by:techknowledgesolutions
ID: 24390428
I did attempt to remove those with the HJT. They came back again.
0
 
LVL 12

Assisted Solution

by:kadafitcd
kadafitcd earned 450 total points
ID: 24395554
One last thing you might try is download ccleaner from here:  http://www.ccleaner.com/download and install it. > Open it up > click run cleaner > click on registry to the left > click scan for issues > once it is done click fix selected issues > click yes to backup changes > save the file where you can find it > click fix all selected.  

Once this is done you can run combofix 1 more time then run your HJT try and remove the above stated lines.

If you've run ccleaner, combofix, malwarebytes, and superantispyware and these keep coming back then it is highly possible that you have a compromised windows system file. In which case you can run a couple of things but you will need your Windows Installation disk.

(Warning make sure to backup any crucial data before performing any of these steps)

First thing to try:
Go to Start > click run > at the run box type in "sfc /scannow" (w/o quotes) > click ok it will run a system file check on your computer but you will have to put in your cd for it to complete properly

Second thing to try:
Try performing a repair install on Windows by following these directions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Third Thing to try:
If all else fails, back up your computer. Make sure you go to the manufacturer's website and download the drivers and put them on a cd or jump drive. Then format your computer and reinstall XP using the CD, following these steps:
http://www.microsoft.com/windowsxp/using/setup/winxp/install.mspx

Fourth thing to try (if you don't have an XP CD start here):
If your computer came with a built-in recovery partition you can start a recovery process. Some (HP/Compaq) have an option to perform a recovery without the loss of data. You will have to reinstall any programs to perform this option. Most just have a factory recovery which formats and reinstalls everything. In this case you will lose all data, so be sure to back up.

Sorry that I could not be of more help to remove the malware.  If it gets into system files then it can come down to this.

Good Luck again.
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1050 total points
ID: 24396691
Run Combofix in normal mode.
Run combofix again using this script to delete the files and reg entries in the script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\jszzwhde
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
0
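An added example, not ComboFix's own code and not part of the accepted solution: a small Python parser for a CFScript of the shape shown above, with a sanity check to run before handing the file to ComboFix. The "Name::" section syntax and the entries are taken from the script above; the check that every Driver:: name has a matching .sys under Rootkit:: or File:: is the example's own consistency rule, not documented ComboFix behaviour.

```python
import re

# Constructed sample: the script posted in the accepted solution.
CFSCRIPT = r"""
File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")   # e.g. "File::", "Registry::"

def parse_cfscript(text):
    """Return {section: [entries]}; entries are the non-blank lines under each header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def check_cfscript(sections):
    """Flag inconsistencies an operator should catch before running the script."""
    problems = []
    # Every Driver:: name should correspond to a .sys listed under Rootkit:: or File::.
    sys_stems = {p.rsplit("\\", 1)[-1].lower()[:-4]
                 for key in ("Rootkit", "File") for p in sections.get(key, [])
                 if p.lower().endswith(".sys")}
    for name in sections.get("Driver", []):
        if name.lower() not in sys_stems:
            problems.append(f"Driver:: {name} has no matching .sys entry")
    # Registry:: lines are bracketed keys; the leading '-' marks a key deletion.
    for entry in sections.get("Registry", []):
        if not (entry.startswith("[") and entry.endswith("]")):
            problems.append(f"Registry:: entry is not a bracketed key: {entry}")
    return problems
```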
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24432523
To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

Thanks!
0
