• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 874
  • Last Modified:

Can't Remove Vundo.H

Greetings,

I am having difficulty removing Vundo.h from a computer.  It is preventing me from updating the system to SP3 which seems to be the only current symptom. Combofix will not run as it says that the virus has caused changes to it.

Have run Malwarebytes and Trojan Remover (www.simplysup.com) on this machine many times.  Malwarebytes continues with the same infections.  I am attaching a copy of the Malwarebytes log. I can provide a HJT log on request.  I also have run F-Secure on the system and it didn't even find the infection at all.

Malwarebytes detects the virus every time and tries to delete it on reboot but it keeps coming back with the same name every time.  I have run both tools in safe mode several times as well.

The log I am attaching from Malwarebytes is from a normal boot.  

I am currently scanning the system with the tool located here: http://www.scanforfree.com/11/trojan-vundo-h-remover.html

Any help or advice would be greatly appreciated.

mbam-log-2009-05-14--11-35-41-.txt
0
techknowledgesolutions
Asked:
techknowledgesolutions
2 Solutions
 
kadafitcdCommented:
Have you tried renaming combofix.exe after downloading to something like thefix.exe?  This can trick the malware into not recognizing the program and letting it run properly.

You can also try to use superantispyware from http://www.superantispyware.com/

And yes get us that hijackthis log.

Good Luck HTH.
0
 
techknowledgesolutionsAuthor Commented:
Thank you for your prompt reply, I am attempting to run Combofix as another name now and I am obtaining a HJT log now. I will return shortly with the results
0
 
techknowledgesolutionsAuthor Commented:
HJT Log. Combo Fix is currently doing its thing and I will post back shortly.
hijackthis.log
0

 
kadafitcdCommented:
Ok sounds good let me know how things are after that combofix finishes up.  But as for your HJT log Remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
0
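The HijackThis entries quoted above share two patterns a responder looks for when triaging such a log: autostart hooks (O2 BHO, O18 protocol handler, O20 Winlogon Notify) whose target file is missing, and an R1 proxy setting that sends the browser through a port on localhost. The following script is an added example, not code from this thread or from the HijackThis project; it parses HJT-style lines, flags those patterns, and lists file names that appear in more than one entry (the same DLL registered both as a BHO and as a Winlogon Notify handler is loaded at logon as well as in the browser, so both entries need to be dealt with). The sample log is constructed from the lines posted in this thread plus one clearly labelled benign placeholder entry; the category names are the script's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: HJT-style lines modelled on this thread plus one
# constructed benign entry (placeholder GUID and file name) for contrast.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)
"""

# Every HJT line starts with a section code (R1, O2, O20, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# HJT marks targets it could not find on disk with one of these suffixes.
MISSING_MARKERS = ("(file missing)", "(no file)")
# ProxyServer pointing at the local machine, with or without a "http=" prefix.
LOCAL_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:localhost|127\.0\.0\.1):\d+", re.IGNORECASE
)
# Bare file names (dll/exe/sys) anywhere in an entry body.
FILE_RE = re.compile(r"([\w.-]+\.(?:dll|exe|sys))", re.IGNORECASE)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split HJT log text into {section, body, line} records; skip non-entry lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "line": line})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding_kind, line) pairs for entries matching the patterns above."""
    findings = []
    for e in entries:
        sec, body, line = e["section"], e["body"], e["line"]
        if sec == "O2" and "(no name)" in body and body.endswith(MISSING_MARKERS):
            # Unnamed BHO whose DLL is gone: typical leftover of a removed/regenerated hook.
            findings.append(("bho_no_name_missing_file", line))
        elif sec == "O20" and body.endswith(MISSING_MARKERS):
            # Winlogon Notify DLLs are loaded by winlogon at logon; a missing one is still
            # a registration that can be repopulated, so it must be removed too.
            findings.append(("winlogon_notify_missing_dll", line))
        elif sec == "O18" and body.endswith(MISSING_MARKERS):
            findings.append(("orphan_protocol_handler", line))
        elif sec == "R1" and LOCAL_PROXY_RE.search(body):
            # Browser traffic routed through a local port the user did not configure.
            findings.append(("local_proxy_redirect", line))
    return findings


def shared_filenames(entries: List[Dict[str, str]]) -> Set[str]:
    """File names referenced by more than one entry (a cue for review, not a verdict)."""
    counts: Dict[str, int] = {}
    for e in entries:
        for name in {n.lower() for n in FILE_RE.findall(e["body"])}:
            counts[name] = counts.get(name, 0) + 1
    return {n for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for kind, line in triage(parsed):
        print(f"[{kind}] {line}")
    print("referenced by more than one entry:", sorted(shared_filenames(parsed)))
```

The shared-name list is deliberately only a review cue: on the sample it returns both daxmqgd.dll (the BHO and Winlogon Notify pair worth treating together) and xpnetdiag.exe, which is referenced twice simply because the same tool has an O9 button and an O9 menu item, and whose file is present. Entries whose target exists on disk are not flagged by `triage`, which is why the constructed "Example Helper" BHO passes through untouched.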
 
techknowledgesolutionsAuthor Commented:
Hmm it killed the combofix log after it tried to save it!

Crazy
0
 
David-HowardCommented:
Are you performing any of these scans in Safe Mode? If not, I would try that.
You might also try logging on as a different user and trying the scans. Sometimes malware affects only the profile that it was loaded under.
0
 
kadafitcdCommented:
The combofix logs are saved to.. C:\QooBox

They should be there if it finished properly.  Run your superantispyware scan and let us know if it finds anything.
0
 
techknowledgesolutionsAuthor Commented:
Running ComboFix and HJT in safe mode now.  As far as removing those .dlls and such they keep recreating themselves on reboot.  That's what Malwarebytes was doing correct?
0
 
techknowledgesolutionsAuthor Commented:
New Combofix and HJT as run in safe mode
log.txt
hijackthis.log
0
 
kadafitcdCommented:
You need to open HJT run a scan only and delete the entries I mentioned above...

Ok sounds good let me know how things are after that combofix finishes up.  But as for your HJT log Remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
0
 
techknowledgesolutionsAuthor Commented:
I did attempt to remove those with the HJT. They came back again.
0
 
kadafitcdCommented:
One last thing you might try is download ccleaner from here:  http://www.ccleaner.com/download and install it. > Open it up > click run cleaner > click on registry to the left > click scan for issues > once it is done click fix selected issues > click yes to backup changes > save the file where you can find it > click fix all selected.  

Once this is done you can run combofix 1 more time then run your HJT try and remove the above stated lines.

If you've run ccleaner, combofix, malwarebytes, and superantispyware and these keep coming back then it is highly possible that you have a compromised windows system file.  In which case you can run a couple of things but you will need your Windows Installation disk.

(Warning make sure to backup any crucial data before performing any of these steps)

First thing to try:
Go to Start > click run > at the run box type in "sfc /scannow" (w/o quotes) > click ok it will run a system file check on your computer but you will have to put in your cd for it to complete properly

Second thing to try:
Try performing a repair install on Windows by following these directions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Third Thing to try:
If all else fails, backup your computer.  Make sure you go to the manufacturer's website and download the drivers and put them on a cd or jump drive.  Then format your computer and reinstall XP using the CD, following these steps:
http://www.microsoft.com/windowsxp/using/setup/winxp/install.mspx

Fourth thing to try (If you don't have an XP CD start here):
If your computer came with a built in recovery partition you can start a recovery process.  Some (HP/Compaq) have an option to perform a recovery without the loss of data.  You will have to reinstall any programs to perform this option.  Most just have a factory recovery which formats and reinstalls everything.  In this case you will lose all data so be sure to backup.

Sorry that I could not be of more help to remove the malware.  If it gets into system files then it can come down to this.

Good Luck again.
0
 
rpggamergirlCommented:
Run Combofix in normal mode.
Run combofix again using this script to delete the files and reg entries in the script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\jszzwhde
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
0
 
rpggamergirlCommented:
To uninstall Combofix:
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

Thanks!
0
