Solved

Can't Remove Vundo.H

Posted on 2009-05-14
Last Modified: 2013-11-16
Greetings,

I am having difficulty removing Vundo.h from a computer.  It is preventing me from updating the system to SP3 which seems to be the only current symptom. Combofix will not run as it says that the virus has caused changes to it.

Have run Malwarebytes and Trojan Remover (www.simplysup.com) on this machine many times.  Malwarebytes continues with the same infections.  I am attaching a copy of the Malwarebytes log. I can provide a HJT log on request.  I also have run F-Secure on the system and it didn't even find the infection at all.

Malwarebytes detects the virus every time and tries to delete it on reboot but it keeps coming back with the same name every time.  I have run both tools in safe mode several times as well.

The log I am attaching from Malwarebytes is from a normal boot.  

I am currently scanning the system with the tool located here: http://www.scanforfree.com/11/trojan-vundo-h-remover.html

Any help or advice would be greatly appreciated.

mbam-log-2009-05-14--11-35-41-.txt
14 Comments
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24386845
Have you tried renaming combofix.exe after downloading to something like thefix.exe?  This can trick the malware into not recognizing the program and letting it run properly.

You can also try to use superantispyware from http://www.superantispyware.com/

And yes get us that hijackthis log.

Good Luck HTH.
0
 

Author Comment

by:techknowledgesolutions
ID: 24386890
Thank you for your prompt reply, I am attempting to run Combofix as another name now and I am obtaining a HJT log now. I will return shortly with the results
0
 

Author Comment

by:techknowledgesolutions
ID: 24387525
HJT log. ComboFix is currently doing its thing and I will post back shortly.
hijackthis.log
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24387577
Ok, sounds good. Let me know how things are after that combofix finishes up.  But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
0
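The HJT entries quoted above share two tell-tale patterns: registered components (BHOs, a protocol handler, a Winlogon Notify package) whose backing file is gone, and an Internet Explorer proxy pointing at localhost. As an added example that is not part of this thread and not code from HijackThis or ComboFix, the Python script below parses log lines in that format, flags those two patterns, and prints the registry location a responder would inspect for each finding. The sample log is constructed from the entries posted in this thread plus one hypothetical benign O2 line (made-up name and CLSID) so a non-flagged case is visible; the registry paths are the standard Windows locations behind each HJT section. It only reads text and never touches the registry.

```python
"""Triage a HijackThis-style log: flag entries whose file is missing and
proxy settings that route the browser through the local host."""

import re

# Constructed sample log: the entries quoted in this thread plus one
# hypothetical benign O2 line (name and CLSID are made up).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
MISSING_MARKERS = ("(file missing)", "(no file)")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Standard registry keys behind the HJT sections handled here.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
PROTOCOL_KEY = r"HKLM\SOFTWARE\Classes\PROTOCOLS\Handler"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"


def parse_log(text):
    """Return (section, body) pairs for every HJT entry line; skips other lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def proxy_host(body):
    """Host part of an R1 ProxyServer value (e.g. 'localhost'), or None."""
    if "ProxyServer" not in body:
        return None
    value = body.split("=", 1)[1].strip()        # "http=localhost:7171"
    first = value.split(";")[0]                  # several protocols may be listed
    hostport = first.split("=", 1)[-1]           # "localhost:7171"
    return hostport.rsplit(":", 1)[0].strip("[]")


def triage(text):
    """Return findings as (section, reason, registry_hint, original_body)."""
    findings = []
    for section, body in parse_log(text):
        if section == "R1":
            host = proxy_host(body)
            if host and host.lower() in LOCAL_HOSTS:
                findings.append((section, "browser proxied through the local host", PROXY_KEY, body))
        elif any(marker in body for marker in MISSING_MARKERS):
            clsid = CLSID_RE.search(body)
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()   # e.g. "sacore", "piesnsjj"
            if section == "O2" and clsid:
                hint = BHO_KEY + "\\" + clsid.group(0)
            elif section == "O18":
                hint = PROTOCOL_KEY + "\\" + name
            elif section == "O20":
                hint = NOTIFY_KEY + "\\" + name
            else:
                hint = "(see HJT entry)"
            findings.append((section, "registered component whose file is missing", hint, body))
    return findings


if __name__ == "__main__":
    for section, reason, hint, body in triage(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    entry: {body}\n    check: {hint}")
```

A persistence entry that survives deletion, as the author reports, is a hint that something else (here the hidden driver and service named in the accepted solution) re-creates it at boot; the registry hints this script prints are where that re-creation shows up.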
 

Author Comment

by:techknowledgesolutions
ID: 24387604
Hmm it killed the combofix log after it tried to save it!

Crazy
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24387620
Are you performing any of these scans in Safe Mode? If not, I would try that.
You might also try logging on as a different user and trying the scans. Sometimes malware affects only the profile that it was loaded under.
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24387872
The combofix logs are saved to C:\QooBox

They should be there if it finished properly.  Run your superantispyware scan and let us know if it finds anything.
0
 

Author Comment

by:techknowledgesolutions
ID: 24388001
Running ComboFix and HJT in safe mode now.  As far as removing those .dlls and such they keep recreating themselves on reboot.  That's what Malwarebytes was doing correct?
0
 

Author Comment

by:techknowledgesolutions
ID: 24388497
New Combofix and HJT as run in safe mode
log.txt
hijackthis.log
0
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24389555
You need to open HJT run a scan only and delete the entries I mentioned above...

Ok, sounds good. Let me know how things are after that combofix finishes up.  But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
0
 

Author Comment

by:techknowledgesolutions
ID: 24390428
I did attempt to remove those with the HJT. They came back again.
0
 
LVL 12

Assisted Solution

by:kadafitcd
kadafitcd earned 150 total points
ID: 24395554
One last thing you might try is download ccleaner from here:  http://www.ccleaner.com/download and install it. > Open it up > click run cleaner > click on registry to the left > click scan for issues > once it is done click fix selected issues > click yes to backup changes > save the file where you can find it > click fix all selected.  

Once this is done you can run combofix 1 more time then run your HJT try and remove the above stated lines.

If you've run ccleaner, combofix, malwarebytes, and superantispyware and these keep coming back then it is highly possible that you have a compromised windows system file.  In which case you can run a couple of things but you will need your Windows Installation disk.

(Warning make sure to backup any crucial data before performing any of these steps)

First thing to try:
Go to Start > click run > at the run box type in "sfc /scannow" (w/o quotes) > click ok it will run a system file check on your computer but you will have to put in your cd for it to complete properly

Second thing to try:
Try performing a repair install on Windows by following these directions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Third Thing to try:
If all else fails, backup your computer.  Make sure you go to the manufacturer's website and download the drivers and put them on a cd or jump drive.  Then format your computer and reinstall XP using the CD; follow these steps:
http://www.microsoft.com/windowsxp/using/setup/winxp/install.mspx

Fourth thing to try (If you don't have an XP CD start here):
If your computer came with a built in recovery partition you can start a recovery process.  Some (HP/Compaq) have an option to perform a recovery without the loss of data.  You will have to reinstall any programs to perform this option.  Most just have a factory recovery which formats and reinstalls everything.  In this case you will lose all data so be sure to backup.

Sorry that I could not be of more help to remove the malware.  If it gets into system files then it can come down to this.

Good Luck again.
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 350 total points
ID: 24396691
Run Combofix in normal mode.
Run combofix again using this script to delete the files and reg entries in the script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\jszzwhde
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24432523
To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset system Restore.

Thanks!
0
