Solved

Can't Remove Vundo.H

Posted on 2009-05-14
14
839 Views
Last Modified: 2013-11-16
Greetings,

I am having difficulty removing Vundo.h from a computer.  It is preventing me from updating the system to SP3 which seems to be the only current symptom. Combofix will not run as it says that the virus has caused changes to it.

Have run Malwarebytes and Trojan Remover (www.simplysup.com) on this machine many times.  Malwarebytes continues with the same infections.  I am attaching a copy of the Malwarebytes log. I can provide a HJT log on request.  I also have run F-Secure on the system and it didn't even find the infection at all.

Malwarebytes detects the virus every time and tries to delete it on reboot but it keeps coming back with the same name every time.  I have run both tools in safe mode several times as well.

The log I am attaching from Malwarebytes is from a normal boot.  

I am currently scanning the system with the tool located here: http://www.scanforfree.com/11/trojan-vundo-h-remover.html

Any help or advice would be greatly appreciated.

mbam-log-2009-05-14--11-35-41-.txt
14 Comments
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24386845
Have you tried renaming combofix.exe after downloading to something like thefix.exe?  This can trick the malware into not recognizing the program and letting it run properly.

You can also try to use superantispyware from http://www.superantispyware.com/

And yes get us that hijackthis log.

Good Luck HTH.
 

Author Comment

by:techknowledgesolutions
ID: 24386890
Thank you for your prompt reply, I am attempting to run Combofix as another name now and I am obtaining a HJT log now. I will return shortly with the results
 

Author Comment

by:techknowledgesolutions
ID: 24387525
HJT Log. Combo Fix is currently doing its thing and I will post back shortly.
hijackthis.log
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24387577
Ok, sounds good. Let me know how things are after that combofix finishes up. But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
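The HijackThis entries above are what gets triaged by hand in a thread like this: entries whose file is already gone ("file missing" / "no file"), a browser proxy pointed at localhost, and module names that look machine-generated. As an added example (not from the thread, and not part of HijackThis), the following Python script applies those three heuristics to a constructed log sample. Its suspicious lines are the entries quoted in the comment above; the O23 line is a benign Windows XP service added for contrast. The name heuristic (few vowels, long consonant run) is deliberately crude and needs a small allowlist for terse legitimate binaries such as svchost, so treat it as a hint to be confirmed by the other two checks.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread, not part of HijackThis itself. The sample log is
constructed: the suspicious lines are the entries quoted in the comment above;
the O23 line is a benign Windows XP service entry added for contrast.
"""
import re

SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

VOWELS = set("aeiou")
# Core XP binaries whose short names would otherwise trip the name heuristic (extend as needed).
KNOWN_SYSTEM_NAMES = {"svchost", "lsass", "winlogon", "ctfmon"}

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
FILE_RE = re.compile(r"([\w.-]+)\.(?:dll|exe|sys)\b", re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - ")
PROTO_RE = re.compile(r"^Protocol: (\S+) - ")
PROXY_RE = re.compile(r"ProxyServer = (\S+)")


def looks_random(name: str) -> bool:
    """Crude check for generated names such as 'daxmqgd' or 'piesnsjj':
    letters only, 6-10 chars, at most 25% vowels and a consonant run of 4+.
    A hint, not proof; pair it with the file-missing and proxy checks."""
    name = name.lower()
    if name in KNOWN_SYSTEM_NAMES or not name.isalpha() or not 6 <= len(name) <= 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", name)), default=0)
    return vowel_ratio <= 0.25 and longest_run >= 4


def triage_line(line: str):
    """Return {'code', 'body', 'findings', 'names'} for one HJT line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    findings = []
    if "(file missing)" in body or "(no file)" in body:
        findings.append("orphaned: referenced file is absent (removing the entry is safe; if it returns, something re-creates it)")
    pm = PROXY_RE.search(body)
    if pm and re.search(r"localhost|127\.0\.0\.1", pm.group(1), re.IGNORECASE):
        findings.append(f"browser proxy points at the local machine ({pm.group(1)}): traffic interception")
    names = [fm.group(1) for fm in FILE_RE.finditer(body)]
    for rx in (NOTIFY_RE, PROTO_RE):
        nm = rx.match(body)
        if nm:
            names.append(nm.group(1))
    random_names = sorted({n.lower() for n in names if looks_random(n)})
    if random_names:
        findings.append("random-looking name(s): " + ", ".join(random_names))
    if code == "O20":
        findings.append("Winlogon Notify DLL: loaded by winlogon.exe at every logon, a common Vundo persistence point")
    return {"code": code, "body": body, "findings": findings, "names": random_names}


def triage_log(log_text: str):
    """Only the lines that produced at least one finding, in log order."""
    results = []
    for line in log_text.splitlines():
        r = triage_line(line)
        if r and r["findings"]:
            results.append(r)
    return results


def suspicious_names(log_text: str):
    """Names worth carrying into a removal script (e.g. ComboFix File::/Registry:: entries)."""
    return {n for r in triage_log(log_text) for n in r["names"]}


if __name__ == "__main__":
    for r in triage_log(SAMPLE_HJT_LOG):
        print(r["code"], "-", r["body"][:72])
        for f in r["findings"]:
            print("   *", f)
    print("names:", sorted(suspicious_names(SAMPLE_HJT_LOG)))
```

Run against the sample, the two xpnetdiag O9 lines and the svchost O23 line produce nothing, while the localhost proxy, both orphaned BHOs, the dead sacore protocol handler and the Winlogon Notify entry are reported; the names daxmqgd and piesnsjj fall out as the ones to hunt for on disk and in the registry after each reboot.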
 

Author Comment

by:techknowledgesolutions
ID: 24387604
Hmm it killed the combofix log after it tried to save it!

Crazy
 
LVL 27

Expert Comment

by:David-Howard
ID: 24387620
Are you performing any of these scans in Safe Mode? If not, I would try that.
You might also try logging on as a different user and trying the scans. Sometimes malware affects only the profile that it was loaded under.
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24387872
The combofix logs are saved to C:\QooBox

They should be there if it finished properly.  Run your superantispyware scan and let us know if it finds anything.
 

Author Comment

by:techknowledgesolutions
ID: 24388001
Running ComboFix and HJT in safe mode now.  As far as removing those .dlls and such they keep recreating themselves on reboot.  That's what Malwarebytes was doing correct?
 

Author Comment

by:techknowledgesolutions
ID: 24388497
New Combofix and HJT as run in safe mode
log.txt
hijackthis.log
 
LVL 12

Expert Comment

by:kadafitcd
ID: 24389555
You need to open HJT run a scan only and delete the entries I mentioned above...

Ok, sounds good. Let me know how things are after that combofix finishes up. But as for your HJT log, remove the following:

O2 - BHO: (no name) - {116770D0-04AC-4938-AD90-39302F4A1353} - c:\windows\system32\daxmqgd.dll (file missing)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O20 - Winlogon Notify: piesnsjj - daxmqgd.dll (file missing)



Now if you've not set up any proxies then you need to remove these 2 as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

Good Luck HTH.
 

Author Comment

by:techknowledgesolutions
ID: 24390428
I did attempt to remove those with the HJT. They came back again.
 
LVL 12

Assisted Solution

by:kadafitcd
kadafitcd earned 150 total points
ID: 24395554
One last thing you might try is download ccleaner from here:  http://www.ccleaner.com/download and install it. > Open it up > click run cleaner > click on registry to the left > click scan for issues > once it is done click fix selected issues > click yes to backup changes > save the file where you can find it > click fix all selected.  

Once this is done you can run combofix 1 more time then run your HJT try and remove the above stated lines.

If you've run ccleaner, combofix, malwarebytes, and superantispyware and these keep coming back then it is highly possible that you have a compromised Windows system file.  In which case you can run a couple of things but you will need your Windows installation disk.

(Warning make sure to backup any crucial data before performing any of these steps)

First thing to try:
Go to Start > click run > at the run box type in "sfc /scannow" (w/o quotes) > click ok. It will run a system file check on your computer, but you will have to put in your CD for it to complete properly.

Second thing to try:
Try performing a repair install on Windows by following these directions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Third Thing to try:
If all else fails, back up your computer.  Make sure you go to the manufacturer's website and download the drivers and put them on a CD or jump drive.  Then format your computer and reinstall XP using the CD, following these steps:
http://www.microsoft.com/windowsxp/using/setup/winxp/install.mspx

Fourth thing to try (if you don't have an XP CD, start here):
If your computer came with a built in recovery partition you can start a recovery process.  Some (HP/Compaq) have an option to perform a recovery without the loss of data.  You will have to reinstall any programs to perform this option.  Most just have a factory recovery which formats and reinstalls everything.  This case you will lose all data so be sure to backup.

Sorry that I could not be of more help to remove the malware.  If it gets into system files then it can come down to this.

Good Luck again.
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 350 total points
ID: 24396691
Run Combofix in normal mode.
Run combofix again using this script to delete the files and reg entries in the script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\jszzwhde
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
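The CFScript above is a plain-text file of "Name::" sections, one target per line, that ComboFix reads when the file is dropped onto its executable. Because it deletes files, drivers, services and registry keys without further confirmation, it is worth sanity-checking before use. The following Python parser is an added example (not part of ComboFix, and it does not run ComboFix); it models the format, then warns about three easy-to-make slips: a Driver:: name with no matching .sys listed for deletion, a Registry:: line written as "[KEY]" (which in .reg syntax creates the key) instead of "[-KEY]" (which deletes it), and a relative path under File::, Rootkit:: or DirLook::. The script text is the one posted in the accepted solution; the "\~\" in the BHO key is ComboFix's own shorthand and is kept as posted.

```python
"""Parser and sanity checks for a ComboFix CFScript.

Added example for this thread; it is not part of ComboFix and does not invoke it.
The script text below is the one posted in the accepted solution, kept verbatim.
"""
import ntpath
import re

CFSCRIPT = r"""File::
C:\pch.bat
c:\windows\system32\daxmqgd.dll

Rootkit::
c:\windows\system32\drivers\iljnvylf.sys

Driver::
iljnvylf

NetSvc::
fdjraekd

DirLook::
c:\documents and settings\NetworkService\Local Settings\Application Data\jszzwhde
c:\documents and settings\HP_Owner\Local Settings\Application Data\jszzwhde

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{116770D0-04AC-4938-AD90-39302F4A1353}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\piesnsjj]
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text: str) -> dict:
    """Map each 'Name::' section header to the non-blank lines that follow it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() and current is not None:
            sections[current].append(line.strip())
    return sections


def check_cfscript(sections: dict) -> list:
    """Return human-readable warnings for directives that look inconsistent."""
    warnings = []
    # Driver:: only removes the service entry; the .sys itself should be listed under Rootkit:: or File::.
    listed_files = {ntpath.splitext(ntpath.basename(p))[0].lower()
                    for p in sections.get("Rootkit", []) + sections.get("File", [])}
    for drv in sections.get("Driver", []):
        if drv.lower() not in listed_files:
            warnings.append(f"Driver:: '{drv}' has no matching .sys under Rootkit:: or File::")
    # Registry:: follows .reg syntax: '[-KEY]' deletes a key, '[KEY]' creates or merges it.
    for entry in sections.get("Registry", []):
        if entry.startswith("[") and not entry.startswith("[-"):
            warnings.append(f"Registry:: '{entry}' would create rather than delete a key (missing '-')")
    # Paths must be absolute so nothing depends on ComboFix's working directory.
    for sec in ("File", "Rootkit", "DirLook"):
        for p in sections.get(sec, []):
            if not DRIVE_RE.match(p):
                warnings.append(f"{sec}:: '{p}' is not an absolute Windows path")
    return warnings


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for name, entries in parsed.items():
        print(f"{name}:: ({len(entries)} entries)")
    print("warnings:", check_cfscript(parsed) or "none")
```

The posted script passes all three checks: the driver name iljnvylf matches the .sys under Rootkit::, both Registry:: lines are delete directives, and every path carries a drive letter. The NetSvc:: entry (fdjraekd) is the service name ComboFix removes from the netsvcs list in the registry, which is why that entry needs no file path.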
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24432523
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset system Restore.

Thanks!
