[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 963
  • Last Modified:

How to remove suspicious.vundo.2

I am having a really difficult time battling a malware infection on my Windows XP machine that has disabled many anti-virus programs and my windows security updates. I'd like to try and remove the virus to save software that I cannot replace.

I received an alert from symantec that it found a threat called 'suspicious.vundo.2', and that quarantine, clean, and delete all failed. Soon after, I began seeing somewhat fake-looking windows security alerts, warning that my computer was infected and asking me to click to download an anti-virus software program.

I rebooted my computer in safe-mode and ran a symantec scan, hoping that it would be able to find and remove the virus in safe-mode. But it showed a clean scan, and attempts to delete the offending files via the log gave errors saying they were no longer there. But the virus persisted. I tried downloading a few other anti-virus programs (spybot search and destroy, malwarebytes, and spyware doctor), but the virus blocked the installation executables from running. Malwarebytes did successfully install, but the program hung after trying to launch (the exe shows up in task manager, but the program never actually starts up). I tried re-naming the executable files of the different programs, but this did not help.

I then tried doing a system restore, but the restore interface would hang and not go through with the restore. I next decided to try doing a repair install of the windows operating system. After the re-install, however, the virus was still there. In retrospect, the repair install may not have been the best idea since the virus had clearly integrated itself into the operating system pretty well.

With the virus blocking windows update, I now have a very vulnerable OS (windows XP without any service-pack or security updates)! I am only booting in safe mode (with networking) to avoid some potentially nasty problems.

I have had some minor success after running an online scan through TrendMicro's HouseCall. It found and fixed a few things, and afterward I was able to run Malwarebytes. This found a few more issues, which I fixed. But, I still cannot launch windows update or other anti-virus software. So there is still some lingering infection.

I've attached a log from HijackThis and an online BitDefender scan (which does find an infected dll, which I have tried to remove manually with no success).

And here is a list of anti-virus software I have tried and cannot run:
spybot search and destroy
spyware doctor
ad-aware
registry patrol
combo-fix
hijackthis-log-010410.txt
Report-2010-01-04-21.36.47.txt
0
jesuisbiencalee
Asked:
jesuisbiencalee
1 Solution
 
optomaCommented:
Have you tried renaming Combofix prior to saving to desktop to something like svchost.exe?
0
 
optomaCommented:
Also disable Spy Bot Tea Timer so it wont interfere
http://forums.majorgeeks.com/showthread.php?t=103692&highlight=Teatimer

Lsess.exe entries in Hijackthis are bad
0
 
Srikanth_hitsCommented:
Hi,
Try running combofix as suggested by optoma. Its a very powerful tool.
You can download it from : http://download.bleepingcomputer.com/sUBs/ComboFix.exe

¬JNSV
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
FayazCommented:
Download rescue CD from here and try to recover
http://www.freedrweb.com/livecd/?lng=en 
Once done do a windows repair and install SP3 on it, post your results in case of problems!
0
 
jesuisbiencaleeAuthor Commented:
Saving ComboFix as svchost.exe seems to have done the trick! It found and removed the suspicious dll's that bitDefender had found. BitDefender now shows no infection, and I've got Spybot Search and Destroy running now to double-check that it's all clean. I've also attached the ComboFix and a new HijackThis log.

I am still getting a weird issue when I try to run microsoft update, though. I get the following error message: 'The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. ' The error code shown is 'Error number: 0x8007043C' This text is within the Microsoft Update IE window--not an internet connectivity or 404 type of message. Of course, none of their options are helpful. Could that be an issue with running in safe mode?

Thanks so much! This is certainly significant progress.
hijackthis-log-010410-v2.txt
comboFix-log-010410.txt
0
 
jesuisbiencaleeAuthor Commented:
Ah, did a bit of searching and the error is due to safe-mode. Looks like I *should* be in the clear after a reboot to normal.

Thanks again.
0
 
optomaCommented:
In Hijackthis remove:
O4 - HKUS\S-1-5-21-1935655697-1757981266-839522115-1004\..\Run: [Sysino] lsess.exe

Delete this file:
C:\cojpjy.exe

Upload these to http://www.virustotal.com/ :
c:\windows\system32\umdmxfrm.datc:\windows\system32\msxbdq40.datc:\windows\system32\iuenginc.datc:\windows\system32\slbcopeo.datc:\windows\system32\esxbej.datc:\windows\system32\loadoerf.datc:\windows\system32\msctopfd.datc:\documents and settings\All Users\Application Data\1CASHWIPECHIN\Stupidplay.exe

Your other scanners may have removed them already if bad.

Post back!
0
 
jesuisbiencaleeAuthor Commented:
I removed the lsess.exe with hijackThis. I've attached a new log file.

I also removed the cojpjy.exe file.

I uploaded the files listed to virustotal.com, and all showed 0/41. I assume that means they are ok? However, I wasn't able to upload msctopfd.dat or esxbej.dat to the website. Every time, I got a '0 bytes received' error message from the website. I looked and both files are 0 bytes.

On the 'Stupidplay.exe', on start-up a command window with that name pops up for a brief second. It has been there since I don't know when, but I've never noticed any issues with it. Though it has always slightly concerned me. Can I just remove it?

I have now run Symantec and Spybot scans, and both found nothing. I also have my OS updated to the current updates etc.  

Thanks!
hijackthis-log-010510.txt
0
 
optomaCommented:
Unfortunately, there are new bad entries in logfile.
We could try running more removable scanners+repeat steps but I think it would be safer to backup your data and install Xp fresh.

Also am unsure on how trusted "registry patrol" program is..

For safety,it is advisable log into a non-infected machine and change any passwords for any accounts which you have.

I'll try and get others in on this thread for another opinion.
0
 
jesuisbiencaleeAuthor Commented:
Hmm. I will try running ComboFix and a few other scanners again later tonight. I did uninstall registry patrol (and never actually used it, it was just one of many programs I tried when the virus was blocking all anti-virus software).

I'd really like to try avoiding a fresh install of XP. I have a lot of great software I got as a student that I cannot replace. But all of my data is already backed up.

And for changing passwords, you mean any online accounts I may have logged into while using the computer?
0
 
optomaCommented:
Ok we can continue on so and try and clear it up fully. Can be more time consuming but you want to keep applications!

Yes it would be safer to change any online passwords accessed on that machine.

You can try these steps in order:
1-Boot into safe mode with networking for this step only:
>Run disk cleanup and Atf cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25


2-Kaspersky live cd scanner (live cds can take hours to complete scan-good boot scanner!)
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
--It is in iso/image format so you will have to burn it to a cd.
--Once the cd is created, boot the infected machine to that cd and scan your system
NB-Update the virus database in live cd before scanning.

IMPORTANT:::READ THIS:::
Also, do you have your installation media?
If so you may have to do a repair installation afterwards, depending on what infected files Kaspersky live cd removes->ie.If system files are infected and removed, the operating system will not start, thus resulting in a repair installation
http://michaelstevenstech.com/XPrepairinstall.htm

3-Run Hitman Pro cloud scanner http://www.surfright.nl/en/hitmanpro

4-Rerun Combofix

5-Rerun Malwarebytes quick scan>update it first

6-Run Hijackthis beta:
http://go.trendmicro.com/free-tools/hijackthis/beta/HijackThis.msi

Reboot machine when required and make note of detections for 2+3.
Attach 4+5+6 new logfiles
0
 
jesuisbiencaleeAuthor Commented:
Thanks for the suggestions.

I do have the installation media, and have done repair installs before, so that's not a problem. I'm at work now, but I will start work on these steps when I'm back home tonight.

Just out of curiosity, what are the bad entries you're seeing in the hijackThis log? I was scanning through and didn't see much that seemed out of the ordinary. I'd also like to know what I'm looking to get rid of. (granted, I know less about this stuff, but I didn't see many things that weren't associated with programs I know I put on my computer).

Thanks!
0
 
optomaCommented:
No prob:These are the ones which look nasty to me but run the steps in order. If they are bad the other scanners should remove them.

O4 - HKCU\..\Run: [Microsoft Update] phqghumea.exe
O4 - HKCU\..\Run: [pileadmin] C:\DOCUME~1\Amy\APPLIC~1\CREATI~1\Onlinetick.exe
O4 - HKCU\..\Run: [richtx64.exe] C:\DOCUME~1\Amy\LOCALS~1\Temp\richtx64.exe
0
 
jesuisbiencaleeAuthor Commented:
I'm having issues running Kaspersky live cd scanner. I've burned the ISO file to a cd, and restart my computer with the cd in the drive, but I can't get the computer to boot from the cd.

I double-checked that my BIOS boot order starts with the CD drive. But on start-up, the 'press any key to boot from disk...' never shows up. Am I missing something?
0
 
jesuisbiencaleeAuthor Commented:
Nevermind! Made a stupid mistake. Its running now.
0
 
optomaCommented:
It will be interesting in what it finds!
0
 
jesuisbiencaleeAuthor Commented:
Ok. I've run all the scans you suggested. That took a while!

The Kaspersky scan found quite a few trojans etc.--many of which appeared to be in my Symantec quarantine folders. But a few were not. I've attached a log that lists the found and deleted items.

The hitman pro scan did not find anything.

ComboFix deleted one thing, and MalwareBytes quickscan didn't find anything. Logs are attached.

And I've got an updated hijackThis log file. I believe the guys you were concerned about are gone. Let me know if you notice anything else suspicious!

kaspersky-virus-scan-log-1-7-10.txt
combofix-log-010710.txt
mbam-log-2010-01-07--20-05-30-.txt
hijackthisLog-010710.txt
0
 
optomaCommented:
Rescue cd scanners can take hours!

All looks better.
Last few things:
-Uninstall Hitman Pro trial or you can uninstall at a later date-dosn't matter either way!

-Uninstall Java from add/remove programs >restart machine
-Get latest Java version
http://jdl.sun.com/webapps/getjava/BrowserRedirect?locale=en&host=www.java.com:80

-Get latest flash version>uncheck box to install toolbar or security scan
http://get.adobe.com/flashplayer/

-Hit start,run, type combofix /uninstall to remove restore points and create a new "clean" one.

-Then check for any Windows Updates  :)
0
 
jesuisbiencaleeAuthor Commented:
Done! Thanks so much for your help. Its nice to have my computer back :)
0
 
optomaCommented:
You're welcome ;)
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now