trojan vundo

December 21, 2008 at 08:45:32
Specs: XP, PENTIUM 4 RAM 128
Hi,

I am infected with Trojan Vundo
Registry Key Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

No tool would delete it at scan or reboot, in either safe or normal mode.
I cannot delete it manually either.

Help very much appreciated.




#2
December 22, 2008 at 22:04:42
I have a fix for you. It is pretty much guaranteed. I work as a high-level tech for a large corporation, and this is the fix I developed to remove Vundo and other non-removable *.dll's.

You have to follow these instructions exactly because the virus is loaded into memory and most likely attached to winlogon.exe.

**.. anything referenced with << >> means that there is a DOS command within the "brackets". You don't need any extra tools - all you need is DOS!

1. Enable view of hidden folders:
- Go to "Folder Options" in "Control Panel"
- Click the "View" Tab, and do the following:
check "Show hidden files & folders" &
uncheck "Hide protected operating files (Recommended)"

2. Find the files:
- Go to the following folder locations:
c:\windows\system32
c:\documents & settings\%userprofile%\local settings\temp
- Add the "Date Created" column within the explorer window if it does not exist.
- Sort by "Date Created" - newest on top (descending).
- Look for any strange *.dll's. Usually you will find something random such as: “dofjdiijdd.dll”.
- Write down the names of the bad files.
- Highlight all of the bad *.dll's at once, - Right click, and then choose "rename".
- Rename them to something like "temp".
This will run you through prompts asking to rename each one "temp01, temp02" etc. Hit "OK"
- After files have been renamed, do a hard boot.

YOU HAVE TO DO A HARD BOOT IN ORDER TO KILL THE VIRUS. IF YOU DO A REGULAR RESTART IT WILL COME BACK FROM MEMORY.

YOU WILL HAVE MORE SUCCESS RENAMING INSTEAD OF DELETING DLL FILES IF THEY ARE IN USE. AFTER RENAMING THEM YOU CAN DELETE THEM AFTER THE NEXT BOOT.

3. Clean the traces:
- Go back to the locations where you found the malicious files.
- Check to see if any new ones were created, or missed.
- Delete the files that were re-named.
- Use "regedit.exe" in the system32 folder to search out any and all registry entries for malicious files that were noted in step 2

4. What if you can't rename the file(s) because they are in use?
- Figure out the Process Identifiers for "winlogon.exe" and "smss.exe":
- Open "Task Manager"
- Go to "View" Drop Down Menu
- Choose "Select Columns"
- Enable view of "PID (Process Identifier)"
- Hit OK to escape that view
- Look at the "Processes" tab, and check to see which PID "winlogon.exe" and "smss.exe" are using.

- Open up "cmd.exe" from system32 folder with admin rights
- Within command prompt, navigate to the folder where the infection is occurring:
<< cd %windir%\system32 >> or
<< cd %userprofile%\local settings\temp >>
- End the smss.exe and winlogon.exe processes:
<< ntsd -c q -p "PID" >>
- To use myself as an example, the commands would look like this:
<< ntsd -c q -p "1420" >> (for "smss.exe")
<< ntsd -c q -p "1612" >> (for "winlogon.exe")
- *Make sure to run those 2 commands in ORDER. You MUST kill "smss.exe" before killing "winlogon.exe"
- Delete the file within the command prompt:
<< del /f /q filename.dll >>
- Immediately hardboot the machine.
- After the machine reboots - finish cleanup process listed in step 3.
- As an example… the complete list of DOS commands will look like this:
<< cd %userprofile%\local settings\temp >>
<< ntsd -c q -p "1420" >>
<< ntsd -c q -p "1612" >>
<< del /f /q filename.dll >>

If you still can't rename or delete the file, then go repeat the process of killing "smss.exe" and "winlogon.exe", but this time kill "explorer.exe" as well.

Since you are navigating from a command prompt you won't need an Explorer window anyway.

If you have any questions hit me up!


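Added example, not part of the original post and not the poster's own script. It does steps 1 to 3 of the procedure above from one elevated console: lists DLLs recently created in the same two folders, resolves which file the infected CLSID from the first post actually loads (the default value of its InprocServer32 subkey), shows which processes hold each DLL mapped, and with -Rename renames the unsigned ones and queues their deletion for the next boot. It deliberately never terminates smss.exe or winlogon.exe: on XP, ending winlogon.exe takes the system down with STOP 0xC000021A, so instead the script uses the Session Manager's PendingFileRenameOperations value, the same mechanism Windows installers use to remove in-use files during startup. Assumes PowerShell 2.0 or later (available for XP SP3); -DaysBack, -Rename and the ".bad" suffix are this example's own choices, not anything from the thread.

```powershell
# Added example (not code from the original post). Triage of the two folders the
# post names, without killing system processes. Run from an elevated console.
param(
    [int]$DaysBack = 14,                                        # assumption: "recent" window
    [string]$Clsid = '{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}',  # CLSID from the first post
    [switch]$Rename                                             # without it: report only
)

$folders = @("$env:windir\system32", $env:TEMP)
$cutoff  = (Get-Date).AddDays(-$DaysBack)

# Steps 1-2: recently created DLLs, hidden and system files included (-Force).
$recent = foreach ($f in $folders) {
    Get-ChildItem -Path $f -Filter *.dll -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff }
}

# Which DLL does the infected CLSID load? For an in-process COM server the path
# is the default value of the InprocServer32 subkey.
$inproc  = $null
$regPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (Test-Path $regPath) {
    $inproc = (Get-ItemProperty -Path $regPath).'(default)'
    if ($inproc) { $inproc = [Environment]::ExpandEnvironmentVariables($inproc) }
}

# Map every loaded module to the processes holding it. A DLL mapped into a
# process cannot be deleted, which is why the post renames first.
$loadedBy = @{}
foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            $k = $m.FileName.ToLower()
            if (-not $loadedBy.ContainsKey($k)) { $loadedBy[$k] = @() }
            $loadedBy[$k] += "$($p.ProcessName):$($p.Id)"
        }
    } catch { }   # access denied on some system processes is normal
}

# Report. A recently created, unsigned DLL with a random-looking name, loaded by
# winlogon.exe or explorer.exe and pointed at by the CLSID, matches the Vundo profile.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
foreach ($dll in $recent) {
    $full  = $dll.FullName
    $sig   = (Get-AuthenticodeSignature -FilePath $full).Status
    $users = $loadedBy[$full.ToLower()]
    $hit   = $inproc -and ($inproc.ToLower() -eq $full.ToLower())

    "{0,-40} created {1:yyyy-MM-dd} sig={2,-12} clsid={3,-5} loaded by: {4}" -f `
        $dll.Name, $dll.CreationTime, $sig, $hit, ($users -join ', ')

    if ($Rename -and $sig -ne 'Valid') {
        # Rename succeeds on NTFS even while the DLL is mapped; delete does not.
        $newName = $dll.BaseName + '.bad'
        Rename-Item -Path $full -NewName $newName -Force
        $newPath = Join-Path $dll.DirectoryName $newName

        # Queue deletion for the next boot: the Session Manager processes this
        # REG_MULTI_SZ before winlogon or the shell can load the file again.
        # Entries are pairs: source path in \??\ form, then an empty destination.
        $pending = @((Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations |
                     Where-Object { $_ })
        $pending += "\??\$newPath", ""
        Set-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
            -Value ([string[]]$pending) -Type MultiString
        "  renamed to $newName; deletion queued for next boot"
    }
}

if ($inproc) { "CLSID $Clsid -> $inproc" }
else         { "CLSID $Clsid has no InprocServer32 value or is not present" }
```

Run it once without -Rename and read the report first: a fresh driver or application install also leaves recently created, sometimes unsigned, DLLs in system32, and the script has no way to tell those from malware other than signature status, creation date, the CLSID match and who has the file loaded. Only after you are satisfied the listed files are the bad ones run it again with -Rename, then restart; the queued deletions run during that boot, and the CLSID key can then be dealt with in regedit as step 3 describes.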

#3
December 24, 2008 at 02:02:16
Aaron...

When I try and kill the SMSS.exe (and WINLOGON.exe) processes using the CMD function at the location of the vundo file (C:\WINNT\system32), I get the following error:

NTSD: cannot debug pid "xxx"

As a result, I'm unable to complete the steps you outlined.

Any help or suggestions are greatly appreciated, as this vundo virus has my home PC slowed to nearly a crawl.

Thank you for your time,
-Brian B.



#4
January 15, 2009 at 09:04:14
Hi,

There are some tools created to remove the Vundo trojan. They are called VundoFix; they can fix certain variants of the Vundo trojan. Also read this article: http://www.2-spyware.com/remove-vun...

Good Luck!

