Trojan.Vundo help

bwatson283

One of our sites has a computer that has the Trojan.Vundo virus, and I can't seem to get it removed.
The Symantec AV shows that the infected files are climbing as a few files scanned move up (on the system protection background scan); it sounds like it is acting like a worm.

I have run the Trojan.Vundo tool and it says there is no Trojan.Vundo found.....ERRRR. I ran the tool twice, once in normal and once in safe mode, no luck.

I downloaded NOD32 and scanned it and it found 2 SystemDoctor threats, so those got removed, but it wasn't Vundo.
 

JustaGeek

Do all the scans in Safe Mode, remove the malware, reboot and scan again.

Spy Sweeper is the best in dealing with trojans.
 

dclive

Just do this:

http://www.symantec.com/securi...id=2004-112210-3747-99

and that will fix the issue.

If that's the tool you ran, download BartPE, create a bootable BartPE CD, install the McAfee plug-in with the latest DAT files, and burn the CD. Boot from it. Scan your machine again.

Why do this with a bootable CD? Because trojan/virus processes can now mask themselves - even in safe mode - so that it's very difficult to spot them when booted from already-infected c:\Windows media. Creating a bootable, clean CD gets around this, and a normal filescan will find infected files.
 

bwatson283

Originally posted by: John
Originally posted by: dclive
Just do this:

http://www.symantec.com/securi...id=2004-112210-3747-99

and that will fix the issue.

It sounds like the OP already ran it. Unfortunately that tool is severely outdated (Updated: November 30, 2005 12:00:00 AM), and there are hundreds (maybe thousands?) of Vundo variants with new ones released daily.


Yup, I have run the tool, like I stated already. I might have to resort to manual deletion.......errr
Or reformat.......but that will take too damn long! Kinda want to avoid a reformat.

Next question:
Best way to make a backup of registry and restore for fail safe reasons?
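One way to do the registry backup asked about above, as an added example that is not from the thread: it exports the hives malware most often hooks to a thumb drive and records a hash of each export. It assumes the thumb drive is E: and an elevated Windows PowerShell 4 or later prompt (Get-FileHash needs 4+).

```powershell
# Added example: back up the main registry hives before manual cleanup so a bad
# edit can be rolled back with "reg import".
# Assumptions: thumb drive is E:, run from an elevated Windows PowerShell 4+ prompt.
$dest  = 'E:\regbackup'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# HKLM\SOFTWARE and HKLM\SYSTEM hold the Run keys and service entries that
# autostart malware uses; HKCU covers the logged-on user's own autostart keys.
$hives = 'HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU'
foreach ($hive in $hives) {
    $name = ($hive -replace '[\\:]', '_') + "-$stamp.reg"
    $file = Join-Path $dest $name
    reg.exe export $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        Write-Warning "Export of $hive failed"
        continue
    }
    # Record a SHA-256 so the backup can be checked before it is ever imported.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    "$hash  $name" | Out-File -FilePath (Join-Path $dest 'SHA256SUMS.txt') -Append -Encoding ascii
    Write-Host ("Saved {0} ({1:N0} KB)" -f $name, ((Get-Item $file).Length / 1KB))
}
```

Note that `reg import` merges the saved keys back in but does not delete keys created after the backup, so for a true rollback pair this with a System Restore point (Checkpoint-Computer) or a full hive backup.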
 

John

The instructions in my OP should help you get rid of the vundo infections.
 

bwatson283

This will all have to be done via thumb drive only. No floppy drive, and no way in hell it is getting on the network at corporate. I am a little hesitant to use unknown 3rd party stuff on a work computer, and I'm not really a command line person........since I just got into the industry as my job.......I think I might have to. So I'm a command line noob. :)
 

dclive

If you're convinced you're infected, doing an offline scan with McAfee and BartPE is an easy way to get rid of infections. Did you try that? Assuming you have a CD burner, you can have the CD made and the scanner 'installed' on the CD in under 30 minutes...
 

dclive

BartPE has a convenient way to put itself onto a thumb drive, now included in the main BartPE package... (CDs boot faster tho)
 

John

So your IT guy lets end user(s) on an admin account which allows the pc(s) to become infected, but you refuse to install quality detection and removal tools? :confused:

SAS can be installed and run from a flash memory drive. When you launch superantispyware.exe it will ask to update and only the updated sigs are copied to the local machine.

FWIW McAfee's detection rate is somewhat respectable, but it chokes hard on vundo and other hard-to-remove malware.
 

dclive

Originally posted by: John

FWIW McAfee's detection rate is somewhat respectable, but it chokes hard on vundo and other hard-to-remove malware.

When scanning another non-live iteration of Windows? First I've heard of that.

Bear in mind when you are not running that iteration of Windows, any scanners you run will not be looking through any filter drivers, will not have any masking in place, and will be able to scan the files (and actually see them), which is in stark contrast to a well-done virus being scanned on a "living" and infected Windows system. At that point it's just a question of looking for virus signatures, and pretty much anyone these days can hit 99% at that, assuming a current antivirus data file. That's easy.

That's why scanning offline is smart. :)
 

John

Originally posted by: dclive
At that point it's just a question of looking for virus signatures, and pretty much anyone these days can hit 99% at that, assuming a current antivirus data file. That's easy.
Unfortunately that is not the case. Numerous independent reviews and real world experience will show otherwise. With your train of thought we should all be using ClamAV. :p McAfee's signature and heuristic detection rates lag behind Kaspersky (and those that use the KAV engine), Bitdefender, and other fine products. I clean infected systems for a living, and 99% of those are cleaned in safe mode or safe mode with networking. Granted everyone has their own malware removal methods, but not everyone is aware of what constitutes quality removal tools.

 

dclive

Originally posted by: John
Originally posted by: dclive
At that point it's just a question of looking for virus signatures, and pretty much anyone these days can hit 99% at that, assuming a current antivirus data file. That's easy.
Unfortunately that is not the case. Numerous independent reviews and real world experience will show otherwise. With your train of thought we should all be using ClamAV. :p McAfee's signature and heuristic detection rates lag behind Kaspersky (and those that use the KAV engine), Bitdefender, and other fine products. I clean infected systems for a living, and 99% of those are cleaned in safe mode or safe mode with networking. Granted everyone has their own malware removal methods, but not everyone is aware of what constitutes quality removal tools.

Again, if all you are doing is offline scanning, it's a wonderful product. It's also got a nice BartPE plug-in that makes adding it to the BartPE boot CD trivial. I'm not slamming the KAV engine - it's great - but if what is wanted is a one-time removal tool (for free), McAfee's scan32 tool (again, free, and trivial to toss into BartPE) is a quick, simple, fast way to go. If you'd like to talk him thru adding the KAV engine to BartPE, be my guest.

I'm not aware of any significant differences in the scan engines for offline scanning - do you have anything suggesting otherwise? Note this is completely different from what you've brought up, which is online scanning (whether in safe or normal mode).

Having had to deal with viruses that add themselves to safeboot (and hence boot up in safe mode), I'm fully aware of the repercussions of booting in safe mode and thinking that will stop viruses from starting. For some of the stuff introduced in the past few years...it won't. And it won't be visible, either. Nasty stuff... that's why I suggested booting from a known-good boot media (BartPE...but another OS install works just as well) and then scanning the infected media.

Edit : Interesting link, but again only focused on online scanning: http://www.av-comparatives.org...g/seiten/overview.html
 

John

I find no reason to use BartPE w/ an AV or AS to clean a pc unless 1) you don't have the knowledge to clean a pc in safe mode using the proper tools and manual removal techniques, and 2) you do not have access to a secondary "clean" computer as a last resort. Why settle for quick and simple when you can do it right the first time? If you're relying on McAfee's detection rates alone that is nothing more than a false sense of security. IMO it's no different than suggesting someone use Windows Defender or Ad-Aware; both are garbage. For kicks and grins let's say you run McAfee via BartPE, it comes up clean, but you still have a nice fake security alert pimping VirusProtectPro....what's next? Is that the 1% you were referring to? :p

Originally posted by: dclive
Edit : Interesting link, but again only focused on online scanning: http://www.av-comparatives.org...g/seiten/overview.html
http://forums.anandtech.com/me...=2004933&enterthread=y

 

mechBgon

McAfee has near-zero signature or heuristic detection of some modern families of malware/PUPs. Online or offline, if it doesn't recognize the malware, it won't help. If you have lots of time, go down a few dozen of my SiteAdvisor reviews and start tallying how many Zlob and DNSChanger samples were detected by McAfee's scan engine (not Vundo, but updated several times a day), either heuristically or by signature. You could probably read all 400+ reviews and count them on your fingers.

I'm not saying don't scan with McAfee, but don't expect them to be great, either. If I were doing an offline scan, yeah I'd throw on McAfee's command-line scanner, but I'd be pinning most of my hopes on the F-Secure online scanner to nail the files, since it combines the Kaspersky engine/defs with a few others. And for fixing the Registry, I'd still be using John's approach (or just re-image the system from a RIS server while taking a coffee break :D).


Here's my Webimmune queue at one point in time, incidentally: over 200 samples being actively ignored by McAfee :camera: They topped themselves by emailing me (after a couple weeks, far too late) to ask me what was malicious about a couple samples of malware. I mean, bicycle mechanics are endowed with secret powars and everything, but that's THEIR job.

(I did tell them the answer, and that sample is still not detected today)
 

dclive

Originally posted by: John
I find no reason to use BartPE w/ an AV or AS to clean a pc unless 1) you don't have the knowledge to clean a pc in safe mode using the proper tools and manual removal techniques, and 2) you do not have access to a secondary "clean" computer as a last resort. Why settle for quick and simple when you can do it right the first time? If you're relying on McAfee's detection rates alone that is nothing more than a false sense of security. IMO it's no different than suggesting someone use Windows Defender or Ad-Aware; both are garbage. For kicks and grins let's say you run McAfee via BartPE, it comes up clean, but you still have a nice fake security alert pimping VirusProtectPro....what's next? Is that the 1% you were referring to? :p

Fair enough - in that case, simple question:

If you find a virus that masks directory listings (so that you cannot see the file in the filesystem) and you find a virus that stops you from scanning/viewing the registry, then what do you do?

When the host system is infected, there's no way you can guarantee that what you are viewing (in the 'proper tools and manual removal techniques' you talk about) will actually work - nor can you even verify they've worked.

Once again, the best way to scan an infected system is from a system that isn't infected. One way to do that is BartPE (it's easy and well-known), and one AV scanner easily available in that environment is McAfee's SCAN32 (since it's natively supported by BartPE with a plugin included in the default PE install).

If you don't like those methods, feel free to suggest others. However, on-line scanners can miss things that off-line scanners will get, merely because they don't need to worry about the virus masking itself. If you want to debate McAfee vs. KAV, I think that's in another thread...

Your suggestion of using a secondary clean computer as a 'last resort' is essentially what I'm suggesting with using BartPE, but I skip the middleman and simply jump to that. Another bonus is it doesn't require modifying your Windows system at all, so if things are unstable, going downhill, or you want to scan prior to uninstalling your current AV (if present) and installing KAV, you can easily do so....then install a better AV. :)
 

dclive

Originally posted by: mechBgon
And for fixing the Registry, I'd still be using John's approach (or just re-image the system from a RIS server while taking a coffee break :D).

The re-imaging bit is great, but most here don't have the luxury of their own RIS server, Altiris server, or whathaveyou. I do, but I'm also familiar with how to scan a system and remote things when you don't have those nice options.

Having choices is good....no doubt.
 

John

mech, you obviously put a lot of time and effort into fighting malware, and it's a shame that you aren't compensated for it. When are you going to work for McAfee? :p I am pleased to see that you're pimping F-Secure because it truly is one of the best on the market. For those that don't know F-Secure uses multiple scan engines: AVP (Kaspersky) + Libra (modded F-Prot) + Pegasus (Norman) + Draco (Ad-Aware) + Orion (in-house heuristics) + Blacklight (in-house rootkit)
 

mechBgon

Originally posted by: dclive
Originally posted by: mechBgon
And for fixing the Registry, I'd still be using John's approach (or just re-image the system from a RIS server while taking a coffee break :D).

The re-imaging bit is great, but most here don't have the luxury of their own RIS server, Altiris server, or whathaveyou. I do, but I'm also familiar with how to scan a system and remote things when you don't have those nice options.

Having choices is good....no doubt.

OK, then an unattended install using the usual method (Windows CD-ROM and a floppy diskette with the unattended.sif file of choice). ;) It can't be that difficult if *I* can do it :D
 

dclive

Originally posted by: mechBgon
Originally posted by: dclive
Originally posted by: mechBgon
And for fixing the Registry, I'd still be using John's approach (or just re-image the system from a RIS server while taking a coffee break :D).

The re-imaging bit is great, but most here don't have the luxury of their own RIS server, Altiris server, or whathaveyou. I do, but I'm also familiar with how to scan a system and remote things when you don't have those nice options.

Having choices is good....no doubt.

OK, then an unattended install using the usual method (Windows CD-ROM and a floppy diskette with the unattended.sif file of choice). ;) It can't be that difficult if *I* can do it :D

I think you're quite a bit more knowledgeable than the average user.

Putting together even an nLite setup can be trying for many....and reinstalling all of the applications and whathaveyou can also be very, very difficult and time-consuming. This is why people spend $ on AV products...
 

mechBgon

Originally posted by: John
mech, you obviously put a lot of time and effort into fighting malware, and it's a shame that you aren't compensated for it. When are you going to work for McAfee? :p

I wish I knew the answer to that, although I would try for someone besides McAfee. Having a real career instead of a dead-end job would be nice. :(
 

John

Originally posted by: dclive
If you find a virus that masks directory listings (so that you cannot see the file in the filesystem) and you find a virus that stops you from scanning/viewing the registry, then what do you do?

I run quality anti-rootkits (RKU, Ice Sword) and use the tools listed in my guide.

Once again, the best way to scan an infected system is from a system that isn't infected. One way to do that is BartPE (it's easy and well-known), and one AV scanner easily available in that environment is McAfee's SCAN32 (since it's natively supported by BartPE with a plugin included in the default PE install).

I suppose we all have our own opinion of the best. Visit the popular malware removal forums (Bleeping, SWI, Major Geeks, Castle Cops, etc.) and report back with how many specialists recommend offline scans.

If you don't like those methods, feel free to suggest others. However, on-line scanners can miss things that off-line scanners will get, merely because they don't need to worry about the virus masking itself. If you want to debate McAfee vs. KAV, I think that's in another thread...

What you're referring to is rootkits and they aren't all that common.

Your suggestion of using a secondary clean computer as a 'last resort' is essentially what I'm suggesting with using BartPE, but I skip the middleman and simply jump to that.

The difference is my secondary computer has quality tools such as SAV 10.1 Corp, F-Secure, SAS, SS, AVGAS, a-squared and a host of other fine software. I don't like scanning "offline" because access to the registry is limited, and when someone has multiple admin accounts you need to log on to the account and scan each one.
 

dclive

Originally posted by: John
Originally posted by: dclive
If you find a virus that masks directory listings (so that you cannot see the file in the filesystem) and you find a virus that stops you from scanning/viewing the registry, then what do you do?

I run quality anti-rootkits (RKU, Ice Sword) and use the tools listed in my guide.

Once again, the best way to scan an infected system is from a system that isn't infected. One way to do that is BartPE (it's easy and well-known), and one AV scanner easily available in that environment is McAfee's SCAN32 (since it's natively supported by BartPE with a plugin included in the default PE install).

I suppose we all have our own opinion of the best. Visit the popular malware removal forums (Bleeping, SWI, Major Geeks, Castle Cops, etc.) and report back with how many specialists recommend offline scans.

If you don't like those methods, feel free to suggest others. However, on-line scanners can miss things that off-line scanners will get, merely because they don't need to worry about the virus masking itself. If you want to debate McAfee vs. KAV, I think that's in another thread...

What you're referring to is rootkits and they aren't all that common.

Your suggestion of using a secondary clean computer as a 'last resort' is essentially what I'm suggesting with using BartPE, but I skip the middleman and simply jump to that.

The difference is my secondary computer has quality tools such as SAV 10.1 Corp, F-Secure, SAS, SS, AVGAS, a-squared and a host of other fine software. I don't like scanning "offline" because access to the registry is limited, and when someone has multiple admin accounts you need to log on to the account and scan each one.

I've read your guide. You explicitly point out running McAfee's scanner:

"Although I recommended that you uninstall McAfee (due to bloatware) you can use their command line scanner in DOS or Windows without having to install the program. McAfee's detection rate is somewhat respectable, and this will allow you to leave your current AV installed and get a second opinion in case you are unable to get on the internet to run an online scan, or you do not have the ability to scan the drive on a clean computer. "The scanner runs faster if its window is minimized. It's normal for the text in the window to get all jumbled and overwritten. The virus definitions in this scanner get updated several times per day, and although McAfee is not our favorite anti-virus vendor in the home-user realm, they do sometimes find stuff heuristically and this does use their full threat database, for what it's worth." - mechBgon"

I thought that was interesting. For a product you dislike, too. :)

Creating a boot CD is significantly more technical than what most people will suggest, so your suggesting it's an uncommon option isn't news or notable. That most people can't read a debugger doesn't mean one shouldn't do it, either, so just because knowledge isn't common, to me, isn't remotely interesting nor is it a point in favor of your suggestion.

Agreed, rootkits are a serious issue. It's odd you talk about them not being common - would that be less common than the 1% number you brought up (against me) above? :)

We can debate "quality" tools all night long. If you like KAV, use it. I suggested McAfee's scanner because, for at least the third time, it's got a great BartPE plug-in, it's native to BartPE, it's simple to use, and those things make it more likely someone will actually use it. Your rebuttal has been it's less reliable than KAV, of which there are varying opinions (see the link I posted for one counter-opinion...straight from a link from one of your other postings...)

 

dclive

From a link on your Elite page: http://www.virusbtn.com/virusb...-comparative#id3600134:

Kaspersky:
ItW: 100.00%
ItW (o/a): 100.00%
Macro: 98.82%
Standard: 83.73%
Polymorphic: 69.52%

Kaspersky Anti-Virus 6.0.0.299

KAV includes various self-protection features which turn out to be a double-edged sword. The less-than-welcome aspect is that the virus definitions are so well protected that they are, by default, unable to be updated manually. Since the update function does not allow updates from a local folder, this is somewhat irritating.

There also seem to have been some changes in scanning methods, the effects of which are particularly unpleasant. On-access scanning was seemingly interminable, while the clean set scanning rate is pretty indicative of the speeds seen while scanning the infected sets. This is not an effect of low scanning priorities, however: during scanning KAV remained steadily at 99% processor usage.

All of this work was, at least, for good reason as all files in all test sets were detected and no false positives were produced. A VB 100% award thus acts as a distraction from the various problems encountered.

McAfee:
ItW: 100.00%
ItW (o/a): 100.00%
Macro: 100.00%
Standard: 100.00%
Polymorphic: 100.00%

McAfee VirusScan Enterprise 8.0i 4400 4753

Happily, with VirusScan we return to a product that had no nasty surprises in store and gave a good performance with full detection of infected samples across all test sets. With no false positives noted in the clean test sets either, VirusScan is awarded a well deserved VB 100%.


_________
I'm just posting data points. McAfee isn't my favorite either - I like the management features in Symantec AV for the enterprise, and never got into McAfee's EPO, but people should be aware there are a variety of reviews out there for McAfee products, some of them quite favorable....