
Vundo and variants


Mad Dog Vee


I notice a lot of the help requests are about Vundo, Virtumonde, MS Juan, etc.

I was wondering if there was a generic tutorial of the removal process located anywhere.

I am not infected with it nor is anyone that I know.

I'm just interested in reading through the process.

If there isn't one anywhere, don't worry about it, I'll follow one of the logs underway.


  • Root Admin

I suppose it depends on how much you really want to know about it. Generally speaking there are schools where they will train you to learn how to detect and clean a system. It takes many, many hours of training but many find it valuable and enjoy helping others.

If you're interested in going that route speak up and we can provide you with links to sites for training.



Unfortunately there is no "cure all" sure-fire way to kill Vundo, and right now the closest thing is MBAM. The reason is that they keep modifying it to bypass detection and removal. Malwarebytes is better, however, even at catching many new variants, because it has excellent heuristics, meaning it can often catch new versions that aren't specifically in its definitions yet.


Advanced Setup, thank you, I've been down that road in another thread. I like the concept but it is too long term for me at this stage and a market for serious embarrassment and failure.

Exile, thank you for that response. I read a removal process on HowTo but it didn't sound accurate to me. I guess I'll just have to follow a couple of logs to get the general idea.


  • 1 month later...

Hello Mad Dog Vee: Not specifically in regard to Vundo or the others, but you may have seen where someone who has a trojan or virus etc., and the person assisting them to delete it on a forum, asks for a HijackThis log. I assume you are familiar with the program HijackThis (it is from Trend Micro Inc.). You may want to download it, run a scan, and print out a copy of the scan. It is good to be familiar with HijackThis. There is a website that helps in understanding and interpreting the HijackThis scan: what to look for, how to delete the item. There are three parts (a tutorial of removal processes).

www.malwarehelp.org/understanding-and-interpreting-hjt1.html.

Note the letter 1 just before the html. That is the first part. It will take you to the others. When you compare this tutorial with your own HijackThis printout from the scan you downloaded, you should have a good understanding, because HijackThis seems to be where it starts; otherwise they don't know what or where the varmints are. Good luck! :D


  • 1 month later...

First of all apologies for the bump.

Today I've been reading some logs and repairs about these variants, and it seems the goal is to nail the DLL and SYS files by whatever means necessary, which may even require GMER or RootRepeal. Once things look as clean as possible with all the standard tools (HJT, MBAM, SAS, Avira), you then run ComboFix.

This is the process that appears to clean all infections when the infected user hasn't given up or hasn't been advised to reformat and reinstall.


True enough MDV, often (in fact, usually) the best way to kill pretty much all of the nastier infections these days (and even the not so nasty) is to go straight for the DLLs and rootkit drivers that they load from, as killing the entry points in the registry is often futile: they are just resurrected by the malware. In fact, usually once the rootkit is killed (if one is involved) MBAM can often kill the rest off (if the rootkit was preventing the use of tools like MBAM, which they often do nowadays :( ).

As far as ComboFix etc. goes, it's usually a matter of the preference of the helper. ComboFix is useful because it's updated regularly to get rid of these nasties, runs a rootkit scan using GMER, and creates a very useful log, not only for seeing what it removed but also for other helpful info that may lead to the discovery of as-yet undetected/unremoved threats.

ComboFix and certain other tools like it also have the ability to run custom scripts to disable and remove nasties that the helper identifies, files that would normally be undeletable by other means unless booting from a live disc. This is similar to how MBAM removes threats, but with the ability to specifically tell it what to remove instead of just relying on definitions. That's also one of the reasons it should never be used by someone that doesn't know what they're doing: it could also potentially delete or damage critical system files if you told it to by mistake.

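Added example, not code from any poster in this thread and not part of HijackThis, ComboFix or Malwarebytes. It works the two ideas above (reading a HijackThis log, and going for the file rather than the registry entry points that keep getting resurrected) into a small triage script: it parses the O2 (BHO), O4 (Run key), O20 (Winlogon Notify) and O23 (service) lines HijackThis prints, groups them by the file each one loads, and reports any file that is reached from more than one autostart mechanism. The log lines, the random-looking DLL name, the GUIDs and the paths are all constructed for illustration.

```python
"""Triage helper for HijackThis-style autostart listings.

Groups entry lines by the file they load and flags files that back more
than one entry point. Several entry points converging on one unfamiliar
DLL in system32 is the pattern the thread describes: deleting the registry
entries alone is futile, the file is the thing to remove.
"""
import re
from collections import defaultdict

# Constructed sample log (made-up GUIDs, file names and paths).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D3A1C2B-7E9F-4A60-9B1D-2C5F8E7A6B01} - C:\WINDOWS\system32\ssqrpqon.dll
O4 - HKLM\..\Run: [ssqrpqon] rundll32.exe "C:\WINDOWS\system32\ssqrpqon.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ssqrpqon - C:\WINDOWS\system32\ssqrpqon.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
"""

# HijackThis entry lines start with a section code such as "O2 - " or "R1 - ".
SECTION_RE = re.compile(r"^([A-Z]\d+)\s*-\s*")

# A drive-letter path ending in a loadable file. Paths may contain spaces,
# so the match is terminated by a quote, whitespace, comma or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:dll|exe|sys))(?=["\s,]|$)', re.IGNORECASE)


def parse_entries(log_text):
    """Return one dict per (entry line, file path) pair found in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if not sec:
            continue  # header text, blank lines, anything that is not an entry
        for path in PATH_RE.findall(line):
            entries.append({"section": sec.group(1), "target": path, "raw": line})
    return entries


def group_by_file(entries):
    """Map a case-folded path to the set of section codes that reference it."""
    groups = defaultdict(set)
    for entry in entries:
        groups[entry["target"].lower()].add(entry["section"])
    return groups


def _section_order(code):
    # Sort O2, O4, O20 numerically rather than as strings.
    return int(code[1:])


def multi_entry_files(log_text):
    """Files referenced from more than one autostart mechanism, as
    (path, [sections]) tuples sorted by path."""
    groups = group_by_file(parse_entries(log_text))
    hits = []
    for path, sections in groups.items():
        if len(sections) > 1:
            hits.append((path, sorted(sections, key=_section_order)))
    return sorted(hits)


if __name__ == "__main__":
    for path, sections in multi_entry_files(SAMPLE_LOG):
        print(f"{path}  <- {', '.join(sections)}")
```

On the constructed log this reports only the system32 DLL that is loaded as a BHO, from an HKLM Run key and as a Winlogon Notify handler. The script is a reading aid, not a remover: it tells a helper which file to verify (publisher, signature, whether the name appears in any legitimate product) before deciding what a ComboFix script or a boot-time deletion should target.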

As I read somewhere on bleepingcomputer today, someone ran combofix off their own bat and it seems that they have done exactly that.

Which is how I also learnt it was designed to specifically target SurfSideKick, QooLogic, and Look2Me, as well as any other combination of the mentioned spyware applications. With its built-in engine that removes Vundo infections, it can also take charge of the latter, but not all of them.

Malware I've largely never heard of, but it explains the Qoobox folder that is deleted after most ComboFix logs.


Those are very old (and formerly very common) spyware/adware infections that made their rounds for a long time. Nice thread you linked to. Looks like extremeboy's helping out. That's also one of the reasons that ComboFix advises you to install the Recovery Console, in case something goes wrong. There used to be (and may still be) certain infections that would detect if ComboFix was executed, and if it was, the infection would delete the entire System32 directory in Windows. Bad news.
