Vundo Removal
originally from www.nerdhelp.com/forums/internet-and-networking/security-viruses-spyware-adware-etc/trojan-vundo-b-removal-instructions.html
Preparation
First off, you're going to need to grab these two tools:
1. Process Explorer
2. Pocket Killbox
These are on the RSA Fix CD in the Utils folder.
Follow these instructions to the letter:
Turn off System Restore.
Use BlasTemp and del_temp_all to quickly remove temporary files.
Step 1
First, wait for the security alert that says you are infected and copy down the name of the file it reports as infected.
In my case, I am infected in c:\windows\system32\ddccd.dll **WRITE THIS DOWN!**
If no security alert comes up, you can still get the name of the DLL by running a HijackThis scan. The infection can be spotted by a line like this:
O20 - Winlogon Notify: ddabx - C:\WINDOWS\System32\ddabx.dll
The name is random, and there is a BHO (O2) entry with the same name. You also have to write down the DLL name backwards, since the virus creates a second file with the reversed name (in this case, xbadd) that needs to be cleaned or the process fails.
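Added example (not part of the original tutorial): a small Python triage helper that applies the Step 1 rule to HijackThis output. It pairs each O20 Winlogon Notify entry with an O2 BHO entry that loads a DLL of the same name, derives the reversed twin name, and lists the registry keys and file paths that Steps 5, 7, 9 and 10 later remove. The log lines are constructed for the example (the O20 line copies the one quoted above, the CLSID copies the one in Step 8); the `Suspect` class and `triage` function are this example's own names, not tools from the page.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample HijackThis lines, not from a real scan. The first O2 and the
# first O20 line load the same DLL name, which is the pattern the tutorial describes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddabx.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: ddabx - C:\WINDOWS\System32\ddabx.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Registry locations named in Steps 5, 7 and 9 of the tutorial.
NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\System32\\ddabx.dll' -> 'ddabx' (lower-cased, extension dropped)."""
    return ntpath.splitext(ntpath.basename(path.strip()))[0].lower()


@dataclass
class Suspect:
    name: str            # DLL name without .dll, e.g. ddabx
    reversed_name: str   # the twin file the tutorial warns about, e.g. xbadd
    dll_path: str
    clsid: str           # CLSID of the matching BHO entry
    registry_keys: list  # keys to inspect, in the order the tutorial removes them
    files_to_check: list


def triage(log_text: str) -> list:
    """Return one Suspect per Winlogon Notify DLL that is also registered as a BHO."""
    notify_entries, bho_by_stem = [], {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            notify_entries.append((m.group("name"), m.group("path")))
            continue
        m = O2_RE.match(line)
        if m:
            bho_by_stem[dll_stem(m.group("path"))] = m.group("clsid")

    suspects = []
    for _, path in notify_entries:
        stem = dll_stem(path)
        if stem not in bho_by_stem:
            continue  # legitimate Winlogon Notify packages are not also BHOs
        clsid = bho_by_stem[stem]
        rev = stem[::-1]
        sysdir = ntpath.dirname(path) or r"C:\WINDOWS\System32"
        suspects.append(Suspect(
            name=stem,
            reversed_name=rev,
            dll_path=path,
            clsid=clsid,
            registry_keys=[
                NOTIFY_ROOT + "\\" + stem,
                CLSID_ROOT + "\\" + clsid,
                BHO_ROOT + "\\" + clsid,
            ],
            files_to_check=[
                ntpath.join(sysdir, stem + ".dll"),
                ntpath.join(sysdir, rev + ".dll"),
            ],
        ))
    return suspects


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"suspect DLL: {s.name} (twin: {s.reversed_name}), BHO CLSID {s.clsid}")
        for key in s.registry_keys:
            print("  registry:", key)
        for f in s.files_to_check:
            print("  file:    ", f)
```

The pairing rule is the discriminator: a DLL registered both as a Winlogon Notify package and as a Browser Helper Object is what the tutorial tells you to look for, so an unpaired Notify entry such as crypt32chain is left alone. Run it against a saved HijackThis log to get the write-down list before you reboot into Safe Mode.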
Step 2
(This step will require you to reboot your computer, so make sure you've printed these instructions.)
You need to set your computer up to always boot into safe mode during this removal process.
In msconfig select the boot.ini tab, then check the /SAFEBOOT box, then select the NETWORK radio button next to it.
Click OK then reboot your computer.
Your computer will now automatically reboot into SafeMode without pressing F8.
You will also have your networking and Internet enabled, so you can update any virus scanners, etc.
When you are finished, repeat these steps but uncheck the /SAFEBOOT box, click OK and reboot again, and the computer will go back to booting normally.
Step 3
After you set your computer to always boot into Safe Mode, you should have followed the prompt to reboot your system. If so, you are in Safe Mode now; if not, reboot your computer now.
First thing to do is to open all of the following programs and processes:
- Process Explorer
- Pocket Killbox
- Windows Explorer or My Computer (something to give you the ability to browse through your computer)
- Registry Editor (to get this, go to Start then Run then type regedit and hit enter)
Step 4
Once all the things in Step 3 are open, go to Process Explorer and find the explorer.exe process on the list. Right-click it and click the "Kill" option. (This will kill your Windows shell, which is why you opened everything needed in this tutorial in Step 3.)
- You can still switch back and forth between programs by holding Alt and hitting the Tab key.
Step 5
Go to the Registry Editor and delete the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]
Note: [Trojan File Name] is the name of the DLL minus the ".dll" part. In my case, the folder was called DDCCD.
Step 6
Go back to Process Explorer and find the process called "winlogon.exe".
Double click it to open up another window that has 8 tabs on the top.
Click the tab that says "threads".
In this tab you will see a bunch of stuff listed under "Start Address".
There should be about 4 of them (might be more, might be less; either way, follow the directions) whose start address carries the name of your trojan DLL file.
One by one, click each trojan DLL entry in the list, then click the "Kill" button.
When all are gone, click the "ok" button at the bottom to close that window and go back to the Registry Editor.
Step 7
Now, the next key hides in the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ part of the registry.
To find the specific key, in the Registry Editor window, click on the top "My Computer" icon in the list, then go to "Edit" on the top bar, then click "find" and search for the trojan name. In my case, I will search for ddccd.
[Becka’s note: when I did this, it was actually found in the HKEY_CLASSES_ROOT section... but since you’re searching, it will be found wherever it may hide....]
Step 8
It may take a while to scan (depending on your processor speed and so on), but it should find a key in the registry tree mentioned above. The editor opens the folder so you can see where it was found. In my case, it found the tree "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}". Write down that name, then delete the tree.
Step 9
Now, you have to delete one more registry key that is hiding in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\.
Go there and look for the same file tree as the one you just deleted, in my case I'm looking for "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}". Find it and remove it.
Step 10
Go to your Pocket Killbox and type into the "Full Path of File to Delete" box: c:\windows\system32\[Your trojan DLL file here]
In my case, I typed: c:\windows\system32\ddccd.dll
Next, click "Delete on Reboot" and check the "End Explorer Shell While Killing File".
Click the red circle with a white X to kill the file and follow the prompts to continue with the kill.
Step 11
It may take a minute or so for your system to finally reboot, but when it does it will be in SafeMode again (this is good).
Step 12
When your computer has completely rebooted, open Process Explorer again, double-click the winlogon.exe process again and go back to the Threads tab. If you do not see your trojan DLL file in there, then congratulations, you're almost clean!
Step 13
Just one more step. Before you reboot into regular Windows, search your computer for the DLL file. It likes to copy itself into other folders, so seek it out and destroy it. In both computers I have cleaned, it hid itself in C:\!Submit, however, it may be different for you, so scan. After you delete the copies, or have verified it's no longer on your system, go on to the next step.
Step 14
Go back to Start, click run, type msconfig, and go to the Boot.ini tab and uncheck the safeboot mode option. You're all set to reboot.
Finished.
When your computer reboots into normal mode, you should not get any more warnings about the virus, nor should you get any popups. In both computers I fixed using my tutorial, I scanned them after fixing and only a small trace of the trojan was found in a temporary Internet folder, so just delete your temporary Internet files and you will be all clean.