05-19-2009, 01:59 AM, #1
Sleep Deprived Lazyhawk
Join Date: Feb 2004
Location: In the dreams of the righteous; in the hearts of the deceitful
Posts: 2,900
Vundo Infection - Feasible Solution?
My secondary computer has been infected since the day I got it. I had just been dealing with it until recently, when I figured I'd give a stab at trying to clean up the system.
If anyone's familiar with the Vundo infection, that's what I got. Trust me, I've done plenty of research. ;]
Problem is that no matter how many times I remove the infection, there are 3-4 files that are constantly being reinstalled any time I use any search engine. Don't ask me why, because I have no clue. But after a few weeks of testing, I can honestly say that these files do not appear until the moment that I enter a search query on any website (though browsing through websites causes nothing). I've gone through all my own logs and can confidently say that these are coming from my computer, not the websites. You could say that there's something still left in the depths of this old computer that's constantly reinstalling itself. But that's not what I'm trying to remove.
Instead, I'm curious if it's possible/feasible to simply inhibit the creation of the same 3-4 files that are constantly being added in system32 and the registry. I'm still using Windows XP, and like the majority of the people I've asked, I've no idea how to manage permissions, or if this is even a relevant topic for the situation.
TL;DR: I'm not looking for a cure. I'm curious if it's possible to prevent specific files within /system32/ and the registry from being created or altered, since it is only after these files are created that the infection becomes malicious.
05-21-2009, 07:40 AM, #2
Mister Admin to you
Join Date: Jul 2001
Posts: 30,868
No, it is not possible, since Windows needs to alter files in those folders itself. The best thing to do is to not run Internet Explorer but run another web browser.
The problem, it seems, is that you have Windows Restore turned on, and when you delete the malware/spyware it comes back because Windows restores the file.
Turn off Restore, go into safe mode and run the cleaning programs for Vundo. It will get so thick that the only way to clean it is to reformat.
05-27-2009, 10:37 PM, #3
Sleep Deprived Lazyhawk
Join Date: Feb 2004
Location: In the dreams of the righteous; in the hearts of the deceitful
Posts: 2,900
I've disabled Windows Restore, and the trojan/virus continues to reinstall itself. The infection is not thick or difficult to remove; on the contrary, it's been one of the simplest I've ever encountered, and hasn't corrupted any files that I can tell. The only problem is that it's constantly reinstalling itself any time I'm typing a search query, so it's becoming quite tedious.
There are now only two files that are constantly being created, and both are in the registry. Is it possible to at least prevent these entries from being modified, if I enter blank or false values?
I'm very skeptical about reformatting. I never got any Windows CD with this machine, though it's old enough now that I wouldn't be able to get one anyway. I know I'm cheap in holding onto this dying machine, but I really don't have the money to update/upgrade any of its components, let alone the OS. And as much as I can respect Linux, it doesn't suit my needs.
I will say, though, that Malwarebytes' Anti-Malware has been the most efficient in finding/removing these files. Most other anti-malware/virus programs hadn't even detected Vundo (including the VundoFix program).
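On the narrower question in the post above (can two specific registry entries be locked against modification?): a single key can carry a Deny ACE, which is what regedit's Permissions dialog sets up by hand. This is an added example and not code from the thread or from any of the tools mentioned in it. The key path it defaults to is an assumed stand-in; point it at the key your scanner keeps re-flagging. It does not extend to locking the system32 directory as a whole, and it is a speed bump rather than a cure, for the reason given in the comments.

```powershell
# Added example, not code from the thread. Puts a Deny ACE on one registry key
# so that no process, whatever account it runs as, can add or change values
# under it; use -Unlock to take the ACE off again. Run from an Administrator
# account (the script only asks for the rights to read and change the DACL).
#
# ASSUMPTION: the default key below is a stand-in. Point it at the key your
# scanner keeps re-flagging.
#
# CAVEAT: a Deny ACE stops writes, not ownership changes. Anything already
# running as Administrator or SYSTEM (which, on an XP admin account, includes
# whatever re-creates these entries) can take ownership, strip the ACE and
# carry on. Treat this as a speed bump while you hunt the process, not a fix.
param(
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Hive = 'LocalMachine',
    [string]$KeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # assumed stand-in
    [switch]$Unlock
)

$base = if ($Hive -eq 'LocalMachine') { [Microsoft.Win32.Registry]::LocalMachine }
        else                          { [Microsoft.Win32.Registry]::CurrentUser }

# Open with exactly the rights needed to edit the DACL, nothing more.
$key = $base.OpenSubKey($KeyPath,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]'ReadPermissions,ChangePermissions')
if ($key -eq $null) { throw "Key not found: $Hive\$KeyPath" }

# Everyone (S-1-1-0) by SID, so the rule also works on non-English installs.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# The rights that let a process plant or alter persistence here. Delete is
# included so the key cannot simply be removed and re-created without the ACE.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
if ($Unlock) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
$key.SetAccessControl($acl)
$key.Close()

# Show the resulting DACL, then prove the lock by attempting a write.
$base.OpenSubKey($KeyPath).GetAccessControl().Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

if (-not $Unlock) {
    try {
        $probe = $base.OpenSubKey($KeyPath, $true)      # asks for KEY_WRITE
        $probe.SetValue('LockProbe', 'x')
        $probe.DeleteValue('LockProbe')
        $probe.Close()
        Write-Warning "Key $Hive\$KeyPath is still writable from this account; the Deny ACE did not take."
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        Write-Host "Lock verified: writes to $Hive\$KeyPath are denied ($($_.Exception.GetType().Name))."
    }
}
```

Two things to keep in mind before using it on a real key: the Deny applies to your own account too, so legitimate installers will fail to add entries under the locked key until you run it again with -Unlock; and because the ACE leaves ChangePermissions alone, an administrator (or malware running as one) can reverse it just as easily as the script does.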
05-28-2009, 07:23 AM, #4
Mister Admin to you
Join Date: Jul 2001
Posts: 30,868
Any time I have used VundoFix it has never come back. If files are recreating themselves then you seem to have Windows Restore still on, because if you remove the files they shouldn't come back, unless you visit the same site over and over. Files do not go into the registry; they get created and the settings go into the registry, therefore you are still getting the files. It could also mean you have another one that is undiscovered and it is installing Vundo every time. MalwareBytes is good but it will not find everything. Are you still using IE when you query?
Vundo can become a real problem; I have seen it and dealt with it.
05-28-2009, 12:05 PM, #5
Part Time Lurker
Join Date: Aug 2002
Location: Bethlehem, PA
Posts: 1,614
I used to work for a helpdesk at college and infected PCs would come in all the time. The way that I got rid of viruses/spyware was to run a bunch of different tools (VundoFix, SUPERAntiSpyware, Ad-Aware, Spybot S&D, etc.) in safe mode. Sometimes I would have to do it 2-3 times each in order to get the machine fully clean.
If that doesn't get rid of it... one of your only options might be to reformat and reinstall... though you said that you don't have a Windows CD which makes it tough. Linux?
Scoutt, do you think there would be any harm in placing that hard drive in another clean computer and doing the scans from there? That way the system files that are infected shouldn't be active as Windows is running from another disk.
05-29-2009, 10:56 AM, #6
Super Deity (Level 18)
Join Date: Mar 2001
Location: 127.0.0.1
Posts: 4,035
You will want to identify what process you have running in the background that continues to restore these files. A couple of tools that will help you with this are:
Process Explorer: http://technet.microsoft.com/en-us/s.../bb896653.aspx
Autoruns: http://technet.microsoft.com/en-us/s.../bb963902.aspx
Process Explorer will give you a detailed breakdown of all the processes you have running; look for anything that is not signed. Autoruns does a detailed scan of everything that starts up on your computer. This will be a huge list, but again look for anything that is not signed.
Once you have identified that file, you will want to write down the location and boot into the Microsoft Recovery Console. You can find the Recovery Console by booting from your XP CD; the following article might also help:
http://support.microsoft.com/kb/307654
Once in the Recovery Console, delete any files that you identified as malware. If you get "access denied" when trying to delete the files, renaming them will usually work; just add a ".virus" extension to them or something like that.
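The "look for anything that is not signed" triage above can be scripted so that the same check runs over every load point at once and the results can be sorted by file age. The block below is an added example, not code from the thread and not part of Process Explorer or Autoruns; it assumes PowerShell 2.0 on XP run as an administrator, and it covers a selection of load points (Run/RunOnce, Winlogon notification packages, Browser Helper Objects, services and their ServiceDll, plus running processes), which is narrower than Autoruns' full coverage.

```powershell
# Added example, not code from the thread: a scripted version of the
# "look for anything that is not signed" triage, in the spirit of Autoruns
# and Process Explorer. Assumes PowerShell 2.0 on XP, run as an administrator.

function Resolve-ImagePath {
    # Turn a registry command string into the file that actually gets loaded.
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $c = $c -replace '^\\\?\?\\', ''                          # \??\C:\...      (services)
    $c = $c -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... (drivers)
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { $exe = $c.Substring(1, $end - 1); $rest = $c.Substring($end + 1) }
        else            { $exe = $c.Trim('"');               $rest = '' }
    } else {
        $m = [regex]::Match($c, '(?i)^(.+?\.(?:exe|dll|sys|ocx|cpl|scr))(.*)$')
        if ($m.Success) { $exe = $m.Groups[1].Value;  $rest = $m.Groups[2].Value }
        else            { $exe = ($c -split '\s+')[0]; $rest = '' }
    }
    # "rundll32.exe some.dll,Entry": the DLL, not rundll32, is what to inspect.
    if ($exe -match '(?i)(^|\\)rundll32(\.exe)?$' -and $rest.Trim()) {
        $exe = ($rest.Trim() -split ',')[0].Trim('"', ' ')
    }
    if (-not [IO.Path]::IsPathRooted($exe)) {                 # bare names and system32-relative paths
        foreach ($dir in "$env:SystemRoot\system32", $env:SystemRoot, "$env:SystemRoot\system32\drivers") {
            if (Test-Path -LiteralPath (Join-Path $dir $exe)) { return (Join-Path $dir $exe) }
        }
    }
    return $exe
}

function New-Entry([string]$Source, [string]$Command) {
    New-Object PSObject -Property @{ Source = $Source; Command = $Command }
}

function Get-LoadPoints {
    # 1. Run / RunOnce for the machine and the current user
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { New-Entry "$k\$($p.Name)" ([string]$p.Value) }   # skip provider metadata
        }
    }
    # 2. Winlogon notification packages: DLLs loaded into winlogon.exe at logon
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            New-Entry "Winlogon\Notify\$($sub.PSChildName)" ([string](Get-ItemProperty -LiteralPath $sub.PSPath).DllName)
        }
    }
    # 3. Browser Helper Objects: the CLSID's InprocServer32 default value is the DLL IE loads
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($sub in Get-ChildItem $bho) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32"
            if (Test-Path $srv) { New-Entry "BHO $($sub.PSChildName)" ([string](Get-ItemProperty $srv).'(default)') }
        }
    }
    # 4. Services and drivers; svchost-hosted services keep their real code in ServiceDll
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { New-Entry "Service $($svc.PSChildName)" ([string]$img) }
        $dll = (Get-ItemProperty -LiteralPath "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { New-Entry "Service $($svc.PSChildName) (ServiceDll)" ([string]$dll) }
    }
    # 5. Running processes (Process Explorer's view); protected ones are skipped
    foreach ($p in Get-Process) {
        try { New-Entry "Process $($p.Name) [$($p.Id)]" $p.MainModule.FileName } catch { }
    }
}

function Test-LoadPointSignatures {
    foreach ($e in Get-LoadPoints) {
        $path = Resolve-ImagePath $e.Command
        $status = 'MISSING'; $signer = ''; $written = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $written = (Get-Item -LiteralPath $path).LastWriteTime
        }
        New-Object PSObject -Property @{ Source = $e.Source; Path = $path; Status = $status; Signer = $signer; LastWrite = $written }
    }
}

# Anything not 'Valid' is worth a look; newest files first, since entries that
# keep getting recreated will carry fresh timestamps.
Test-LoadPointSignatures | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object LastWrite -Descending |
    Format-Table Source, Status, LastWrite, Path -AutoSize -Wrap
```

Expect the list to be long: on XP many Windows binaries are signed through catalog files rather than an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned alongside anything hostile. What stands out in practice is an unfamiliar name under system32 with a LastWrite time that matches when the entries reappeared, or a MISSING status for a file that was deleted but whose load point survived; those are the paths worth writing down before booting into the Recovery Console.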
05-29-2009, 10:58 PM, #7
Mister Admin to you
Join Date: Jul 2001
Posts: 30,868
Quote:
Originally Posted by mikeyp
Scoutt, do you think there would be any harm in placing that hard drive in another clean computer and doing the scans from there? That way the system files that are infected shouldn't be active as Windows is running from another disk.
If worse came to worst, that is an excellent idea. That would be the best idea next to a reformat.