I hope someone can help me sort out my Vundo

Discussion in 'malware problems & news' started by John Lock, May 9, 2008.

Thread Status:
Not open for further replies.
  1. John Lock

    John Lock Registered Member

    Joined:
    May 9, 2008
    Posts:
    6
    Hi, newbie here. Fell onto this site, liked the threads and posts so much, I joined. You guys seem to know what's what. Got a question for anyone that's interested or can help. Got a trojan a while back (Doh!), a bit nasty! Vundo/Virtumonde. Followed some advice I found online and it seemed to work (involved Dr.Web CureIt and SUPERAntiSpyware). But I ran a routine SAS scan on our second PC and it froze dead each time it found a file c:\$Secure::$SDS
    Does anyone know why/seen this before/know what it is? Despite the suspicious $, I think it might be some form of archiving/data storage file.
    Could it be Vundo hiding itself or am I being paranoid? Anyone got any more info on Vundo?
    All help appreciated.
    Best,
    John

    This post and numerous responses below were moved from this thread and this one for better assistance and to remain on topic....Bubba
     
    Last edited by a moderator: Jun 1, 2008
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Re: Spyware What is Recommended These Days?

    Hi, and welcome to wilders.:thumb:
    Sometimes, SAS freezes and causes a BSOD when it finds some poorly written malware. To avoid this, uncheck "terminate memory threats before quarantining".

    You could also try scanning in safe mode.


    Just use the search feature and look for "vundo" or "virtumonde"...
     
  3. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Re: Spyware What is Recommended These Days?

    I think this malware is very well written. LOL :D
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Re: Spyware What is Recommended These Days?

    LMAO yeah probably...:D
    But I don't know how much time is dedicated by "developers" to debug malware...

    Anyways, I hope John Lock can solve his problem.
     
  5. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Re: Spyware What is Recommended These Days?

    John - please try our 4.1 pre-release of SUPERAntiSpyware here:
    http://www.superantispyware.com/prerelease.html

    This should resolve the problem you are having, if not, please let us know and we will find out what is going on.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Spyware What is Recommended These Days?

    I also believe that malware in alpha or beta mode can cause more problems than its final version, but I can't prove it.
     
  7. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Re: Spyware What is Recommended These Days?

    Yes, ALPHA or BETA products can - ours is PRE-RELEASE, long past alpha/beta - just about ready for public release.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Spyware What is Recommended These Days?

    Yes, but I think you are talking about ANTI-MALWARE, I was talking about MALWARE. :)
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Re: Spyware What is Recommended These Days?

    Badly written malware keeps us relatively safe, I guess. There are so many floating around; for their writers the whole web is a testbed, endlessly debugging and improving their code until finally something real hits our systems. It's obvious they have no official alpha/beta releases, just releases that gradually, over time, become a more serious threat.

    If "badly written malware" makes SAS crash, then it's not that badly written at all! ;)
     
  10. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Re: Spyware What is Recommended These Days?

    Version 4.1 resolves any BSOD/crash issues due to poorly written malware.
     
  11. John Lock

    John Lock Registered Member

    Joined:
    May 9, 2008
    Posts:
    6
    Re: Spyware What is Recommended These Days?

    Just noticed your comment on 'Rogue' antispyware scanners. I've been running SAS to try to get rid of a problem and it keeps on finding 'Rogue-Search+destroy'. I don't get a chance to do anything about it because about five seconds after that, it finds 'Documents and settings\Default User\NTUSER.DAT' and then freezes. The whole PC is frozen and the only remedy is the power button.
    I've turned it back on and can't find any S+D software anywhere. I did find the NTUSER.DAT file and tried to delete it but it won't let me; it says it's being used or I don't have permission.
    Can you help? I downloaded the prerelease version of SAS on the recommendation of the SAS guy (you were on that thread) but it does the same each time. Any ideas?
    Best
    :doubt: John Lock
     
  12. John Lock

    John Lock Registered Member

    Joined:
    May 9, 2008
    Posts:
    6
    Re: Spyware What is Recommended These Days?


    Hi, I'm still bumbling around in the dark, trying various AS programs to fix my problem. I downloaded the SAS pre-release version 4.1 but it still freezes (no BSOD) on contact with an "NTUSER.DAT" file. Once I've rebooted it refuses to be moved, deleted or even talked to, claiming it's in use or that I don't have permission!
    Just thought I'd throw this one into the ring to see if anyone, like yourself, fancies chewing on it.
    Best regards,
    John Lock
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Spyware What is Recommended These Days?

    No, I can't help you, because I'm not a professional.
    In this link :
    https://www.wilderssecurity.com/showthread.php?t=42148
    you will find Malware Forums at the bottom. These forums are specialized in removing any kind of malware.
    I suggest you create a HijackThis Log and post that log in one of these forums along with an explanation of your problem.

    I had the same problems as you in the past and didn't have a solution either.
    Each time I found strange objects due to installing/uninstalling healthy or dirty software, I was really irritated by this, and it repeated itself over and over again.
    After becoming more knowledgeable, I solved this problem once and for all by a frozen system partition. :)
     
    Last edited: May 28, 2008
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Re: Spyware What is Recommended These Days?

    @John Lock

    Have you tried scanning in safe mode?
     
  15. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Re: Spyware What is Recommended These Days?

    http://forums.superantispyware.com/viewtopic.php?t=1591

    That should resolve the problem.
     
    Last edited by a moderator: May 29, 2008
  16. John Lock

    John Lock Registered Member

    Joined:
    May 9, 2008
    Posts:
    6
    Re: Spyware What is Recommended These Days?


    Hi,
    Thanks for your interest. Yes, I tried scanning in safe mode but to no avail. I'm stuck!
     
  17. John Lock

    John Lock Registered Member

    Joined:
    May 9, 2008
    Posts:
    6
    Re: SAS Saves The Day!

    Hi, I hope someone can help me sort out my Vundo. My teenage daughter is strongly suspected of getting me this; three oldish PCs networked. Yeah, asking for trouble, I know. I've run SAS a number of times and it seems to have cleaned house on mine but it freezes SAS on my daughter's PC every time I run it. Same spot, same file. Tried finding the file and deleting it (nothing could be that simple... and it wasn't!), "NTuser.DAT", which has appeared all over the place and seems to appear again after being deleted or refuses to be deleted. I've tried this in safe mode and disconnected from the web, system restore turned off too. Anyone want to toss in some suggestions, apart from the obvious format and reinstall, which seems to be the next logical step?
    Any help appreciated, but bear with me, I'm slow, old and understand installing hardware more than repairing software so be gentle with me!
    Thanks,
    John
     
  18. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    Re: SAS Saves The Day!

    I suppose you could try Malwarebytes' Anti-Malware if you haven't already.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Re: SAS Saves The Day!

    If I am not mistaken NTuser.dat is part of the registry. Deleting that wouldn't be good.

    Pete
     
  20. SoCalReviews

    SoCalReviews Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    282
    Location:
    Los Angeles, CA
    Re: SAS Saves The Day!

    Hello John,

    I am sure there are entire threads in this forum and other forums devoted to providing you the answers you are looking for but I will try to help out some here. I don't mind at all posting about this or discussing it in this thread but you might be better off starting another new thread regarding this rather extensive topic of removing Vundo variants. The Moderators have my approval if they want to move this post into that new thread or into a different thread regarding Vundo removal.

    Until this past week I had never seen a Vundo infection on a system. The big problem with Vundo is that there are so many variants. The virus also seems to randomly generate executable files that re-infect the machine. I am sure there are other threads explaining the best way to remove the Vundo infections. I can only provide some basic advice for the machine that is still infected.

    Your best bet is to boot in safe mode without network support by tapping F8 during the initial computer boot phase and try to run all of your security software (anti-virus, anti-spyware, etc.) that is already installed and see if it can at least partially cripple the virus. If you have any previous experience using the msconfig command (START > Run..., type msconfig, click on the Startup tab) you could try to disable any Vundo virus related startup entries (usually seen as weird looking files using rundll with multiple letters. You can refer to the Vundo removal information web sites, which may explain what entries to consider malicious. Not all rundll files are bad, so you don't want to un-check just any file from starting up.) Unchecking some of the suspect Windows startup entries that look malicious by using msconfig does not remove the infection but can help you gain control over your system so that the anti-malware software can better do its job. Note that changing the active startup entries will not have an effect until you reboot the system.

    You will make your Windows startup changes remain by OK'ing the change and checking the Windows startup change pop-up box that shows up after you reboot the system (reboot again in safe mode if you still need to run online scans). If you have never used msconfig or do not have any idea how to identify the good startup entries vs. possible Vundo ones then do not do this and simply try to mostly use security software scans to remove the infection. After all this, try to reboot into safe mode (tapping F8 during initial system startup again) but with networking support and update all your anti-malware programs including SAS (then run it with a FULL system scan) so that you have the latest definitions, and then run those programs in safe mode again.

    Reboot again into safe mode with networking support and if possible do as many browser based online scans as you can... ESET has one, Kaspersky, Trend Micro, etc. I would go in that order; it might take hours to complete them and some might require that you use Internet Explorer as a browser. One word of advice: don't use system restore with Vundo because the infected files can re-install from the backed up files. As a matter of fact, if you are able to remove or cripple the virus you might want to turn off system restore and then turn it back on. This action clears those backed up system files and should delete the backed up virus files with them.

    That is about all I can suggest with this type of virus. Just like you experienced with one of your systems I would think that when SAS is fully updated and running in safe mode it should be able to remove most of the Vundo remnants. However, if the infection is bad enough it actually might be easier to re-install Windows but you should at least give it your best effort and some time to try to get rid of the virus first.

    I am sure others here can offer more solutions for you. You should search in this forum for those other Wilders threads about removing Vundo. I always try to get as much information as possible to help remove infections like this one. You can also Google some other sites for more information. Here is some additional information I found regarding removing Vundo infections...

    http://wiki.castlecops.com/Malware_Removal:_Virtumundo

    http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview
     
    Last edited: Jun 1, 2008
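    An added example, not written by any poster in this thread, that scripts the two checks the post above walks through by hand: it lists the Run-key startup entries and flags rundll32-based ones whose DLL name looks random (the pattern SoCalReviews describes), and it shows which NTUSER.DAT file backs each user's registry hive, which is why that file cannot be deleted while the user is logged on. The key list, the "looks random" vowel-ratio heuristic and the output format are my assumptions, not a Vundo signature; a SUSPECT line is a candidate to research, not something to delete. Run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread). Enumerate the Run/RunOnce keys and flag
# rundll32 entries whose DLL name looks random. The heuristic is an assumption.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these provider properties; they are not startup entries.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-LooksRandom {
    param([string]$DllPath)
    # Heuristic (assumption): 6+ letters, no digits, and vowels under 25% of the name.
    $base = [IO.Path]::GetFileNameWithoutExtension($DllPath)
    if ($base.Length -lt 6 -or $base -notmatch '^[A-Za-z]+$') { return $false }
    $vowels = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    return ($vowels / $base.Length) -lt 0.25
}

function Resolve-DllPath {
    param([string]$DllPath)
    # rundll32 loads a bare DLL name from System32; mirror that for the existence check.
    $p = [Environment]::ExpandEnvironmentVariables($DllPath)
    if ($p -notmatch '[\\/]') { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # Match: rundll32[.exe] ["]path\name.dll["],EntryPoint
        if (-not ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)')) { continue }
        $dll    = $Matches[2]
        $exists = Test-Path (Resolve-DllPath $dll)
        $flag   = if (Test-LooksRandom $dll) { 'SUSPECT' } else { 'review ' }
        '{0} {1}\{2} -> {3} (dll present: {4})' -f $flag, $key, $p.Name, $cmd, $exists
    }
}

# NTUSER.DAT is the per-user registry hive; Windows loads it as HKCU at logon,
# so it is locked and cannot be deleted or moved. Show which file backs each profile.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    ForEach-Object {
        $dir = (Get-ItemProperty $_.PSPath).ProfileImagePath
        '{0} -> {1}\NTUSER.DAT' -f $_.PSChildName, [Environment]::ExpandEnvironmentVariables($dir)
    }
```

    The script only reads; disabling an entry is still a manual msconfig step as the post describes, taken only after the DLL has been identified. A scanner that hangs on NTUSER.DAT is hitting the live hive, not a dropped file, which is consistent with the later replies that the file is part of the registry.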
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hi John Lock! I think Peter is correct. If you're talking about the NTuser.dat, I think that is part of the normal registry where users' customizations are saved. Why are you trying to remove that? Or am I missing something?
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    John,
    In post #13 I already said what to do.
    You won't get rid of vundo, unless you ask for experienced help, which is provided in Malware Forums.
    A Malware Forum will tell you exactly what to do step by step, based on your HijackThis Log.
    Wilders doesn't solve HijackThis Logs anymore.

    Once you get rid of vundo, you can ask Wilders how to prevent this in the future. It's possible, if you want to do something about it. I get rid of any vundo variant or any other nasty malware in no time, but I'm PREPARED, and many users don't like to be prepared, because that requires extra work and other procedures and other habits, and who wants to change his rusted habits?
     
    Last edited: Jun 2, 2008
  23. John Lock

    John Lock Registered Member

    Joined:
    May 9, 2008
    Posts:
    6
    Firstly Guys, so sorry for my incorrect protocol. I didn't intentionally mean to hijack this thread - Bubba, moderator pointed this out and has started a new thread for Vundo problems with my posts.
    Secondly, thanks for your efforts in trying to help, SoCal, and Erik amongst others. I'll do my best to follow your advice and get rid of it.
    Thirdly, Pete, SAS froze five times in safe mode on NTuser.DAT which was why I thought it was suspicious.
    Thanks for your patience-I'm new to forums!- apologies and I'm out of this thread.
    John.
     
  24. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @John Lock

    I believe it's OK for you to ask your questions on this thread. Several posts were removed from other threads and merged here, so you can get help cleaning your Vundo infection in just one thread.

    Have you tried MBAM?

    It's weird that SAS freezes on safe mode. If I were you, I would format the PC...it seems in this case it's a lot less trouble.
     