Vundo Variant

Discussion in 'malware problems & news' started by razor0018, Apr 23, 2008.

Thread Status:
Not open for further replies.
  1. razor0018

    razor0018 Registered Member

    Joined:
    May 28, 2007
    Posts:
    52
    This nasty thing bypassed my internet security. I was able to finally remove it using Super Anti Spy. During the infection I noticed that this thing:

    - deleted all my system restore points while creating its own only restore point after infection

    - constantly froze explorer in a loop of stopping and restarting itself

    - changed my cookie setting in IE

    - modified several modules and services in Windows and Office

    - also started in safe mode

    Please excuse my noobness but this is the first time I have ever been infected by malware. But my question is if anyone could tell me everything this thing altered on my system so that I can undo it and prepare my system for a reformat after safely backing up my data. I have the infected file inside of a passworded .rar so if anyone would like to examine the file themselves I can upload it somewhere at their request. Any help would be appreciated. Thank you.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Hi razor0018, could you upload the rar to RS and PM me the link please. :)

    And maybe the url where it was picked up from as well.

    SAS is an excellent AS and one of the first I run on other machines but you may want to see if any dregs remain by trying VundoFix.exe
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    How did u get it?

    Maybe u need to post an HJT log on some forums (not here though).
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ran it in a test sandbox where a pmnmnNGX.dll was created in a sandboxed system32 folder.

    A batch file named "removalfile" with the following code was created in C:\Sandbox\TestVundo\user\current\Local Settings\Temp
    Code:
    @echo off
    :df
    del %1
    if exist %1 goto df
    A reghive was created which I have no idea how to interpret.
    And an error popped up when it couldn't do anything else, with everything seemingly contained within the sandbox.
    Vun Error.jpg
     
    Last edited: Apr 23, 2008
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     