Bitch of a Virus - Could not delete. (Also SATA weakness)

David

Troj Vundo H

McAfee didn't detect this one.

Norton detected it but was helpless.

AVG didn't detect it.

PC-cillin detected it but was also helpless.

All the removal instructions couldn't remove the virus program.

.........
OS Windows XP Pro SP2

The Virus was located in the Directory ... Windows\Microsoft.NET

The offending program was vbmc.dll

Quarantine and Delete both failed.

First I had to turn off Real-time scan as it kept popping the alert up
continuously.

Then I couldn't find the program in the directory, I had to uncheck, 'hide
protected operating system files' in the file view section.

The system wouldn't let me delete the virus file, even in Safe Mode, and
when all possible programs were shut down.

(Bear in mind I'd tried the recommended removal instructions earlier...
removing registry strings etc.)

Next I tried various downloadable and promising deletion programs... none
worked, the file was in use by another user or another program... every damn
time.

Next, I booted with a Windows 98 Startup disk and entered the DOS prompt but
the folder wasn't listed in the Windows directory.

Now here is a problem with SATA Hard Drives... ordinarily with an IDE hard
drive, I'd take the disk to another machine and delete the folder from the
other operating system.... but not so easy with the less popular SATA.

Solution...

I didn't want to reformat.

I have two SATA hard drives on the system.

I loaded Windows 98 onto a partition on the 2nd Hard Drive.
This overwrote the Boot info and defaulted Boot to Win 98.
I was then able to delete the file from a basic Win 98 install.
However on Booting the machine, it didn't detect the XP and defaulted to
Win98.
I needed to reboot the XP disk, reload the SATA driver, then enter the XP
repair utilities and fixboot. (An option when reloading XP)

XP booted successfully without a Virus.

Would have been less chew without SATA drives but in the end was better than
a full reformat.

Also, I still have the option to boot into Win98 should the problem
re-occur.

This was the hardest Virus I've encountered to remove.

Norton and PC-cillin, well done in detecting it.

See my other mailing re McAfee.

I'd advise anyone reading this to check their Microsoft.NET folder and
remember to uncheck 'hide protected OS files' first.

If anyone had another method of removing this one, let me know.

Cheers

David.

P.S. Remember to remove the other files listed with vbmc.dll but not the
sub-directory folders.
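The file in this post stayed out of sight because Explorer hides anything carrying both the Hidden and System attributes until "Hide protected operating system files" is unchecked. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it walks a directory such as Windows\Microsoft.NET, flags DLL/EXE files that carry the Hidden+System pair, and reports each one with its SHA-256 so it can be compared against a known-good copy. The attribute bits come from `os.lstat().st_file_attributes`, which only exists on Windows; the `attr_of` parameter is an assumption of this example that lets the logic be exercised (and tested) elsewhere by supplying the bits yourself.

```python
"""Flag Hidden+System DLL/EXE files lurking under a directory tree.

Added example (not from the thread). On Windows, Explorer treats a file with
both FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM as a "protected operating
system file" and hides it by default, which is why vbmc.dll was invisible.
"""
import hashlib
import os
import stat
import sys
from typing import Callable, Dict, List, Tuple

# Win32 attribute bits; the stat module defines these on every platform.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN  # 0x2
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM  # 0x4


def is_protected_os_file(attrs: int) -> bool:
    """Explorer's hiding rule: BOTH Hidden and System must be set."""
    return (attrs & HIDDEN) != 0 and (attrs & SYSTEM) != 0


def default_attr_of(path: str) -> int:
    """Read the Win32 attribute word; on non-Windows hosts it is absent (-> 0)."""
    return getattr(os.lstat(path), "st_file_attributes", 0)


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_protected_files(
    root: str,
    extensions: Tuple[str, ...] = (".dll", ".exe"),
    attr_of: Callable[[str], int] = default_attr_of,  # injectable for testing (assumption)
) -> List[Dict[str, str]]:
    """Walk `root` and report executables that Explorer would hide by default.

    Each hit carries the path, the raw attribute word and the SHA-256, so the
    file can be compared with a clean install or submitted for analysis.
    Unreadable entries are skipped rather than aborting the whole scan.
    """
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            try:
                attrs = attr_of(full)
                if is_protected_os_file(attrs):
                    hits.append({"path": full, "attrs": hex(attrs), "sha256": sha256_of(full)})
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    # Default target is %SystemRoot%\Microsoft.NET, the folder named in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "Microsoft.NET")
    for hit in find_protected_files(target):
        print(f"{hit['attrs']:>6}  {hit['sha256']}  {hit['path']}")
```

Run it as `python find_hidden.py C:\Windows\Microsoft.NET` on the affected machine; an empty result means nothing under that tree is flagged Hidden+System. A hit is not proof of infection on its own (some legitimate components carry those bits), which is why the hash is printed: compare it with the same file on a clean install before deciding anything.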

David H. Lipman

From: "David" <[email protected]>

| Troj Vundo H
|
| McAfee didn't detect this one.
|
| Norton detected it but was helpless.
|
| AVG didn't detect it.
|
| PC-cillin detected it but was also helpless.
|
| All the removal instructions couldn't remove the virus program.
|
| ........
| OS Windows XP Pro SP2
|
| The Virus was located in the Directory ... Windows\Microsoft.NET
|
| The offending program was vbmc.dll
|
| Quarantine and Delete both failed.
|
| First I had to turn off Real-time scan as it kept popping the alert up
| continuously.
|
| Then I couldn't find the program in the directory, I had to uncheck, 'hide
| protected operating system files' in the file view section.
|
| The system wouldn't let me delete the virus file, even in Safe Mode, and
| when all possible programs were shut down.
|
| (Bear in mind I'd tried the recommended removal instructions earlier...
| removing registry strings etc.)
|
| Next I tried various downloadable and promising deletion programs... none
| worked, the file was in use by another user or another program... every damn
| time.
|
| Next, I booted with a Windows 98 Startup disk and entered the DOS prompt but
| the folder wasn't listed in the Windows directory.
|
| Now here is a problem with SATA Hard Drives... ordinarily with an IDE hard
| drive, I'd take the disk to another machine and delete the folder from the
| other operating system.... but not so easy with the less popular SATA.
|
| Solution...
|
| I didn't want to reformat.
|
| I have two SATA hard drives on the system.
|
| I loaded Windows 98 onto a partition on the 2nd Hard Drive.
| This overwrote the Boot info and defaulted Boot to Win 98.
| I was then able to delete the file from a basic Win 98 install.
| However on Booting the machine, it didn't detect the XP and defaulted to
| Win98.
| I needed to reboot the XP disk, reload the SATA driver, then enter the XP
| repair utilities and fixboot. (An option when reloading XP)
|
| XP booted successfully without a Virus.
|
| Would have been less chew without SATA drives but in the end was better than
| a full reformat.
|
| Also, I still have the option to boot into Win98 should the problem
| re-occur.
|
| This was the hardest Virus I've encountered to remove.
|
| Norton and PC-cillin, well done in detecting it.
|
| See my other mailing re McAfee.
|
| I'd advise anyone reading this to check their Microsoft.NET folder and
| remember to uncheck 'hide protected OS files' first.
|
| If anyone had another method of removing this one, let me know.
|
| Cheers
|
| David.
|
| P.S. Remember to remove the other files listed with vbmc.dll but not the
| sub-directory folders.
|

You say McAfee didn't detect this.

What version ?
What ENGINE ?
What DAT file ?

I suggest you try the following...

Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP Firewall to
allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }
 
Dave Budd

Troj Vundo H

Vundo manages to get itself stitched into the winlogon process,
so it's tough to remove as you can't kill that process without
hanging the machine. You can use procexp from sysinternals to
suspend it, though.
 
David

Hi David,

The full issue surrounding McAfee was as follows.

Norton Internet Security detected the Vundo virus but couldn't clean or
delete it, and my subscription was about to end. I thought I'd deleted the
virus manually as I couldn't see it in the folder, but Norton kept popping up
a warning saying it was still active. I thought possibly it was a bug, and my
Norton was about to expire, so I switched to McAfee Security 7, downloaded
all the updates and ran several full system scans... NO virus.

McAfee made my browser run slowly, had a typing delay effect on scripts and
had a bug with Outlook Express, so I chose a refund option and installed the
PC-cillin trial.

PC-Cillin detected that the Vundo Virus was still there.

No points for McAfee.

Norton didn't have a bug after all.

(The reason I couldn't see the virus file is explained below.)

Regards

David.



Virus Guy

David said:
Troj Vundo H

McAfee didn't detect this one.
Norton detected it but was helpless.
AVG didn't detect it.
PC-cillin detected it but was also helpless.
All the removal instructions couldn't remove the virus program.

Take the drive out of the computer and connect it as a slave to a
second computer with anti-viral detection tools. You should have no
problem removing the virus.
 
David H. Lipman

From: "David" <[email protected]>

| Hi David,
|
| The full issue surrounding McAfee was as follows.
|
| Norton Internet Security detected the Vundo virus but couldn't clean or
| delete it, and my subscription was about to end. I thought I'd deleted the
| virus manually as I couldn't see it in the folder, but Norton kept popping up
| a warning saying it was still active. I thought possibly it was a bug, and my
| Norton was about to expire, so I switched to McAfee Security 7, downloaded
| all the updates and ran several full system scans... NO virus.
|
| McAfee made my browser run slowly, had a typing delay effect on scripts and
| had a bug with Outlook Express, so I chose a refund option and installed the
| PC-cillin trial.
|
| PC-Cillin detected that the Vundo Virus was still there.
|
| No points for McAfee.
|
| Norton didn't have a bug after all.
|
| (The reason I couldn't see the virus file is explained below.)
|
| Regards
|
| David.


David:

You didn't answer all my questions nor did you indicate that you had performed my suggested
procedures.
 
David H. Lipman

ADDENDUM:

Updated set of instructions specifically for Vundo.H

Download Process Explorer v9.03 from Sysinternals
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP Firewall to
allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, and rundll32.exe processes
(right-click on these process names and choose suspend)


Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

Physically power the machine off and back on (a hard reset is required as Windows will not
shut down without Winlogon.exe running, and resuming that process will revert the changes
made by the scanner).
 
Rick

David said:
The offending program was vbmc.dll
[snip]


If anyone had another method of removing this one, let me know.

Use a BartPE boot disk ( http://www.nu2.nu/pebuilder/ ). Once you have the
name of the infected file, boot up your system with the boot disk and
rename/delete the offending file.
 
David

Hi,

I fixed the problem as described originally; I loaded Win98 onto my second
drive and deleted the Virus file from the first drive. Then ran fixboot to
get XP running at bootup again from the Setup Disk.
 
David

Hi,

This looks like exactly what I needed.

Cheers

David.



 
Stan

Hi Rick

I've also encountered this nasty invader.

On a client's machine that has just one SATA drive.

Interestingly -- the machine's a Dell 8400 -- both
BartPE and the original XP SP2 install disk were
unable to complete a boot; a BSOD appeared with each.

I need to find another machine with SATA to cure
the issue per Virus Guy's thoughts.

Barring that, I'll use David Lipman's technique. The
reason I'm holding off using David's technique is that
it looks like a lengthy one, and the machine in question
is in use (the trojan is relatively benign, albeit sticky)
an hour's drive away.

Sadly, the techniques used by this trojan will spread;
they are quite effective. Microsoft needs to come up
with a fix that blocks off the use of winlogon in such
a scenario.

-- stan
 
