Once again blogging remotely… because I can.

I’m sitting in the front lobby of the New Horizon’s training center where my wife is taking a class, waiting for it to finish up. I’ve been here about a half-hour or so and probably have at least another half-hour to go, but I have my laptop and they have unsecured wireless so I’m taking advantage of it. I have to admit that this is one of the cooler things about having a laptop with a wireless card. It’s not something I do very often, but I always feel all man-of-the-world-like whenever I get the chance.

I’m only here because I had a 5:30PM job to do with the Compeople folks and by the time I got done it just didn’t make sense to go all the way home when I’d have to turn around and come back out to get my wife from her class. The job this evening was dealing with a nasty adware trojan known as Trojan.Vundo.B. This bastard is so clever that it knows the only way to remove it is to use a special program running in safe mode, so it makes it as difficult as possible to boot into safe mode. It does this by trying to prevent the desktop interface from coming up when you log in, but it can’t stop you from pulling up the task manager, so using that I was able to get a DOS window open and run the tool from Symantec. Alas, the tool from Symantec totally failed to find the virus in question even though Norton Anti-Virus would go nuts reporting the virus’s presence when it was allowed to run. I eventually found another means of removing it that involved hacking the hell out of the registry and deleting the files by hand after killing the processes involved.

Complete. Pain. In. The. Ass. But it worked. Only took two hours to figure it out too.

Whoops. Looks like Anne just got out of class. Time to go.

5 thoughts on “Once again blogging remotely… because I can.”

  1. Personally, I prefer clean rebuilds instead of major surgery on Windows boxen. The clean rebuild may just entail replacing Windows with Linux; other than for the odd game or two I have no use for Windows anymore.

  2. Oh, trust me, I wanted to just do a clean restage. In fact, this was my second visit to this person’s place and the first time I left I told him we needed to restage it and I thought I had convinced him that was the way to go, but he called up and said he wanted to take the risk of it taking more time for me to fix it without a restage. I told him I couldn’t guarantee that it could be fixed without a restage and that even if I did get the one virus off there was no guarantee I’d get all of them.

    But, I’m so good, I got ‘em all. Not how I wanted to do it, but it’s done and he’s happy.

  3. Les, instead of using Symantec’s toy, try this one:
    http://www.atribune.org/downloads/VundoFix.exe

    Vundo is tricky. Here’s part of a canned speech at the malware forum I am a member of…

    1. Double-click VundoFix.exe to extract the files.
    2. This will create a VundoFix folder on your desktop.
    3. After the files are extracted, please reboot your computer into Safe Mode.

       * If the computer is running, shut down Windows, and then turn off the power.
       * Wait 30 seconds, and then turn the computer on.
       * Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a “keyboard error” message. To resolve this, restart the computer and try again.
       * Ensure that the Safe Mode option is selected.
       * Press Enter. The computer then begins to start in Safe mode.

    4. Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat.
    5. You will first be presented with a warning and a list of forums to seek help at. It should look like this:

       VundoFix V2.13 by Atri
       By using VundoFix you agree that you are doing so at your own risk
       Press enter to continue….

    6. At this point press Enter one time.
    7. Next you will see:

       Type in the filepath as instructed by the forum staff
       Then Press Enter, Then F6, Then Enter Again to continue with the fix.

    8. At this point please type the following file path (make sure to enter it exactly as below!):

           C:\WINDOWS\system32\vtstr.dll

       (Note: the filename itself varies from infection to infection)

    9. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    10. Next you will see:

        Please type in the second filepath as instructed by the forum staff
        Then Press Enter, Then F6, Then Enter Again to continue with the fix.

    11. At this point please type the following file path (make sure to enter it exactly as below!):

            C:\WINDOWS\system32\rtstv.*

    12. Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    13. The fix will run, then HijackThis will open.
    14. In HijackThis, please place a check next to the following items and click FIX CHECKED:

            O2 – BHO: MSEvents Object – {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} – C:\WINDOWS\system32\vtstr.dll
            O20 – Winlogon Notify: vtstr – C:\WINDOWS\system32\vtstr.dll

    15. After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    16. Pressing any key will cause a “Blue Screen of Death”; this is normal, do not worry!

    That is just a sample; you could make up any canned speech of your own. I know you are smart enough to get the gist of how to use atribune’s vundo tool.

    Malware fighting is one of my specialties. Need any help or info about something, just give me a yell or email me.
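The two HijackThis items in the canned speech above share one pattern: the same DLL is loaded both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), and the second path to remove is the first filename reversed (vtstr.dll / rtstv.*). The script below is an added example, not part of the post, the comment, or the VundoFix tool: it parses constructed HijackThis-style log lines (the en-dash separators the blog shows and the plain hyphens a real log uses are both accepted) and reports DLLs with that O2/O20 pairing, together with the reversed-name companion path to check and the log lines to tick in HijackThis.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed HijackThis-style log (not from a real machine). The two vtstr.dll
# entries mirror the items the comment above says to fix; the rest are made-up
# benign entries that must not be flagged.
SAMPLE_LOG = """\
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\\WINDOWS\\system32\\vtstr.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\toolbar.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: ExampleNotify - C:\\WINDOWS\\system32\\example_notify.dll
O20 - Winlogon Notify: vtstr - C:\\WINDOWS\\system32\\vtstr.dll
"""

# Real logs separate fields with "-"; pasted into a blog they often become an en dash. Accept both.
SEP = r"\s+[-\u2013]\s+"
O2_RE = re.compile(r"^O2" + SEP + r"BHO:\s*(?P<name>.*?)" + SEP
                   + r"(?P<clsid>\{[0-9A-Fa-f-]+\})" + SEP + r"(?P<path>.+?)\s*$")
O20_RE = re.compile(r"^O20" + SEP + r"Winlogon Notify:\s*(?P<name>\S+)" + SEP + r"(?P<path>.+?)\s*$")


def parse_entries(log_text):
    """Yield (section, dll_path, raw_line) for O2 and O20 lines; other sections are ignored."""
    for line in log_text.splitlines():
        m = O2_RE.match(line) or O20_RE.match(line)
        if m:
            yield line.split()[0], m["path"], line.rstrip()


def companion_path(dll_path):
    """Second file to check: same folder, base name reversed, any extension
    (the vtstr.dll / rtstv.* pair from the comment above)."""
    p = PureWindowsPath(dll_path)
    return str(p.with_name(p.stem[::-1] + ".*"))


def find_vundo_pairs(log_text):
    """Report DLLs registered both as a BHO (O2) and as a Winlogon Notify handler (O20)."""
    by_dll = defaultdict(list)  # lower-cased path -> [(section, path, raw_line)]
    for entry in parse_entries(log_text):
        by_dll[entry[1].lower()].append(entry)
    hits = []
    for entries in by_dll.values():
        if {"O2", "O20"} <= {section for section, _, _ in entries}:
            dll = entries[0][1]
            hits.append({"dll": dll, "companion": companion_path(dll),
                         "fix_lines": [raw for _, _, raw in entries]})
    return hits


if __name__ == "__main__":
    print(find_vundo_pairs(SAMPLE_LOG))
```

Only the vtstr.dll pairing is reported; the lone BHO and the lone Winlogon Notify entry in the sample are left alone, since a single registration is normal for plenty of legitimate software.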

  4. Jynxed, actually that’s exactly the tool I ended up using to clean it off. Then I followed it up with Microsoft’s Anti-Spyware tool which removed the remaining Registry entries for the trojan.

    Elwed, I’ll check it out. Thanks!
