Trojan.Vundo - removing the virus
Posted by Matt on 7th June 2007
Below is my account of getting the Trojan.Vundo virus. Here’s what I did to get rid of it. Use this info at your own risk.
Recently, while browsing the internet with MSIE version 7 on Windows XP SP2, fully updated, I got a bunch of windows suddenly popping up and things started downloading onto my computer. AVG antivirus said I had a virus but couldn’t do anything about it. The virus seemed to install a bunch of crap software on my computer and embedded itself into the winlogon.exe process. Some things I saw were think-adz search assistant, zenosearch, twink, yazzle, outerinfo. Keep in mind I was just browsing the internet; I did not download anything.
The first thing I did when processes and things started going crazy was start killing processes, then disconnect my internet connection. I deleted whatever I could out of my temp folders: windows/temp and each user’s temp folder in documents&settings/localsettings/temp. I deleted all my internet browsers’ cache/history/cookies. I downloaded an uninstaller for outerinfo from the outerinfo website, which I will not link to here. In short, I deleted everything I could find that the system would let me delete. I also tried to delete things in safe mode but still could not remove the apparent virus file sstqp.dll. When using MSIE, search windows and windows to other websites would pop open; some of them were think-adz, searchhound, mysearchlive, hollywood, canceriq, jack9, and a few other IP addresses, all of which I blocked with Norton Internet Security. I also changed my browser settings. In Internet Explorer -> Tools -> Internet Options -> Security -> Trusted sites, I set the slider to High, clicked OK and deleted every site that was there, which had been added by the viruses, because I never use this feature. These viruses exploit the trusted sites feature by injecting URLs in there and having another program visit them, which, because they are trusted, download more viruses with ease because of the slacker ActiveX default settings of the trusted sites.
AVG antivirus couldn’t do anything about it. I installed Norton Internet Security, including the firewall and antivirus, and it also couldn’t do anything about it. I downloaded fixvundo.exe from Norton, followed the instructions, and after a long scan of the computer it could not even find the virus… yet Norton Antivirus was showing me that the problem file seemed to be WINDOWS/system32/sstqp.dll.
I downloaded a VundoFix.exe file by atribune.org. It found a list of files that were problems but couldn’t delete 3 of them:
cbxvsst.dll
ddcbcyw.dll
pmnljii.dll
pmnnono.dll - could not be deleted
pqtss.bak1
pqtss.ini - could not be deleted
sstqp.dll - could not be deleted
Seeing how all these programs had been downloaded and installed on my computer without my knowledge, during this time I was limiting my internet connection; I’d just turn it off. Checking my running processes with Windows Task Manager (ctrl+alt+del), I observed winlogon.exe using tons of resources; about every second it would flicker on then off, then on then off… it was really slowing the computer down. I found that by using Process Explorer and suspending winlogon.exe, which is where the virus was hiding, the resource usage went back to normal and I could still use the computer normally. I connected to the internet only when winlogon.exe was suspended, thinking that if the resources aren’t being used, possibly nothing more is being downloaded. I would un-suspend winlogon.exe only when I was not connected to the internet, and I also set Internet Explorer to work offline and was using Netscape instead, which the virus didn’t seem to be involved with. When the virus would try to pop open an IE window, I would just tell IE to stay offline.
Now to actually fixing the problem. I found my answer at the SpywareInfo forums. I had already downloaded some software while reading about the problem in other forums. Software I downloaded included HijackThis, which is vitally useful for this problem, Brute Force Uninstaller, which I didn’t end up using, and some other files at the suggestion of different forum threads that I read. I used HijackThis and deleted registry entries that didn’t look right to me, but only ones I was sure about. I followed the suggestions from the SpywareInfo forums and downloaded their software called VundoFix.exe. Their instructions were basically the following: run VundoFix.exe to unzip the files, then:
restart in safe mode;
run killvundo.bat;
at the first screen type: C:\WINDOWS\system32\sstqp.dll
press Enter;
at the second screen type: C:\WINDOWS\system32\sstqp.*
press Enter, and the program does its magic.
Place the HijackThis file in the root C folder (do this to begin with). After typing the second string I got an error that the HijackThis file couldn’t be found, and the whole safe mode desktop screen went black and all my desktop icons disappeared. I got worried.
I manually turned the computer off by holding the power button. I turned it back on and it started normally. The first thing I noticed is that when Norton Antivirus loaded, it no longer gave me a popup (one that could not be turned off) saying I had the Trojan.Vundo virus in the file sstqp.dll. That was nice. Then I opened HijackThis and deleted the two entries pertaining to sstqp.dll, one a BHO and one a Winlogon Notify, which now said (file missing) next to them. I also noticed my system resources seemed normal.
Looking good… I was still not connected to the internet. I then deleted every possible thing I could think of: all the temp folders, internet cache, etc. I installed Spybot, SpywareBlaster, and Ad-Aware SE Personal, ran them without updating the definitions and deleted everything they found that was a problem.
Then I connected to the internet, updated the definitions of all 3 programs and ran them all again, deleting everything found.
The system seems fine. Resources and usage are normal and there is no apparent virus.
I do still have the pmnnono.dll file, and it runs as a Winlogon Notify according to HijackThis. The main infection is gone, but there is still cleaning up to do.
I found this page, which is very useful: http://forums.spywareinfo.com/lofiversion/index.php/t96702.html
I followed all the directions there. The program VirtumundoBeGone managed to get rid of pmnnono.dll, and also gave me the blue screen of death, which was a bit heart-stopping for a moment… but all is well; I rebooted by holding the power button and it booted fine.
Then I ran Dr. Web CureIt. It found a few more files with problems that I took care of. This program’s scan takes a long time but seems very thorough.
The next program, SDFix, found a few hidden files which shouldn’t have been there; I manually reviewed them and deleted them. One of them was C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe. The other 4 belonged to GTek, which from a Google search seems not to be a good thing, so I deleted that entire folder also. One of the GTek files was C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
Back in non-safe mode… I removed my older version of Java via Add/Remove and downloaded the latest version from Sun Java and installed it. I also replaced my hosts file in windows/system32/drivers/etc with one from http://www.mvps.org/winhelp2002/hosts.htm; there were a few entries that I omitted in the file because I need them turned on, but it is nice to have this level of definite security from these sites, most of which are no good.
The system seems good and may even be running better than before all of this. The HijackThis log file shows no apparent problems to me; the one file it shows that I can’t figure out the purpose of is named mjdsregl.exe in windows/system32. A Google search for this turns up nothing.
The HijackThis entry is: O4 - HKLM\..\Run: [{F4-4A-A9-9E-ZN}] C:\windows\system32\mjdsregl.exe CHD003
The file does not even exist on my computer, so I guess it is fine. All in all, I lost about 2 days’ productivity due to this virus.
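The post's clean-up hinged on HijackThis entries (O2 BHO, O20 Winlogon Notify, O4 Run) whose target files were already gone. The following is an added example, not code from the post or from HijackThis, that parses a captured log for those three load points and flags orphaned entries; the O4 line in SAMPLE_LOG is the one quoted above, the O2/O20 lines and the CLSID are constructed, and the `exists` callback is an assumption so the check can run against a log copied off the infected machine.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Line shapes for the three HijackThis sections named in the post. The O4 line
# in SAMPLE_LOG is quoted from the post; the O2/O20 lines are constructed.
_PATTERNS = {
    "BHO": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$"),
    "Winlogon Notify": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "Run": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>\S+)(?: .*)?$"),
}
_MISSING = "(file missing)"  # marker HijackThis appends when the target is gone

SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\sstqp.dll (file missing)
O4 - HKLM\\..\\Run: [{F4-4A-A9-9E-ZN}] C:\\windows\\system32\\mjdsregl.exe CHD003
O20 - Winlogon Notify: pmnnono - C:\\WINDOWS\\system32\\pmnnono.dll
O20 - Winlogon Notify: sstqp - C:\\WINDOWS\\system32\\sstqp.dll (file missing)
"""

@dataclass
class PersistenceEntry:
    kind: str           # which load point the entry uses
    name: str           # registry value / BHO name as HijackThis shows it
    path: str           # the DLL or EXE the load point refers to
    file_present: bool  # False = orphaned load point pointing at a deleted file

def triage(log: str, exists: Callable[[str], bool] = os.path.exists) -> List[PersistenceEntry]:
    """Return every BHO / Winlogon Notify / Run entry with whether its file exists."""
    entries = []
    for raw in log.splitlines():
        for kind, pattern in _PATTERNS.items():
            m = pattern.match(raw.strip())
            if not m:
                continue
            path = m.group("path").replace(_MISSING, "").strip()
            # Trust HijackThis's own marker first, then ask the injected disk view.
            present = _MISSING not in raw and exists(path)
            entries.append(PersistenceEntry(kind, m.group("name"), path, present))
            break
    return entries

def orphaned(entries: Iterable[PersistenceEntry]) -> List[PersistenceEntry]:
    """Load points whose target file is gone: the leftovers the post deleted by hand."""
    return [e for e in entries if not e.file_present]

if __name__ == "__main__":
    # Constructed disk view: only pmnnono.dll still exists (Windows paths are case-insensitive).
    fake_disk = {r"c:\windows\system32\pmnnono.dll"}
    for e in orphaned(triage(SAMPLE_LOG, exists=lambda p: p.lower() in fake_disk)):
        print(f"{e.kind:15} {e.name:30} -> {e.path}")
```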
–end
Posted in Windows XP, Internet