Author Topic: Please help with vundo.KA  (Read 5039 times)


Jackrmy (Guest)
Please help with vundo.KA
« on: February 09, 2010, 03:39:31 AM »
Please help me. I've got Vundo.KA in explorer.exe of Windows XP Pro. AVG's scan states that the infection is in "explorer.exe (1996) memory 001a0000" and in "explorer.exe (1996)". It's causing browser redirects and other weird things. Every time I restart, the antivirus scanners find more/different Trojans. I have tried AVG, Malwarebytes, Spybot Search & Destroy, Stinger, Avast, MS Security Essentials, HijackThis, ComboFix, Windows Defender, and some others I can't think of right now, in and out of Safe Mode. Even the Avast boot-time scan won't get rid of it. I can't boot from the Windows CD, because I have a RAID controller and the CD doesn't see any drives at all. HELP!

Yanto.Chiang (Avast Evangelist)
Re: Please help with vundo.KA
« Reply #1 on: February 09, 2010, 04:02:59 AM »
Hi Jack,

This reference link may help you with this:

http://en.kioskea.net/faq/259-getting-rid-of-vundo-trojan

What is a Vundo Trojan?

Vundo is a particularly frustrating Trojan horse that causes pop-ups and now and again causes faults on the computer system by blocking access to some websites, such as Google. The Trojan resides in memory through the Internet browser's setup program.

On Windows operating systems, the DLL Trojan files are named with eight random upper- and lower-case characters and reside in the system32 directory. It will also create hidden files, which will be located during a virus scan instead of the DLL file itself.

computerfreaker (Guest)
Re: Please help with vundo.KA
« Reply #2 on: February 09, 2010, 04:05:25 AM »
Vundo's a bad one; hopefully we can get you fixed up.
First of all, download Malwarebytes Anti-Malware, install it, do a full system scan, and do what it tells you. You can also try the Vundo/Virtumonde removal instructions given here.
Then, run OTL as follows:
1. Download OTL to your Desktop.
2. Double-click the OTL icon to run it. Make sure all other windows are closed and let it run uninterrupted.
3. Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
c:\windows\system32\*.dll /lockedfiles
c:\windows\system32\drivers\*.sys /lockedfiles
%systemroot%\*. /mp /s
CREATERESTOREPOINT


4. Click the Quick Scan button. Do not change any settings unless told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply as an attachment.

EDIT: changed the link to the removal instructions from a MajorGeeks forum thread to a more-generic, probably more-helpful BleepingComputer article.
« Last Edit: February 09, 2010, 04:11:03 AM by computerfreaker »
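Added example, not code from the thread or from any tool it names (OTL, GMER, Malwarebytes): a small Python script that does offline what two of the manual steps above ask for. It applies the naming heuristic from the kioskea text in reply #1 (a DLL in system32 named with eight random mixed-case letters) and computes MD5 hashes of driver files from the OTL /md5start list in reply #2 so they can be compared against a known-good baseline. The baseline dictionary, the allow-list and the sample files are constructed here purely for the demonstration; on a real machine you would record baseline hashes yourself from a clean install of the same Windows version and service pack, or from the driver package, because the script has no way to know them.

```python
"""Added example: two file-system heuristics from the thread, run on a
constructed sample tree. Not code from OTL, GMER or any tool named above."""
import hashlib
import os
import re
import tempfile

# Heuristic from reply #1: Vundo DLLs are dropped into system32 under eight
# random upper- and lower-case letters. Requiring both cases cuts down on
# legitimate eight-letter names such as wintrust.dll or browseui.dll.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def looks_like_random_dll(name, allowlist=frozenset()):
    """True for an 8-letter, mixed-case DLL name that is not allow-listed."""
    if name.lower() in allowlist:
        return False
    if not RANDOM_DLL_RE.match(name):
        return False
    stem = name[:-4]
    return stem != stem.lower() and stem != stem.upper()


def find_suspicious_dlls(system32_dir, allowlist=frozenset()):
    """Sorted names in system32_dir that match the naming heuristic."""
    return sorted(n for n in os.listdir(system32_dir)
                  if looks_like_random_dll(n, allowlist))


def md5_of_file(path):
    """MD5 of a file, read in chunks (MD5 is what OTL's /md5start reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_drivers(drivers_dir, names):
    """Map each driver name to its MD5, or None when the file is absent."""
    out = {}
    for n in names:
        p = os.path.join(drivers_dir, n)
        out[n] = md5_of_file(p) if os.path.isfile(p) else None
    return out


def compare_to_baseline(observed, baseline):
    """(name, observed, expected) for every present driver whose hash differs."""
    return [(n, observed.get(n), exp) for n, exp in baseline.items()
            if observed.get(n) is not None and observed.get(n) != exp]


# Subset of the /md5start list from reply #2; TDSS variants patch disk
# drivers such as these in place, so a clean baseline hash exposes them.
DRIVER_LIST = ["atapi.sys", "iaStor.sys", "nvstor.sys"]

# Constructed sample contents (assumption: not real driver bytes).
CLEAN_ATAPI = b"clean atapi" + b"\x00" * 32
CLEAN_IASTOR = b"clean iastor" + b"\x00" * 32
PATCHED_IASTOR = b"patched iastor" + b"\x00" * 32


def build_demo_tree():
    """Temp dirs standing in for system32 and system32\\drivers."""
    sys32 = os.path.join(tempfile.mkdtemp(), "system32")
    drivers = os.path.join(sys32, "drivers")
    os.makedirs(drivers)
    for name, data in [("wintrust.dll", b"legit"),    # 8 letters, lower case only
                       ("kXjwQaPr.dll", b"dropped"),  # Vundo-style name
                       ("msvcrt.dll", b"legit")]:
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(data)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(CLEAN_ATAPI)        # matches baseline
    with open(os.path.join(drivers, "iaStor.sys"), "wb") as f:
        f.write(PATCHED_IASTOR)     # differs from baseline
    return sys32, drivers


def run_demo():
    """Returns (suspicious DLL names, driver names whose MD5 mismatched)."""
    sys32, drivers = build_demo_tree()
    # Assumption: the admin recorded these from a clean install of the same
    # Windows version and service pack; nvstor.sys is not installed here.
    baseline = {
        "atapi.sys": hashlib.md5(CLEAN_ATAPI).hexdigest(),
        "iaStor.sys": hashlib.md5(CLEAN_IASTOR).hexdigest(),
        "nvstor.sys": hashlib.md5(b"clean nvstor").hexdigest(),
    }
    suspicious = find_suspicious_dlls(sys32)
    mismatched = [n for n, _, _ in
                  compare_to_baseline(hash_drivers(drivers, DRIVER_LIST), baseline)]
    return suspicious, mismatched


if __name__ == "__main__":
    print(run_demo())   # (['kXjwQaPr.dll'], ['iaStor.sys'])
```

A mismatch on atapi.sys or iaStor.sys is the kind of result essexboy's TDSS suspicion later in the thread would predict, but note the limit of any user-mode check: a rootkit that filters disk reads can hand back the clean image of a driver it has patched, so a matching hash is not proof of a clean file. That is why a kernel-level scanner such as GMER is still part of the procedure.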

essexboy (Malware removal instructor, Avast Überevangelist)
Re: Please help with vundo.KA
« Reply #3 on: February 09, 2010, 10:03:09 PM »
As an addition to computerfreaker's request, also run GMER, as that will show if the system file is hooked. This could be a TDSS variant.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Jackrmy (Guest)
It was a TDSS variant
« Reply #4 on: February 12, 2010, 05:53:42 AM »
Another link sent by a helpful forum poster:

http://www.geekstogo.com/forum/How-to-fix-Google-Redirects-t267407.html&p=1754524#entry1754524

This cured my memory and explorer Vundo.KA! I worked on this one for 7 bloody days. No other software could cure the infection. But these two little unknown bits of software cured it in under 10 minutes. (No longer using AVG.)

essexboy (Malware removal instructor, Avast Überevangelist)
Re: Please help with vundo.KA
« Reply #5 on: February 12, 2010, 08:17:29 PM »
Glad you found that link useful; it gets updated when we find new variants.

That one was only finalised last week

Welcome to Avast