Trojan Vundo - Can't Remove!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Leezza, Mar 18, 2005.

  1. Leezza

    Leezza Private E-2

    :(
    Working in a small office setting and trying to help remove the VUNDO trojan from my co-worker's computer. (No systems people here, and the only suggestion our boss gives is to call Dell and have them step us through reformatting the hard drive and reinstalling everything. Trying to avoid that, as that will take hours of time, and hoping for a solution through your website.)

    In the process of running the online scans on that computer now, but can tell you what has happened so far:

    Have installed the VUNDO tool from Symantec and run it twice; both times it comes back saying no VUNDO. (Even tried again in SAFE mode, still says no VUNDO???) (Note: It (Vundo) has been on this system for a few months, and we ran the tool back in December, at which time it said it was all cleaned etc., but it really never was!! Or at least it's been back for days--tons of pop-ups on IE (all about spyware), which constantly crashes IE.) NOTE: We did exactly as instructed, including disconnecting from the Network.

    RE: Running processes - None of those you named are found.

    Online Trend Scan - Detects Vundo in about 7 files, but "Cannot Clean"

    McAfee (says no infected files found???)

    Spyware (Adware-Lavasoft) finds and cleans "Virtumundo" about 7 times, but it's only listing registry keys etc. (no files, executables etc.).

    Microsoft Antispyware - Again, finds the Virtumundo in the registry keys and cleans, but doesn't show any exe. files etc.

    So, something is very strange here; some programs find it, some don't, and ultimately no one can get rid of it. (Having difficulty running online things because of crashes; have also been using Firefox for months as a back-up, but we hate it.)

    I'll continue the steps and will also do a HiJack log.

    Please advise when I can submit a HiJack Thank You!

    THANK YOU!
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    If you have run through the whole READ ME listed below then send a HJT log

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not, post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. TheOldThug

    TheOldThug First Sergeant

    Have you gone to PP's thread on removing this? You probably should try that also.

    Virtumundo
     
  4. Leezza

    Leezza Private E-2

    Yes, have tried everything suggested....and even looked through many of the subforums within those logs. (Nothing I'm trying works; it just keeps being there over and over and over).

    I will go to that computer now and run HiJack and post....
    And thank you again for your help~
     
  5. Leezza

    Leezza Private E-2

    Here is the log:
     

    Attached Files:

  6. TheOldThug

    TheOldThug First Sergeant

    Do me a favor.

    Let's make sure these are good files. Do you have a Language selection icon in system tray? If not get me some info on this file. Right click it, properties, and find version, company, etc.
    C:\WINNT\system32\internat.exe

    Also:
    C:\WINNT\msagent\bakdb.exe
    get some information on the above file. Are you familiar with the msagent folder.
    I'm pretty sure this is the culprit. See how the spelling is backwards in regard to this line in your HJT file.
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat
     
  7. Leezza

    Leezza Private E-2

    Update:
    Regarding the internat.exe -
    No, I don't see an icon in the system tray, but I did search for it and found the following by right clicking it:
    Application - Microsoft - Keyboard Language Indicator Applet

    Regarding: MSAgent Folder (No, not familiar with it, thought maybe it had something to do with Mcafee?)

    I agree, it looks like it may be the problem, and it contains several folders all created back on 12/14/04, which was about the time this whole thing started.

    Next step please!
     
  8. TheOldThug

    TheOldThug First Sergeant

    I am very busy today but will try and get you a fix soon. Is there anything in the MSAgent folder that looks like it should be kept?
     
  9. Leezza

    Leezza Private E-2

    I don't see anything, but there is lots there; nothing sounds too familiar. Will look forward to hearing from you when you free up some time.


    Thanks....your help is truly appreciated.
     
  10. Leezza

    Leezza Private E-2

    Update:
    RE: MSAGENT FOLDER

    Attached is a JPEG image of the "Print Screen" of that folder:

    Note: Only the highlighted sadrah.tmp file was created in December 2004

    All the others seem to be from Microsoft and application, but not something we are familiar with - Agent International DLL files

    Also please note that the bakdb.exe doesn't show??
     
  11. TheOldThug

    TheOldThug First Sergeant

    We will use PP's generic solution to fixing this. He has had good success with it. I am also going to supply a fix for Real ToolBar, which is a questionable application, and also your Desktop Weather. The choice is yours on whether to keep them (I would not). I am not sure if the Weather program has pop ups or not. If you decide to keep them, disregard any of the lines pertaining to them.

    ALSO NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Look in C: > WINDOWS > PREFETCH & Delete bakdb.exe (or any bakdb or bdkab entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINNT\msagent Folder for any backups (bakdb.bak & bdkab.bak etc. . . ) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Real ToolBar
    Desktop Weather

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    bakdb.exe
    The Weather Channel.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat
    O4 - HKLM\..\RunOnce: [*bakdb] C:\WINNT\msagent\bakdb.exe rerun
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\Program Files\The Weather Channel\The Weather Channel.exe
    O20 - Winlogon Notify: bakdb - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat

    Again, make sure All Browser Windows are Closed when you Click FIX, and then, while still in HijackThis, look in the lower right-hand box where it says "Other stuff," and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINNT\msagent\bakdb.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bakdb
    bdkab


    and DELETE the related files. (We especially want to get rid of bakdb.ini & bakdb.dat & bakdb.bak AND bdkab.ini & bdkab.dat & bdkab.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL. So, when you find them, search the associated folders carefully for any hidden remnants!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    You may want to try running the Symantec tool again, as well.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  12. TheOldThug

    TheOldThug First Sergeant

    I forgot to mention that if you got rid of real ToolBar and Desktop Weather that you should get rid of the following folders also.

    C:\Program Files\The Weather Channel--->The Folder
    C:\PROGRA~1\COMMON~1\Real--->The folder as long as no other programs in it besides the toolbar
     
  13. Leezza

    Leezza Private E-2

    It's still on the computer and the MAJOR problem is that I CANNOT find, nor delete, all the bakdb files.

    Even though they say they are in the MSAGENT folder, when you go into the folder it is not there.

    I tried to KILL the PROCESS several times via CC cleaner and MSFT Antispyware and also to remove it from START-UP, but it's right back at the end of the process and startup list even after I've asked to STOP or DELETE IT.

    Although the HJ log shows it in MSAGENT, it's NOT there; it's hiding somewhere else or under another name.

    Tried searching and still NO files with these names come up under safe or normal.

    HELP! THIS ONE IS A NIGHTMARE......

    Final note:

    When you Click the Fix it and then go into the Config (in Hijack) and then go to navigate to the file C:\WINNT\msagent\bakdb.exe (IT'S NOT THERE), so I CANNOT OPEN or ask it to delete at reboot!

    HATE THIS THING - But will be back to look for any other suggestions you have!

    THANX~ :eek:
     
  14. TheOldThug

    TheOldThug First Sergeant

    Have you done this?
    Make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    Give me another HJT log also.

    Enable viewing of hidden files and folders and extensions; Some programs can hide this way by not being visible in Windows. Start Windows Explorer and click on your main hard drive, usually c:\. Then select Tools from the top of Windows Explorer and then Folder Options. Go to the View tab. Scroll down to the folder icon that says Hidden files and folders and check show hidden files and folders. Also, right below it, uncheck the hide file extensions for known types. Not doing this could allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making manually finding it, if needed, difficult to impossible.
     
    Last edited: Mar 18, 2005
  15. Leezza

    Leezza Private E-2

    Yes, absolutely...I have view Hidden Files turned on....that is what is driving me crazy - it doesn't show in that folder even though the hijack log shows it there.

    It's as if this trojan is telling us it's there, but the PATH is wrong....!!

    I know it sounds crazy, but that's what is happening.

    PS: I'm no longer at work, but will try more assistance on Monday.

    Is there anything else we can do, besides reformatting!
     
  16. TheOldThug

    TheOldThug First Sergeant

    Do not give up yet. I will see what else we can do. Give me another HJT log.

    OOPS! I see you're not at work anymore and probably can't give me another log.

    They will hide themselves. I had the same problem, could not locate the file.
    Hold in there.
     
  17. Leezza

    Leezza Private E-2

    Will send another on Monday morning - glad to hear you've seen the crazy thing "Hide" before!

    Thanks again for your help....chat with you again on Monday!
     
  18. Leezza

    Leezza Private E-2

    MONDAY Morning -

    Here is the latest HJ Log. As you can see, the "culprit" file still exists and still says it's in the MSAGENT folder, even though when you physically look in the folder it's not there. Nor can I search for it and find anything by that name on the system?

    HELP PLEASE!
     

    Attached Files:

  19. TheOldThug

    TheOldThug First Sergeant

    I am going to ask PP to take a look at this. He has handled this problem before. Hang in there, hopefully he can get a look at it sometime today.
     
  20. Leezza

    Leezza Private E-2

    Thank you very much..... :eek: Will look forward to hopefully Killing this thing for good!
     
  21. PhilliePhan

    PhilliePhan Guest

    Hi Leezza,

    This thing is a real pain to track down and remove completely! It takes a lot of dogged persistence on your end to track down and remove all associated duplicates and backups. Let's give it a shot, shall we?

    Please follow the below carefully and as thoroughly as possible.
    Print these instructions out, or save them locally so that you can operate with ALL Browser Windows CLOSED!


    Please download Pocket KillBox

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixmundo.reg


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bakdb]



    Leave it for now.


    NEXT:
    Make sure you are completely disconnected from the Internet.


    Then, run CCleaner. After that, you must run a search for all bdkab & bakdb entries on your machine (.ini, .exe, .dat, .bak, etc. . . ) Use Windows Explorer to track them down if possible.


    Now:
    DoubleClick on the fixmundo.reg file you made and follow the prompts to allow it to merge the registry entries into the registry.


    NEXT:
    Please run Pocket Killbox.
    Select the option to Delete on Reboot.

    Now, Enter or Copy and Paste C:\WINNT\msagent\bakdb.exe into the box and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Enter or Copy and Paste C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat into the box and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .


    THEN:
    After your machine reboots, Scan with HijackThis and FIX these entries:
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat
    O4 - HKLM\..\RunOnce: [*bakdb] C:\WINNT\msagent\bakdb.exe rerun
    O20 - Winlogon Notify: bakdb - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat


    NEXT:
    Run the Symantec Vundo Removal Tool again and then run CCleaner again.

    Finally, reboot and rescan with HJT and attach the log. Let me know how you fared with the above and whether you ran into any problems. Hopefully we'll get it!

    Best Luck,
    PP :)
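Both fix lists in this thread (TheOldThug's in post 11 and PP's just above) single out the same three HijackThis lines, and for the same observable reasons: a BHO and a Winlogon Notify package that are a .dat file in a user's Temp folder rather than a DLL, a RunOnce entry whose name starts with *, and the bakdb/bdkab names that are each other's reverse. The checker below, an added example that is not code from this thread or from HijackThis, applies exactly those heuristics to the quoted log lines (sample input constructed from the lines posted above; the O20 line in the test is constructed for contrast).

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat
O4 - HKLM\..\RunOnce: [*bakdb] C:\WINNT\msagent\bakdb.exe rerun
O4 - HKCU\..\Run: [Desktop Weather 3] C:\Program Files\The Weather Channel\The Weather Channel.exe
O20 - Winlogon Notify: bakdb - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bdkab.dat
"""

# A path ends at the first .exe/.dll/.dat followed by whitespace or end of line; the rest is arguments.
PATH_RE = re.compile(r"(\S.*?\.(?:exe|dll|dat))(?:\s+|$)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_entry(line):
    """Split one O2/O4/O20 HijackThis line into a dict; return None for anything else."""
    m = re.match(r"^(O2|O4|O20) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    hive = args = ""
    if section == "O2":                      # BHO: Name - {CLSID} - path
        parts = rest.split(" - ")
        name, path = parts[0][len("BHO: "):], parts[-1]
    elif section == "O20":                   # Winlogon Notify: name - path
        name, _, path = rest[len("Winlogon Notify: "):].partition(" - ")
    else:                                    # HIVE\..\Run(Once): [name] path args
        km = re.match(r"(.*?): \[(.*?)\] (.*)$", rest)
        if not km:
            return None
        hive, name, cmd = km.groups()
        pm = PATH_RE.match(cmd)
        path, args = (pm.group(1), cmd[pm.end():]) if pm else (cmd, "")
    return {"section": section, "hive": hive, "name": name,
            "path": path.strip(), "args": args.strip()}


def stem_of(path):
    # File name without folder or extension, lower-cased: ...\Temp\bdkab.dat -> bdkab
    return path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()


def analyze(log_text):
    """Return [(section, name, [reasons])] for entries that match the thread's heuristics."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    stems = {stem_of(e["path"]) for e in entries}
    findings = []
    for e in entries:
        stem, reasons = stem_of(e["path"]), []
        if e["section"] in ("O2", "O20"):    # IE and winlogon load these as DLLs
            if TEMP_RE.search(e["path"]):
                reasons.append("loaded from a Temp folder")
            if not e["path"].lower().endswith(".dll"):
                reasons.append("not a .dll")
        if e["hive"].lower().endswith("runonce") and e["name"].startswith("*"):
            reasons.append("RunOnce entry with * prefix (runs even in Safe Mode)")
        if stem[::-1] in stems and stem[::-1] != stem:
            reasons.append("name '%s' is the reverse of '%s' elsewhere in the log" % (stem, stem[::-1]))
        if reasons:
            findings.append((e["section"], e["name"], reasons))
    return findings
```

Running `analyze(SAMPLE_LOG)` flags exactly the three entries both posts tell Leezza to fix and leaves the REALBAR and Desktop Weather lines alone, since those are unwanted but not hiding.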
     
  22. Leezza

    Leezza Private E-2

    Hi PP,
    Thanks for your help....I'm not in the office today, but will follow your steps tomorrow and post you an update then!

    Crossing my fingers on this one, as it truly is a "Pain"!

    Thanx again,
    LEEZZA
     
  23. PhilliePhan

    PhilliePhan Guest

    AllRightyThen!
    Be sure to follow the instructions carefully, and if the first attempt doesn't work, try them again from the top!

    Good Luck!

    PP :)
     
  24. Leezza

    Leezza Private E-2

    Good Morning,

    Due to being extremely busy here at the office, I'm not sure when I will be able to get back to this - may not be until next week. I truly appreciate your help and will post again once I've completed the instructions.

    Thank you again.....
     
  25. Leezza

    Leezza Private E-2

    .....Oh My Gosh! I ran all the programs and I FINALLY think it's gone...

    Please review my latest HJT Log..........I'm crossing my fingers! :) :) :)
     

    Attached Files:

  26. TheOldThug

    TheOldThug First Sergeant

    Sure looks like PP got those bad lines this time. I bet the regedit was the key. Let PP look at it one more time to confirm. Were you able to find a bunch of bdkab and bakdb files? After he gives you a clean bill of health be sure to:

    You should check this out now: How to Protect yourself from malware!

    Once PP clears you then turn system restore back on.

    Be sure to use SpywareBlaster, a software firewall, Ad-Aware, Immunize with Spybot, and Firefox as your browser. Keep your OS and AV updated.

    Happy and safe surfing. :D
     
  27. Leezza

    Leezza Private E-2

    THANK YOU ALL SO VERY MUCH!

    Dear PP,

    Let me know how this looks to you, but so far no IE crashes and no Pop-Ups!

    You are all WONDERFUL!!!!
     
  28. PhilliePhan

    PhilliePhan Guest

    You're Welcome! We are happy to help :)

    Latest Log looks good. But, I've been killing this thing for a long time and have been impressed by its resilience! So, if you see any signs of it returning, let us know!

    Right now, everything looks good! Be sure to follow the suggestions that OldThug linked.

    Happy Computing :)
    PP
     
