Got my first "real" virus (well, a trojan really) the other day. It came from a user-made fix for a game I was trying to get working. The virus was called Vundo, and while Norton Antivirus identified it once it was running, it couldn't do anything about it (as usual). Couldn't repair, delete, or quarantine it. I did some research and found out Vundo is particularly annoying and can be hard to get rid of. The first thing it does is go to the Web and start downloading spyware and malicious files, then makes unwanted shortcuts on your desktop and nixes your access to system resources and privileged areas like the command prompt, Control Panel, and editing the Registry. Coincidentally, when the virus-alert window initially popped up for me, the first thing I did was switch off my wireless connection so it had no access to anywhere outside my laptop. Instincts are good sometimes.
I kept getting messages complaining that I didn't have internet access (duh) even though I wasn't trying to do anything online (suspicious much?) and just clicked Work Offline. My girlfriend was able to do some looking around from her computer and found a bit of info on the situation. She found two programs that could supposedly remove it; one worked, one did nothing but waste a lot of time. I had her copy them to a thumb drive, then used that to copy them over. I wasn't getting on the LAN and risking infecting other computers on the network.
What the virus does is make a randomly named .dll in the C:\Windows\System32 folder (in my case, tuvUnKAr.dll) that runs in the background but doesn't show up as a process, can't be killed (ended, terminated, whatever you want to call stopping a process), and is attached to both explorer.exe and winlogon.exe. Shutting off either of those prevents you from doing anything in Windows, like deleting the file. Clever.
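Two checks a practitioner would want here, written as an added PowerShell example (not part of the original post, and not what either removal tool does). The first lists DLLs loaded into explorer.exe and winlogon.exe that sit under System32 without a valid Authenticode signature, which is the shape of the DLL described above. The second schedules a rename for the next reboot with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT, which is one standard way past a DLL that is held open by those two processes; the session manager performs the rename before explorer.exe and winlogon.exe exist. The `.vundo.bad` suffix and the function names are my own choices.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# (reading winlogon.exe's module list needs administrator rights).

function Get-SuspectSystem32Modules {
    param([string[]]$ProcessNames = @('explorer', 'winlogon'))

    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in $ProcessNames) {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            foreach ($mod in $proc.Modules) {
                $path = $mod.FileName
                # Only care about modules living in System32, where the post says the DLL was dropped.
                if (-not ($path -like "$sys32\*")) { continue }
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid') { continue }
                [pscustomobject]@{
                    Process = '{0} ({1})' -f $proc.ProcessName, $proc.Id
                    Module  = $path
                    Status  = $sig.Status
                    Size    = (Get-Item -LiteralPath $path).Length
                    Written = (Get-Item -LiteralPath $path).LastWriteTime
                }
            }
        }
    }
}

# P/Invoke wrapper for MoveFileEx. With MOVEFILE_DELAY_UNTIL_REBOOT the rename is
# recorded under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
# (PendingFileRenameOperations) and carried out early in the next boot.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Rename-OnNextReboot {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed suffix; anything that stops Windows treating it as a loadable .dll will do.
        [string]$NewPath = "${Path}.vundo.bad"
    )
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }
    if (-not [Win32.NativeMethods]::MoveFileEx($Path, $NewPath, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        throw "MoveFileEx failed for $Path (are you running elevated?)"
    }
    "Scheduled: $Path -> $NewPath (takes effect on reboot)"
}

# Usage:
#   Get-SuspectSystem32Modules | Format-Table -AutoSize
#   Rename-OnNextReboot -Path 'C:\Windows\System32\tuvUnKAr.dll'
```

Treat the first listing as candidates, not convictions: on some Windows builds genuine OS files are catalog-signed and can show up as NotSigned, so compare the file's write time, version resource and hash against a known-good machine before scheduling anything. Renaming rather than deleting keeps the file around for a look afterwards, and the rename is queued in the registry, so it does nothing until the machine actually reboots.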
The two programs I tried were found here. The first was VundoFix.exe, and all it did was run a thorough scan of a bunch of files in the Windows folder that amounted to nothing. It didn't find anything wrong or out of the ordinary. I also tried running it in Safe Mode with the same results.
The second ran much more quickly, and produced a wonderfully detailed log file right on the desktop (VBG.txt) of what it did. Basically it killed processes one by one while it was rebooting my computer, found the malicious bugger, and renamed the prickly file as follows: