Create an Account
username: password:
  MemeStreams Logo

MemeStreams Discussion


This page contains all of the posts and discussion on MemeStreams referencing the following web page: Vundo/VirtuMonde removal tool. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Vundo/VirtuMonde removal tool
by Dagmar at 9:27 am EST, Dec 24, 2007

In case any of you have loved ones or whatever running Windows, this is something you may need soon. Normally this wouldn't be such a pain in the ass, but this is now one of those "landscape changes" resulting from people like the Russian Business Network (also known as "criminals"--there is no mincing words on this) really bearing down on the subject of installing malware onto people's computers.

I'm going to say something that will upset some of you now. Pregnant women and those prone to fainting may wish to stop reading now.

* * *

This fscker will get you through Firefox if you're not careful.

* * *

It's not Firefox that's being exploited, but any one of three plugins (and probably more than that) that are installed if you have not been keeping them up to date. High on the list of possibilities are Quicktime and Adobe Reader plugins for one very specific reason.

Those two things have their automated update checkers tied up in exceptionally ponderous system tray apps that most people disable because they're a big waste and slow down booting. if you don't have these doing their thing through the system tray, the first time you may find out there's a necessary update is when the plugin is triggered by the browser--at which point it's too late, you've been compromised.

The machine I just cleaned up was infected while a person was browsing MySpace (and this isn't MySpace-specific, I'll explain at the bottom) using Firefox and it was infected through the Quicktime plugin. All the user initially saw was that Quicktime was informing them of an update being available... and then they started getting the popups advertising for what are essentially phony anti-spyware programs.

This particular variant did the following things above and beyond "the usual". It blew AVG right off the drive. It damaged the Quicktime installation so that it could not be updated without going and manually getting the update, although Quicktime itself still worked properly. After a partial removal in safe mode was attempted, it locked out all accounts, including the administrator account. Very not cool, that. (It of course disabled all the internet security settings in XP, and riddled the registry with itself, and installed "partner" software as the usual.)

Why this is not specific to MySpace

The problem that's coming up now is that the criminals are using front companies to buy ad space from legitimate/normal ad companies, and serving the ads from their own machines, which every so often will instead return a 404 document which invokes a vulnerable plugin. I've seen multiple perfectly reasonable sites go into a panic lately (CuteOverload got so freaked out their wiped their site and restored it from a scoured backup) because their users were reporting that their antivirus solutions were hollering about viruses on their site--which turned out to be coming from major ad banner companies that would otherwise be considered "safe".

RE: Vundo/VirtuMonde removal tool
by DrArkaneX at 2:35 pm EST, Dec 26, 2007

Just added this up today, it's been on my skull the last few months and just decided to put it up. Bleeping computers removal is not as effective so I had to go old school on this one...

RE: Vundo/VirtuMonde removal tool
by Dagmar at 10:47 pm EST, Dec 28, 2007

DrArkaneX wrote:
Just added this up today, it's been on my skull the last few months and just decided to put it up. Bleeping computers removal is not as effective so I had to go old school on this one...

You really need to double-check your stuff on that page. let me make something clear.

Javascript isn't the mechanism for this. Javascript (at least with FireFox) can't go altering host OS files. If you find a way to do this with JavaScript and can prove it, there's people reading this site who would really like to know about it (and that's putting it mildly).

Third party browser plugins containing vulnerable code can be used, and are being used, as a avenue for infection of vulnerable PCs.

...and for that matter, Bleepingcomputer's fix worked fine here. Perhaps you downloaded an older version of it and haven't revisited the issue since it's been updated, I dunno.

If you prevent the bloody thing from loading by removing it's hooks from the registry, you'll find you don't actually have to use any special tool to bypass the file locking mechanism... It can be ripped out in Safe Mode in just one pass by running the two tools at Bleeping Computer one after the other, just like they say.

Crap cleaner is not necessary for this, and that's not it's job anyway. People should scan with a working virus scanner of their choosing to try to be sure the system's clean.

...and changing the administrator password to blank is not a useful method for reenabling the use of regedit. However, if a user boots to safe mode so they can login as Administrator, they can just go hunting for the 'DisableRegistryTools' value. If Administrator has somehow been explicitly disallowed the use of regedit due to acts of whatever, there's live CDs around that can be used to modify the registry anyway, as well as a few free third-party tools that will just kick that value out of the registry, as the policy only prevents regedit and regedit32 from being run--it doesn't actually make the registry read-only.

RE: Vundo/VirtuMonde removal tool
by DrArkaneX at 12:08 pm EST, Jan 15, 2008

Welp, I've done a LOT of research on this. Stripping the hook out of LSASS really does the trick more than anything, but I have updated my Vundo fix page as well. Only thing about your last reply on this is that Safe Mode does not work. The file is still considered a "Windows Safe File" and will still get used by LSASS even in safe mode. BleepingComputer's fix is not necessarily the right way to go. I have used the most recent version of their fix and this trojan still laid dormant. This prompted me to write my Vundo fix page because Bleeping's wasn't working for me and plus I really wanted to find out how this ticked.

but anyways, Wendy's laptop got hit with it a few days ago and the only caveat, which I have hence updated my page with, is that you MUST boot to a BartPE or ERD Commander (Ultimate Boot Disc) to delete the .DLL or .EXE and then in notepad, create the same filename as a text file and then make them Read Only. Also, it borked with her startup items like loading "googletalk .exe" (notice the space before the .exe) so I had to recreate a new account and copy her stuff over. Best fix i've seen for Vundo yet. Do me a favor and on the computer you fixed, check that Lsa reg entry and see if anything is there.

That was one of the problems I had with Bleeping's fix was that the damn thing laid dormant and you'd think you got rid of it only to find out later you were wrong. (happened to me a few times)

There was actually several ways Vundo gets on your computer. Java and Quicktime. Firefox does use the same java as IE and by default will allow Vundo to get in. Check to make sure Java is updated to Update 3. That will fix it.

Crap Cleaner is an Excellent tool for removing registry entries that are invalid or non-existant. Perhaps you should read my fix on Vundo a little better as I think you just skimmed through it.. :) Crap Cleaner does not get rid of viruses nor did I claim it to. Crap Cleaner is an excellent tool and should be on everyone's Windows PC, next to the Anti Virus of their choosing.

Bear in mind that the only thing that Wendy does on her laptop is check email, Craigslist and MySpace. Nothing else and it was a fresh reload of the OS as well. I checked her Java version before cleanup and it was Java build 1.6.0_02.

Here are some links in reference:

Link 1
Link 2
Link 3

As much as I want to blame Microsoft for this, it's not an IE Exploit that Vundo gets in. Not a Firefox exploit as well. Simply it's either Java or Quicktime that hasn't been updated. Very simple really.. :)

Also, about the RegEdit denied workaround in there. I think you are taking my page out of context and I really think you skimmed it. The question was posed to me by a reader and was wanting to get into Regedit. The link noted is a workaround by microsoft to allow the user to get into RegEdit. Of course you and I both know we can boot up to Ultimate Boot CD or whatever and work around this issue, but sometimes we're dealing with people that don't know too much about computers or have never seen a C64 boot screen.. :)

And my method on that page has been double checked, triple-checked. I use this method for every Vundo removal I run into. I have hence removed the Unlocker, because it's not needed, but it's still a very good tool. I have over the last 2 weeks simplified my methods and with wendy's Laptop just solidified it. As I stated before, I used Bleeping's programs and while they worked (or so I thought), it came back. My method is a sure-fire, multiple tested way to get rid of Vundo. next time you run into it again, try my method.

Powered By Industrial Memetics