How much of a pain in the butt was that? Somehow my home computer (XP Pro) got infected with the Trojan.Vundo.B virus. Not sure how I got it, but I don't really have a solid excuse -- hadn't yet installed SP2, been clicking "Later" on the reminder to renew my Norton subscription. Not that I'm so sure it would've stopped it either, as I started seeing symptoms -- the telltale hijacking of Google searches redirected to Search42.com, the CD-ROM running at strange times and at all times all by itself -- a few days before anybody identified it, and about a week before any fixes started to surface.
There are a few solutions floating out there, and while it seems like some of 'em do work (at least for others), I would say conclusively that for me, running XP Pro with SP2, the following solutions plainly couldn't work:
The Symantec Removal Tool: This can identify the Trojan, and remove and repair most of it, including fixing the registry. It is able to identify the problematic DLL, which for me was placed in the WINDOWS\APPPATCH directory, named nutinfo.dll. However, even running the tool in safe mode, it wasn't able to remove this DLL. The DLL lodges itself in the winlogon process, so it was always "in use" by the computer, and protected from deletion. So, upon restart, no matter what kind of restart (even in safe mode), the Trojan propagated once again. Basically, following their instructions, time and again, it failed to remove the Trojan from my computer.
Various groups and boards noted another solution, using the McAfee command line app, and a few BAT scripts. I was more than a bit reticent taking advice that included getting a fix of a BAT file used to FTP down files... sounds like a prescription for further infection. However, this was a bit more promising, and the app identified and removed a few apps that it decided were suspicious. However, in the end, the result was the same -- it was unable to remove the DLL because it had masterfully hidden itself in winlogon, and was shielded from removal tools under the guise of XP's "security". Who knew that Windows' new security was actually designed pretty well? Who's surprised that it was able to harbor and protect a trojan?
It's clear the key to it all was killing the DLL. Now this Trojan was taunting me -- with searches on Google it would pop up an ad for some kinda Windows antivirus application. Some pointed to this great app Process Explorer, which allows you to see threads and DLLs that are executing on your machine. While it seems that this app worked for some (perhaps NT users?) to suspend or stop the winlogon process, it couldn't do it for me.
I wasn't able to install the XP Recovery Console from my existing install, so digging up the original CD was my last hope. That, or running Linux, of course -- and yet, I doubt that I would be allowed to live without the Sims 2, or any of the series of Tonka or Thomas games that fill the hard drive. But one last rummage through the desk drawer revealed the actual Windows XP install CD that came with the computer, still sealed in its prophylactic plastic wrapping!
Booting from the CD allowed me to run the XP Recovery Console, which, despite requiring an administrator logon, didn't run winlogon and block access to nutinfo.dll. A simple del from the command prompt, and the DLL was gone. Another run in safe mode of the Symantec tool, and an all clean was proclaimed.
Simply put, if you've got a similar setup -- Windows XP Pro, with Service Pack 2 -- you may experience a similar hassle with trying to get this evil nuisance off your computer. I would suggest running the Symantec tool, following their instructions. If that doesn't solve it, note the full path of the DLL it can't delete. Then run the XP Recovery Console and delete that DLL by hand.