valurolafsson

XP SP3 goes into reboot loop after removing Adware.Vundo


Hello all,

After I scanned my computer using SUPERantispyware, it found a few Vundo variants on my computer. I removed them all and the program promptly asked me to reboot the computer. After rebooting, the computer would reboot after showing the Windows logo with the progress bar. This process looped several times until I gave up and chose to boot into safe mode, which it was able to do, and restore all the files that I had quarantined. After that, I rebooted from safe mode to normal mode and now the computer got all the way into Windows, but the Vundo spyware was still there of course.

Next I tried to run SUPERantispyware in safe mode, it detected the same Vundo variant (or just about, I don't know if the other spyware programs that I used removed some of them), and again after removing all detected spyware I rebooted and again this reboot loop started until I went to safe mode and restored the files from quarantine.

Then I ran it for the third time and I only chose to remove one of the detected spyware. This was:

Adware.Vundo Variant/Resident

and again after reboot I went into the reboot loop.

So now I don't know what to do, since even though this variant of Vundo has been detected by other anti-spyware programs they have not been successful in removing it. Please, some help would be much appreciated.

The 3 logs are shown below:

1. scan:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 07/24/2008 at 10:37 PM

Application Version : 4.15.1000

Core Rules Database Version : 3514

Trace Rules Database Version: 1505

Scan type : Quick Scan

Total Scan Time : 00:14:21

Memory items scanned : 605

Memory threats detected : 1

Registry items scanned : 464

Registry threats detected : 8

File items scanned : 6777

File threats detected : 1

Adware.Vundo Variant/Resident

C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

Trojan.Vundo-Variant/Small-GEN

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}

HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}

HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}\InprocServer32

HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}\InprocServer32#ThreadingModel

Adware.Vundo Variant/Rel

HKLM\SOFTWARE\Microsoft\aoprndtws

HKLM\SOFTWARE\Microsoft\FCOVM

HKLM\SOFTWARE\Microsoft\RemoveRP

HKU\S-1-5-21-583907252-651377827-839522115-1003\Software\Microsoft\rdfa

2. scan:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 07/23/2008 at 08:43 PM

Application Version : 4.15.1000

Core Rules Database Version : 3513

Trace Rules Database Version: 1504

Scan type : Quick Scan

Total Scan Time : 00:12:21

Memory items scanned : 201

Memory threats detected : 1

Registry items scanned : 475

Registry threats detected : 4

File items scanned : 6754

File threats detected : 1

Adware.Vundo Variant/Resident

C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

Trojan.Vundo-Variant/Small-GEN

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}

HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}

HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}\InprocServer32

HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}\InprocServer32#ThreadingModel

3. scan:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 07/23/2008 at 01:20 AM

Application Version : 4.15.1000

Core Rules Database Version : 3512

Trace Rules Database Version: 1503

Scan type : Quick Scan

Total Scan Time : 00:13:27

Memory items scanned : 637

Memory threats detected : 1

Registry items scanned : 461

Registry threats detected : 5

File items scanned : 6781

File threats detected : 9

Adware.Vundo Variant/Resident

C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL

Trojan.Vundo-Variant/Small-GEN

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}

HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}

HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}\InprocServer32

HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}\InprocServer32#ThreadingModel

Adware.Tracking Cookie

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@www.incentaclick[2].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@incentaclick[2].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@mediaresponder[2].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@winanonymous[1].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@systemerrorfixer[2].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@adnetserver[2].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@directtrack[1].txt

C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@angleinteractive.directtrack[1].txt

Adware.Vundo Variant/Rel

HKLM\SOFTWARE\Microsoft\RemoveRP

Thanks,

-Valur
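The three logs above carry a detail that is easy to miss when reading them by hand: the payload file is the same in every scan, but the Browser Helper Object it is registered under has a different CLSID each time. The following Python is an added example (not part of the thread and not SUPERAntiSpyware's own code) that parses the pasted log format and correlates the runs; the embedded logs are the ones in the post, trimmed to the header lines and detections the example needs, and the `parse_scan_log`/`correlate` names are this example's own.

```python
import re
from datetime import datetime

# The three SUPERAntiSpyware logs pasted in the opening post, trimmed to the
# header lines and detections this example needs (scan 3's cookie hits are
# cut to one). Paths and CLSIDs are exactly as they appear in the thread.
SCAN_LOGS = [
r"""SUPERAntiSpyware Scan Log
Generated 07/24/2008 at 10:37 PM
Application Version : 4.15.1000
Scan type : Quick Scan
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
Trojan.Vundo-Variant/Small-GEN
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}
HKCR\CLSID\{A7BCF494-58D4-4E8B-87B8-DEE8F6EB8DEA}\InprocServer32
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-583907252-651377827-839522115-1003\Software\Microsoft\rdfa
""",
r"""SUPERAntiSpyware Scan Log
Generated 07/23/2008 at 08:43 PM
Application Version : 4.15.1000
Scan type : Quick Scan
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
Trojan.Vundo-Variant/Small-GEN
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}
HKCR\CLSID\{D8C5EEF4-8748-4AE1-878C-9160B287E13B}\InprocServer32
""",
r"""SUPERAntiSpyware Scan Log
Generated 07/23/2008 at 01:20 AM
Application Version : 4.15.1000
Scan type : Quick Scan
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
C:\WINDOWS\SYSTEM32\WVUKHFXY.DLL
Trojan.Vundo-Variant/Small-GEN
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}
HKCR\CLSID\{2D97DC8B-F5E5-4E23-B37D-4039B77E432E}\InprocServer32
Adware.Tracking Cookie
C:\Documents and Settings\Valur Olafsson\Cookies\valur_olafsson@incentaclick[2].txt
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP
""",
]

HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")
ITEM_RE = re.compile(r"^(HK[A-Z]+\\|[A-Za-z]:\\)")   # registry key or file path
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})$")


def parse_scan_log(text):
    """Parse one pasted SAS log into (meta, detections).

    meta maps header names to values (the scan time is parsed to a datetime);
    detections maps each threat name to the registry keys and files listed
    under it, in log order, duplicates included."""
    meta, detections, threat = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "SUPERAntiSpyware Scan Log" or line.startswith("http"):
            continue
        if line.startswith("Generated "):
            meta["generated"] = datetime.strptime(line[10:], "%m/%d/%Y at %I:%M %p")
        elif ITEM_RE.match(line):   # before HEADER_RE: "C:\..." contains a colon too
            if threat is None:
                raise ValueError("detection listed before any threat name: " + line)
            detections[threat].append(line)
        elif HEADER_RE.match(line):
            key, value = HEADER_RE.match(line).groups()
            meta[key.strip()] = value.strip()
        else:                       # any other line starts a new threat group
            threat = line
            detections.setdefault(threat, [])
    return meta, detections


def correlate(logs):
    """Order the scans by time and report what stayed constant across them
    (the payload DLL) versus what changed (the CLSID the BHO was registered under)."""
    parsed = sorted((parse_scan_log(t) for t in logs), key=lambda p: p[0]["generated"])
    item_sets = [{i for items in d.values() for i in items} for _, d in parsed]
    clsids = []
    for _, d in parsed:
        found = []
        for items in d.values():
            for item in items:
                m = BHO_RE.search(item)
                if m:
                    found.append(m.group(1).upper())
        clsids.append(found)
    return {
        "scans": [m["generated"].strftime("%Y-%m-%d %H:%M") for m, _ in parsed],
        "persistent": sorted(set.intersection(*item_sets)),
        "bho_clsids": clsids,
    }


if __name__ == "__main__":
    report = correlate(SCAN_LOGS)
    for when, clsid in zip(report["scans"], report["bho_clsids"]):
        print(when, "BHO CLSID:", ", ".join(clsid) or "none")
    print("present in every scan:", report["persistent"])
```

Run as-is, the report shows one DLL path present in all three scans and three different CLSIDs, one per scan. That is why deleting the registry keys alone does not help: the DLL re-registers itself under a fresh CLSID at the next boot, so removal has to happen while the DLL is not loaded, which is what the rescue-disk scan later in the thread achieves.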

Hello,

Please run a Complete scan in Safe mode.

Thanks for the reply,

I ran the 2nd scan in safe mode and after the scan was done I rebooted into normal mode, where the computer went into this reboot loop. I could try to scan in safe mode and then boot into safe mode and see if Windows removes the files then. Do you know if it will, or is the normal mode boot procedure needed to remove files at bootup time in Windows?

- Valur

...

And one more thing.....when does Windows reboot? As soon as the welcome screen appears? If yes, then the winlogon.exe file has been replaced by a malicious file.

...

Yeah, it reboots just before the welcome screen is supposed to show up. Thanks for that tip. I'm currently at work, but I'll try this stuff when I get home later this evening. Thanks again.

- Valur

Yes, worth giving a shot.

BTW, please enable "Terminate Memory threats before quarantine" in the settings tab.

And run a full system scan...not a quick scan.

And one more thing.....when does Windows reboot? As soon as the welcome screen appears? If yes, then the winlogon.exe file has been replaced by a malicious file.

To solve the problem (if step 1 fails, perform step 2):

1. Press F8 on startup and select "last known good configuration".

2. Perform a system restore to a point prior to the infection.

If the problem is still not solved, then create a rescue disk using PEBuilder and replace the winlogon.exe file in the system32 folder with the original one. PM me if you need the original winlogon.exe file.

DO NOT enable terminating memory threats. In a situation like this terminating the threats can cause them to respawn.

Yes, worth giving a shot.

BTW, please enable "Terminate Memory threats before quarantine" in the settings tab.

And run a full system scan...not a quick scan.

And one more thing.....when does Windows reboot? As soon as the welcome screen appears? If yes, then the winlogon.exe file has been replaced by a malicious file.

To solve the problem (if step 1 fails, perform step 2):

1. Press F8 on startup and select "last known good configuration".

2. Perform a system restore to a point prior to the infection.

If the problem is still not solved, then create a rescue disk using PEBuilder and replace the winlogon.exe file in the system32 folder with the original one. PM me if you need the original winlogon.exe file.

DO NOT enable terminating memory threats. In a situation like this terminating the threats can cause them to respawn.

But they can't respawn if you're scanning in a virtual Windows environment (e.g. a rescue disk).

Do you even understand what you are saying? If you are scanning a virtual environment or slave drive, the processes aren't running, so there is no need to terminate anything. If the processes are running and they get terminated, no matter how you are scanning, they have the opportunity to do something malicious when an attempt is made to terminate them.

I understand you are trying to be helpful, but this is better left to experts such as ourselves, as you could possibly lead the user down the wrong path, and since this has to do with the reputation of SUPERAntiSpyware, please make sure you know what you are talking about before advising a user of ours to do something.

Yes, worth giving a shot.

BTW, please enable "Terminate Memory threats before quarantine" in the settings tab.

And run a full system scan...not a quick scan.

And one more thing.....when does Windows reboot? As soon as the welcome screen appears? If yes, then the winlogon.exe file has been replaced by a malicious file.

To solve the problem (if step 1 fails, perform step 2):

1. Press F8 on startup and select "last known good configuration".

2. Perform a system restore to a point prior to the infection.

If the problem is still not solved, then create a rescue disk using PEBuilder and replace the winlogon.exe file in the system32 folder with the original one. PM me if you need the original winlogon.exe file.

DO NOT enable terminating memory threats. In a situation like this terminating the threats can cause them to respawn.

But they can't respawn if you're scanning in a virtual Windows environment (e.g. a rescue disk).

Do you even understand what you are saying? If you are scanning a virtual environment or slave drive, the processes aren't running, so there is no need to terminate anything. If the processes are running and they get terminated, no matter how you are scanning, they have the opportunity to do something malicious when an attempt is made to terminate them.

I understand you are trying to be helpful, but this is better left to experts such as ourselves, as you could possibly lead the user down the wrong path, and since this has to do with the reputation of SUPERAntiSpyware, please make sure you know what you are talking about before advising a user of ours to do something.

I'm talking about the BartPE rescue disk, with the AVS file manager enabled.

Then you CLEARLY know that NO PROCESSES would be running that would need to be terminated! You know that right? .............

Yes, worth giving a shot.

BTW, please enable "Terminate Memory threats before quarantine" in the settings tab.

And run a full system scan...not a quick scan.

And one more thing.....when does Windows reboot? As soon as the welcome screen appears? If yes, then the winlogon.exe file has been replaced by a malicious file.

To solve the problem (if step 1 fails, perform step 2):

1. Press F8 on startup and select "last known good configuration".

2. Perform a system restore to a point prior to the infection.

If the problem is still not solved, then create a rescue disk using PEBuilder and replace the winlogon.exe file in the system32 folder with the original one. PM me if you need the original winlogon.exe file.

I don't have any system restore points... must have disabled it at some point... not very bright, am I? :roll: Anyway, would it be OK to change the winlogon.exe file in rescue mode if I boot from my XP CD?


Thanks,

I'll try this later today. I have some questions though. I downloaded procmon to check out what processes were running on my computer, and I noticed that lsass.exe was running periodically. That process seemed to be reading keys in the registry that referenced wvukhfxy.dll, which is the Vundo trojan that's causing all the problems. So, does winlogon.exe have anything to do with starting lsass.exe, or is it vice versa? Or do these registry keys cause all the problems and also need to be removed prior to me rebooting the machine from safe mode to normal mode?

One other thing: I did downgrade back to SP2, since I thought if winlogon.exe is contaminated the old winlogon would be OK. However, after the downgrade and running SUPERantispyware in safe mode and rebooting into normal mode, I still hit the never-ending reboot loop. *sigh* This is getting very tiring indeed.

Thanks for all your help,

Valur

I have PMed you a rescue disk, run a scan using it.

FYI, downgrading to SP2 wouldn't help you.

I am 99.99% sure that, after running a complete scan using the rescue disk which I have PMed you, the looping reboots would halt.

Yes it did... thank you very much. The Antivir rescue disc did detect the main .dll file and renamed it. It also detected other things, and it seemed like it renamed most of the things that it detected as threats. After the rescue disk scan was done, I rebooted into normal mode without problems. There I ran CrapCleaner and was able to remove the registry key that referred to the original .dll file name. I then rebooted into safe mode, ran SAS there and, lo and behold, it detected the RENAMED .dll file and was finally able to remove it completely since it was not loaded in memory. So everything is finally good with the computer :)

So, could it be that SAS needs to be updated to better handle that particular version of Vundo? Do you need any further help from me on that? Anyway, I'm a happy camper right now, and I can finally start to use my computer for more productive things than spyware/virus scanners, like watching DVDs and such ;)

Thanks for all your help,

Valur

P.S. Even though SAS was not able to completely remove the spyware, it was the only one that led me to the mother .dll file, so expect a donation from me :)


Thanks a lot for the link!

Unfortunately, I didn't get it right with the rescue CD. I ran it first, rebooted my computer and ran SAS. It found the malware, quarantined it, and I tried to reboot. Here the trouble started. The computer wouldn't shut down, and after 1 hour of waiting I did it manually. At restart I got into the rebooting loop and had to start it with the last known configuration.

Any suggestions??

Stefan

Oh dear! You have to run a full system scan using Avira Free AV, which is integrated in the CD... and then in normal mode run a full system scan using SAS.

Is this Avira Free AV on the rescue CD that you provided? I'm getting the exact same problem. Once SAS detects and tries to remove the spyware, it wants to reboot your PC. Once it does, it goes into a reboot loop. I actually see a blue screen for 1 second before it reboots again..


Thanks for the reply!

I ran a full system scan with the Avira CD and it found some trojans. But after scanning with SAS the system wouldn't shut down. So I had to restart manually and here we were again. I also did a full system scan with the Avira free version from harddisk. It found one trojan but the problem isn't solved.

Oh dear! You have to run a full system scan using Avira Free AV, which is integrated in the CD... and then in normal mode run a full system scan using SAS.

Is this Avira Free AV on the rescue CD that you provided? I'm getting the exact same problem. Once SAS detects and tries to remove the spyware, it wants to reboot your PC. Once it does, it goes into a reboot loop. I actually see a blue screen for 1 second before it reboots again..

Yes, Avira Free AV is on the rescue disk.

Please provide the details of the blue screen: press F8 on startup and select "Disable automatic restart on system failure". It will allow you to see the BSOD screen.

When I turned on my computer last night, my anti-virus program received the latest update. Then the virus shield detected the Vundo in memory, registry and file system. Once it rebooted, all of the trojans were gone except for the spyware. I ran a complete SAS scan to remove the rest. It rebooted with no problems. I ran both my anti-virus and then SAS, and both ran clean. But I'm noticing two problems..

1. I can only access certain websites, cnn.com, gmc.com just to name a few. But I can't access wtopnews.com and others. I did install IE7, but that didn't help. I also updated to XP Service Pack 3. No help..

2. My anti-virus shield detects the Vundo virus from time to time. Once it's detected, it's deleted. I'm thinking that maybe it's spawning somewhere due to the programs above overlooking a Vundo file of some sort...

PS - I downloaded the Windows version of Avira and everything checked out...

Please assist..

Thanks


Hello!

I don't know when you installed SP3 for XP, but if it was not very long before the reboot situation, it might be SP3 and XP doing this and not some adware or malware. You can check it out here: http://www.slipperybrick.com/2008/05/wi ... -troubles/ . This is not the only site concerning the matter; it is all over the internet and at Microsoft.

I am not saying this is what it is, and I am no expert in this area. But I have been reading up on this situation, as I am getting a blue screen stop error every now and then after booting (which probably does not have anything to do with your situation), but I have been going through the processes and all probabilities as to my situation, and someone suggested it being the installation of SP3 on XP, hence the investigation of said matter.

Okies......

Let me tell you that Avira Free does not detect spyware/adware; it has a stripped-down detection rate.

As far as the surfing limitation is concerned... I think your hosts file has been hacked.

Here are my suggestions:

1. Run a FULL SYSTEM SCAN using SAS in safe mode.

2. Run a scan using Spybot v1.6 and also immunize your PC; it will also fix the hacked hosts file.

If the problem persists then as I said before use the Rescue disk with Avira integrated, and run a full system scan. Rename and delete the detected trojans.
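The "hosts file has been hacked" diagnosis above can be checked directly rather than inferred from which sites load. Here is an added example in Python (not from the thread, not Spybot's or SAS's code) that parses hosts-file text and classifies every entry that a clean Windows hosts file would not contain: a name pinned to a loopback or unspecified address is effectively blocked (the symptom reported above), while a name pinned to any other address is redirected. The sample file, its hostnames and the 10.0.0.5 address are constructed for this example; the `parse_hosts`/`audit_hosts` names are this example's own. Read the real file from %SystemRoot%\system32\drivers\etc\hosts instead of the sample to run it on a machine.

```python
import ipaddress

# Constructed sample hosts file (NOT taken from the thread): the stock XP
# loopback line plus three entries of the kind a hijacked hosts file carries.
# The hostnames and the 10.0.0.5 address are placeholders invented here.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       news.example.invalid        # site silently blocked
0.0.0.0         updates.example.invalid     # another way to block a site
10.0.0.5        bank.example.invalid        # site redirected to another host
"""

# Entries a clean Windows hosts file is expected to contain.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments, blank and
    malformed lines are skipped and hostnames are lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # not an address: skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text, expected=EXPECTED):
    """Classify every non-standard entry as 'blocked' (name pinned to a
    loopback/unspecified address) or 'redirected' (name pinned to any other
    address). A clean file yields an empty list."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in expected:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append({"host": name, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:10s} {f['host']} -> {f['ip']}")
```

Anything the audit reports deserves a look before the anti-spyware scan is re-run: an entry of the "blocked" kind explains a site that never loads, and a "redirected" entry means the browser is being sent to a host the user did not choose. Restoring the file to its single localhost line (which is what the "immunize" step above does, among other things) is the fix.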

Once my CA Antivirus was updated and I deleted all of my Internet files and history, I had a corrupt .dll file detected. My virus shield detected it as a trojan, and once it rebooted my system, the file was deleted. Then I had the RUNDLL error message due to the file being deleted. I hence deleted the Run occurrence of the file from my registry and all seems to be fine. Once my anti-virus deleted the .dll file, I was able to access all my websites again. Everything seems to be OK.

As far as the blue screen goes: when SAS detected malware in memory, it showed the blue screen and was looping. On any other detection, it rebooted just fine with no problems..

