IMPORTANT: LiveOne fails with Conhook.D and Vundo.JC viruses!


    OK, guys this is serious. I’m not making this up (if you are a part of Microsoft security team, see Microsoft LiveOne ID case ID SRX1093909786). About four days ago, I found out that my computer is infected with a nasty bugger: Virtumonde.

     

    Sent an e-mail to LiveOne support. Got a response back from a really nice-sounding gentleman who explained to me (in an easy step-by-step manner) how to run the LiveOne antivirus while in Safe Mode.

     

    Doing this informed me that my computer’s been infected with two viruses:

       - vundo.JC    (a.k.a. Virtumonde)    and

       - conhook.D

    The LiveOne module instructed me to restart to remove them, etc., etc., etc.

    I did that.

     

    Then just on a hunch, decided to run Ad-Aware to make sure that my registry’s intact.  Guess what? – it wasn’t. Ad-Aware found 6 infected regkeys/regvalues and supposedly fixed the problem. But not really… After 6 hours or so, I started getting messages from LiveOne antivirus that it has discovered both Vundo and Conhook.D again. Each time I’d kill them, they’d pop up again.

     

    Furthermore, the Internet Explorer started acting weird by displaying multiple pop-ups (mostly ____). I went to IE Tools -> Internet Options -> Privacy tab  only to find out that the security has been dropped all the way down to “Accept all cookies.”  The most frustrating part was that NO MATTER HOW MANY TIMES I’D RESET IT TO A HIGHER LEVEL, IT WOULD DROP BACK ALL THE WAY DOWN AFTER JUST A FEW MINUTES OF USING THE EXPLORER.

     

    Also, the AUTOMATIC UPDATES feature of Windows security was disabled. IT WOULD IMMEDIATELY GET DISABLED AGAIN NO MATTER HOW MANY TIMES I’D RESET IT.

     

    The LiveOne Care representative (the one who instructed me on how to run LiveOne in SafeMode; a very professional guy, by the way; this whole posting is no reflection on him) informed me that LiveOne DOES NOT DETECT INFECTION of the regkeys/regvalues.

     

    Ok, so that’s when I really began to worry. Looked around the net. Found several forums. <Bleepingcomputer.com> and <geekstogo.com> were especially helpful.

     

    If you are infected with Vundo (Virtumonde) and / or Conhook.D please be aware that LiveOne will NOT TAKE CARE OF YOUR PROBLEM (to be fair, neither will Norton antivirus – I tried it; nor Ad-Aware. Ironically, the program called VundoFix – specifically designed to combat this nastiness -- has utterly failed as well). Both viruses are nasty bugs that hide in your Temporary internet files (which is probably why my FireFox browser was not affected as much as the Explorer), regkeys/regvalue files, and even your recycle bin. So… here’s what worked for me:

     

    1. go to Internet Explorer and delete all cookies, temp files, browsing history etc.

    2. go to your other browsers (FireFox, Netscape, AOL … ) and do the same.

    3. go to START -> All programs -> Accessories -> System Tools -> Disk Cleanup

        check every box (the only one I left unchecked was Microsoft Office Files). Now, delete everything.

    4. Download the “Malwarebytes’ Anti-Malware” program. Go to www.besttechie.net. The file is called <mbam-setup.exe>. After downloading it to your desktop, click on it to install the module. Now RUN it. Doing this found 14 infected items (see the log it generated at the bottom of this post). It fixed them all!!!

    5. After rebooting your computer don’t forget to:

         - reset your Internet Explorer security to a higher level (disabled by the viruses)

         - turn on Microsoft Automatic updates (disabled by the viruses)

         - restore your regkey/regvalue directory as both viruses seem to shred it to pieces (you can do this with the sfc /scannow command if you are brave enough or, if – like me – you don’t know much about computers, you can use a program called PConPoint – which is what I did; PConPoint found 29 registry problems and fixed them).

         - finally (I’m sure you don’t HAVE TO do it, but I did it anyway) overwrite the deleted info with something that will bury these da^n things under endless strings of 1’s and 0’s – I used White Canyon’s SecureClean to completely clean my hard drive.

     

    If someone from the Microsoft Security Team is reading this…. Hey, guys! This is pretty lousy work on your part! You’ve gotta do a better job. Here’s the MBAM log:

     

    Malwarebytes' Anti-Malware 1.34
    Database version: 1780
    Windows 5.1.2600 Service Pack 3

    2/19/2009 9:49:23 PM
    mbam-log-2009-02-19 (21-49-23).txt

    Scan type: Quick Scan
    Objects scanned: 71376
    Time elapsed: 3 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\benbxc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bfddsjwl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gudalvly.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hgzzyl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lfxvifby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hrvnykne.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mlJCRKBQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


    Microsoft Doubter
    Friday, February 20, 2009 7:03 AM
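
The MBAM log pasted above has a regular shape (a summary block with counts, then a detail block listing each item as `<path> (<threat>) -> <action>.`), which makes it easy to check mechanically. The following Python script is an added example, not code from the post or from Malwarebytes: it parses that format, verifies that the declared counts match the detail lines (a truncated or hand-edited log shows up as a mismatch), tallies threat names, lists anything MBAM did not fully remove (the items that "pop up again" after a reboot), and applies a triage heuristic for short random-named DLLs in system32 like the seven in this log. The log excerpt is copied from the post, abridged by dropping the empty "(No malicious items detected)" sections after the first; the function names, the random-name heuristic and the `Delete on reboot` variant used for testing are this example's own assumptions.

```python
"""Parse an MBAM 1.x text log and cross-check it. Added example; the log text
is copied (abridged) from the forum post above, the parser and heuristics are
this example's own assumptions, not Malwarebytes' code."""
import re
from dataclasses import dataclass

# Log from the post above, abridged: empty detail sections after the first dropped.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1780
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\benbxc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bfddsjwl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gudalvly.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgzzyl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lfxvifby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hrvnykne.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCRKBQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Matches both "Registry Keys Infected: 7" (summary) and "Registry Keys Infected:" (detail header).
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:\s*(\d+)?$")
# Matches "<path> (<threat>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class MbamReport:
    summary: dict   # section -> count declared in the summary block
    items: dict     # section -> list of (path, threat, action) from the detail block


def parse_mbam_log(text):
    summary, items, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, count = m.group(1), m.group(2)
            if count is not None:          # summary line carries a number
                summary[section] = int(count)
                current = None
            else:                          # bare header opens a detail section
                current = section
                items.setdefault(section, [])
            continue
        if not line or current is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items[current].append((m["path"], m["threat"], m["action"]))
    return MbamReport(summary, items)


def count_mismatches(report):
    """Sections whose declared count differs from the detail lines present."""
    found = {s: len(v) for s, v in report.items.items()}
    return {s: (n, found.get(s, 0)) for s, n in report.summary.items() if n != found.get(s, 0)}


def threat_tally(report):
    tally = {}
    for entries in report.items.values():
        for _path, threat, _action in entries:
            tally[threat] = tally.get(threat, 0) + 1
    return tally


def unresolved(report):
    """Items not quarantined and deleted in place; these survive until the next reboot or later."""
    return [(p, a) for entries in report.items.values()
            for p, _t, a in entries if not a.startswith("Quarantined and deleted")]


def random_named_system32_dlls(report):
    """Triage heuristic (assumption): short alphabetic DLL names in system32, like the
    seven Vundo files in this log. Legitimate DLLs can match, so treat hits as candidates."""
    hits = []
    for path, _t, _a in report.items.get("Files", []):
        folder, _, name = path.rpartition("\\")
        if folder.lower().endswith(r"\windows\system32") and re.fullmatch(r"[A-Za-z]{6,8}\.dll", name):
            hits.append(name)
    return hits


if __name__ == "__main__":
    rep = parse_mbam_log(MBAM_LOG)
    print("declared vs found mismatches:", count_mismatches(rep))
    print("threats:", threat_tally(rep), "| not fully removed:", unresolved(rep))
    print("random-name system32 DLLs:", random_named_system32_dlls(rep))
```

Run it on a saved `mbam-log-*.txt` by replacing `MBAM_LOG` with the file contents. An empty mismatch dict and an empty `unresolved` list mean the log is internally consistent and everything listed was removed in place; the DLL list is a starting point for checking what else loads those names (BHO and Winlogon Notify entries are the usual places for this family, which this script does not inspect).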

All replies

  • I'm sorry that OneCare missed this infection and was unable to clean it. I agree that OneCare's signatures need to be improved to deal with some malware that it just does not take care of.

    Normally, the path to getting an infection cleaned up is to contact support, which you did. The registry keys found by AdAware may not have been an issue, but the bottom line was that OneCare was unable to deal with it. Had you continued a dialog with support after the safe mode scan failed to remove it completely, additional steps would have been taken to help you get rid of it.

    I'll paste the standard reply for a missed infection below:
     

     

    If you are using Windows Live OneCare and you have been infected, but OneCare did not detect or cannot remove the malware, please contact support to report this and for help with removal.

    How to reach support (FAQ) - http://social.microsoft.com/Forums/en-US/onecareinstallandactivate/thread/30400b52-7f26-4ba0-bc18-17e305329d90

     

    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx  for details.  For international information, see your local subsidiary Support site.


    -steve


    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Friday, February 20, 2009 8:06 PM
    Moderator
  • I am experiencing the same thing, have been on 5 separate calls to One Care Support, and they just keep trying the same things....which gets frustrating after about 6 hours on the phone.  Don't they keep a "Best practices" document on specific viruses?
    Tuesday, April 14, 2009 12:00 AM
  • I am experiencing the same thing, have been on 5 separate calls to One Care Support, and they just keep trying the same things....which gets frustrating after about 6 hours on the phone.  Don't they keep a "Best practices" document on specific viruses?

    I've already replied to your other post. When you call support back, if they repeat the same steps and the problem is not resolved, request escalation. If you are calling and opening a new case each time, you will be repeating the same steps.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Tuesday, April 14, 2009 12:03 PM
    Moderator