drink the sweet feeling of the colour zero

Hello, World. (I’m finished with Vundo, you can have it back.)


Hello, World.
Blogs.  I know, I know, I have ranted and railed against them as the vanity-induced tools of <insert negative deity here> a great many times.  WordPress is, however, a great little tool for easily adding content to one’s site if one happens to be too lazy to go knobbling around in the HTML, or to update the ages-old self-written PHP CMS.  I have decided to actually USE my growing collection of domain names for something, and one thing that would be excellent would be a place to stash useful information on problems I have solved.  For my own personal erudition if for no one else’s.  Thus, in the traditional fashion of a first post/test/script/program, etc.: hello, world.

That said, sticking to the theme that instead of simply serving as a mirror for one’s ego there should be content of some variety in a blog; I do have links to post.

Vundo, and friends.
Some days, you just have to deal with a virus.  More often than not for me recently, that virus is my old nemesis, Vundo.  I’ve had a few customers wander in with this little gem, and even, I am embarrassed to say, managed to infect my home XP web browsing VM with this little menace.  I have some tips on making this go away, however.

Kill it with fire.
No matter what I post here today, trust me, the tools and methods posted will prove incomplete in a few weeks.  Vundo evolves very quickly, so the best I can offer are some good “best practices” for hunting this little pest (and all of its friends) down.

· Immediately disable system restore and reboot.  Don’t ask questions, just do it.  If you have figured out you have Vundo, then it’s already infected your system restore, and you need to kill it.  If you have a variant that prevents you from doing this, you may need to, (from a clean system,) change permissions on c:\system volume information (taking ownership first, of course,) and go clear out the system restore information yourself.  (There are lots of better walkthroughs about this on the net.)  Be careful in there, delete the wrong thing, and your system is toast!

· Turn your system off, disconnect the disk (or VHD) and attach it to a clean test system.  Don’t bother trying to fix everything from within the native system, it’s almost impossible.

· Pick the low-hanging fruit.  There are some pretty standard places where viruses stash their goodies.  Most virus makers haven’t caught onto the idea of modifying the “last modified” date of the infected files they leave around, so you can generally tell what to start nuking based on date.  Here is a list of commonly infected folders:
- C:\Documents and Settings\%username%\local settings\temp
- C:\Documents and settings\%username%\local settings\temporary internet files
- C:\temp
- C:\windows\csc
- C:\windows\prefetch
- C:\windows\temp
- C:\windows\system32
- C:\windows\system32\dllcache
- C:\windows\system32\drivers

· Throw some automated tools at it.  No single antivirus vendor is ever enough.  The best of the best out there still let some of the creeps leak.  There are, however, mixes of free tools that are generally good enough to help you with cleanup.  Here are my favourites.
- http://www.superantispyware.com/ Despite the name, it is real.  It is effective against a limited number of malware, but it works well against those on its list.
- http://housecall.trendmicro.com/ Hell yes, housecall.  Trend Micro’s online scanner is excellent, effective, and often my first choice when I suspect a creepy crawly on my system.
- http://support.f-secure.com/enu/home/ols.shtml F-Secure online.  IE only.  Effective, but is constantly tearing out VNC even when I tell it not to.
- http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99 Symantec’s Vundo removal tool.  Does not kill all variants of Vundo, or all of Vundo’s friends (who will re-download Vundo if given a chance).  A good addition to the arsenal, however.
- http://free.avg.com/ AVG Free.  AVG is your friend.  Why?  It’s free!  (In addition, it’s not half bad.)
- http://www.eset.com/onlinescan/ ESET’s online scanner.  If this actually detects anything after you’ve cleaned with all the rest, you might consider burning the drive.  With lava.

· Reset the permissions.  This one is so critical to surviving Vundo, I’m going to give it its own section.

Resetting the file and registry permissions to defaults in Windows XP:
Next, you are going to have to reset file and registry permissions, because Vundo is an evil little abomination, and it mangles all sorts of things just to make your life miserable.  Yes, you too can survive the infinite boot loop cycle, and random “even the few programs Vundo didn’t infect won’t work.”   Most of this is due to Vundo’s desire to muck about with registry and file permissions, denying administrators access to critical areas.  I won’t bother walking through how to do it, because others have done so better than I possibly could have.
http://www.winhelponline.com/blog/reset-the-registry-and-the-file-permissions-in-windows-xp/

Post-op
Reboot, run SFC /SCANNOW from the command line (so Windows can repair any missing/deleted files), and re-install any programs that Vundo infected and the virus scanners had to nuke.  You should now have a repaired, Vundo-free system.

Most of these ideas should work against other viruses, though the scanners and tools you need to use are often different.  Remember: never rely on just one anti-virus vendor; they are all incomplete, and most can only warn you that you have been infected, not do anything to clean up the infection once it’s hit.
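As an added example (my own triage script, not something from the original post): a Python routine that walks the commonly infected folders from the “low hanging fruit” step on the offline-mounted disk, keys on the last-modified date as the post suggests, and hashes each recent file so the hash can be checked against more than one scanner.  The mount root and the username are parameters you supply; SUSPECT_DIRS mirrors the folder list above.

```python
import hashlib
import os
import time
from pathlib import Path

# Folders the post lists as common malware drop locations, relative to the root
# of the offline-mounted infected disk; %username% is substituted at run time.
SUSPECT_DIRS = [
    r"Documents and Settings\%username%\local settings\temp",
    r"Documents and Settings\%username%\local settings\temporary internet files",
    r"temp",
    r"windows\csc",
    r"windows\prefetch",
    r"windows\temp",
    r"windows\system32",
    r"windows\system32\dllcache",
    r"windows\system32\drivers",
]

def sha256_of(path):
    """Hash the file so it can be checked against several AV vendors, not one."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def recent_files(mount_root, username, max_age_days=14, now=None):
    """Return [(mtime, path, sha256)] for recently modified files, newest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for rel in SUSPECT_DIRS:
        # Split on the Windows separator so the list also works on a Linux analysis box.
        parts = rel.replace("%username%", username).split("\\")
        folder = Path(mount_root).joinpath(*parts)
        if not folder.is_dir():
            continue  # not every system has every folder; skip it
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                p = Path(dirpath, name)
                try:
                    mtime = p.stat().st_mtime
                    if mtime >= cutoff:
                        hits.append((mtime, str(p), sha256_of(p)))
                except OSError:
                    continue  # unreadable, or vanished between listing and open
    hits.sort(reverse=True)
    return hits
```

Anything this turns up is a starting point for a look, not proof of infection: legitimate updates land in system32 too, so compare the hashes against several vendors before deleting.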


© 2009 drink the sweet feeling of the colour zero. All Rights Reserved.
